[CentOS] Paranoid Firewalling

Kirk Bocek t004 at kbocek.com
Tue Sep 6 17:19:58 UTC 2005


After reading this article:

http://www.theregister.co.uk/2005/08/31/blocking_chinese_ip_addresses/

I got to thinking that there is really no reason for *any* traffic to 
hit my servers that comes from anywhere outside North America. So I 
wrote the perl script at the end of this posting to extract selected IP 
ranges posted at iana.org and convert them into iptables rules blocking 
any traffic from those ranges.

I'd like comments on this. I know it's not perfect as there are both 
corporate and 'various registries' address ranges that aren't covered 
but it's a start. Since my company web site is hosted elsewhere but we 
are doing the DNS, I put in the exceptions for DNS.

In my ten or so years of administering Linux servers, following the 
usual security precautions has been sufficient: closing unused ports, 
keeping up to date on patches, limiting permissions and logins, etc. 
I've never had a system broken into.

But if I can lessen the bandwidth used up by brute-force password 
attacks and port scans at the cost of a few CPU cycles, that's a good 
thing. I've had the new rules up on one server for about half an hour 
and can see about 10 or so connection attempts from the addresses in 
question.

What do you think?

Kirk Bocek


#!/usr/bin/perl
#
# iana-makeiptables.pl
# Convert IPv4 Address assignment document from iana.org into
# a shell script that will insert iptables rules to block traffic
# from selected regional registries.
#
# Copy the data from:
#       http://www.iana.org/assignments/ipv4-address-space
# and save it to the file in $datafile (here -- iana-assignments.dat)
# Then edit the 'my @block' line below to select the registries you want 
to block
#
# Sept 6, 2005 Kirk Bocek
#
use strict;

my $datafile='iana-assignments.dat';
my $outfile='iana-block.sh';
#Registries are ARIN APNIC RIPE LACNIC AfriNIC
my @block=qw/APNIC RIPE LACNIC AfriNIC/;

die "Data File $datafile Not Found!" unless -f $datafile;
die "Cannot open $outfile for writing!" unless
         open OUT, ">$outfile";
die "Cannot open $datafile for reading!" unless
         open DAT, "<$datafile";

print OUT "#!/bin/bash\n";
print OUT "# Blocking traffic from: @block\n";
print OUT "# Generated by iana-makeiptables.pl\n";

foreach (<DAT>) {
         next unless /^\d{3}\/8/;
         BLOCK: foreach my $reg (@block) {
                 if (/^(\d{3})\/8.*$reg/) {
                         my $x=$1;
                         $x=substr($x,1) if substr($x,0,1) eq '0'; 
#Strip leading zero
                         $x=substr($x,1) if substr($x,0,1) eq '0'; 
#Might be two of them
                         print OUT 'iptables -I INPUT -s ',$x,".0.0.0/8 
-j DROP\n";
                         last BLOCK;
                 }
         }
}

#Put any exceptions here
#For example, I'm allowing DNS traffic
print OUT "iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT\n";
print OUT "iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT\n";


close OUT;
close DAT;
# End of iana-makeiptables.pl





More information about the CentOS mailing list