[CentOS] Paranoid Firewalling
Ted Kaczmarek
tedkaz at optonline.net
Tue Sep 6 18:15:17 UTC 2005
On Tue, 2005-09-06 at 10:19 -0700, Kirk Bocek wrote:
> After reading this article:
>
> http://www.theregister.co.uk/2005/08/31/blocking_chinese_ip_addresses/
>
> I got to thinking that there is really no reason for *any* traffic to
> hit my servers that comes from anywhere outside North America. So I
> wrote the perl script at the end of this posting to extract selected IP
> ranges posted at iana.org and convert them into iptables rules blocking
> any traffic from those ranges.
>
> I'd like comments on this. I know it's not perfect as there are both
> corporate and 'various registries' address ranges that aren't covered
> but it's a start. Since my company web site is hosted elsewhere but we
> are doing the DNS, I put in the exceptions for DNS.
>
> In my ten or so years of administering Linux servers, following the
> usual security precautions has been sufficient: closing unused ports,
> keeping up to date on patches, limiting permissions and logins, etc.
> I've never had a system broken into.
>
> But if I can lessen the bandwidth used up by brute-force password
> attacks and port scans at the cost of a few CPU cycles, that's a good
> thing. I've had the new rules up on one server for about half an hour
> and can see about 10 or so connection attempts from the addresses in
> question.
>
> What do you think?
>
> Kirk Bocek
>
>
> #!/usr/bin/perl
> #
> # iana-makeiptables.pl
> # Convert IPv4 Address assignment document from iana.org into
> # a shell script that will insert iptables rules to block traffic
> # from selected regional registries.
> #
> # Copy the data from:
> # http://www.iana.org/assignments/ipv4-address-space
> # and save it to the file in $datafile (here -- iana-assignments.dat)
> # Then edit the 'my @block' line below to select the registries you want
> # to block
> #
> # Sept 6, 2005 Kirk Bocek
> #
> use strict;
> use warnings;
>
> my $datafile='iana-assignments.dat';
> my $outfile='iana-block.sh';
> #Registries are ARIN APNIC RIPE LACNIC AfriNIC
> my @block=qw/APNIC RIPE LACNIC AfriNIC/;
>
> die "Data File $datafile Not Found!" unless -f $datafile;
> open my $out, '>', $outfile
>     or die "Cannot open $outfile for writing: $!";
> open my $dat, '<', $datafile
>     or die "Cannot open $datafile for reading: $!";
>
> print $out "#!/bin/bash\n";
> print $out "# Blocking traffic from: @block\n";
> print $out "# Generated by iana-makeiptables.pl\n";
>
> # Each assignment line starts with the /8 block, e.g. "058/8 ... APNIC"
> while (<$dat>) {
>     next unless /^\d{3}\/8/;
>     BLOCK: foreach my $reg (@block) {
>         if (/^(\d{3})\/8.*$reg/) {
>             my $x = $1;
>             $x = $x + 0;   # Strip leading zeros (there might be two of them)
>             print $out "iptables -I INPUT -s $x.0.0.0/8 -j DROP\n";
>             last BLOCK;
>         }
>     }
> }
>
> #Put any exceptions here
> #For example, I'm allowing DNS traffic
> #(-I inserts at the top of INPUT, so these end up ahead of the DROP rules)
> print $out "iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT\n";
> print $out "iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT\n";
>
> close $out;
> close $dat;
> # End of iana-makeiptables.pl
>
>
Awesome, added to my todo list.
Regards,
Ted
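The same approach written against the CSV layout IANA publishes for ipv4-address-space today (columns Prefix, Designation, Date, Whois, RDAP, Status, Note), as an added Python example that is not Kirk's Perl script and not something posted on the list. The sample rows, the registry-to-whois table and the IANA_BLOCK chain name are constructed here for illustration. It matches on the Whois column rather than on a registry name appearing anywhere in the line, puts the rules in a dedicated chain so exceptions are evaluated before any DROP regardless of insertion order, and keeps the same caveat as the original: the IANA table is only the top-level /8 allocation, so whole /8s that are split between regions are blocked or allowed as a unit.

```python
"""Generate iptables rules dropping traffic from the /8 blocks IANA lists
under selected registries.  Added example; assumes the IANA CSV layout and
uses a constructed sample table."""

import csv
import io
import re

# Constructed sample in the IANA ipv4-address-space CSV layout (values are
# illustrative, not a copy of the live table).
SAMPLE_CSV = """Prefix,Designation,Date,Whois,RDAP,Status [1],Note
001/8,APNIC,2010-01,whois.apnic.net,https://rdap.apnic.net/,ALLOCATED,
003/8,Administered by ARIN,1994-05,whois.arin.net,https://rdap.arin.net/registry/ip/,LEGACY,
010/8,IANA - Private Use,1995-06,,,RESERVED,
024/8,ARIN,2001-05,whois.arin.net,https://rdap.arin.net/registry/ip/,ALLOCATED,
041/8,AfriNIC,2005-04,whois.afrinic.net,https://rdap.afrinic.net/rdap/,ALLOCATED,
062/8,RIPE NCC,1997-04,whois.ripe.net,https://rdap.db.ripe.net/,ALLOCATED,
200/8,LACNIC,2002-11,whois.lacnic.net,https://rdap.lacnic.net/rdap/,ALLOCATED,
"""

# Registry name -> whois server shown in the Whois column (assumed mapping;
# matching on this column avoids false hits on free text in Designation).
REGISTRY_WHOIS = {
    "ARIN": "whois.arin.net",
    "APNIC": "whois.apnic.net",
    "RIPE": "whois.ripe.net",
    "LACNIC": "whois.lacnic.net",
    "AfriNIC": "whois.afrinic.net",
}


def blocks_for(csv_text, registries):
    """Return CIDR strings such as '1.0.0.0/8' for every /8 row whose Whois
    server belongs to one of the requested registries."""
    wanted = {REGISTRY_WHOIS[r] for r in registries}
    cidrs = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = re.match(r"^(\d{3})/8$", row["Prefix"].strip())
        if not m:
            continue
        if row["Whois"].strip() not in wanted:
            continue
        first_octet = int(m.group(1))  # int() drops the zero padding ("058" -> 58)
        cidrs.append(f"{first_octet}.0.0.0/8")
    return cidrs


def render_script(cidrs, exceptions=(("tcp", 53), ("udp", 53))):
    """Emit a bash script that (re)builds a dedicated chain: exceptions first
    as RETURN, then one DROP per /8, then a single jump from INPUT."""
    lines = [
        "#!/bin/bash",
        "# Generated from IANA ipv4-address-space; drops whole /8 blocks.",
        "# Dedicated chain: rebuilt atomically with -F, easy to audit with -L.",
        "iptables -N IANA_BLOCK 2>/dev/null || iptables -F IANA_BLOCK",
    ]
    # RETURN leaves the chain before any DROP is reached, so exception order
    # no longer depends on -I versus -A as it did with rules directly in INPUT.
    for proto, port in exceptions:
        lines.append(f"iptables -A IANA_BLOCK -p {proto} --dport {port} -j RETURN")
    for cidr in cidrs:
        lines.append(f"iptables -A IANA_BLOCK -s {cidr} -j DROP")
    # -C checks for an existing jump so re-running the script does not stack them.
    lines.append("iptables -C INPUT -j IANA_BLOCK 2>/dev/null || iptables -I INPUT -j IANA_BLOCK")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Same registry selection as the original script.
    print(render_script(blocks_for(SAMPLE_CSV, ["APNIC", "RIPE", "LACNIC", "AfriNIC"])), end="")
```

To use it against the live table, replace SAMPLE_CSV with the contents of the CSV download from the IANA page and redirect the output to a file; check the resulting rule set with `iptables -L IANA_BLOCK -n` before relying on it.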