[CentOS] Paranoid Firewalling

Tue Sep 6 23:35:46 UTC 2005
Thom van der Boon <thom at vanderboon.net>

Kirk Bocek wrote:

> After reading this article:
>
> http://www.theregister.co.uk/2005/08/31/blocking_chinese_ip_addresses/
>
> I got to thinking that there is really no reason for *any* traffic to 
> hit my servers that comes from anywhere outside North America. So I 
> wrote the perl script at the end of this posting to extract selected 
> IP ranges posted at iana.org and convert them into iptables rules 
> blocking any traffic from those ranges.

Sure! Greetings from Holland (The Netherlands) by the way.

As an entrepreneur my company is doing business all over the world. 
Simply blocking the "Rest of the world" is a foolish thing. That means 
that somebody from India (a lot of US and European companies are running 
their operations from that country) would be blocked too. As far as I can 
read your script, even an e-mail from India or Europe would not get 
through (it blocks a lot of spam *grin* but also business opportunities).

My strategy is to block anything with a login prompt except for hosts 
which are on my local network or connect via a VPN. So I've disabled 
telnet (port 23), and SSH (port 22) is only allowed from my local network 
or from users connected through the VPN. I run an FTP server on almost 
all my servers, but the only one reachable from the Internet is a CentOS 
mirror you can use anonymously. DNS, HTTP(S) and SMTP traffic is allowed 
by my firewall to the servers. The rest is blocked.

>
> I'd like comments on this. I know it's not perfect as there are both 
> corporate and 'various registries' address ranges that aren't covered 
> but it's a start. Since my company web site is hosted elsewhere but we 
> are doing the DNS, I put in the exceptions for DNS.
>
START with the DNS exceptions..... You are now also blocking DNS requests 
(and also the DNS requests to get your MX records) from the rest of the 
world. And what about SMTP traffic from the rest of the world?

> In my ten or so years of administering Linux servers, following the 
> usual security precautions has been sufficient: closing unused ports, 
> keeping up to date on patches, limiting permissions and logins, etc. 
> I've never had a system broken into.
>
> But if I can lessen the bandwidth used up by brute-force password 
> attacks and port scans at the cost of a few CPU cycles, that's a good 
> thing. I've had the new rules up on one server for about half an hour 
> and can see about 10 or so connection attempts from the addresses in 
> question.
>
> What do you think?
>
> Kirk Bocek
>
> (...)
>

Thom
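The policy Thom describes above (login services only from the LAN or VPN, telnet closed, DNS/HTTP(S)/SMTP open to the whole Internet, everything else dropped) as a small iptables ruleset. This is an added example, not a script posted by Thom or Kirk; the network ranges 192.168.1.0/24 (local network) and 10.8.0.0/24 (VPN clients) are assumed placeholders, and the function prints the iptables commands instead of applying them so the ruleset can be reviewed and tested without root.

```shell
#!/bin/sh
# Added example (not from the original thread): emit an iptables INPUT
# ruleset for a "block everything with a login prompt" policy.
# The LAN and VPN ranges are assumed placeholders; adjust for your site.
# Rules are printed, not applied; pipe the output to sh as root to load them.

paranoid_rules() {
    lan="$1"   # assumed local network, e.g. 192.168.1.0/24
    vpn="$2"   # assumed VPN client range, e.g. 10.8.0.0/24

    # Start from a clean INPUT chain with a default-deny policy.
    # Loopback and replies to connections we initiated are always fine.
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Services with a login prompt: SSH only from the LAN or the VPN,
    # telnet from nowhere. Order matters: -A appends, so the two ACCEPTs
    # are evaluated before the catch-all DROP for port 22.
    echo "iptables -A INPUT -p tcp --dport 22 -s $lan -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -s $vpn -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
    echo "iptables -A INPUT -p tcp --dport 23 -j DROP"

    # Public services reachable from the whole Internet. DNS and SMTP
    # stay world-open on purpose: foreign resolvers must be able to fetch
    # your MX records and foreign MTAs must be able to deliver mail.
    echo "iptables -A INPUT -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 80 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 443 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 25 -j ACCEPT"

    # Everything else falls through to the DROP policy; log a rate-limited
    # sample first so brute-force and scan traffic is still visible.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
}

# Usage (as root): sh this-script.sh 192.168.1.0/24 10.8.0.0/24 | sh
paranoid_rules "${1:-192.168.1.0/24}" "${2:-10.8.0.0/24}"
```

Run it once without the trailing `| sh` and read the output before loading it; with a default DROP policy, an ordering mistake on the port 22 rules locks you out of the box from everywhere except the console. On a server that also runs the anonymous FTP mirror, add the port 21 ACCEPT (and the RELATED rule above handles the data connections once the ftp conntrack helper is loaded).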