[CentOS] Paranoid Firewalling

Tue Sep 6 18:15:17 UTC 2005
Ted Kaczmarek <tedkaz at optonline.net>

On Tue, 2005-09-06 at 10:19 -0700, Kirk Bocek wrote:
> After reading this article:
> 
> http://www.theregister.co.uk/2005/08/31/blocking_chinese_ip_addresses/
> 
> I got to thinking that there is really no reason for *any* traffic to 
> hit my servers that comes from anywhere outside North America. So I 
> wrote the perl script at the end of this posting to extract selected IP 
> ranges posted at iana.org and convert them into iptables rules blocking 
> any traffic from those ranges.
> 
> I'd like comments on this. I know it's not perfect as there are both 
> corporate and 'various registries' address ranges that aren't covered 
> but it's a start. Since my company web site is hosted elsewhere but we 
> are doing the DNS, I put in the exceptions for DNS.
> 
> In my ten or so years of administering Linux servers, following the 
> usual security precautions has been sufficient: closing unused ports, 
> keeping up to date on patches, limiting permissions and logins, etc. 
> I've never had a system broken into.
> 
> But if I can lessen the bandwidth used up by brute-force password 
> attacks and port scans at the cost of a few CPU cycles, that's a good 
> thing. I've had the new rules up on one server for about half an hour 
> and can see about 10 or so connection attempts from the addresses in 
> question.
> 
> What do you think?
> 
> Kirk Bocek
> 
> 
> #!/usr/bin/perl
> #
> # iana-makeiptables.pl
> # Convert IPv4 Address assignment document from iana.org into
> # a shell script that will insert iptables rules to block traffic
> # from selected regional registries.
> #
> # Copy the data from:
> #       http://www.iana.org/assignments/ipv4-address-space
> # and save it to the file in $datafile (here -- iana-assignments.dat)
> # Then edit the 'my @block' line below to select the registries you want to block
> #
> # Sept 6, 2005 Kirk Bocek
> #
> use strict;
> use warnings;
> 
> my $datafile='iana-assignments.dat';
> my $outfile='iana-block.sh';
> #Registries are ARIN APNIC RIPE LACNIC AfriNIC
> my @block=qw/APNIC RIPE LACNIC AfriNIC/;
> 
> die "Data File $datafile Not Found!" unless -f $datafile;
> die "Cannot open $outfile for writing!" unless
>          open OUT, ">$outfile";
> die "Cannot open $datafile for reading!" unless
>          open DAT, "<$datafile";
> 
> print OUT "#!/bin/bash\n";
> print OUT "# Blocking traffic from: @block\n";
> print OUT "# Generated by iana-makeiptables.pl\n";
> 
> foreach (<DAT>) {
>          next unless /^\d{3}\/8/;     #Only the "NNN/8 ..." assignment lines
>          BLOCK: foreach my $reg (@block) {
>                  if (/^(\d{3})\/8.*$reg/) {
>                          my $x=$1;
>                          $x+=0;       #Strip leading zeros: "058" -> 58 (numeric, not octal)
>                          print OUT 'iptables -I INPUT -s ',$x,".0.0.0/8 -j DROP\n";
>                          last BLOCK;
>                  }
>          }
> }
> 
> #Put any exceptions here
> #For example, I'm allowing DNS traffic
> #(-I prepends, so these two rules end up above all the DROP rules)
> print OUT "iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT\n";
> print OUT "iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT\n";
> 
> 
> close OUT;
> close DAT;
> # End of iana-makeiptables.pl
> 

Awesome, added to my todo list.

Regards,
Ted
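As an added example (not Kirk's or Ted's code, and not from the CentOS project), here is the same idea in Python with two changes a practitioner would want: the DROP rules go into their own chain so the exceptions RETURN from it instead of being ACCEPTed above every other INPUT rule, and the registry name is matched as a whole word. The sample registry text is constructed in the whitespace-separated layout of the iana.org file (three-digit zero-padded prefix in the first column, registry name somewhere in the designation); the values are illustrative, and the chain name GEOBLOCK and the use of `iptables -C` (a check flag newer than 2005-era iptables) are assumptions of this example.

```python
"""Build a geo-block iptables script from the IANA IPv4 /8 registry (added example)."""
import re
from typing import Iterable, List

# Constructed sample in the layout of http://www.iana.org/assignments/ipv4-address-space
# (prefix column, date, designation). Illustrative values, not the authoritative file.
SAMPLE_REGISTRY = """\
Prefix   Date     Designation
000/8    Sep 81   IANA - Reserved
003/8    May 94   General Electric Company
024/8    May 01   ARIN
058/8    Apr 04   APNIC
061/8    Apr 97   APNIC
062/8    Apr 97   RIPE NCC
196/8    Jun 93   AfriNIC
200/8    Nov 02   LACNIC
201/8    Apr 03   LACNIC
210/8    Jun 96   APNIC
"""

_PREFIX_RE = re.compile(r"^(\d{3})/8\s+(.*)$")


def blocked_octets(registry_text: str, registries: Iterable[str]) -> List[int]:
    """Return the sorted first octets of every /8 delegated to one of `registries`.

    The registry name is matched as a whole word, so "RIPE" matches "RIPE NCC"
    but not a name embedded in an unrelated designation. int() converts the
    zero-padded prefix column ("058" -> 58) without the octal trap.
    """
    patterns = [re.compile(r"\b" + re.escape(r) + r"\b") for r in registries]
    octets = set()
    for line in registry_text.splitlines():
        m = _PREFIX_RE.match(line)
        if not m:
            continue  # header line or anything that is not an "NNN/8" entry
        octet, designation = int(m.group(1)), m.group(2)
        if any(p.search(designation) for p in patterns):
            octets.add(octet)
    return sorted(octets)


def build_script(octets: Iterable[int], allowed_dports: Iterable[int] = (53,),
                 chain: str = "GEOBLOCK") -> str:
    """Render a bash script that installs the DROP rules in a dedicated chain.

    Using `iptables -I INPUT` for every rule (as the original script does)
    prepends, so ACCEPT rules emitted last land above the DROPs and short-circuit
    the rest of the INPUT policy for that port. Here the exceptions RETURN from
    the chain, so DNS from a blocked range is still evaluated by whatever INPUT
    rules follow the hook, and the hook is inserted only if it is not already there.
    The chain name is an assumption of this example.
    """
    octets = sorted(set(octets))
    lines = [
        "#!/bin/bash",
        "set -e",
        f"# Generated geo-block chain {chain}; blocked /8s: {' '.join(map(str, octets))}",
        f"iptables -N {chain} 2>/dev/null || iptables -F {chain}",
    ]
    for port in allowed_dports:
        for proto in ("tcp", "udp"):
            lines.append(f"iptables -A {chain} -p {proto} --dport {port} -j RETURN")
    for octet in octets:
        lines.append(f"iptables -A {chain} -s {octet}.0.0.0/8 -j DROP")
    # -C checks for an existing rule; -I INPUT 1 places the hook at the top once.
    lines.append(f"iptables -C INPUT -j {chain} 2>/dev/null || iptables -I INPUT 1 -j {chain}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    targets = ["APNIC", "RIPE", "LACNIC", "AfriNIC"]
    print(build_script(blocked_octets(SAMPLE_REGISTRY, targets)))
```

Two caveats apply regardless of the language: the /8 registry is coarse (whole /8s listed under one registry can contain legacy or administered-for-others space, and a /8 is not a country), so anyone doing this today would work from the per-RIR delegated files and load the result into an ipset rather than thousands of individual rules; and none of it reduces brute-force attempts or scans that originate inside the regions left open.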