Mailinglist Archive: opensuse (929 mails)

Re: [opensuse] iptables: is PREROUTING nat before or after PREROUTING filter?
On 03/24/2014 06:08 PM, Timothy Butterworth wrote:
On Monday, March 24, 2014 03:13:10 AM Timothy Butterworth wrote:
If you are simply going to drop all packets silently (recommended), then use
the iptables hash function, as it uses less memory and processes faster as
well. There are a lot of examples available on the internet. If you are
allowing established connections and have not implemented deny by default,
permit by exception in and out, then place this above your established
statements inbound. Also use supernets to block their entire country range
to reduce the number of entries. You can also make statements to block
outbound as well; masquerade is not an issue with this. Make sure you are
blocking as source inbound and destination outbound.

I am on my cell I'll take a look at your attachment when I get a chance.

Here is an article that describes an easy way to implement a full country
block.
http://www.itworld.com/security/397733/how-block-traffic-other-countries-linux

I somehow missed your original message. Anyway, I didn't find anything
about hashing at a quick glance. I'm going to dig a bit deeper over the next
few days.

Basically, what I have now and what I'd like to optimize a bit is this:

#!/bin/bash

IPTABLES="/sbin/iptables"
BLOCKDIR="blocklist.d"

if ! test -d "${BLOCKDIR}"; then
    mkdir "${BLOCKDIR}"
fi

# -f: fail on an HTTP error instead of saving the error page as a zone file
curl -sf http://www.ipdeny.com/ipblocks/data/countries/cn.zone -o "${BLOCKDIR}/cn.zone"
curl -sf http://www.ipdeny.com/ipblocks/data/countries/kr.zone -o "${BLOCKDIR}/kr.zone"
curl -sf http://www.ipdeny.com/ipblocks/data/countries/ps.zone -o "${BLOCKDIR}/ps.zone"

# One LOG/DROP pair per prefix, per chain. LOG has to come before DROP:
# a packet that matches DROP leaves the chain, so a LOG rule placed after
# it never fires. "-d 0.0.0.0/0" matched everything and is left out.
for FILE in "${BLOCKDIR}"/*.zone; do
    while read -r ADDRESS; do
        [ -n "${ADDRESS}" ] || continue
        "$IPTABLES" -A INPUT -s "${ADDRESS}" -j LOG --log-prefix "Packet log: COUNTRY BLOCK "
        "$IPTABLES" -A INPUT -s "${ADDRESS}" -j DROP
        "$IPTABLES" -A FORWARD -s "${ADDRESS}" -j LOG --log-prefix "Packet log: COUNTRY BLOCK "
        "$IPTABLES" -A FORWARD -s "${ADDRESS}" -j DROP
    done < "${FILE}"
done

This is executed in my main firewall script before my custom rules are set.

-S


--
(o_ Stefan Gofferje | SCLT, MCP, CCSA
//\ Reg'd Linux User #247167 | VCP #2263
V_/_ Heckler & Koch - the original point and click interface
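As an added example, not Stefan's script and not posted in the thread, here is the same country block rebuilt the way Timothy's reply suggests, reading his "iptables hash function" as ipset hash:net sets: one set per zone file, matched by a single rule per chain instead of one rule per prefix; inbound matched on source, outbound on destination; LOG before DROP and rate-limited; the jumps inserted at position 1 so they sit above any ESTABLISHED,RELATED accept rule. The ipdeny URL and country codes come from Stefan's script. The set names geo_<cc>, the chain names COUNTRY_IN / COUNTRY_OUT, the hashsize/maxelem figures and the sample zone list are my assumptions and constructions. The generator functions run without root; the kernel is only touched when the script is invoked with --apply.

```shell
#!/bin/bash
# Added example (not the original poster's script): country block on ipset
# hash:net sets. Assumptions (mine): zone files hold one IPv4 CIDR per line
# as ipdeny serves them; set names "geo_<cc>"; chains COUNTRY_IN/COUNTRY_OUT
# are free for this script to create and flush.
set -eu

IPTABLES="/sbin/iptables"
IPSET="/sbin/ipset"
BLOCKDIR="blocklist.d"
COUNTRIES="cn kr ps"

# Turn a CIDR list on stdin into `ipset restore` input for set $1.
# hash:net stores prefixes directly, so no per-address rules are needed.
ipset_restore_for() {
    local set_name="$1" net
    printf 'create %s hash:net family inet hashsize 4096 maxelem 65536\n' "$set_name"
    while IFS= read -r net; do
        case "$net" in
            ''|'#'*)    ;;                                           # blank or comment
            *[!0-9./]*) printf 'skipping malformed entry: %s\n' "$net" >&2 ;;
            */*)        printf 'add %s %s\n' "$set_name" "$net" ;;
            *)          printf 'add %s %s/32\n' "$set_name" "$net" ;;  # bare host
        esac
    done
}

# Emit the iptables rule arguments (one rule per line) that match set $1:
# source address inbound, destination address outbound, LOG before DROP
# (a LOG rule after DROP never fires), and the LOG rate-limited so a scan
# cannot fill the journal.
block_rules_for() {
    local set_name="$1"
    cat <<EOF
-A COUNTRY_IN -m set --match-set $set_name src -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "COUNTRY BLOCK $set_name in: "
-A COUNTRY_IN -m set --match-set $set_name src -j DROP
-A COUNTRY_OUT -m set --match-set $set_name dst -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "COUNTRY BLOCK $set_name out: "
-A COUNTRY_OUT -m set --match-set $set_name dst -j DROP
EOF
}

# Download, load the sets, install the rules. Needs root.
apply() {
    local cc chain hook rule
    mkdir -p "$BLOCKDIR"
    for cc in $COUNTRIES; do
        # -f: fail on an HTTP error rather than saving the error page as a zone
        curl -sf "http://www.ipdeny.com/ipblocks/data/countries/${cc}.zone" \
            -o "$BLOCKDIR/${cc}.zone"
        # -exist: an already-present set or entry is not an error on re-run
        ipset_restore_for "geo_${cc}" < "$BLOCKDIR/${cc}.zone" | "$IPSET" -exist restore
    done
    for chain in COUNTRY_IN COUNTRY_OUT; do
        "$IPTABLES" -N "$chain" 2>/dev/null || "$IPTABLES" -F "$chain"
    done
    for cc in $COUNTRIES; do
        block_rules_for "geo_${cc}" | while IFS= read -r rule; do
            eval "$IPTABLES $rule"          # eval keeps the quoted --log-prefix intact
        done
    done
    # Position 1 puts the jump above any ESTABLISHED,RELATED accept rule;
    # -C checks for an existing jump so re-runs add no duplicates.
    for hook in "INPUT COUNTRY_IN" "FORWARD COUNTRY_IN" "FORWARD COUNTRY_OUT" "OUTPUT COUNTRY_OUT"; do
        set -- $hook
        "$IPTABLES" -C "$1" -j "$2" 2>/dev/null || "$IPTABLES" -I "$1" 1 -j "$2"
    done
}

# Constructed sample zone list for the stand-alone demo (not real ipdeny data).
SAMPLE_ZONE='1.0.1.0/24
1.0.2.0/23
# comment line
203.0.113.7
not-an-address'

if [ "${1:-}" = "--apply" ]; then
    apply
else
    printf '%s\n' "$SAMPLE_ZONE" | ipset_restore_for geo_cn
    block_rules_for geo_cn
fi
```

Run without arguments to see the generated `ipset restore` input and rule lines for the sample data; run `--apply` as root to fetch the zones and install them. `ipset -exist restore` tolerates re-runs but does not purge prefixes that have since dropped out of a zone file; for a clean refresh, load into a fresh set and `ipset swap` it with the live one. `iptables -C` needs iptables 1.4.11 or newer.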

