Re: [opensuse] iptables: is PREROUTING nat before or after PREROUTING filter?
On Monday, March 24, 2014 03:13:10 AM Timothy Butterworth wrote:
If you are simply going to drop all packets silently (recommended), then use the iptables hash function, as it uses less memory and processes faster as well. There are a lot of examples available on the internet. If you are allowing established connections and have not implemented deny-by-default/permit-by-exception in and out, then place this above your established statements inbound. Also use supernets to block their entire country range to reduce the number of entries. You can also make statements to block outbound as well. Masquerade is not an issue with this; make sure you are blocking as source inbound and as destination outbound.
I am on my cell; I'll take a look at your attachment when I get a chance.
On Mar 24, 2014 2:07 AM, "Per Jessen" wrote:
Stefan Gofferje wrote:
Hi,
I have had quite enough of certain probes and am planning to completely block all known networks from China as well as from Gaza/.ps. Respective CSV files are available.
The more interesting question is, where do I put the rules as intelligently as possible? I want to block the IPs for INPUT (to the fw host itself) as well as for FORWARD, but simply pushing the rules twice, once into each chain, appears to be a huge waste of memory to me (those are quite a few rules...).
Do you need the memory for anything else? :-)
-- Per Jessen, Zürich (3.9°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Here is an article that describes an easy way to implement a full country block. http://www.itworld.com/security/397733/how-block-traffic-other-countries-lin...
On 03/24/2014 06:08 PM, Timothy Butterworth wrote:
> On Monday, March 24, 2014 03:13:10 AM Timothy Butterworth wrote:
> If you are simply going to drop all packets silently (recommended), then use the iptables hash function, as it uses less memory and processes faster as well. There are a lot of examples available on the internet. If you are allowing established connections and have not implemented deny-by-default/permit-by-exception in and out, then place this above your established statements inbound. Also use supernets to block their entire country range to reduce the number of entries. You can also make statements to block outbound as well. Masquerade is not an issue with this; make sure you are blocking as source inbound and as destination outbound.
> I am on my cell; I'll take a look at your attachment when I get a chance.
> Here is an article that describes an easy way to implement a full country block. http://www.itworld.com/security/397733/how-block-traffic-other-countries-lin...
I somehow missed your original message. Anyway, I didn't find anything about hashing at a quick glance. I'm going to dig a bit deeper over the next days. Basically, what I have now and what I'd like to optimize a bit is this:

    #!/bin/bash
    IPTABLES="/sbin/iptables"
    ANY="0.0.0.0/0"
    BLOCKDIR="blocklist.d"

    if ! test -d "${BLOCKDIR}"; then
        mkdir "${BLOCKDIR}"
    fi

    # Fetch the per-country CIDR lists.
    curl -s http://www.ipdeny.com/ipblocks/data/countries/cn.zone -o "${BLOCKDIR}/cn.zone"
    curl -s http://www.ipdeny.com/ipblocks/data/countries/kr.zone -o "${BLOCKDIR}/kr.zone"
    curl -s http://www.ipdeny.com/ipblocks/data/countries/ps.zone -o "${BLOCKDIR}/ps.zone"

    # One DROP and one LOG rule per network, in both INPUT and FORWARD.
    # LOG must come before DROP: DROP is terminating, so a LOG rule
    # appended after it would never be reached.
    for FILE in "${BLOCKDIR}"/*zone; do
        for ADDRESS in $(cat "${FILE}"); do
            $IPTABLES -A INPUT -s "${ADDRESS}" -d "$ANY" -j LOG --log-prefix "Packet log: COUNTRY BLOCK "
            $IPTABLES -A INPUT -s "${ADDRESS}" -d "$ANY" -j DROP
            $IPTABLES -A FORWARD -s "${ADDRESS}" -d "$ANY" -j LOG --log-prefix "Packet log: COUNTRY BLOCK "
            $IPTABLES -A FORWARD -s "${ADDRESS}" -d "$ANY" -j DROP
        done
    done

This is executed in my main firewall script before my custom rules are set.
-S
--
(o_ Stefan Gofferje | SCLT, MCP, CCSA
//\ Reg'd Linux User #247167 | VCP #2263
V_/_ Heckler & Koch - the original point and click interface
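The "hash function" Timothy refers to and the duplicate INPUT/FORWARD rules Stefan wants to avoid can be addressed together: load every CIDR once into an ipset of type hash:net and have a single user-defined chain, referenced from both INPUT and FORWARD, match against that set. The script below is an added example written for this thread, not code from either poster; it generates the `ipset restore` input and the iptables commands as text (a dry run) so it can be inspected before being applied, and the set name, chain name and sample zone file are assumptions.

```shell
#!/bin/sh
# Added example: one hash:net set holds every CIDR once; one chain holds the
# LOG and DROP rules; INPUT and FORWARD each jump to that chain a single time.
# LOG precedes DROP because DROP is terminating. Names below are assumptions.
SETNAME="country_block"
CHAIN="COUNTRY_BLOCK"

# Print `ipset restore` input for every CIDR in the given zone files.
# Blank lines and '#' comments are skipped; -exist makes re-runs idempotent.
gen_ipset_restore() {
    echo "create ${SETNAME} hash:net family inet -exist"
    cat -- "$@" | grep -Ev '^[[:space:]]*(#|$)' | while read -r cidr; do
        echo "add ${SETNAME} ${cidr} -exist"
    done
}

# Print the iptables commands: two rules in one chain, one jump per built-in
# chain. -I ... 1 puts the jump above any ESTABLISHED accept rule, as advised.
gen_iptables_rules() {
    cat <<EOF
iptables -N ${CHAIN}
iptables -F ${CHAIN}
iptables -A ${CHAIN} -m set --match-set ${SETNAME} src -j LOG --log-prefix "Packet log: COUNTRY BLOCK "
iptables -A ${CHAIN} -m set --match-set ${SETNAME} src -j DROP
iptables -I INPUT 1 -j ${CHAIN}
iptables -I FORWARD 1 -j ${CHAIN}
EOF
}

# Number of networks the set would contain (one "add" line per CIDR).
count_set_entries() {
    gen_ipset_restore "$@" | grep -c '^add '
}

# Constructed sample zone file (documentation prefixes, not real ipdeny data)
# so the generator can be run offline.
SAMPLE_ZONE="${TMPDIR:-/tmp}/sample.zone"
printf '# constructed sample\n192.0.2.0/24\n198.51.100.0/24\n\n203.0.113.0/24\n' > "${SAMPLE_ZONE}"

# Dry run: show what would be fed to `ipset restore` and to the shell.
gen_ipset_restore "${SAMPLE_ZONE}"
gen_iptables_rules
# To apply for real (as root):
#   gen_ipset_restore blocklist.d/*.zone | ipset restore
#   gen_iptables_rules | sh
```

Re-running the set load with `-exist` is safe, but re-running the iptables part would insert a second jump into INPUT and FORWARD, so delete the old jump (or flush the chain and re-add) when refreshing the lists.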