Blocking abusive IP addresses using IPTABLES Firewall in Debian/Ubuntu

Leave reply

blocking-abusive-ip-addresses-using-iptables-firewall-in-debianubuntuIn one of our previous article we have posted an instructional guide on how to secure your Debian/Ubuntu based VPS using IPTABLES/Netfilter.

In the following article we are adding a blacklist to the firewall script which will allow you to block any abusive IP addresses or ranges of IPs in your Debian or Ubuntu based virtual server.

What is iptables?

It is is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.

Before proceeding any further, make sure you read the article on how to secure/design the firewall in your linux vps. This includes:

  • Flushing the old firewall rules
  • Determining service ports
  • Setting-up default policies
  • Setting-up your firewall rules
  • Saving your firewall rules

BLOCKING IPs USING IPTABLES

To block some abusive IP address or range of IPs, you can use the following iptables rules:

## iptables -I INPUT -s 1.2.3.4 -j DROP
## iptables -I INPUT -s 1.2.0.0/16 -j DROP

CREATING THE BLACKLIST

For better readability and maintenance, it is a good idea to have all abusing IPs in one particular file, for example /etc/blacklist.ips. This way, you can add the IP addresses or subnets in this file (one IP or subnet per line) and use the fwall-rules script below to block anything listed in this file.

So, create or edit /usr/local/bin/fwall-rules and make it as follows:

#!/bin/bash
#
# iptables firewall script
# http://www.rosehosting.com
#

IPTABLES=/sbin/iptables
BLACKLIST=/etc/blacklist.ips

echo " * flushing old rules"
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain

echo " * setting default policies"
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

echo " * allowing loopback devices"
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A OUTPUT -o lo -j ACCEPT

${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## BLOCK ABUSING IPs HERE ##
#echo " * BLACKLIST"
#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

echo " * allowing ssh on port 5622"
${IPTABLES} -A INPUT -p tcp --dport 5622  -m state --state NEW -j ACCEPT

echo " * allowing ftp on port 21"
${IPTABLES} -A INPUT -p tcp --dport 21  -m state --state NEW -j ACCEPT

echo " * allowing dns on port 53 udp"
${IPTABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing dns on port 53 tcp"
${IPTABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
${IPTABLES} -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

echo " * allowing https on port 443"
${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

echo " * allowing smtp on port 25"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

echo " * allowing submission on port 587"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT

echo " * allowing imaps on port 993"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT

echo " * allowing pop3s on port 995"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT

echo " * allowing imap on port 143"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT

echo " * allowing pop3 on port 110"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

echo " * allowing ping responses"
${IPTABLES} -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

# DROP everything else and Log it
${IPTABLES} -A INPUT -j LOG
${IPTABLES} -A INPUT -j DROP

#
# Block abusing IPs 
# from ${BLACKLIST}
#
if [[ -f "${BLACKLIST}" ]] && [[ -s "${BLACKLIST}" ]]; then
    echo " * BLOCKING ABUSIVE IPs"
    while read IP; do
        ${IPTABLES} -I INPUT -s "${IP}" -j DROP
    done < <(cat "${BLACKLIST}")
fi

#
# Save settings
#
echo " * SAVING RULES"

if [[ -d /etc/network/if-pre-up.d ]]; then
    if [[ ! -f /etc/network/if-pre-up.d/iptables ]]; then
        echo -e "#!/bin/bash" > /etc/network/if-pre-up.d/iptables
        echo -e "test -e /etc/iptables.rules && iptables-restore -c /etc/iptables.rules" >> /etc/network/if-pre-up.d/iptables
        chmod +x /etc/network/if-pre-up.d/iptables
    fi
fi

iptables-save > /etc/fwall.rules
iptables-restore -c /etc/fwall.rules

make sure the script is executable by adding an ‘x’ bit to it:

## chmod +x /usr/local/bin/fwall-rules

APPLYING THE RULES

To apply the firewall rules and block the abusers, you need to just execute the fwall-rules script and that’s it.

## fwall-rules
 * flushing old rules
 * setting default policies
 * allowing loopback devices
 * allowing ssh on port 5622
 * allowing ftp on port 21
 * allowing dns on port 53 udp
 * allowing dns on port 53 tcp
 * allowing http on port 80
 * allowing https on port 443
 * allowing smtp on port 25
 * allowing submission on port 587
 * allowing imaps on port 993
 * allowing pop3s on port 995
 * allowing imap on port 143
 * allowing pop3 on port 110
 * allowing ping responses
 * BLOCKING ABUSIVE IPs
 * SAVING RULES

Of course you don’t have to do any of this if you use one of our Linux VPS hosting services, in which case you can simply ask our expert linux admins to do this for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.


50% OFF Coupon

EXCLUSIVE EMAIL UPDATES AND “MEMBERS-ONLY” CONTENT


3 Responses to “Blocking abusive IP addresses using IPTABLES Firewall in Debian/Ubuntu”

  1. Keith Sorbo

    Great article.

    Saved my bacon on a DDos Attack

    Reply
  2. Use IP Tables to Block a Specific or a Range of IP Addreses | Code Sport I/O

    […] Blocking Abusive IP Addresses… […]

    Reply
  3. Johan

    If you have many blocked IP addresses adding them directly in the chain is not a very good idea. This can require quite a lot of CPU to match incoming packets to a couple of 1000’s blocked IP addresses. A better way is to use “ipset”. Create a set of IP addresses and add a rule that matches against that set.

    This is magnitudes faster and can easily handle 10,000’s of blocked IP addresses with no noticable CPU degradation
    This allows you to use existing blacklists (which have 10,000’s entries) for your server. For example from ipdeny . com

    For example:

    # Create a new map
    sudo ipset -n my-blacklist hash:net

    # Add ip addresses to the set
    # In reality this will be a loop to read blacklists from a file
    ipset -a my-blacklist 43.255.0.0/16
    ipset -a my-blacklist 218.87.0.0/16
    ……….
    ……….

    # Add rule to drop all packages in the blacklist
    sudo iptables -A INPUT -p tcp -m set –match-set my-blacklist src -j DROP

    Reply

Leave a Reply