KrnlPanic's Linux Notes and Tips

Working with linux since kernel version 2.0.30

Blocking International Network Traffic From Your Server

Over the years, I have found that most of the spam and attack traffic hitting my servers comes from outside the United States. My websites are meant for English-speaking readers in the Western Hemisphere, so why leave the server open to the rest of the world? Since I don't need traffic from outside the US, I decided to block access to my servers from all network blocks that are allocated to foreign countries.

Here is the list of IP blocks I drop. It is not all-inclusive, but it covers many of the "problem countries" (China, Turkey, Romania, Denmark, Russia, etc.). Be clear about what a /8 is, though: these are allocations to the regional registries (RIPE NCC, APNIC, LACNIC), not to individual countries, so each /8 covers a whole region and dropping it blocks every host in it, legitimate or not. If you need to receive mail or visitors from anywhere in those regions, or you log in from abroad while travelling, trim the list before you load it.

I use iptables (/sbin/iptables) to block these network blocks. It's as simple as copying the entries below into a file on your server (I call mine 'iptables.rules') and running a short 'for' loop to read them in. Once loaded, the rules live only in the running kernel: on Red Hat-style systems write them out with 'service iptables save' (the same as 'iptables-save > /etc/sysconfig/iptables'; iptables-save on its own only prints the rules to standard output), then run 'chkconfig iptables on' so the saved rules are restored the next time your server boots (and every time thereafter). Note that '-A' appends each rule to the end of the INPUT chain, so if the chain already ends in a broad ACCEPT rule the DROPs will never be reached; in that case insert them at the top with '-I' instead.

More information about iptables can be found at the following link:

IPTables tutorial – How to use iptables

Run this loop to read all the IPs below into your iptables configuration (lines beginning with "N" are comments and are skipped):

for line in $(grep -v '^N' iptables.rules); do /sbin/iptables -A INPUT -s "$line" -m state --state NEW -j DROP; done

## Alternatively, here it is as a script:
#!/bin/bash
# Read iptables.rules, skip the "N ..." comment lines, and drop NEW inbound
# connections from every network listed.
for line in $(grep -v '^N' iptables.rules)
do
  /sbin/iptables -A INPUT -s "$line" -m state --state NEW -j DROP
done
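Here is the loading step written out as a fuller script. This is an added example, not the post's original loop: it reads the same 'N'-commented file format, validates and deduplicates the entries, builds a dedicated chain (called GEOBLOCK here, an assumed name) and jumps to it from the top of INPUT and FORWARD, and uses '-m conntrack --ctstate NEW', the current spelling of '-m state --state NEW'. The sample rules file it writes is constructed for the example, and the IPTABLES variable lets you dry-run it with IPTABLES=echo before touching a live firewall.

```bash
#!/bin/bash
# Added example, not the post's own script: load a blocklist file into a
# dedicated iptables chain so the list can be rebuilt without touching the
# rest of the firewall. Comment lines start with "N", as in the post's file.
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"   # set IPTABLES=echo for a dry run
CHAIN="${CHAIN:-GEOBLOCK}"               # assumed chain name, not from the post

# Print the network entries of a rules file, one per line, deduplicated.
# Comment lines ("N ...") and blank lines are skipped; anything that is not
# a.b.c.d/n is reported on stderr and left out rather than fed to iptables.
parse_rules() {
    local file="$1" line
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            N*|"") continue ;;
        esac
        if printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
            printf '%s\n' "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$file" | sort -u
}

# Number of networks that would be loaded; a sanity check before applying.
count_rules() {
    parse_rules "$1" | wc -l | tr -d ' '
}

# (Re)build the chain and hook it at the top of INPUT and FORWARD.
# Matching only NEW connections means replies to our own outbound
# connections into a blocked range (DNS, mail relays, mirrors) still get in.
apply_rules() {
    local file="$1" net hook
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || "$IPTABLES" -F "$CHAIN"
    parse_rules "$file" | while read -r net; do
        "$IPTABLES" -A "$CHAIN" -s "$net" -j DROP
    done
    "$IPTABLES" -A "$CHAIN" -j RETURN
    # "-I ... 1" puts the jump ahead of any broad ACCEPT rule that "-A" would
    # land behind; "-C" avoids adding a second jump on every run.
    for hook in INPUT FORWARD; do
        "$IPTABLES" -C "$hook" -m conntrack --ctstate NEW -j "$CHAIN" 2>/dev/null ||
            "$IPTABLES" -I "$hook" 1 -m conntrack --ctstate NEW -j "$CHAIN"
    done
}

# Write a small rules file in the post's format (constructed for this example,
# with a duplicate and a bad line to exercise parse_rules).
write_sample_rules() {
    cat > "$1" <<'EOF'
N Sample blocklist, constructed for this example
N APNIC
58.0.0.0/8
59.0.0.0/8

N RIPE NCC
89.0.0.0/8
89.0.0.0/8
not-an-address
EOF
}
```

Source the file and run apply_rules /etc/iptables.rules as root, then persist the result with service iptables save (Red Hat-style systems) so it survives a reboot. Because the chain is flushed and rebuilt on every run, changing the list is just a matter of editing the file and running apply_rules again.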

Input file “iptables.rules”:

N Filename iptables.rules
N Russia .ru
89.0.0.0/8

N RIPE.NET (Europe, the Middle East and parts of Central Asia)
62.0.0.0/8
77.0.0.0/8
78.0.0.0/8
79.0.0.0/8
80.0.0.0/8
81.0.0.0/8
82.0.0.0/8
83.0.0.0/8
84.0.0.0/8
85.0.0.0/8
86.0.0.0/8
87.0.0.0/8
88.0.0.0/8
89.0.0.0/8
90.0.0.0/8
91.0.0.0/8
193.0.0.0/8
194.0.0.0/8
195.0.0.0/8
212.0.0.0/8
213.0.0.0/8
217.0.0.0/8

N APNIC (Asian Pacific Network Information Center)
58.0.0.0/8
59.0.0.0/8
60.0.0.0/8
61.0.0.0/8
202.0.0.0/8
203.0.0.0/8
210.0.0.0/8
211.0.0.0/8
218.0.0.0/8
219.0.0.0/8
220.0.0.0/8
221.0.0.0/8
222.0.0.0/8
116.0.0.0/8
117.0.0.0/8
118.0.0.0/8
119.0.0.0/8
120.0.0.0/8
121.0.0.0/8
122.0.0.0/8
123.0.0.0/8
124.0.0.0/8
125.0.0.0/8
126.0.0.0/8

N End APNIC Addresses

N LACNIC (Latin American and Caribbean Network Information Center)
189.0.0.0/8
190.0.0.0/8
200.0.0.0/8
201.0.0.0/8
N End LACNIC

N Add .EU here?
N duesentrieb.kunst.uni-frankfurt.de
141.0.0.0/8
N end .EU


Additionally, here is a link to the list of all IPv4 /8 blocks and the registries they are assigned to, as published by IANA (Internet Assigned Numbers Authority):

http://www.iana.org/assignments/ipv4-address-space

There is another way to block IPs using .htaccess on your apache webserver. I have to do some digging to get that worked out and I plan to post more info about that at a later date.

To use the iptables method you need root access on the server, which means a Virtual Private Server (VPS) or a dedicated server. The great thing about iptables compared with .htaccess is that a rule in the INPUT chain covers every service on the box: MySQL, sendmail (SMTP), Apache (HTTP), SSH, and so on. The .htaccess method only covers the web server and leaves everything else open to attack.

Please post any questions or comments that you have and I’ll try to answer them.

Good Luck!

2 Comments on “Blocking International Network Traffic From Your Server”


  • Lately I’ve had a tremendous number of attempts on multiple protocols (mostly ssh) to get through my iptables firewall. This is a great post and thank you for sharing. Perhaps I can iterate on it a bit by creating the block list from the source (note, this covers more networks than the above list, most specifically afrinic):

    /usr/bin/curl http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv > /etc/rc.firewall.AddressSpace

    for line in `grep -G "afrinic.net\|lacnic.net\|ripe.net\|apnic.net" /etc/rc.firewall.AddressSpace | cut -f 1 -d "/"`; do network=`echo $line|sed 's/^0*//'`;/sbin/iptables -I INPUT -s $network/8 -m state --state NEW -j DROP; done

    for line in `grep -G "afrinic.net\|lacnic.net\|ripe.net\|apnic.net" /etc/rc.firewall.AddressSpace | cut -f 1 -d "/"`; do network=`echo $line|sed 's/^0*//'`;/sbin/iptables -I FORWARD -s $network/8 -m state --state NEW -j DROP; done

    A couple of points. The conversion with sed is important as some networks, like 014/8, were added into iptables as 12.0.0.0/8. Dropping the leading zero fixed the problem. I also created a FORWARD rule as my firewall sends packets to other boxes in the DMZ. Finally, the -m state --state NEW is important if you want to allow your box (and in my case boxes behind it) to connect outbound to foreign sites.

  • Thanks for the comment, Peter. I added '-m state --state NEW' to my original post to allow international access for outbound requests.
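The first comment above derives the block list from IANA's CSV instead of a hand-maintained file. As an added example (not the commenter's script and not the post's), here is the same idea with the leading-zero fix done in a single regex, a constructed CSV sample in the layout of the IANA file so it runs offline, and an IPTABLES variable for dry runs. It keeps the commenter's whole-line match on the WHOIS server name, which means a row is also selected if another column happens to mention that registry; review the generated list before loading it.

```bash
#!/bin/bash
# Added example, not the commenter's script: build /8 block rules from the
# IANA IPv4 address-space CSV, converting prefixes such as "014/8" to
# "14.0.0.0/8" so iptables does not read the leading zero as octal (014 = 12).
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"   # set IPTABLES=echo for a dry run

# A handful of rows laid out like the IANA CSV (constructed for this example;
# fetch the real file from the URL in the post for current assignments).
sample_iana_csv() {
    cat <<'EOF'
Prefix,Designation,Date,WHOIS,RDAP,Status [1],Note
000/8,IANA - Local Identification,1981-09,,,RESERVED,
008/8,Administered by ARIN,1992-12,whois.arin.net,https://rdap.arin.net/registry,LEGACY,
014/8,Administered by APNIC,1991-06,whois.apnic.net,https://rdap.apnic.net/,LEGACY,
041/8,AFRINIC,2005-04,whois.afrinic.net,https://rdap.afrinic.net/rdap/,ALLOCATED,
058/8,APNIC,2004-04,whois.apnic.net,https://rdap.apnic.net/,ALLOCATED,
089/8,RIPE NCC,2005-06,whois.ripe.net,https://rdap.db.ripe.net/,ALLOCATED,
189/8,LACNIC,2005-06,whois.lacnic.net,https://rdap.lacnic.net/rdap/,ALLOCATED,
EOF
}

# Read the CSV on stdin and print one a.b.c.d/8 per row whose line matches the
# given regex of WHOIS servers (e.g. 'afrinic.net|lacnic.net'). The prefix is
# always the first column, so quoted commas later in a row do not matter.
iana_csv_to_cidrs() {
    local registries="$1"
    grep -E -- "$registries" |
        cut -d, -f1 |
        sed -E 's#^0*([0-9]+)/8$#\1.0.0.0/8#'
}

# Insert one DROP per network at the head of INPUT and FORWARD. Only NEW
# connections are matched, so replies to our own outbound connections pass.
block_from_iana() {
    local registries="$1" net hook
    iana_csv_to_cidrs "$registries" | while read -r net; do
        for hook in INPUT FORWARD; do
            "$IPTABLES" -I "$hook" -s "$net" -m conntrack --ctstate NEW -j DROP
        done
    done
}
```

Against the live file the call is curl -s http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv | block_from_iana 'afrinic.net|lacnic.net|ripe.net|apnic.net', run as root; run it once with IPTABLES=echo first to see exactly which /8s would be dropped, since "Administered by" legacy blocks show up under a registry's WHOIS server too.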