Does anyone know how to block access from a country?
Our firewall gets beat on by the
Ukraine
Russia
China
Korea
and we have no dealings with anybody from these countries. Is there a way to block all IP addresses originating in China, Ukraine, Russia, Korea etc. as well?
Thank You
Lalatendu
Responses (10)
Accepted Answer
Hi Nick!
Just a follow-up as I tried to use that script in ClearOS 6, even though I am not certain it ever worked... Thought I would add it to my ClearOS 7 boxes. Anyway, that thread is full of stuff that has led me off the path and confused me a bit and might confuse others as well, especially the naming of the files needed.
To summarize, we still need the three (3) scripts, each in the directory locations noted in Marcel's posts. The main script, (which you updated and made simpler), should be made executable. What should the main script be named? Will 'blockcountry.sh' be okay?
In the scripts you block "non-RIPE countries" meaning the RIPE countries are allowed. I need some RIPE countries blocked. What change needs to be done to ensure that whatever country specified in the ISO= line are blocked? Including RIPE addresses?
What should we name the other two (2) scripts that are needed? Do they need the .sh extension?
I've learned a lot from that thread but I am not sure now that it ever worked for me in ClearOS 6!
Thanks Nick!
John -
Accepted Answer
The main script is here. It does not reference RIPE. That was only for my own notes as I am most likely to only travel in Europe. Choose your countries as you want. All this script does is make an ipset list of country IPs. It can then be used as a block list or an allow list.
Otherwise use the elements from Marcel's post here, but you should craft your own firewall rules. Remember to make /etc/rc.d/rc.local executable.
Note the scripts all check if ipset is loaded. As belt and braces I also have a file /etc/sysconfig/modules/ip_set.modules with "modprobe ip_set" in it. -
Accepted Answer
Nick,
In trying to make things very easy for anyone, especially me, I think I have things consolidated and sorted out having reread the entire original thread a few times and adding in the new/current main script. Please let me know if this is what it should be?
Do we need the dollar sign ($) in front of iptables. ($iptables) for ClearOS 7? I recall an issue there but might have just been in the GUI.
--------------------------------------
STEP A
1). First, install ipset at the CLI with: "yum install ipset --enablerepo=clearos-core".
* (ipset 7.1 was already installed in ClearOS 7.)
2). The following code goes into a file you create named "country_list.sh" in "/etc/cron.monthly".
3). Make this file executable with: chmod 755 /etc/cron.monthly/country_list.sh
4). Add the two (2) letter country codes for the countries you wish to block to ISO="codes go here"
#!/bin/bash
# A list of the ISO country codes can be found at http://en.wikipedia.org/wiki/ISO_3166-1
# Country codes are case insensitive for this script
ISO="at be ch cy cz de dk es fr gb gr ie it lu mt nl pt eu va sm mc je gg im"
if ! lsmod | grep -q ip_set; then
    modprobe ip_set
fi
# Destroy country-list-temp in case it exists and is populated
ipset destroy -q country-list-temp
# Make sure the new lists exist (-exist: no error if they already do)
ipset create country-list nethash maxelem 524288 -exist
ipset create country-list-temp nethash maxelem 524288 -exist
# Load the country list. curl -f returns nothing on an HTTP error instead of
# feeding an error page into the set
curl -sf -d country=1 --data-urlencode "country_list=$ISO" -d format_template=prefix https://ip.ludost.net/cgi/process | grep -v '^#' | while read -r line
do
    ipset add -exist country-list-temp "$line"
done
# Never swap in an empty set: with the "! --match-set" rules below an empty
# list would drop every new connection on the listed ports, with a plain
# match it would block nothing. Member lines of "ipset list" start with a digit.
if [ "$(ipset list country-list-temp | grep -c '^[0-9]')" -eq 0 ]; then
    logger -t country-list "Download failed or returned no prefixes, keeping the old list"
    ipset destroy -q country-list-temp
    exit 1
fi
# Make the temp list current (atomic swap, no window without a list)
ipset swap country-list country-list-temp
# Destroy the (now old) temp list
ipset destroy -q country-list-temp
# Create save list for loading on boot; add -exist so restoring over a set the
# firewall script already created is not an error
ipset save country-list > /usr/src/ipset_country-list.save
sed -i 's/create/create -exist/g' /usr/src/ipset_country-list.save
sed -i 's/add/add -exist/g' /usr/src/ipset_country-list.save
logger -t country-list "Updated"
STEP B
1). The following code is added into a file you will create and name "/etc/clearos/firewall.d/20-ipset-blocks".
2). In the lines that end in DROP, add the ports you wish to block, i.e.: --dports 80,25,443,587,993 etc.
3). If you only want to drop TCP or only UDP ports, comment out or remove the appropriate line.
# IPv4 only for now
#------------------
if [ "$FW_PROTO" != "ipv4" ]; then
    return 0
fi
if ! lsmod | grep -q ip_set; then
    modprobe ip_set
fi
# Block country addresses (exempt permitted countries)
#
# Use the same maxelem as country_list.sh: "-exist" only ignores the error
# when the parameters of the existing set match.
# note the > /dev/null 2>&1 is needed for some odd reason
ipset create country-list nethash maxelem 524288 -exist > /dev/null 2>&1
# "! --match-set" drops new connections from sources NOT in the set, so the
# ISO= list in country_list.sh is the allowed list. Remove the "!" to turn it
# into a block list instead.
$IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p tcp -m multiport --dports 587,993,1194 -j DROP
$IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p udp -m multiport --dports 1194,1195 -j DROP
STEP C
1). The following code is added into the existing file "/etc/rc.d/rc.local"
# Load in all previously saved ipset sets
if ! lsmod | grep -q ip_set; then
    modprobe ip_set
fi
# Only restore if country_list.sh has run at least once and written the file
if [ -f /usr/src/ipset_country-list.save ]; then
    ipset restore < /usr/src/ipset_country-list.save
fi
STEP D
1). To start it up for the first time, from the CLI (root prompt) type in "/etc/cron.monthly/country_list.sh"
2). Restart the firewall by:
   a). at the root CLI entering: "service firewall restart", or
   b). rebooting your Clear box. -
Accepted Answer
The firewall rules look a bit dodgy and should be updated a bit to use $IPTABLES and not iptables. Also note the extra bit at the beginning. Mine are:
# IPv4 only for now
#------------------
if [ "$FW_PROTO" != "ipv4" ]; then
    return 0
fi
if ! lsmod | grep -q ip_set; then
    modprobe ip_set
fi
# Block country addresses (exempt permitted countries)
#
# same maxelem as country_list.sh: "-exist" only ignores the error when the parameters match
# note the > /dev/null 2>&1 is needed for some odd reason
ipset create country-list nethash maxelem 524288 -exist > /dev/null 2>&1
$IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p tcp -m multiport --dports 587,993,1194 -j DROP
$IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p udp -m multiport --dports 1194,1195 -j DROP
I am using a different state match which may perform a little better. I also don't use the "-i" parameter as it is not needed, but it does make the rules more specific.
Note your firewall rule is only blocking TCP ports. As a general idea, if you don't have a port open there is no need to block it, but, if you wanted, you could block everything but TCP with:
# no "!" here, so this matches sources that ARE in the set; COUNTRY_BLOCK is a
# user-defined chain not shown in this thread, use -j DROP if you have not created one
$IPTABLES -I INPUT -i eth0 -m set --match-set country-list src ! -p tcp -m conntrack --ctstate NEW -j COUNTRY_BLOCK
There is a step E. Restart the firewall. You can check the block rule exists with:
iptables -nvL INPUT
ipset will already be installed if you have the Attack Detector or IDS/IPS installed and it looks like it is part of the default installation these days. -
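As an added example (not code from this thread or from ClearOS), here is the update logic of country_list.sh written so that it refuses to swap in an empty set and loads the whole list with one ipset restore instead of one ipset add per prefix. The set name, the /usr/src save path, the sed trick for -exist and the ip.ludost.net request are taken from the posts above; the helper names (is_cidr4, build_restore_stream, apply_set), the ISO list and the sample prefix lines are assumptions made for the example:

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearOS. The set name, the
# save path and the ip.ludost.net request come from the posts above; the
# helpers is_cidr4, build_restore_stream and apply_set and the sample prefix
# list are this example's own constructions.

SET_NAME=country-list
SAVE_FILE=/usr/src/ipset_country-list.save   # save path used in the thread
ISO="ru ua cn kr"                            # countries named in the question

# Constructed sample in the "prefix" format the curl call asks for:
# one network per line, '#' comment lines. Not real data for any country.
SAMPLE_PREFIXES='# ip.ludost.net prefix list (constructed sample)
# country=ru
5.8.8.0/21
31.13.144.0/21
# country=ua
37.52.0.0/14
not-an-address
46.33.64.0/18
'

# True if $1 is an IPv4 network a.b.c.d[/n] with octets 0-255 and n 0-32.
is_cidr4() {
    local net ip plen o IFS
    net=$1
    case "$net" in
        */*) ip=${net%/*}; plen=${net#*/} ;;
        *)   ip=$net; plen=32 ;;
    esac
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in '') return 1 ;; esac           # "1..2.3" has an empty octet
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Read prefix lines on stdin and print an `ipset restore` stream that
# builds $1-temp. Fails (status 1) if not a single valid prefix was read,
# so a failed download never becomes an empty live set.
build_restore_stream() {
    local name line count
    name=$1
    count=0
    printf 'create %s-temp hash:net family inet maxelem 524288 -exist\n' "$name"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # strip comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # and whitespace
        [ -n "$line" ] || continue
        if is_cidr4 "$line"; then
            printf 'add %s-temp %s -exist\n' "$name" "$line"
            count=$((count + 1))
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done
    [ "$count" -gt 0 ]
}

# Load the list from stdin and swap it in atomically. Needs root and ipset;
# the dry run at the bottom never calls it.
apply_set() {
    local name stream
    name=$1
    if ! stream=$(build_restore_stream "$name"); then
        logger -t "$name" "empty or invalid prefix list, keeping the current set"
        return 1
    fi
    ipset destroy -q "$name-temp"
    printf '%s\n' "$stream" | ipset restore || return 1
    ipset create "$name" hash:net family inet maxelem 524288 -exist
    ipset swap "$name" "$name-temp"
    ipset destroy "$name-temp"
    # Save for rc.local; "-exist" added as the thread does, so restoring over
    # a set the firewall script already created is not an error.
    ipset save "$name" | sed -e 's/^create /create -exist /' -e 's/^add /add -exist /' > "$SAVE_FILE"
    logger -t "$name" "Updated"
}

# Dry run by default: print the stream the sample produces. With --apply,
# fetch the real list the way country_list.sh does (root + ipset required).
if [ "${1:-}" = "--apply" ]; then
    curl -sf -d country=1 --data-urlencode "country_list=$ISO" \
        -d format_template=prefix https://ip.ludost.net/cgi/process | apply_set "$SET_NAME"
else
    printf '%s' "$SAMPLE_PREFIXES" | build_restore_stream "$SET_NAME"
fi
```

Run it with no arguments to see the stream the sample produces (the bad entry is reported on stderr and left out); --apply as root fetches and loads the real list. The empty-set guard matters because of the "!" in the firewall rules above: country-list is an allow list there, so an empty set would drop every new connection on the listed ports until the next cron run.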
Accepted Answer
Hi Nick!
I completely forgot about TCP and UDP and somehow imagined a complete port block without specifying either protocol never seeing tcp in the block rule! Old and still learning even after using this and commenting on it years ago! (Love this stuff... still)!
And thanks for reminding me to restart the firewall... again forgot about that bit!
You ARE amazing when it comes to this stuff! Thank-you!
I will add the bits you provided to my code post to make it a fairly complete and easy country block setup.
Thanks again!
John -
Accepted Answer
Nick Howitt wrote:
The firewall rules look a bit dodgy and should be updated a bit to use $IPTABLES and not iptables. Also note the extra bit at the beginning. Mine are:
# IPv4 only for now
#------------------
if [ "$FW_PROTO" != "ipv4" ]; then
    return 0
fi
if ! lsmod | grep -q ip_set; then
    modprobe ip_set
fi
# Block country addresses (exempt permitted countries)
#
# same maxelem as country_list.sh: "-exist" only ignores the error when the parameters match
# note the > /dev/null 2>&1 is needed for some odd reason
ipset create country-list nethash maxelem 524288 -exist > /dev/null 2>&1
$IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p tcp -m multiport --dports 587,993,1194 -j DROP
$IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p udp -m multiport --dports 1194,1195 -j DROP
I am using a different state match which may perform a little better. I also don't use the "-i" parameter as it is not needed, but it does make the rules more specific.
Note your firewall rule is only blocking TCP ports. As a general idea, if you don't have a port open there is no need to block it, but, if you wanted, you could block everything but TCP with:
# no "!" here, so this matches sources that ARE in the set; COUNTRY_BLOCK is a
# user-defined chain not shown in this thread, use -j DROP if you have not created one
$IPTABLES -I INPUT -i eth0 -m set --match-set country-list src ! -p tcp -m conntrack --ctstate NEW -j COUNTRY_BLOCK
There is a step E. Restart the firewall. You can check the block rule exists with:
iptables -nvL INPUT
ipset will already be installed if you have the Attack Detector or IDS/IPS installed and it looks like it is part of the default installation these days.
Dumb question:
How do i choose which countries to block/allow? -
Accepted Answer
It is in the script a few posts earlier. You've only picked out the firewall part of the solution. The full solution is also in the HowTo here. -
Accepted Answer
Nick Howitt wrote:
It is in the script a few posts earlier. You've only picked out the firewall part of the solution. The full solution is also in the HowTo here.
I want to block only from a specific list of countries.
So can I replace
$IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p tcp -m multiport --dports 587,993,1194 -m state --state NEW -j DROP
with
$IPTABLES -I INPUT -m conntrack --ctstate NEW -m set --match-set country-list src -p tcp -m multiport --dports 587,993,1194 -m state --state NEW -j DROP
I'm gonna try it and post back.