There are many situations in which you may need to block IP addresses on Linux. As an end user, you may want to protect yourself from spyware or IP tracking, or filter out anti-P2P monitoring while running P2P software. As a system administrator, you may want to keep known spam sources away from your corporate mail server, or deny certain countries access to your web service. In all of these cases, the block list can quickly grow to tens of thousands of IP addresses. How do you deal with that?
Problems with Netfilter/iptables
In Linux, it is easy to ban a single IP address with the netfilter/iptables framework:
- $ sudo iptables -A INPUT -s 1.1.1.1 -p TCP -j DROP
If you want to block a whole range of IP addresses, that is just as simple with a CIDR prefix:
- $ sudo iptables -A INPUT -s 1.1.2.0/24 -p TCP -j DROP
But what do you do when you have 1000 unrelated IP addresses that cannot be summarized with CIDR (Classless Inter-Domain Routing) prefixes? You would need 1000 iptables rules, one per address, and the kernel has to evaluate them one after another for every packet. This obviously does not scale to large-scale blocking.
- $ sudo iptables -A INPUT -s 1.1.1.1 -p TCP -j DROP
- $ sudo iptables -A INPUT -s 2.2.2.2 -p TCP -j DROP
- $ sudo iptables -A INPUT -s 3.3.3.3 -p TCP -j DROP
- ....
What is an IP set?
This is where IP sets come into play. An IP set is a kernel feature that stores many (independent) IP addresses, MAC addresses or even port numbers in an efficient bitmap or hash data structure inside the kernel. Once an IP set is created, you can write a single iptables rule that matches against the whole set.
The benefit is obvious: one iptables rule matches any number of IP addresses, and a lookup in a hash set costs the same regardless of how many entries it holds. You can build IP sets from combinations of IP addresses and port numbers, and you can add or remove members dynamically without touching the rule set and without a performance penalty.
Install the ipset Tool in Linux
To create and manage IP sets, you need the userspace tool called ipset.
To install it on Debian, Ubuntu or Linux Mint:
- $ sudo apt-get install ipset
To install it on Fedora or CentOS/RHEL 7:
- $ sudo yum install ipset
Ban IP Addresses with the ipset Command
Let me show you how to use the ipset command with a simple example.
First, let's create a new IP set called banthis (the name is arbitrary):
- $ sudo ipset create banthis hash:net
The second argument (hash:net) is required and specifies the type of the set. There are several set types. A set of type hash:net uses a hash to store multiple CIDR blocks. If you want to store individual IP addresses instead, use the hash:ip type.
Once an IP set is created, you can check it with the following command:
- $ sudo ipset list
This displays the available IP sets together with their members. By default, an IP set can hold up to 65536 elements (here, CIDR blocks). You can raise that limit by appending the "maxelem N" option when creating the set:
- $ sudo ipset create banthis hash:net maxelem 1000000
Now let's add IP blocks to this set:
- $ sudo ipset add banthis 1.1.1.1/32
- $ sudo ipset add banthis 1.1.2.0/24
- $ sudo ipset add banthis 1.1.3.0/24
- $ sudo ipset add banthis 1.1.4.10/24
Listing the set again shows the new members:
- $ sudo ipset list
Now it's time to create an iptables rule that uses the IP set. The key is the "-m set --match-set" option.
Let's create an iptables rule that prevents the IP blocks above from reaching the web service on port 80 ("src" means the set is matched against the source address of each packet):
- $ sudo iptables -I INPUT -m set --match-set banthis src -p tcp --destination-port 80 -j DROP
If you want, you can save an IP set to a file and restore it from that file later:
- $ sudo ipset save banthis -f banthis.txt
- $ sudo ipset destroy banthis
- $ sudo ipset restore -f banthis.txt
In the commands above, I used the destroy option to delete the existing IP set before restoring it, to verify that the restore actually works.
Automating IP Blocking
By now you should see the power of IP sets. Maintaining an IP blacklist by hand, however, is tedious and time-consuming, which is why there are many free and paid services that do it for you. As a bonus, let's see how to feed such a blacklist into an IP set automatically.
First, let's get a free blacklist from iblocklist.com. This site offers several free and paid lists; the free ones are published in P2P format.
Next, I'm going to use an open source Python tool called iblocklist2ipset to convert a P2P-format blacklist into an IP set.
First, you need to have pip installed (refer to this guide to install pip).
Install iblocklist2ipset using the following command.
- $ sudo pip install iblocklist2ipset
On some distributions like Fedora, you may need to run:
- $ sudo python-pip install iblocklist2ipset
Now go to iblocklist.com and grab the URL of any P2P list (for example, the "level1" list).
Paste that URL into the command below:
- $ iblocklist2ipset generate \
    --ipset banthis "http://list.iblocklist.com/?list=ydxerpxkpcfqjaybcssw&fileformat=p2p&archiveformat=gz" \
    > banthis.txt
After the above command runs, you will get a file called banthis.txt. If you look at its contents, you'll see something like this:
- create banthis hash:net family inet hashsize 131072 maxelem 237302
- add banthis 1.2.4.0/24
- add banthis 1.2.8.0/24
- add banthis 1.9.75.8/32
- add banthis 1.9.96.105/32
- add banthis 1.9.102.251/32
- add banthis 1.9.189.65/32
- add banthis 1.16.0.0/14
You can load this file with the following ipset command:
- $ sudo ipset restore -f banthis.txt
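As an added example (not part of the original article and not the iblocklist2ipset tool itself), the POSIX shell/awk converter below does the same job offline: it reads P2P-format lines ("description:first-last"), splits every range into the minimal set of aligned CIDR blocks and prints an ipset restore script in the format shown above. The set name banthis and the sample list are constructed for this example.

```shell
# Convert a P2P-format blocklist ("description:first-last", one range per line)
# into an `ipset restore` script for a hash:net set. POSIX sh + awk only; the
# set name and the sample list at the bottom are constructed for this example.

p2p_to_ipset() {    # usage: p2p_to_ipset SETNAME < list.p2p
    awk -v name="$1" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function int2ip(n) {
        return int(n / 16777216) % 256 "." int(n / 65536) % 256 "." int(n / 256) % 256 "." n % 256
    }
    # Append the aligned CIDR blocks covering [lo, hi] (integers) to order[].
    function emit_range(lo, hi,    len, size, cidr) {
        while (lo <= hi) {
            len = 32; size = 1
            # grow the block while it stays aligned on lo and inside the range
            while (len > 0 && lo % (size * 2) == 0 && lo + size * 2 - 1 <= hi) {
                size *= 2; len--
            }
            cidr = int2ip(lo) "/" len
            if (!(cidr in seen)) { seen[cidr] = 1; order[++count] = cidr }   # no duplicate adds
            lo += size
        }
    }
    /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
    {
        # the range follows the LAST colon; descriptions may contain colons
        if (!match($0, /:[0-9.]+-[0-9.]+[ \t]*$/)) {
            print "skipping malformed line: " $0 > "/dev/stderr"; next
        }
        range = substr($0, RSTART + 1, RLENGTH - 1); sub(/[ \t]+$/, "", range)
        split(range, ends, "-"); lo = ip2int(ends[1]); hi = ip2int(ends[2])
        if (lo > hi) { print "skipping reversed range: " range > "/dev/stderr"; next }
        emit_range(lo, hi)
    }
    END {
        maxelem = (count > 65536) ? count : 65536   # never below the ipset default
        printf "create %s hash:net family inet maxelem %d\n", name, maxelem
        for (i = 1; i <= count; i++) printf "add %s %s\n", name, order[i]
    }'
}

# Constructed sample in P2P format (not an excerpt of a real list).
sample='Example Org:1.2.4.0-1.2.4.255
Odd Range:10.0.0.1-10.0.0.6
Wide Block:1.16.0.0-1.19.255.255'
printf '%s\n' "$sample" | p2p_to_ipset banthis
```

Because the restore file's create line fails when the set already exists, load the output with `sudo ipset -exist restore -f banthis.txt`, or destroy the set first as the article does.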
The automatically created IP set can now be viewed:
- $ sudo ipset list banthis
At the time of this writing, the "level1" list contains about 237,000 blocked entries, and you can see that all of them have been added to the IP set.
Finally, create the iptables rule that matches the set, as shown earlier, to block these bad guys!
Summary
In this article, I have described how to block unwanted IP addresses with the powerful ipset tool, and how to combine it with the third-party tool iblocklist2ipset so that your block list can be kept up to date with little effort. For those curious about the performance gain from ipset, the graph below shows benchmark results for iptables with and without ipset (note the time axis).
Tell me how you like this. :-)
via: http://xmodulo.com/block-unwanted-ip-addresses-linux.html
Author: Dan Nanni Translator: geekpi Proofreading: wxy
This article was originally translated by LCTT and first published by Linux China.