* RE: Blocking Netranges Based on IP-to-Country CSV
@ 2004-09-17 20:16 Hudson Delbert J Contr 61 CS/SCBN
2004-09-20 11:57 ` Nick Drage
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-09-17 20:16 UTC (permalink / raw)
To: 'Netfilter Mailing List'
Depends on what you call a 'legitimate' connection.
If the guy is browsing the web and comes upon, say, perhaps... your website,
why would he not be considered 'legitimate' because you don't like the
'reputation'...
####################################
# delbert.hudson@losangeles.af.mil #
# 61cs/scbn, 3-0182 #
####################################
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-17 20:16 Blocking Netranges Based on IP-to-Country CSV Hudson Delbert J Contr 61 CS/SCBN
@ 2004-09-20 11:57 ` Nick Drage
From: Nick Drage @ 2004-09-20 11:57 UTC (permalink / raw)
To: netfilter
On Fri, Sep 17, 2004 at 01:16:00PM -0700, Hudson Delbert J Contr 61 CS/SCBN wrote:
> depends on what you call a 'legitimate' connection.
It does.
> If the guy is browsing the web and comes upon, say, perhaps... your website,
> why would he not be considered 'legitimate' because you don't like the
> 'reputation'...
Then this is a legitimate connection. If you want your website to be
accessible to all then you wouldn't use this system to filter
connections.
Does anyone have statistics on attacks received by source country?
Anyone managed to get this up and running to look at log files?
--
mors omnia vincit
* Blocking Netranges Based on IP-to-Country CSV
@ 2004-09-20 13:57 nutbrownhares
2004-09-20 14:09 ` Jason Opperisano
2004-09-20 14:10 ` Alexis
From: nutbrownhares @ 2004-09-20 13:57 UTC (permalink / raw)
To: netfilter
With all due respect, I initially asked a technical question: given a data file, how does one block ranges from that file. I didn't ask if people agreed or disagreed with why we want to do this. The "why" isn't relevant to the discussion. I'm also not interested in whether it is or is not 100% effective; I know it isn't. It will still eliminate 95% of the traffic I want to stop. So far I've seen a lot of political opinions. Does anyone have a technical answer?
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-20 13:57 nutbrownhares
@ 2004-09-20 14:09 ` Jason Opperisano
2004-09-20 14:10 ` Alexis
From: Jason Opperisano @ 2004-09-20 14:09 UTC (permalink / raw)
To: netfilter
On Mon, 2004-09-20 at 09:57, nutbrownhares@tds.net wrote:
> With all due respect, I initially asked a technical question: given a data file, how does one block ranges from that file. I didn't ask if people agreed or disagreed with why we want to do this. The "why" isn't relevant to the discussion. I'm also not interested in whether it is or is not 100% effective; I know it isn't. It will still eliminate 95% of the traffic I want to stop. So far I've seen a lot of political opinions. Does anyone have a technical answer?
>
true that.
FILE="/path/to/file"
# $FILE holds one IP address or IP/PREFIX per line; read it line by line
# instead of word-splitting `cat` output, and skip blank lines
while read -r ADDR; do
[ -n "$ADDR" ] || continue
iptables -A mychain -s "$ADDR" -j DROP
done < "$FILE"
the above assumes that $FILE contains a list of IP addresses or
IP/PREFIX values, one per line. it also assumes that "mychain" exists,
and that you want to block the addresses in $FILE by source. adjust as
needed for your exact situation.
-j
--
Jason Opperisano <opie@817west.com>
* RE: Blocking Netranges Based on IP-to-Country CSV
2004-09-20 13:57 nutbrownhares
2004-09-20 14:09 ` Jason Opperisano
@ 2004-09-20 14:10 ` Alexis
From: Alexis @ 2004-09-20 14:10 UTC (permalink / raw)
To: nutbrownhares, netfilter
OK, now, from South America WHERE WE THE INDIANS LIVE, and with this
question understood from the first moment and before all the short-minded
discussion.
The approach I'll take for this technical issue is a script to insert those
rules. Of course there could be a lot of other approaches, but.
If my CSV is something like this
CountryA,a.b.c.d/16
countryA,z.x.d.e/12
I'll do something like
---cut here
#!/usr/bin/perl -w
# reads "Country,a.b.c.d/prefix" lines and adds one DROP rule per range
open(FILE, "<", "file.csv") or die "cannot open file.csv: $!";
while (<FILE>)
{
    chomp;                          # drop the newline before using the range
    my @a = split(",", $_);         # $a[0] = country, $a[1] = address range
    system("iptables -A CHAIN -s $a[1] -j DROP");
}
close FILE;
---cut here
But I think that you can choose the method based on these directives:
"if there are more banned addresses than permitted" < set policy to drop and add
the allowed ones with a script like the one posted.
"if there are more allowed addresses than banned" < setting policy to accept is
not a good idea; at least you may add a drop at the bottom of the chain and
use the script provided.
Of course there could be other approaches, but I hope it helps.
Regards
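As an added example (not code from anyone in this thread), here is the whole pipeline the thread asks for in Python: it reads an IP-to-country CSV, turns each numeric range into the smallest set of CIDR prefixes and collapses adjacent ones (which is why a region block list needs few rules), emits per-country iptables rules the way Jason's loop and Alexis's script do, and answers Nick's question about attributing LOG lines to source countries. The CSV layout (begin_num,end_num,CC), the XA/XB/XC codes and the log lines are all assumptions constructed for the example, modelled on the "IP long number" ranges Gary describes.

```python
#!/usr/bin/env python3
# Assumed CSV layout (an assumption for this example, modelled on the thread's
# "IP long number" ranges): begin_num,end_num,CC with 32-bit integer bounds.
import bisect
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample data using reserved/documentation ranges only; it is NOT
# the real ip-to-country.webhosting.info file. XA/XB/XC are placeholder codes.
SAMPLE_CSV = """\
"begin_num","end_num","CC"
"3232235520","3232268287","XA"
"3232268288","3232301055","XA"
"167772160","184549375","XB"
"2886729728","2887778303","XC"
"3221225985","3221225994","XC"
"""

# Constructed iptables LOG lines in the format the LOG target writes.
SAMPLE_LOG = [
    "Sep 20 10:01:02 fw kernel: BADIP: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.50 PROTO=TCP DPT=22",
    "Sep 20 10:01:05 fw kernel: BADIP: IN=eth0 OUT= SRC=172.20.0.9 DST=192.0.2.50 PROTO=TCP DPT=22",
    "Sep 20 10:01:09 fw kernel: BADIP: IN=eth0 OUT= SRC=10.9.9.9 DST=192.0.2.50 PROTO=TCP DPT=80",
    "Sep 20 10:01:12 fw kernel: BADIP: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.50 PROTO=UDP DPT=53",
]

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_ranges(text):
    """Return [(begin, end, cc)] sorted by begin; malformed rows are skipped."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            begin, end = int(rec["begin_num"]), int(rec["end_num"])
            cc = rec["CC"].strip().upper()
        except (KeyError, AttributeError, ValueError):
            continue
        if not (0 <= begin <= end <= 0xFFFFFFFF):   # must be an ordered IPv4 pair
            continue
        rows.append((begin, end, cc))
    rows.sort()
    return rows


def range_to_cidrs(begin, end):
    """Smallest set of CIDR prefixes covering begin..end inclusive."""
    first, last = ipaddress.IPv4Address(begin), ipaddress.IPv4Address(end)
    return list(ipaddress.summarize_address_range(first, last))


def country_cidrs(rows, countries):
    """Map each wanted country code to its collapsed list of networks.

    Adjacent CSV ranges merge into one prefix, which is why a region-level
    block list needs far fewer rules than the row count suggests.
    """
    wanted = {c.upper() for c in countries}
    nets = {cc: [] for cc in wanted}
    for begin, end, cc in rows:
        if cc in wanted:
            nets[cc].extend(range_to_cidrs(begin, end))
    return {cc: list(ipaddress.collapse_addresses(v)) for cc, v in nets.items()}


def iptables_rules(networks, chain="COUNTRYBLOCK", target="DROP"):
    """One iptables command per prefix, appended to a dedicated chain."""
    return [f"iptables -A {chain} -s {net.with_prefixlen} -j {target}"
            for net in networks]


def lookup_country(rows, ip):
    """Country code for a dotted-quad IP, or None if no CSV range covers it."""
    n = int(ipaddress.IPv4Address(ip))
    begins = [r[0] for r in rows]
    i = bisect.bisect_right(begins, n) - 1   # last range starting at or before n
    if i >= 0 and rows[i][0] <= n <= rows[i][1]:
        return rows[i][2]
    return None


def count_by_country(rows, log_lines):
    """Tally iptables LOG lines by the country of their SRC= address."""
    tally = Counter()
    for line in log_lines:
        m = SRC_RE.search(line)
        if m:
            tally[lookup_country(rows, m.group(1)) or "unknown"] += 1
    return dict(tally)


if __name__ == "__main__":
    rows = parse_ranges(SAMPLE_CSV)
    for cc, nets in country_cidrs(rows, ["XA", "XC"]).items():
        print(f"# {cc}: {len(nets)} rule(s)")
        print("\n".join(iptables_rules(nets)))
    print(count_by_country(rows, SAMPLE_LOG))
```

Run it with the real CSV by replacing SAMPLE_CSV with the file contents (after checking the column names match), and feed the generated rules into a dedicated chain that INPUT jumps to, so the block list can be flushed and rebuilt on its own.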
* RE: Blocking Netranges Based on IP-to-Country CSV
@ 2004-09-16 16:33 Hudson Delbert J Contr 61 CS/SCBN
2004-09-17 11:46 ` Nick Drage
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-09-16 16:33 UTC (permalink / raw)
To: 'McFall, Gary', 'netfilter@lists.netfilter.org'
Why do this?
Seems a bit nasty in nature.
We don't even do this sort of thing? See email addy...
~piranha
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of McFall, Gary
Sent: Wednesday, September 15, 2004 5:58 AM
To: 'netfilter@lists.netfilter.org'
Subject: Blocking Netranges Based on IP-to-Country CSV
Due to a number of issues, my organization is looking at being able to block
certain country domains at the firewall. To be proactive, we want to
automate that process via iptables & the CSV available at
<http://ip-to-country.webhosting.info>.
We have created a C program (IPCheck) in the /bin directory which, when
given an IP long number, checks the ip-to-country CSV and returns a value
for permit or not. We want to process the packet based on that return.
I'm a relative newbie with iptables & scripts. Listed below is some very
crude code, some of which is a verbal description of intent. Any
suggestions on how to shore this up so that it will work? Or should this
concept be a new module in iptables?
#
# ***** DROP BAD IPS *****
#
# intent: pull the SRC= address out of a logged packet line (read on stdin),
# hand it to IPCheck, and send that source to the INBADIPS chain if it is bad
SRC=`sed -n 's/.*SRC=\([0-9.]*\).*/\1/p'`
if [ "`/bin/IPCheck $SRC`" = "Bad IP" ]; then
$IPT -A INPUT -i $ETH0 -s $SRC $RATELIMIT -j INBADIPS
fi
# ***** RULES - DROP BAD IPS *****
# ***** REVIEW LOG AT /var/log/iptables.log *****
#
# LOG does not stop rule traversal, so logging and dropping are two rules
$IPT -A INBADIPS -j LOG --log-level debug --log-prefix "BADIP: "
$IPT -A INBADIPS -j DROP
Thanks in advance for your help.
Gary McFall
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-16 16:33 Hudson Delbert J Contr 61 CS/SCBN
@ 2004-09-17 11:46 ` Nick Drage
2004-09-18 13:25 ` Pascal Vilarem
2004-09-19 9:09 ` Mohamed Eldesoky
From: Nick Drage @ 2004-09-17 11:46 UTC (permalink / raw)
To: netfilter
On Thu, Sep 16, 2004 at 09:33:03AM -0700, Hudson Delbert J Contr 61 CS/SCBN wrote:
>
> why do this ?
There's a good set of reasons on:
http://ip-to-country.webhosting.info/
> seems a bit nasty in nature.
Depends how you use the information. And to be honest considering the
reputation of some sources of traffic, such as Korea and South America,
which might be unlikely to have legitimate connections to your site, it
would be handy to block them all.
> we dont even do this sort of thing? see email addy...
But you're a worldwide organisation, and I think there's much more that
you can do with this than just block. For example, has anyone figured
out a way to tie this into logging rules? It would be great to see which
countries I'm being attacked from.
--
mors omnia vincit
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-17 11:46 ` Nick Drage
@ 2004-09-18 13:25 ` Pascal Vilarem
2004-09-19 11:09 ` Nick Drage
2004-09-19 9:09 ` Mohamed Eldesoky
From: Pascal Vilarem @ 2004-09-18 13:25 UTC (permalink / raw)
To: Netfilter Mailing List; +Cc: pvilarem-ml
My 2 cents:
Nick Drage wrote:
>On Thu, Sep 16, 2004 at 09:33:03AM -0700, Hudson Delbert J Contr 61 CS/SCBN wrote:
>>why do this ?
>
>There's a good set of reasons on:
>http://ip-to-country.webhosting.info/
good set of reasons... but none of these is a good reason :-)
>>seems a bit nasty in nature.
>
>Depends how you use the information. And to be honest considering the
>reputation of some sources of traffic, such as Korea and South America,
>which might be unlikely to have legitimate connections to your site, it
>would be handy to block them all.
Let me disagree... you're going to drop everybody from one country... most
of them are inoffensive...
And more: the really bad guys will just have to hack a good-looking
computer in a "good" country.
And then they will bypass this miraculous system...
You will just FEEL safe but you won't be at all... and you'll just hit
everybody but your "target" :-\
It IS a bit nasty... and more: it is blindly ineffective.
>>we dont even do this sort of thing? see email addy...
>
>But you're a worldwide organisation, and I think there's much more that
>you can do with this than just block. For example, has anyone figured
>out a way to tie this into logging rules? It would be great to see which
>countries I'm being attacked from.
If you're dealing with "bad guys" you'd better invest in an intrusion
prevention system...
Start on a Snort or Prelude basis, for example... then you'd be able to
adapt netfilter dynamically.
If you have to protect some data, authenticate your users/customers no
matter which country they are from.
grtx.
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-18 13:25 ` Pascal Vilarem
@ 2004-09-19 11:09 ` Nick Drage
2004-09-19 14:59 ` Alexis
From: Nick Drage @ 2004-09-19 11:09 UTC (permalink / raw)
To: netfilter
On Sat, Sep 18, 2004 at 03:25:47PM +0200, Pascal Vilarem wrote:
> My 2 cents:
> >Depends how you use the information. And to be honest considering the
> >reputation of some sources of traffic, such as Korea and South America,
> >which might be unlikely to have legitimate connections to your site, it
> >would be handy to block them all.
> >
> Let me disagree... you're going to drop everybody from one country... most
> of them are inoffensive...
> And more: the really bad guys will just have to hack a good-looking
> computer in a "good" country.
> And then they will bypass this miraculous system...
It is unlikely that blocking packets according to their source country
will be the only step in a security system, however it will filter out a
lot of the traffic that subsequent systems have to deal with.
> You will just FEEL safe but you wont be at all... and you'll just hit
> everybody but your "target" :-\
That would be an error in the use of the system, not in the system
itself. It's just a tool.
> It IS a bit nasty... and more: it is blindly ineffective.
No it isn't - say I've got a VPN gateway for my 1000 home users to
connect into the corporate network. I know some of them are in Britain,
France and Germany, so I just want to permit connections from those
three countries because I know they're possibly legitimate. I know my
employees don't live anywhere else, so I can filter out any traffic from
any other country, so reducing the attacks that the other software on
the VPN gateway has to deal with.
> >But you're a worldwide organisation, and I think there's much more that
> >you can do with this than just block. For example, has anyone figured
> >out a way to tie this into logging rules? It would be great to see which
> >countries I'm being attacked from.
>
> If you're dealing with "bad guys" you'd better invest in an intrusion
> prevention system... Start on a Snort or Prelude basis, for example...
> then you'd be able to adapt netfilter dynamically.
That still won't tell me which country I'm being attacked from; I'd be
interested to see if certain countries deserve the reputation they have.
As for dynamically adaptive rules... does anyone here have experience
of using these? How easy or difficult is it to fake the source of an
attack and so block legitimate traffic?
> if you have to protect some data, authenticate your users/customers no
> matter from which country they are.
Yes - this system certainly isn't a replacement for that, but then it
doesn't purport to be afaict.
Oh, and how far off-topic are we yet? ;)
--
mors omnia vincit
* RE: Blocking Netranges Based on IP-to-Country CSV
2004-09-19 11:09 ` Nick Drage
@ 2004-09-19 14:59 ` Alexis
From: Alexis @ 2004-09-19 14:59 UTC (permalink / raw)
To: 'Netfilter Mailing List'
Feels just great reading this from South America.
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-17 11:46 ` Nick Drage
2004-09-18 13:25 ` Pascal Vilarem
@ 2004-09-19 9:09 ` Mohamed Eldesoky
2004-09-19 11:01 ` Nick Drage
From: Mohamed Eldesoky @ 2004-09-19 9:09 UTC (permalink / raw)
To: Netfilter Mailing List
On Fri, 17 Sep 2004 12:46:13 +0100, Nick Drage <nickd@metastasis.org.uk> wrote:
> On Thu, Sep 16, 2004 at 09:33:03AM -0700, Hudson Delbert J Contr 61 CS/SCBN wrote:
> >
> > why do this ?
>
> There's a good set of reasons on:
>
> http://ip-to-country.webhosting.info/
>
> > seems a bit nasty in nature.
>
> Depends how you use the information. And to be honest considering the
> reputation of some sources of traffic, such as Korea and South America,
> which might be unlikely to have legitimate connections to your site, it
> would be handy to block them all.
>
I don't like this reason at all, but let me agree with you temporarily.
What if a client with good reputation "ie, from your country :-)" is
spending his vacation in South America, and wanted to check something
in your website ??
> > we dont even do this sort of thing? see email addy...
>
> But you're a worldwide organisation, and I think there's much more that
> you can do with this than just block. For example, has anyone figured
> out a way to tie this into logging rules? It would be great to see which
> countries I'm being attacked from.
>
> --
> mors omnia vincit
>
>
--
Mohamed Eldesoky
www.eldesoky.net
RHCE
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-19 9:09 ` Mohamed Eldesoky
@ 2004-09-19 11:01 ` Nick Drage
2004-09-19 11:17 ` Mohamed Eldesoky
From: Nick Drage @ 2004-09-19 11:01 UTC (permalink / raw)
To: netfilter
On Sun, Sep 19, 2004 at 12:09:53PM +0300, Mohamed Eldesoky wrote:
<snip>
> > Depends how you use the information. And to be honest considering the
> > reputation of some sources of traffic, such as Korea and South America,
> > which might be unlikely to have legitimate connections to your site, it
> > would be handy to block them all.
>
> I don't like this reason at all, but let me agree with you temporarily.
> What if a client with good reputation "ie, from your country :-)" is
> spending his vacation in South America, and wanted to check something
> in your website ??
Then don't reject packets according to country :)
--
mors omnia vincit
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-19 11:01 ` Nick Drage
@ 2004-09-19 11:17 ` Mohamed Eldesoky
2004-09-19 11:45 ` George Alexandru Dragoi
From: Mohamed Eldesoky @ 2004-09-19 11:17 UTC (permalink / raw)
To: Netfilter Mailing List
On Sun, 19 Sep 2004 12:01:11 +0100, Nick Drage <nickd@metastasis.org.uk> wrote:
> On Sun, Sep 19, 2004 at 12:09:53PM +0300, Mohamed Eldesoky wrote:
>
> <snip>
>
> > > Depends how you use the information. And to be honest considering the
> > > reputation of some sources of traffic, such as Korea and South America,
> > > which might be unlikely to have legitimate connections to your site, it
> > > would be handy to block them all.
> >
> > I don't like this reason at all, but let me agree with you temporarily.
> > What if a client with good reputation "ie, from your country :-)" is
> > spending his vacation in South America, and wanted to check something
> > in your website ??
>
> Then don't reject packets according to country :)
>
I am against the idea of rejecting based on the country.
It reminds me of that domain registration site that rejected all of
our credit cards, because they don't like that region. F**k'm, we are
dealing with other registrars :-)
> --
> mors omnia vincit
>
>
--
Mohamed Eldesoky
www.eldesoky.net
RHCE
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-19 11:17 ` Mohamed Eldesoky
@ 2004-09-19 11:45 ` George Alexandru Dragoi
2004-09-20 11:53 ` Nick Drage
From: George Alexandru Dragoi @ 2004-09-19 11:45 UTC (permalink / raw)
To: Netfilter Mailing List
Good point, not to mention disliking a country sounds so nazi :D
So, what's the reason for banning some countries?
On Sun, 19 Sep 2004 14:17:52 +0300, Mohamed Eldesoky
<eldesoky.lists@gmail.com> wrote:
>
>
> On Sun, 19 Sep 2004 12:01:11 +0100, Nick Drage <nickd@metastasis.org.uk> wrote:
> > On Sun, Sep 19, 2004 at 12:09:53PM +0300, Mohamed Eldesoky wrote:
> >
> > <snip>
> >
> > > > Depends how you use the information. And to be honest considering the
> > > > reputation of some sources of traffic, such as Korea and South America,
> > > > which might be unlikely to have legitimate connections to your site, it
> > > > would be handy to block them all.
> > >
> > > I don't like this reason at all, but let me agree with you temporarily.
> > > What if a client with good reputation "ie, from your country :-)" is
> > > spending his vacation in South America, and wanted to check something
> > > in your website ??
> >
> > Then don't reject packets according to country :)
> >
>
> I am against the idea of rejecting based on the country.
> It reminds me of that domain registration site that rejected all of
> our credit cards, because they don't like that region. F**k'm, we are
> dealing with other registrars :-)
>
>
>
> > --
> > mors omnia vincit
> >
> >
>
> --
> Mohamed Eldesoky
> www.eldesoky.net
> RHCE
>
>
--
Bla bla
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-19 11:45 ` George Alexandru Dragoi
@ 2004-09-20 11:53 ` Nick Drage
2004-09-20 12:06 ` Thomas Lußnig
2004-09-20 12:16 ` Chris Brenton
From: Nick Drage @ 2004-09-20 11:53 UTC (permalink / raw)
To: netfilter
On Sun, Sep 19, 2004 at 02:45:48PM +0300, George Alexandru Dragoi wrote:
> Good point, not to mention disliking a country sounds so nazi :D
It does, but it's not.
> So, what's the reason for banning some countries?
Why not? Don't you effectively ban huge ranges of IP addresses, and
therefore countries, every time you restrict access to a host? Imagine
I'm going travelling, and I know I'm only going to South America, so I
want to open up my ssh daemon to more addresses. However I don't want
to permit the entire Internet to have a go at the daemon, but I'm
willing to open it up to South America to increase the risk slightly
in return for permitting myself SSH access wherever I am.
I must admit I'm a little worried that everyone is thinking that this
will be used to prevent access by certain countries for nefarious /
racist reasons when there are so many useful applications.
--
mors omnia vincit
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-20 11:53 ` Nick Drage
@ 2004-09-20 12:06 ` Thomas Lußnig
2004-09-20 12:26 ` Chris Brenton
2004-09-20 12:16 ` Chris Brenton
From: Thomas Lußnig @ 2004-09-20 12:06 UTC (permalink / raw)
To: Nick Drage, netfilter
Hi,
I have been reading the discussion about IP blocking based on country for some time.
Also there are some positive arguments for this idea. I personally think
that including this feature is
- Extreme overload for iptables, since it needs an extremely large table of
IP lists
- Extremely faulty, since IPs are not originally assigned to countries but to
locations like Europe.
- Political / programming aspects. The kernel and iptables contain the
technical part, which means
block a port, IP, range based on time, flags etc. It never
contained localisation like different languages for
error reports and never country-based selections.
- How do you want to do the next step, when someone says "I don't want to select
based on country but want different web servers
for regions with different main languages": ASIA -> UTF8/Chinese, Europe
Latin1/French, German, English, America => Spanish/English.
There are many good grounds for a large selection map but NONE OF THEM is
good enough to include such maps in the kernel or iptables.
Cu Thomas
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-20 12:06 ` Thomas Lußnig
@ 2004-09-20 12:26 ` Chris Brenton
2004-09-20 13:20 ` George Alexandru Dragoi
From: Chris Brenton @ 2004-09-20 12:26 UTC (permalink / raw)
To: Thomas Lußnig; +Cc: netfilter
On Mon, 2004-09-20 at 08:06, Thomas Lußnig wrote:
>
> - Extreme overload for iptables, since it needs an extremely large table of
> IP lists
I beg to disagree. Most range blocking is done more on a region basis
rather than by individual country (i.e. permit countries in Europe but
maybe block Asia-Pacific). Given that IP ranges are delegated in large
blocks (class A and B being the norm), it actually takes very few rules.
For example I've had iptables firewalls pushing 400 Mb with region based
filtering in place. Worked like a champ.
> - Extremely faulty, since IPs are not originally assigned to countries but to
> locations like Europe.
Agreed, so if you are trying to target a specific country, you may run
into problems in areas like Europe. Blocking by region is less of an
issue but you can still run into problems (like class A blocks in Asia
that are also used in Australia, etc.).
> - How do you want to do the next step, when someone says "I don't want to select
> based on country but want different web servers
> for regions with different main languages": ASIA -> UTF8/Chinese, Europe
> Latin1/French, German, English, America => Spanish/English.
Actually, I'm pretty sure you could do this today with Squid. ;-)
Obviously a portion of this is "intent". If it's to reduce risk, it's one
thing. Banning based on color or creed is another. For example there are
Spanish people all over the world so banning based on the language
sounds like its more about discrimination rather than lowering risk.
HTH,
Chris
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-20 12:26 ` Chris Brenton
@ 2004-09-20 13:20 ` George Alexandru Dragoi
From: George Alexandru Dragoi @ 2004-09-20 13:20 UTC (permalink / raw)
To: netfilter
I understand permitting connections coming only from 1-2 countries for
reasons like cheap and huge bandwidth from your country but very
expensive and low bandwidth from the rest of the Internet (I actually did
this, permitting only from Romania, check metropolitana.loginet.ro
with a workaround for eliminating huge numbers of iptables rules;
there are also Romanian IPs), but permitting everybody except some
countries doesn't count for security reasons: kiddies/crackers use
compromised machines from all over the world to continue their "work".
On Mon, 20 Sep 2004 08:26:11 -0400, Chris Brenton
<cbrenton@chrisbrenton.org> wrote:
> On Mon, 2004-09-20 at 08:06, Thomas Lußnig wrote:
> >
> > - Extreme overload for iptables, since it needs an extremely large table of
> > IP lists
>
> I beg to disagree. Most range blocking is done more on a region basis
> rather than by individual country (i.e. permit countries in Europe but
> maybe block Asia-Pacific). Given that IP ranges are delegated in large
> blocks (class A and B being the norm), it actually takes very few rules.
> For example I've had iptables firewalls pushing 400 Mb with region based
> filtering in place. Worked like a champ.
>
> > - Extremely faulty, since IPs are not originally assigned to countries but to
> > locations like Europe.
>
> Agreed, so if you are trying to target a specific country, you may run
> into problems in areas like Europe. Blocking by region is less of an
> issue but you can still run into problems (like class A blocks in Asia
> that are also used in Australia, etc.).
>
> > - How do you want to do the next step, when someone says "I don't want to select
> > based on country but want different web servers
> > for regions with different main languages": ASIA -> UTF8/Chinese, Europe
> > Latin1/French, German, English, America => Spanish/English.
>
> Actually, I'm pretty sure you could do this today with Squid. ;-)
>
> Obviously a portion of this is "intent". If its to reduce risk, its one
> thing. Banning based on color or creed is another. For example there are
> Spanish people all over the world so banning based on the language
> sounds like its more about discrimination rather than lowering risk.
>
> HTH,
> Chris
>
>
--
Bla bla
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-20 11:53 ` Nick Drage
2004-09-20 12:06 ` Thomas Lußnig
@ 2004-09-20 12:16 ` Chris Brenton
From: Chris Brenton @ 2004-09-20 12:16 UTC (permalink / raw)
To: Nick Drage; +Cc: netfilter
On Mon, 2004-09-20 at 07:53, Nick Drage wrote:
>
> > So, whats the reason is banning some countryes?
>
> Imagine
> I'm going travelling, and I know I'm only going to South America, so I
> want to open up my ssh daemon to more addresses. However I don't want
> to permit the entire Internet to have a go at the daemon, but I'm
> willing to open it up to South America to increase the risk slightly
> in return for permitting myself SSH access wherever I am.
Well said. I find it kind of strange that people are cool with blocking
ranges of ports, but as soon as you get into blocking ranges of IP
addresses they get squeamish and may even label you a bigot.
It's simply a matter of risk vs. business need. My business model
requires an SMTP server so I accept the risk of exposing that port to
Internet access. My business model *does not* require NetBIOS/IP, so
those ports are obviously blocked. Why accept the risk involved if there
is no business argument for it?
Blocking IP ranges is exactly the same thing. If I do business in
Canada, the UK, etc., then obviously I have to accept the risk of
exposing my services to those IP blocks. If I don't do business in China
and know I never will, what's the point in accepting the risk of attack
from that country?
Cheers,
Chris
* Blocking Netranges Based on IP-to-Country CSV
@ 2004-09-15 23:41 Gary & Mic McFall
2004-09-16 0:54 ` Frank Gruellich
0 siblings, 1 reply; 23+ messages in thread
From: Gary & Mic McFall @ 2004-09-15 23:41 UTC (permalink / raw)
To: netfilter
Due to a number of issues, my organization is reviewing the ability to
block certain country domains at the firewall. To be proactive, we want
to automate that process via iptables & the CSV available at
<http://ip-to-country.webhosting.info>.
We have created a C program (IPCheck) in the /bin directory which, when
given an IP long number, checks the ip-to-country CSV and returns a
value for permit or not. We want to process the packet based on that
return.
I'm a relative newbie with iptables & scripts. Listed below is some
very crude code, some of which is a verbal description of intent. Any
suggestions on how to shore this up so that it will work? Or should
this concept be a new module in iptables?
#
# ***** DROP BAD IPS *****
#
/bin/IPCheck `grep -w "SRC =" | cut -d = -f 2`
if return = "Bad IP"
$IPT -A INPUT -$ETH0 $RATELIMIT -j INBADIPS
***** RULES - DROP BAD IPS *****
# ***** REVIEW LOG AT /var/log/iptables.log *****
#
$IPT -A INBADIPS -j LOG --log-level debug --log-prefix "BADIP: " -j DROP
Thanks in advance for your help.
Gary McFall
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-15 23:41 Gary & Mic McFall
@ 2004-09-16 0:54 ` Frank Gruellich
0 siblings, 0 replies; 23+ messages in thread
From: Frank Gruellich @ 2004-09-16 0:54 UTC (permalink / raw)
To: netfilter
Hello,
* Gary & Mic McFall <nutbrownhares@tds.net> 15. Sep 04:
> To be proactive, we want to automate that process via iptables & the
> CSV available at <http://ip-to-country.webhosting.info>.
I am very suspicious of configuring packet filters with external
(untrusted) data.
> We have created a C program (IPCheck) in the /bin directory
Maybe it should go to /usr/local/bin/... anyway.
> We want to process the packet based on that return.
Make it return 0 for bad and !0 for 'good' IP#s.
> I'm a relative newbie with iptables & scripts.
<URL:http://iptables-tutorial.frozentux.net/iptables-tutorial.html>
> Listed below is some very crude code,
Aah... yes.
> Any suggestions on how to shore this up so that it will work?
# You need to create the user-defined chain before using it:
$IPT -N INBADIPS
> # ***** DROP BAD IPS *****
> /bin/IPCheck `grep -w "SRC =" | cut -d = -f 2`
# What are you going to use as input? This grep needs a source to
# parse. Will it result in a list of IP#s? I assume a single $IP.
> if return = "Bad IP"
> $IPT -A INPUT -$ETH0 $RATELIMIT -j INBADIPS
# This will not work. Use:
if /usr/local/bin/IPCheck $IP
then
$IPT -A INPUT -i eth0 -s $IP -j INBADIPS
fi
# What do you mean with $RATELIMIT? Are you looking for
# <URL:http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TABLE.LIMITMATCH>?
> ***** RULES - DROP BAD IPS *****
> # ***** REVIEW LOG AT /var/log/iptables.log *****
> $IPT -A INBADIPS -j LOG --log-level debug --log-prefix "BADIP: " -j DROP
# You can't have two targets in a rule. Split it:
$IPT -A INBADIPS -j LOG --log-level debug --log-prefix="BADIP: "
$IPT -A INBADIPS -j DROP
Some questions you should ask yourself:
+ Is this a gateway? Should it go to FORWARD?
+ Will IP#s stay forever on the blacklist? How and when to remove them?
+ Is this really what you want?
Hope I understood you,
regards, Frank.
--
Sigmentation fault
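As an added example (not code from the thread or from either poster), a shell stand-in for Gary's IPCheck program that follows the interface and script Frank corrects above: it converts an address to the CSV's long form, looks up its country, exits 0 for a blocked country, and emits per-range iptables rules with the chain created first and LOG and DROP as separate rules. The CSV layout, the country codes XA/XB/XC and the use of `-m iprange` are assumptions; the ranges are constructed RFC 5737 sample data, not real allocations.

```shell
# Constructed sample CSV in the layout the thread's source is assumed to use:
# "begin_long","end_long","CC2","CC3","NAME". XA/XB/XC are hypothetical codes
# and the ranges are RFC 5737 documentation blocks, not real allocations.
IP2C_CSV="${IP2C_CSV:-/tmp/ip-to-country.sample.csv}"
BLOCK_CC="${BLOCK_CC:-XA XB}"   # countries to drop (hypothetical)
cat >"$IP2C_CSV" <<'EOF'
"3221225984","3221226239","XA","XAA","SAMPLE LAND A"
"3325256704","3325256959","XB","XBB","SAMPLE LAND B"
"3405803776","3405804031","XC","XCC","SAMPLE LAND C"
EOF
# dotted quad -> 32-bit integer, the "IP long number" IPCheck is fed
ip2long() {
    echo "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}
# 32-bit integer -> dotted quad, for iptables -m iprange
long2ip() {
    awk -v n="$1" 'BEGIN { n += 0; printf "%d.%d.%d.%d\n",
        int(n/16777216)%256, int(n/65536)%256, int(n/256)%256, n%256 }'
}
# two-letter code of the CSV range holding the address, or "--" if none
ip_country() {
    awk -F, -v n="$(ip2long "$1")" '
        { gsub(/"/, "", $1); gsub(/"/, "", $2); gsub(/"/, "", $3) }
        n+0 >= $1+0 && n+0 <= $2+0 { print $3; found = 1; exit }
        END { if (!found) print "--" }' "$IP2C_CSV"
}

# IPCheck stand-in with the exit-status interface Frank suggests:
# 0 = address is in a blocked country ("bad"), 1 = not blocked
ipcheck() {
    cc=$(ip_country "$1")
    for b in $BLOCK_CC; do [ "$cc" = "$b" ] && return 0; done
    return 1
}

# Print (do not run) the iptables commands for one country code: create the
# chain first, one iprange rule per CSV range, LOG and DROP as separate rules.
country_rules() {
    echo "iptables -N INBADIPS"
    awk -F, -v cc="$1" '{ gsub(/"/, "", $1); gsub(/"/, "", $2); gsub(/"/, "", $3) }
        $3 == cc { print $1, $2 }' "$IP2C_CSV" |
    while read -r lo hi; do
        echo "iptables -A INPUT -i eth0 -m iprange --src-range $(long2ip "$lo")-$(long2ip "$hi") -j INBADIPS"
    done
    echo "iptables -A INBADIPS -j LOG --log-level debug --log-prefix 'BADIP: '"
    echo "iptables -A INBADIPS -j DROP"
}
```

Run `country_rules XA` to review the generated rules before piping them into a shell; a lookup that returns "--" (no CSV range) is treated as not blocked, which is the safer default when the external data is incomplete.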
* Blocking Netranges Based on IP-to-Country CSV
@ 2004-09-15 12:57 McFall, Gary
2004-09-16 14:16 ` Aleksandar Milivojevic
0 siblings, 1 reply; 23+ messages in thread
From: McFall, Gary @ 2004-09-15 12:57 UTC (permalink / raw)
To: 'netfilter@lists.netfilter.org'
Due to a number of issues, my organization is looking at being able to block
certain country domains at the firewall. To be proactive, we want to
automate that process via iptables & the CSV available at
<http://ip-to-country.webhosting.info>.
We have created a C program (IPCheck) in the /bin directory which, when
given an IP long number, checks the ip-to-country CSV and returns a value
for permit or not. We want to process the packet based on that return.
I'm a relative newbie with iptables & scripts. Listed below is some very
crude code, some of which is a verbal description of intent. Any
suggestions on how to shore this up so that it will work? Or should this
concept be a new module in iptables?
#
# ***** DROP BAD IPS *****
#
/bin/IPCheck `grep -w "SRC =" | cut -d = -f 2`
if return = "Bad IP"
$IPT -A INPUT -$ETH0 $RATELIMIT -j INBADIPS
***** RULES - DROP BAD IPS *****
# ***** REVIEW LOG AT /var/log/iptables.log *****
#
$IPT -A INBADIPS -j LOG --log-level debug --log-prefix "BADIP: " -j DROP
Thanks in advance for your help.
Gary McFall
* Re: Blocking Netranges Based on IP-to-Country CSV
2004-09-15 12:57 McFall, Gary
@ 2004-09-16 14:16 ` Aleksandar Milivojevic
0 siblings, 0 replies; 23+ messages in thread
From: Aleksandar Milivojevic @ 2004-09-16 14:16 UTC (permalink / raw)
To: 'netfilter@lists.netfilter.org'
McFall, Gary wrote:
> Due to a number of issues, my organization is looking at being able to block
> certain country domains at the firewall. To be proactive, we want to
> automate that process via iptables & the CSV available at
> <http://ip-to-country.webhosting.info>.
They claim my IP address is in the USA. Which is kind of incorrect. So if
you decide to finally block all those bad nasty Americans, you'll end up
blocking good friendly peace loving Canadians too. Not to mention that
no beaver will be able to reach your web site, eh ;-)
--
Aleksandar Milivojevic <amilivojevic@pbl.ca>
Systems Administrator
Tel: (204) 474-2323 ext 276
Pollard Banknote Limited
1499 Buffalo Place
Winnipeg, MB R3T 1L7