* How to drop an isp
@ 2005-11-05 14:04 Dave Handler
2005-11-05 18:41 ` Nikolai Georgiev
2005-11-05 21:49 ` Robert Nichols
0 siblings, 2 replies; 3+ messages in thread
From: Dave Handler @ 2005-11-05 14:04 UTC (permalink / raw)
To: netfilter
Greetings!
Sorry if I worded my subject wrong, it's the best I could do!
Ok, I'm on Fedora Core 3, running iptables 1.2 (which seems to be
holding its own). Logwatch sends me my logs every morning and I see
people trying to tap into tcp port 25. I do lookups on the addresses
and they all seem to be coming either from Taiwan or China. A few in
Europe and every once in a while one from the US.
I've been googling around for how to block them. I'm rather green to
iptables and some of the options confuse me. Is there a way I can block
the whole ip from me? I'll paste in a section where there were
accepted packets:
Accepted 327 packets on interface eth0
From 69.21.138.231 - 169 packets to tcp(22)
From 70.86.208.18 - 6 packets to tcp(25)
From 72.36.128.42 - 6 packets to tcp(25)
From 202.107.195.52 - 128 packets to tcp(22)
From 207.150.176.81 - 16 packets to tcp(25)
From 219.133.247.226 - 1 packet to tcp(25)
From 219.134.232.31 - 1 packet to tcp(25)
So for instance I probably would want to block 202.107.0.0 through
202.107.255.255. But I'm not really sure of the syntax I should be
using. And I don't want to screw up what I already have in place.
I'm going to chalk this one up as another learning experience!
Thanks in advance!
Dave
* Re: How to drop an isp
2005-11-05 14:04 How to drop an isp Dave Handler
@ 2005-11-05 18:41 ` Nikolai Georgiev
2005-11-05 21:49 ` Robert Nichols
1 sibling, 0 replies; 3+ messages in thread
From: Nikolai Georgiev @ 2005-11-05 18:41 UTC (permalink / raw)
To: Dave Handler; +Cc: netfilter
Dave Handler wrote:
> Greetings!
>
> Sorry if I worded my subject wrong, it's the best I could do!
>
> Ok, I'm on Fedora Core 3, running iptables 1.2 (which seems to be
> holding its own). Logwatch sends me my logs every morning and I see
> people trying to tap into tcp port 25. I do lookups on the addresses
> and they all seem to be coming either from Taiwan or China. A few in
> Europe and every once in a while one from the US.
>
> I've been googling around for how to block them. I'm rather green to
> iptables and some of the options confuse me. Is there a way I can
> block the whole ip from me? I'll paste in a section where there were
> accepted packets:
>
> Accepted 327 packets on interface eth0
> From 69.21.138.231 - 169 packets to tcp(22)
> From 70.86.208.18 - 6 packets to tcp(25)
> From 72.36.128.42 - 6 packets to tcp(25)
> From 202.107.195.52 - 128 packets to tcp(22)
> From 207.150.176.81 - 16 packets to tcp(25)
> From 219.133.247.226 - 1 packet to tcp(25)
> From 219.134.232.31 - 1 packet to tcp(25)
>
>
> So for instance I probably would want to block 202.107.0.0 through
> 202.107.255.255. But I'm not really sure of the syntax I should be
> using. And I don't want to screw up what I already have in place.
>
# -p (not --p), the full network 202.107.0.0/16, and DROP: iptables has no DENY target
iptables -I INPUT -s 202.107.0.0/16 -p tcp --dport 25 -j DROP
> I'm going to chalk this one up as another learning experience!
>
> Thanks in advance!
>
> Dave
>
>
* Re: How to drop an isp
2005-11-05 14:04 How to drop an isp Dave Handler
2005-11-05 18:41 ` Nikolai Georgiev
@ 2005-11-05 21:49 ` Robert Nichols
1 sibling, 0 replies; 3+ messages in thread
From: Robert Nichols @ 2005-11-05 21:49 UTC (permalink / raw)
To: netfilter
Dave Handler wrote:
> Greetings!
>
> Sorry if I worded my subject wrong, it's the best I could do!
>
> Ok, I'm on Fedora Core 3, running iptables 1.2 (which seems to be
> holding its own). Logwatch sends me my logs every morning and I see
> people trying to tap into tcp port 25. I do lookups on the addresses
> and they all seem to be coming either from Taiwan or China. A few in
> Europe and every once in a while one from the US.
>
> I've been googling around for how to block them. I'm rather green to
> iptables and some of the options confuse me. Is there a way I can block
> the whole ip from me? I'll paste in a section where there were
> accepted packets:
>
> Accepted 327 packets on interface eth0
> From 69.21.138.231 - 169 packets to tcp(22)
> From 70.86.208.18 - 6 packets to tcp(25)
> From 72.36.128.42 - 6 packets to tcp(25)
> From 202.107.195.52 - 128 packets to tcp(22)
> From 207.150.176.81 - 16 packets to tcp(25)
> From 219.133.247.226 - 1 packet to tcp(25)
> From 219.134.232.31 - 1 packet to tcp(25)
First of all, most of those packets (the 169 and the 128) are to
port 22 (ssh) not port 25 (smtp). The port 22 traffic is a much
bigger security concern.
Are you running an SMTP server that accepts mail from the outside
world? If so, you need to accept connections from anywhere that
might want to send you legitimate email. If not, you can close off
incoming port 25 at the firewall.
Are you running sshd and intentionally accepting ssh connections
from the outside? If not, you can block the port 22 traffic. If
you need to accept ssh connections, you are getting into a whole
'nother area of security concerns that is mostly outside the scope
of firewalls, though you might use firewall filtering if there is
a fairly limited scope of IP addresses from which you want to
accept connections.
Another puzzling thing is that the default firewall setup in FC-3
(from system-config-securitylevel) keeps all incoming ports closed
except for those you explicitly open. Before rolling your own
firewall, you might want to take a look at the default
configuration and build upon that.
--
Bob Nichols Yes, "NOSPAM" is really part of my email address.
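The policy Robert describes (ssh only from a limited set of sources, port 25 closed unless the host really receives Internet mail, plus any whole ranges the admin chooses to drop) as one script, added here as an example and not taken from the thread. It keeps its rules in a separate user chain so the existing FC-3 ruleset is not disturbed; the chain name, log prefixes and sample networks are assumptions.

```shell
#!/bin/sh
# Inbound filter for the situation in the thread: ssh only from listed
# sources, port 25 closed unless the host takes Internet mail, chosen ranges
# dropped. Added example, not from the list. All rules live in one user chain
# hooked at the top of INPUT; packets we do not DROP RETURN to the existing
# rules, so what is already in place is left alone and the chain can be
# unhooked with one -D. Dry run without root: IPTABLES=echo sh fw.sh apply
CHAIN=INBOUND_FILTER   # assumed name

# build_inbound_filter "<ssh source nets>" <smtp public: yes|no> "<nets to drop>"
build_inbound_filter() {
    ssh_allowed=$1; smtp_public=$2; blocked_nets=$3
    ipt=${IPTABLES:-iptables}
    # Rebuild the chain from scratch so the script can be rerun safely.
    $ipt -D INPUT -j "$CHAIN" 2>/dev/null || true
    $ipt -F "$CHAIN" 2>/dev/null || true
    $ipt -X "$CHAIN" 2>/dev/null || true
    $ipt -N "$CHAIN"
    $ipt -I INPUT 1 -j "$CHAIN"
    # Loopback and replies to our own connections are never filtered here.
    $ipt -A "$CHAIN" -i lo -j RETURN
    $ipt -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j RETURN
    # Whole ranges to drop (e.g. 202.107.0.0/16), logged at a limited rate.
    for net in $blocked_nets; do
        $ipt -A "$CHAIN" -s "$net" -m limit --limit 5/min -j LOG --log-prefix "FW-NET-DROP: "
        $ipt -A "$CHAIN" -s "$net" -j DROP
    done
    # ssh: pass listed sources back to the existing rules; log and drop the rest.
    for net in $ssh_allowed; do
        $ipt -A "$CHAIN" -p tcp --dport 22 -s "$net" -j RETURN
    done
    $ipt -A "$CHAIN" -p tcp --dport 22 --syn -m limit --limit 5/min -j LOG --log-prefix "FW-SSH-DROP: "
    $ipt -A "$CHAIN" -p tcp --dport 22 -j DROP
    # smtp: closed entirely unless this host really receives Internet mail.
    if [ "$smtp_public" != yes ]; then
        $ipt -A "$CHAIN" -p tcp --dport 25 -j DROP
    fi
}

# Number of DROP rules a given policy installs, taken from a dry run.
count_drop_rules() {
    (IPTABLES=echo; build_inbound_filter "$1" "$2" "$3") | grep -c -- '-j DROP'
}

if [ "${1:-}" = apply ]; then
    # Constructed values: ssh from one office net, no public SMTP, drop one /16.
    build_inbound_filter "192.0.2.0/24" no "202.107.0.0/16"
fi
```

Review the dry-run output before running it for real; the LOG rules give the Logwatch report a prefix to group the dropped traffic by.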