From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: tool to search within cidr blocks
Date: Fri, 24 Oct 2008 00:01:36 -0500
Message-ID: <490156B0.2050905@riverviewtech.net>
In-Reply-To: <007001c9358f$01d1c550$05754ff0$@net>

On 10/23/2008 11:14 PM, Joey wrote:
> Hey Grant,

*wave*

> Here is what I can tell you.
> I run iptables -F which is supposed to clear everything.

*nod*

> I then load my config and what you see as a result of that load is what you 
> see in the iptables-save result.

Ok...  Do the pages you linked to before reflect what is below, or is 
what you have below a small subset of the overall config?

> I have a script that builds the iptables-save.cfg file from a file 
> containing IP numbers only.

I gathered that is what you were doing.  I don't see anything wrong 
with doing that either.

> When I build the script you can see that certain things happen based on the 
> fact that I am reading in values and building each "chain" in order, so you 
> won't see all the defining of the chains at the top like the iptables-save 
> version.

*nod*

> Now I could be missing something somewhere in my declarations, but the code 
> is working in general.  I see IPs being blocked, as you can see I do a lot 
> of logging to ensure I know what's going on.

Yep.

> The chains for fail2ban are built and managed by that app so I don't mess 
> with them.

Ah.

> I completely rebooted the box prior to doing the below.  Normally I never 
> rebooted the box, but new kernel came out so I figured we will start from a 
> clean slate.

I tend to do the same.

> I did a reduced list test:
> ----------------------------------------------------
> My quick file which is created by my app:
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :SMTP_TRAFFIC - [0:0]
> -A INPUT -p tcp --dport 25 -m state --state NEW -j SMTP_TRAFFIC
> :LOG_ASIAN - [0:0]
> :CIDR-ASIAN - [0:0]
> -A SMTP_TRAFFIC -j CIDR-ASIAN
> -A LOG_ASIAN -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
> -A LOG_ASIAN -j DROP
> -A CIDR-ASIAN -s 58.14.0.0/15 -j LOG_ASIAN
> -A CIDR-ASIAN -s 58.16.0.0/13 -j LOG_ASIAN
> -A CIDR-ASIAN -s 58.24.0.0/15 -j LOG_ASIAN
> -A CIDR-ASIAN -s 58.29.0.0/16 -j LOG_ASIAN
> -A CIDR-ASIAN -s 58.30.0.0/15 -j LOG_ASIAN
> -A CIDR-ASIAN -s 58.32.0.0/11 -j LOG_ASIAN
> COMMIT
> ----------------------------------------------------
> I executed iptables-restore < above-file

Is the above file your current config, or just a small portion of your 
config that you created for this test?  I hardly see anything 
compared to your previous iptables-save file.

> ----------------------------------------------------
> Executing iptables --list results in:
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination         
> SMTP_TRAFFIC  tcp  --  anywhere             anywhere            tcp dpt:smtp
> state NEW 
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination         
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         
> 
> Chain CIDR-ASIAN (1 references)
> target     prot opt source               destination         
> LOG_ASIAN  all  --  58.14.0.0/15         anywhere            
> LOG_ASIAN  all  --  58.16.0.0/13         anywhere            
> LOG_ASIAN  all  --  58.24.0.0/15         anywhere            
> LOG_ASIAN  all  --  58.29.0.0/16         anywhere            
> LOG_ASIAN  all  --  58.30.0.0/15         anywhere            
> LOG_ASIAN  all  --  58.32.0.0/11         anywhere            
> 
> Chain LOG_ASIAN (6 references)
> target     prot opt source               destination         
> LOG        all  --  anywhere             anywhere            LOG level
> warning prefix `SPAM-BLOCK-CIDR-ASIAN' 
> DROP       all  --  anywhere             anywhere            
> 
> Chain SMTP_TRAFFIC (1 references)
> target     prot opt source               destination         
> CIDR-ASIAN  all  --  anywhere             anywhere      
> ----------------------------------------------------

This is what I would expect to see based on your iptables-save file above.

> Executing iptables-save resulted in:
> # Generated by iptables-save v1.2.11 on Fri Oct 24 00:08:34 2008
> *filter
> :INPUT ACCEPT [1091:155172]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1287:150175]
> :CIDR-ASIAN - [0:0]
> :LOG_ASIAN - [0:0]
> :SMTP_TRAFFIC - [0:0]
> -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j SMTP_TRAFFIC 
> -A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -j LOG_ASIAN 
> -A CIDR-ASIAN -s 58.16.0.0/255.248.0.0 -j LOG_ASIAN 
> -A CIDR-ASIAN -s 58.24.0.0/255.254.0.0 -j LOG_ASIAN 
> -A CIDR-ASIAN -s 58.29.0.0/255.255.0.0 -j LOG_ASIAN 
> -A CIDR-ASIAN -s 58.30.0.0/255.254.0.0 -j LOG_ASIAN 
> -A CIDR-ASIAN -s 58.32.0.0/255.224.0.0 -j LOG_ASIAN 
> -A LOG_ASIAN -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN" 
> -A LOG_ASIAN -j DROP 
> -A SMTP_TRAFFIC -j CIDR-ASIAN 
> COMMIT
> # Completed on Fri Oct 24 00:08:34 2008
> ----------------------------------------------------

Again, this is what I would expect to see based on your iptables-save 
file above.

> Let me know what you see or think...

Please try re-applying your iptables-save.cfg file from your previous 
post and let us know if your firewall is still blocking the 71.74.56.125 IP.

> Thanks!!!!!

You are welcome.



Grant. . . .
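The check Grant is asking for above (does 71.74.56.125 actually fall inside any of the source blocks in the saved ruleset?) can be done mechanically rather than by eyeballing the dump, and the same parser also shows that the prefix form Joey writes (58.14.0.0/15) and the dotted-netmask form iptables-save v1.2.11 prints back (58.14.0.0/255.254.0.0) are the same block. The script below is an added example written for this archive page; it is not code from the thread or from any of the participants. The sample dump is constructed inline from the CIDR-ASIAN rules quoted above, and the helper names (parse_rules, matching_rules, prefix_to_mask, shadowed_rules) are mine. It only reads the `-s` match of each `-A` rule, so it answers "which rules would a packet from this address hit?", not whether the chain is reachable for that packet.

```python
import ipaddress
import shlex

# Constructed sample: the CIDR-ASIAN rules exactly as iptables-save v1.2.11
# printed them in the thread above (dotted-netmask form).  Any real
# iptables-save output can be fed in instead.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [1091:155172]
:CIDR-ASIAN - [0:0]
:LOG_ASIAN - [0:0]
:SMTP_TRAFFIC - [0:0]
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j SMTP_TRAFFIC
-A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.16.0.0/255.248.0.0 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.24.0.0/255.254.0.0 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.29.0.0/255.255.0.0 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.30.0.0/255.254.0.0 -j LOG_ASIAN
-A CIDR-ASIAN -s 58.32.0.0/255.224.0.0 -j LOG_ASIAN
-A LOG_ASIAN -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
-A LOG_ASIAN -j DROP
-A SMTP_TRAFFIC -j CIDR-ASIAN
COMMIT
"""


def parse_rules(save_text):
    """Return [(chain, source_network, negated, target)] for every -A rule
    in an iptables-save dump that carries a source match.  Rules without
    -s/--source say nothing about addresses and are skipped."""
    rules = []
    for line in save_text.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)  # honours the quoted --log-prefix value
        chain = tokens[1]
        source, negated, target = None, False, None
        for i, tok in enumerate(tokens):
            if tok in ("-s", "--source", "--src") and i + 1 < len(tokens):
                source = tokens[i + 1]
                negated = i > 0 and tokens[i - 1] == "!"   # "! -s a.b.c.d/n"
            elif tok in ("-j", "--jump") and i + 1 < len(tokens):
                target = tokens[i + 1]
        if source is None:
            continue
        # ip_network accepts both 58.14.0.0/15 and 58.14.0.0/255.254.0.0.
        # strict=False masks off host bits, which is what iptables does too.
        net = ipaddress.ip_network(source, strict=False)
        rules.append((chain, net, negated, target))
    return rules


def matching_rules(save_text, address):
    """All (chain, block, target) whose source match covers `address`,
    honouring '!' negation."""
    ip = ipaddress.ip_address(address)
    hits = []
    for chain, net, negated, target in parse_rules(save_text):
        if ip.version != net.version:
            continue
        if (ip in net) != negated:
            hits.append((chain, str(net), target))
    return hits


def prefix_to_mask(prefix_len):
    """The dotted netmask iptables-save 1.2.x prints for a /prefix_len."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def shadowed_rules(save_text):
    """Rules whose block lies entirely inside an earlier rule's block in the
    same chain: harmless, but a sign the generator emitted overlapping
    entries from the address list."""
    seen, shadowed = {}, []
    for chain, net, negated, target in parse_rules(save_text):
        if negated:
            continue
        for earlier in seen.get(chain, []):
            if net.version == earlier.version and net.subnet_of(earlier):
                shadowed.append((chain, str(net), str(earlier)))
                break
        seen.setdefault(chain, []).append(net)
    return shadowed


if __name__ == "__main__":
    for addr in ("71.74.56.125", "58.45.1.1"):
        print(addr, "->", matching_rules(SAMPLE_SAVE, addr) or "no source match")
    print("overlapping entries:", shadowed_rules(SAMPLE_SAVE) or "none")
```

Run as `python3 cidrcheck.py` against the embedded sample, or replace SAMPLE_SAVE with the text of `iptables-save` to check the live ruleset. For the rules quoted in this message, 71.74.56.125 matches nothing, which is the point of Grant's request: if that address is still being dropped after reloading the full iptables-save.cfg, the block is coming from a rule the reduced test does not contain (or from the fail2ban chains), not from the CIDR-ASIAN list.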
