z1g

Use IPTables to block traffic by country

It has been a few years since I have done anything with a web page or a hosted server, and I was amazed how quickly after setting up a test forum bots were registering and spamming the empty forums. There are security measures within the forum software to help prevent bot registrations, but after 30 minutes of a base install I had 10 bot registrations and multiple forum posts. Additionally, the security measures within the forum software (captcha, random question, e-mail verification) do not prevent the bots from trying to register, which wastes CPU cycles and bandwidth.

Since this particular server is a low-budget hosted server there is no firewall in front of it, and I cannot afford the monthly cost of one. I implemented Webalizer for Apache usage statistics and could see that 90% of the traffic was coming from Russia and China (surprising, I know). Then I rubbed my two brain cells together and figured that if Webalizer can determine where the traffic is coming from, iptables should be able to block it, so off to Google I went.

I found the following script:
Code:
#!/bin/bash
### Block all traffic from Russia (ru) and China (cn). Use ISO country codes ###
ISO="ru cn"
 
### Set PATH ###
IPT=/sbin/iptables
WGET=/usr/bin/wget
EGREP=/bin/egrep
 
### No editing below ###
SPAMLIST="countrydrop"
ZONEROOT="/root/iptables"
DLROOT="http://www.ipdeny.com/ipblocks/data/countries"
 
# Flush ALL chains (filter, nat, mangle) and reset the default policies to ACCEPT.
# This wipes every existing rule, not just the country chain, which is why
# your other iptables script is expected to be called at the end.
cleanOldRules(){
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
}
 
# create a dir for the zone files
[ ! -d "$ZONEROOT" ] && /bin/mkdir -p "$ZONEROOT"
 
# fetch every zone file BEFORE touching the rules: if a download fails or
# comes back empty we abort here and the current rules stay in place
for c in $ISO
do
    tDB=$ZONEROOT/$c.zone
    if ! $WGET -O "$tDB" "$DLROOT/$c.zone" || [ ! -s "$tDB" ]; then
        echo "Could not download zone file for $c, leaving current rules untouched" >&2
        exit 1
    fi
done
 
# clean old rules
cleanOldRules
 
# create a new iptables chain
$IPT -N "$SPAMLIST"
 
for c in $ISO
do
    # local zone file
    tDB=$ZONEROOT/$c.zone
 
    # country specific log message
    SPAMDROPMSG="$c Country Drop"
 
    # get the network list, skipping comment and blank lines
    BADIPS=$($EGREP -v "^#|^$" "$tDB")
    for ipblock in $BADIPS
    do
       # every dropped packet is logged; consider rate limiting on a busy host
       $IPT -A "$SPAMLIST" -s "$ipblock" -j LOG --log-prefix "$SPAMDROPMSG"
       $IPT -A "$SPAMLIST" -s "$ipblock" -j DROP
    done
done
 
# Send traffic through the country chain first. The chain only tests the
# source address, so it is the INPUT and FORWARD hooks that do the real work.
$IPT -I INPUT -j "$SPAMLIST"
$IPT -I OUTPUT -j "$SPAMLIST"
$IPT -I FORWARD -j "$SPAMLIST"
 
# call your other iptables script
# /path/to/other/iptables.sh
 
exit 0
I saved this as countryblock.sh and ran it. I did an iptables --list and saw all the blocked goodness.

ipdeny.com has a complete list of all the country codes so it is easy to find what you want to block.

Since these ranges change, the script can be added to crontab to run weekly or monthly. I would imagine weekly is probably overkill.

After implementing this script I can see the 8 to 12 bots that were constantly trying to register have gone away. I know proxies can still be used to circumvent this, but every bit helps.
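One thing the script above takes on trust is the downloaded zone file: it flushes the existing rules and then feeds whatever wget returned straight into iptables, so an empty or truncated download leaves the server with no country block at all. The following is an added example (not the post's script, and not ipdeny's tooling) that validates an ipdeny-style zone file before it is used and renders the resulting rules as text so they can be reviewed first; the iptables path, chain name and sample networks are assumptions.

```shell
# Added example, not the original post's script: validate an ipdeny-style
# zone file before it is loaded and render the iptables rules as text for
# review instead of applying them. Paths and chain name are assumed.
IPT=/sbin/iptables
SPAMLIST="countrydrop"

# Constructed sample in the ipdeny format (one IPv4 CIDR per line, '#'
# comments and blank lines allowed). The last entry is deliberately
# malformed to show it is rejected rather than handed to iptables.
SAMPLE_ZONE='# constructed sample, not a real download
1.0.1.0/24
1.0.2.0/23

1.0.8.0/21
not-a-cidr'

# Print only well-formed IPv4 CIDRs (a.b.c.d/n, octets 0..255, n 0..32)
# from the zone text on stdin; comments and blank lines are skipped.
valid_cidrs() {
    awk '/^#/ || /^[[:space:]]*$/ { next }
         /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
             split($0, p, "[./]")
             if (p[1] <= 255 && p[2] <= 255 && p[3] <= 255 &&
                 p[4] <= 255 && p[5] <= 32) print
         }'
}

# Number of well-formed CIDRs on stdin.
count_valid() { valid_cidrs | awk 'END { print NR }'; }
# Number of entries on stdin once comments and blank lines are removed.
count_entries() { awk '!/^#/ && !/^[[:space:]]*$/ { n++ } END { print n+0 }'; }

# Usable only if the file has at least one CIDR and nothing unparseable:
# an empty or truncated download must not replace the live block list.
# $1 = zone file path. Returns 0 if usable, 1 otherwise.
zone_usable() {
    valid=$(count_valid < "$1")
    entries=$(count_entries < "$1")
    [ "$valid" -gt 0 ] && [ "$valid" -eq "$entries" ]
}
# Print the iptables commands for one country without executing them.
# $1 = ISO code, $2 = zone file path.
render_rules() {
    valid_cidrs < "$2" | while read -r net; do
        printf '%s -A %s -s %s -j LOG --log-prefix "%s Country Drop"\n' \
            "$IPT" "$SPAMLIST" "$net" "$1"
        printf '%s -A %s -s %s -j DROP\n' "$IPT" "$SPAMLIST" "$net"
    done
}
```

Once `zone_usable` accepts a file, the output of `render_rules` can be inspected and then piped to sh; the sample file above is rejected because of its malformed last line.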

Comments

  1. locked_on:
    I had to do something similar for a website that Novi did, except I was limited to filters in the Apache config because we had no server control. It is amazing the lengths crackers will go to to wreak havoc. You can find a lot of good blacklists out there.