Using IPset with IPtables in Ubuntu LTS 10.04 to block large IP ranges

There are a large number of firewall and security appliances on the market, some good, some awful. I tend to use a lot of Cisco security products. With the current supply chain problems in getting hold of Cisco products I have been looking around the market. I have noticed that a number of products are systems which have FreeBSD or Linux at the heart under a nice shiny badge.

I thought I would put together a solution myself based on the same ingredients. The reason is that I have realised I have become dependent on mainstream vendors to deploy solutions, and they don’t always fully address the need. With the push to virtualisation, it would be good to have a powerful virtualised firewall just like the big boys. So here is what I have done so far.

High performance Ubuntu Firewall

If you run a webserver you will know that it is scanned and probed from particular networks originating from a hot-spot of countries. If your web application does not require access from these places, then why not just block them.

Well, it can prove expensive in terms of performance: blocking a whole country can take thousands of rules (http://www.countryipblocks.net/). Using this solution you can do things some of the big boys can’t do (SonicWall!). Using iptables and IPset you can create thousands of rules and objects without impacting heavily on performance.

Iptables is already part of all Linux distributions; however, IPset is not. You have to install it and it can be a bit awkward. However, it is a piece of cake in Ubuntu 10.04 LTS.

sudo apt-get install ipset ipset-source
sudo m-a a-i ipset

Performing the previous commands will install the required kernel modules using module-assistant, and also the user space tools. You are now ready to create your very large firewall rules. This is so much easier than patching the kernel with patch-o-matic and recompiling iptables. This is how you use it.

Create your sets. You can get your network list from http://www.countryipblocks.net/ and write a script to generate the commands that build the set.

ipset --create feckoff nethash
ipset --add feckoff 27.8.0.0/12
ipset --add feckoff 27.24.0.0/13
ipset --add feckoff 27.36.0.0/13
ipset --add feckoff 27.44.0.0/14
ipset --add feckoff 27.50.128.0/17
ipset --add feckoff 27.54.192.0/18
ipset --add feckoff 27.144.0.0/16
ipset --add feckoff 27.148.0.0/10
ipset --add feckoff 27.212.0.0/12
ipset --add feckoff 58.14.0.0/13
ipset --add feckoff 58.22.0.0/14
... and so on; hundreds of subnets later you have added all your subnets. Don’t mix /32 networks or single hosts into a nethash set.

Now here comes the important bit. Having created your IPset, you can apply it to your rule base.

iptables -A INPUT -m set --set feckoff src -j DROP

You have just blocked thousands of subnets with one rule in your ruleset.
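The post says to write a script that turns a downloaded network list into the set-building commands above. The shell function below is an added example (not part of the original post) of exactly that: it reads CIDR blocks from standard input, skips comments and blank lines, drops /32 entries (the post warns not to mix hosts into a nethash set), removes duplicates, and prints the ipset creation commands followed by the single iptables rule. The set name feckoff comes from the post; the block list is a constructed sample, not a real country list. Pipe the output into sh (as root) to apply it.

```shell
#!/bin/sh
# Added example, not from the original post: generate the ipset/iptables
# commands for a nethash set from a list of CIDR blocks.

# Constructed sample list (one CIDR per line) with a comment, a duplicate
# and a /32 host entry to show what gets filtered out. Not a real block list.
SAMPLE_LIST='# constructed sample, not a real country list
27.8.0.0/12
27.24.0.0/13
27.8.0.0/12
27.36.0.0/13
198.51.100.7/32
58.14.0.0/13
'

# gen_ipset_commands SETNAME
# Reads CIDRs from stdin and prints:
#   ipset --create SETNAME nethash
#   ipset --add SETNAME <cidr>   (one per unique, non-/32 network)
#   iptables -A INPUT -m set --set SETNAME src -j DROP
gen_ipset_commands() {
    set_name="$1"
    echo "ipset --create $set_name nethash"
    grep -v '^#' \
      | grep -v '^[[:space:]]*$' \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' \
      | grep -v '/32$' \
      | sort -u \
      | while read -r cidr; do
            echo "ipset --add $set_name $cidr"
        done
    echo "iptables -A INPUT -m set --set $set_name src -j DROP"
}

# Helper used to check the generator on the constructed sample: number of
# "ipset --add" lines produced (duplicates and the /32 entry are dropped).
count_add_lines() {
    printf '%s' "$SAMPLE_LIST" | gen_ipset_commands feckoff | grep -c '^ipset --add'
}

# Usage against a real list:   gen_ipset_commands feckoff < country.txt | sudo sh
# Dry run on the sample:
printf '%s' "$SAMPLE_LIST" | gen_ipset_commands feckoff
```

Because the function only prints commands, you can review the generated rule set before applying it, and re-running it against a refreshed list is just a matter of piping it through sh again.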

In an ideal world you would not really want to block a whole range of subnets like this; it is not the best use of resources. However, there are times when this is required to increase the security of your webserver against a particular type of attack.

What Next

Well, I think I will add the following:

  1. OpenVPN
  2. Snort
  3. FreeRADIUS (so I can use 802.1X)
  4. Layer7 Filter for IPtables
  5. Some Clustering/ Load balancing

I could end up with some pretty powerful firewall here. Anyone fancy helping me write a GUI for management, or crafting it in Webmin?

Let me know your comments: who would be interested in a VM firewall protecting your virtual server environment?


Comments:

Thanks for this article it’s the first I’ve seen on installing and configuring ipset. I’m keen to start using ipset with my Debian Lenny boxes as I’m currently using a bash script which is way too slow.

Have tried to get ipset running with Debian Lenny and no joy. So then I ran up a Ubuntu 10.10 server and followed your instructions but I get an error with that as well when it starts to build the ipset package I get something about an incompatible pointer type.

Any suggestions or other options would be most appreciated.

Comment by Keith, December 2010 05:26:00 AM

can you please provide an instruction on Ubuntu 12.04.1 too?

(the “ipset-source” package was deleted from the precise 12.04repository)

thanks

Comment by rubo77, September 2012 12:45:04 AM

Take a look at the script on this page http://forums.gentoo.org/viewtopic-t-863121.html

I have just loaded ipset and the above script to update the ipset rules every 10 minutes. Rather than use the source for a block list used in the script, I use the one found on openBL.org

I have this running on Ubuntu server 12.04

Comment by JMF, September 2012 12:48:25 AM

I have followed step by step in this tutorial, everything is described, how to install and use iptables with geoip to block countries.
http://terminal28.com/how-to-block-countries-using-iptables-debian/

Comment by sethuper, October 2013 11:02:16 PM

sethuper, That looks like a good solution. Would be interested to see the impact on performance.

Comment by Jason Simmons, October 2013 06:36:33 PM