Using IPset with IPtables in Ubuntu LTS 10.04 to block large IP ranges
Posted on June 8, 2010
Filed Under IT Solutions | 1 Comment
There are a large number of firewall and security appliances on the market, some good, some awful. I tend to use a lot of Cisco security products. With the current supply chain problems in getting hold of Cisco products I have been looking around the market, and I have noticed that a number of products are systems with FreeBSD or Linux at their heart under a nice shiny badge.
I thought I would put together a solution myself based on the same ingredients. The reason is that I have realised I have become dependent on mainstream vendors to deploy solutions, and they don't always fully address the need. With the push to virtualisation, it would be good to have a powerful virtualised firewall just like the big boys. So here is what I have done so far.
High performance Ubuntu Firewall
If you run a webserver you will know that it is scanned and probed from particular networks originating from a hot-spot of countries. If your web application does not require access from these places, then why not just block them?
Well, it can prove expensive in terms of performance: blocking a whole country can take thousands of rules (http://www.countryipblocks.net/). Using this solution you can do things some of the big boys can't (SonicWall!). With iptables and ipset you can create thousands of rules and objects without a heavy impact on performance.
iptables is already part of all Linux distributions; however, ipset is not. You have to install it, and that can be a bit awkward. In Ubuntu 10.04 LTS, though, it is a piece of cake:
sudo apt-get install ipset ipset-source
sudo m-a a-i ipset
Running the previous commands installs the required kernel modules using module-assistant, along with the user space tools. You are now ready to create your very large firewall rules. This is so much easier than patching the kernel with patch-o-matic and recompiling iptables. This is how you use it.
Create your sets. You can get your network list from http://www.countryipblocks.net/ and write a script to generate the commands that build the set.
ipset --create feckoff nethash
ipset --add feckoff 27.8.0.0/12
ipset --add feckoff 27.24.0.0/13
ipset --add feckoff 27.36.0.0/13
ipset --add feckoff 27.44.0.0/14
ipset --add feckoff 27.50.128.0/17
ipset --add feckoff 27.54.192.0/18
ipset --add feckoff 27.144.0.0/16
ipset --add feckoff 27.148.0.0/10
ipset --add feckoff 27.212.0.0/12
ipset --add feckoff 58.14.0.0/13
ipset --add feckoff 58.22.0.0/14
... etc. etc. Hundreds of subnets later you have added all your subnets. DON'T MIX /32 networks or single hosts into this set.
Now here comes the important bit. Now that you have created your ipset, you can apply it to your rule base:
iptables -A INPUT -m set --set feckoff src -j DROP
You have just blocked thousands of subnets with one rule in your ruleset.
In an ideal world you would not really want to block a whole range of subnets like this; it is not the best use of resources. However, there are times when this is required to increase the security of your webserver against a particular type of attack.
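The post leaves the list-to-set script as an exercise, so here is an added example (not from the original post) that turns a downloaded block list into the ipset and iptables commands above: it strips comments and blank lines, drops duplicate entries (ipset refuses to add the same element twice), and skips /32 entries as the caveat above requires. The set name "feckoff" and the sample list are taken from, or constructed to look like, what the post shows.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the ipset/iptables
# commands for a nethash set from a one-CIDR-per-line block list on stdin.

# Constructed sample list mimicking a countryipblocks.net download, with a
# comment line, a duplicate entry, a /32 host and a junk line mixed in.
SAMPLE_LIST='# sample block list (constructed)
27.8.0.0/12
27.24.0.0/13
27.8.0.0/12
58.14.0.0/13
192.0.2.7/32
not-an-address
'

# gen_ipset_cmds SETNAME  (block list on stdin) -> commands on stdout
gen_ipset_cmds() {
    setname="$1"
    printf 'ipset --create %s nethash\n' "$setname"
    # Drop comments and blanks, keep only a.b.c.d/NN with NN in 0..31
    # (nethash must not receive /32 entries), then dedupe with sort -u.
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[01])$' \
    | sort -u \
    | while read -r net; do
        printf 'ipset --add %s %s\n' "$setname" "$net"
      done
    # One rule applies the whole set, whatever its size.
    printf 'iptables -A INPUT -m set --set %s src -j DROP\n' "$setname"
}

# count_entries SETNAME (block list on stdin) -> number of --add lines
count_entries() {
    gen_ipset_cmds "$1" | grep -c -- '--add'
}

main() {
    printf '%s' "$SAMPLE_LIST" | gen_ipset_cmds feckoff
}
```

Run it against the real list with `gen_ipset_cmds feckoff < countrylist.txt`, review the output, and only then pipe it through `sudo sh` to apply it.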
What Next
Well, I think I will add the following:
- OpenVPN
- Snort
- FreeRADIUS (so I can use 802.1X)
- Layer7 filter for iptables
- Some clustering / load balancing
I could end up with a pretty powerful firewall here. Anyone fancy helping me write a GUI for management, or crafting one in Webmin?
Let me know your comments, and who would be interested in a VM firewall protecting your virtual server environment.
Comments
One Response to “Using IPset with IPtables in Ubuntu LTS 10.04 to block large IP ranges”
Thanks for this article, it's the first I've seen on installing and configuring ipset. I'm keen to start using ipset with my Debian Lenny boxes, as I'm currently using a bash script which is way too slow.
I have tried to get ipset running with Debian Lenny and had no joy. So then I ran up an Ubuntu 10.10 server and followed your instructions, but I get an error with that as well: when it starts to build the ipset package I get something about an incompatible pointer type.
Any suggestions or other options would be most appreciated.