6

This question has obviously been asked many times in many different forms, but I can't find an actual answer to the specific plan I've got. We run a popular European commercial deals site, and are getting a large amount of incoming registrations/traffic from countries that cannot even take part in the deals we offer (and many of the retailers aren't even known outside Western Europe).

I've identified the problem area to block a lot of this traffic, but (as expected) there are thousands of IP ranges required.

My question now (finally!). On a test server, I created a script to block each range within iptables, but the amount of time it took to add the rules was large, and then iptables was unresponsive after this (especially when attempting an iptables -L).

What is the most efficient way of blocking large numbers of IP ranges:

  • iptables? Or a plugin where I can preload them efficiently?
  • hosts.deny?
  • .htaccess (nasty as I'd be running it in apache on every load balanced web server)?
John Gardeniers
kwiksand
  • Are the registrations valid or just bogus data? – Mark Mar 05 '11 at 20:46
  • possible duplicate of [Best way to block a country by IP address?](http://serverfault.com/questions/166812/best-way-to-block-a-country-by-ip-address) – John Gardeniers Mar 05 '11 at 22:09
  • Hi John, yes it's very similar, but that post (like the many others that I found) was talking about how to obtain the block lists, NOT how to actually deal with the issue of blocking thousands of addresses/blocks. Mark: the registrations are often completely invalid and, despite our anti-fraud practices, are still creating issues. The other thing is that to use the site (properly) you need a European bank account and shop via European-only retailers. The general consensus is that we block these requests completely. – kwiksand Mar 06 '11 at 14:02

5 Answers

4

What we've found best is using the MaxMinds database at sign-up time. The free version locks down to country, and you can pay for more granularity.

The advantage of only doing it at signup time is that you're not going to make life awkward for customers who've already signed up who're travelling.

Niall Donegan
3

As far as I understand, the question is not where to get the list of IP addresses that need to be blocked, but rather how to block them with iptables efficiently. A script that does a series of "iptables -A" commands is going to take a very long time to load the rules, and during this time the firewall runs with an inconsistent policy. This has a significant impact on its performance, too.

I suggest you try the ipset module ( http://ipset.netfilter.org/ ). It allows you to manipulate tables of address blocks directly; you only need one iptables rule to match the whole set. You'll need to experiment with different types of sets to find the one that can accommodate the number of IP address blocks you need to block and give you the performance you need. In any case it is much better at matching long lists of address blocks, and it allows you to reload the set using the command line tool without touching the rules.

Note that not all Linux distributions include ipset in their default configuration, so you may need to recompile kernel modules and iptables.

Country address blocks change from time to time, so you'll need to update your address set periodically. To reload a set that is already in use you can use the command line tool "ipset", and it is easy to wrap it in a shell script to automate the process. Or you could use fwbuilder to generate your iptables policy and use the script it generates to manage the ipset as well ( http://www.fwbuilder.org/4.0/docs/users_guide/address-table-object.html , see "5.2.13.1. Using Address Tables Objects with iptables IP sets" in this chapter).

vadimk
  • Thanks vadimk, this is exactly what I was looking for. You're right, the list of addresses/ranges themselves is easy to come by, but actually putting the block into place on my system (without creation of >9,000 iptables rules!) – kwiksand Mar 06 '11 at 13:58
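The approach vadimk describes, as an added example that is not part of the answer above and not code from the ipset project: a POSIX shell script that turns a CIDR list into `ipset restore` input (one kernel session instead of thousands of `ipset add` calls), builds the set under a temporary name, swaps it into place atomically so the live rule never sees a half-loaded set, and installs the single `iptables` rule that matches the whole set. The set name `geoblock`, the `hash:net` type (IPv4 only), the one-prefix-per-line input format, the `INPUT`/`DROP` rule and the sample list are all assumptions of this example; the sample prefixes are constructed TEST-NET ranges, not a real country list.

```shell
#!/bin/sh
# Added example (not from the original answer or the ipset project):
# load a large CIDR blocklist into one ipset, match it with a single
# iptables rule, and refresh it atomically with 'ipset swap'.
# Assumed details: set name "geoblock", set type hash:net (IPv4 only),
# an input file of one IPv4 address or CIDR per line ('#' comments and
# blank lines ignored), and a DROP rule in the INPUT chain.
set -eu

SET_NAME="${SET_NAME:-geoblock}"

# Constructed sample list (TEST-NET prefixes, not a real country list).
sample_cidr_list() {
    cat <<'EOF'
# constructed sample: three prefixes, one bare host, one junk line
203.0.113.0/24
198.51.100.0/25
not-an-ip

192.0.2.1
EOF
}

# Turn a CIDR list file into input for 'ipset restore': one 'create'
# line plus one 'add' line per prefix. 'ipset restore' loads these in a
# single session, far faster than a loop of 'ipset add' invocations.
build_restore_script() {
    set_name="$1"; cidr_file="$2"
    # Keep only lines that look like IPv4 addresses or CIDRs; drop the rest.
    nets=$(grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$cidr_file" || true)
    count=$(printf '%s\n' "$nets" | grep -c . || true)
    # hash:net defaults to maxelem 65536; grow it so a big list fits.
    maxelem=65536
    while [ "$maxelem" -le "$count" ]; do maxelem=$((maxelem * 2)); done
    printf 'create %s hash:net family inet hashsize 4096 maxelem %s\n' "$set_name" "$maxelem"
    if [ "$count" -gt 0 ]; then
        printf '%s\n' "$nets" | sed "s/^/add $set_name /"
    fi
}

# Build the set under a temporary name, then swap it into place so the
# rule that references it never matches against a half-loaded set.
# Needs root, the ipset tool and the xt_set iptables match.
apply_blocklist() {
    cidr_file="$1"
    tmp_set="${SET_NAME}_tmp"
    ipset destroy "$tmp_set" 2>/dev/null || true
    # -exist: tolerate duplicate prefixes in the source file.
    build_restore_script "$tmp_set" "$cidr_file" | ipset -exist restore
    if ipset -n list "$SET_NAME" >/dev/null 2>&1; then
        ipset swap "$tmp_set" "$SET_NAME"   # atomic; old contents land in tmp_set
        ipset destroy "$tmp_set"
    else
        ipset rename "$tmp_set" "$SET_NAME"
    fi
    # One rule for the whole set; 'iptables -C' keeps reruns from duplicating it.
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Usage: sh geoblock.sh apply /path/to/cidrs.txt    (as root, on each web node)
#        sh geoblock.sh preview /path/to/cidrs.txt  (print the restore input)
case "${1:-}" in
    apply)   apply_blocklist "${2:?usage: $0 apply FILE}" ;;
    preview) build_restore_script "$SET_NAME" "${2:?usage: $0 preview FILE}" ;;
esac
```

Rerunning `apply` with a fresh list is the periodic update vadimk mentions: the rule in `INPUT` is untouched, only the set behind it is swapped. Lines that are not plain IPv4 prefixes (including `start-end` ranges) are dropped by the filter, so convert such lists to CIDR first; IPv6 needs a second set created with `family inet6` and its own `ip6tables` rule.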
1

Linux iptables is passable for basic firewalling, miserable for everything else.

The pf firewall (used by most BSD Unices) will make your life a lot easier. The tables feature in the pf firewall is analogous to the ipset module under netfilter.

OpenBSD, FreeBSD, NetBSD, pfSense, and OPNsense all use pf. I love OpenBSD as a firewall distro, but if you need a GUI for your firewall, pfSense and OPNsense will get the job done.

As for what to put into the pf tables, I keep an updated tarball of CIDR blocks by country here.

0

I use http://www.countryipblocks.net. I like that it is free (no sign up required) and supports many different formats for routers, web servers, etc.

MDaubs
0

List of per-country IP blocks in a format that can be easily used by many firewalls (I am using PF tables on FreeBSD which can be loaded from a file): http://www.ipdeny.com/ipblocks/