
This is my current IpTables setup:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2022
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.10.10.0/24        anywhere             policy match dir in pol ipsec proto esp
ACCEPT     all  --  anywhere             10.10.10.0/24        policy match dir out pol ipsec proto esp
DROP       all  --  anywhere             anywhere

I would like to block this IP address 5.79.71.205 that is used as malware by one of the VPN users.

Do I block the input on top like this?

sudo iptables -I INPUT -s 5.79.71.205 -p all -j DROP

or do I have to do this because the VPN (IKEv2) masquerades?

sudo iptables -I FORWARD -s 5.79.71.205 -j DROP

or do I have to block the output?

sudo iptables -I OUTPUT -d 5.79.71.205 -j DROP

Or even all of them?

Houman
  • Is `5.79.71.205` the _client's_ IP address? – Lenniey Apr 15 '19 at 10:16
  • No, the user is using the website adcrtb.com, which has a malware called kovter. It steals personal information. I would like to block websites like this so it can't be used by anyone else. I did a `nslookup adcrtb.com` to find all the IPs that resolve to that website. The IP above is one of them. – Houman Apr 15 '19 at 10:23
  • OK, the answer may depend on the complete setup, then (DROP INPUT would be enough to block the connections _from_ the IP, but not the connections _to_ the IP). Just remember: blocking an IP for a domain is _usually_ not the way to go, you maybe want to block them using a proxy or similar. – Lenniey Apr 15 '19 at 10:27
  • You can even use domain names in iptables, but they are static, so if they are behind some CDN or whatever, it won't be of much use. A temporary solution using IP blacklists and a planned, automatic reevaluation of the iptables ruleset could be OK. But the long-term solution is a proxy using blacklists, for example. – Lenniey Apr 15 '19 at 11:21
  • Thanks @Lenniey for your confirmation. Could you elaborate a bit more on how a proxy using blacklists would work? I get the part with blacklists, which I could obtain from I-Block. You mean as in setting up a proxy on the Ubuntu server itself where all connections go through it? But doesn't iptables just do that? Thanks – Houman Apr 15 '19 at 11:34
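The placement question in the comments (INPUT blocks connections from the host, FORWARD and OUTPUT block connections to it) worked through as an added example, not code from the thread. It assumes the set name `badhosts` as a placeholder and that the gateway has ipset installed; 5.79.71.205 is the address from the question.

```shell
#!/bin/sh
# Added example, not from the thread. Builds (and optionally applies) the rules
# that block a list of malicious hosts on a VPN gateway like the one described:
# FORWARD for the IKEv2 clients' traffic, OUTPUT for the gateway's own
# connections, INPUT for connections initiated by those hosts.
# The set name "badhosts" is an assumed placeholder.

# Emit the commands instead of running them so the result can be reviewed.
block_rules() {
    set_name="$1"; shift
    # Keep the blocklist in an ipset: adding or removing addresses later (the
    # "automatic reevaluation" mentioned in the comments) then never requires
    # touching the iptables rules themselves.
    echo "ipset create $set_name hash:ip -exist"
    for ip in "$@"; do
        echo "ipset add $set_name $ip -exist"
    done
    for chain in FORWARD OUTPUT INPUT; do
        # The malicious host is the destination of the VPN users' traffic, so
        # FORWARD and OUTPUT match on dst; only INPUT matches on src. In FORWARD
        # the client addresses are still unmasqueraded, because NAT in
        # POSTROUTING happens after the filter table's FORWARD chain.
        direction=dst
        [ "$chain" = INPUT ] && direction=src
        # -I inserts at position 1; -A would append after the final "DROP all"
        # (or after the policy-match ACCEPTs) and the rule would never be hit.
        # DROP is inserted first, then LOG at 1, so the LOG rule ends up above it.
        echo "iptables -I $chain 1 -m set --match-set $set_name $direction -j DROP"
        echo "iptables -I $chain 1 -m set --match-set $set_name $direction -j LOG --log-prefix \"blocklist-$chain: \""
    done
}

# Apply the generated commands as root on the gateway.
apply_block_rules() {
    block_rules "$@" | sh
}

# Print the commands for the address from the question.
block_rules badhosts 5.79.71.205
```

Run `block_rules` first and read the output; only call `apply_block_rules` once the rule placement matches the live chains.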

1 Answer


Just block in and out. Should solve your problem.

# -I inserts at the top of the chain; the INPUT chain shown ends in "DROP all", so a rule appended with -A would never be reached
iptables -I INPUT -s 5.79.71.205 -j DROP
iptables -I OUTPUT -d 5.79.71.205 -j DROP

Duckro11