Sinkhole Planning

0

I am currently planning on setting up a network sinkhole in my... network. I have a list of sites that I want to block, around 300k of them. What is the recommended way to do this? My computer is its own DNS server.

Should I just add them to the hosts file and redirect the responses to the IDS, or create BIND zones for each of them?

Which one is best in terms of system resource usage and reliability?

nizx

Posted 2014-02-24T18:43:30.153

Reputation: 103

When you say "sites", do you mean domain names? IP addresses? Network blocks? – David Schwartz – 2014-02-24T20:26:38.450

Yes, I mean sites, like facebook, porn sites, etc. – nizx – 2014-03-10T10:08:47.733
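For the name-based part of the question (hosts file versus one BIND zone per name), an added example that is not from the original post: BIND can load a single response-policy zone (RPZ) that carries every blocked name, so 300k names need one zone file and one zone statement rather than 300k zones or a giant hosts file. The sinkhole address 192.168.2.2 (the address used later in the thread), the zone name "rpz.sinkhole" and the sample names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original question): generate one BIND
# response-policy zone (RPZ) from a flat list of domain names, so every
# listed name, and every subdomain of it, resolves to the sinkhole host.
# The sinkhole address, zone name and sample names below are assumptions.
set -eu

# gen_rpz_zone SINKHOLE_IP < domain_list
# Input: one domain per line; blank lines and '#' comments are ignored,
# names are lower-cased, trailing dots stripped and duplicates removed.
# Output: a zone file with two A records per name (the name itself and a
# wildcard for its subdomains). The zone origin comes from named.conf, so
# the records are written as relative names.
gen_rpz_zone() {
    sink=$1
    printf '$TTL 300\n'
    printf '@ IN SOA localhost. root.localhost. ( 1 3600 900 2592000 300 )\n'
    printf '@ IN NS localhost.\n'
    # sed: drop comments, surrounding whitespace and a trailing dot;
    # tr: fold case; grep: drop now-empty lines; sort -u: deduplicate
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' \
      | tr 'A-Z' 'a-z' | grep -v '^$' | sort -u \
      | while IFS= read -r name; do
            printf '%s IN A %s\n' "$name" "$sink"
            printf '*.%s IN A %s\n' "$name" "$sink"
        done
}

# count_rpz_a_records SINKHOLE_IP < domain_list
# Number of A records the generated zone carries (two per unique name).
count_rpz_a_records() {
    gen_rpz_zone "$1" | grep -c ' IN A '
}

# named.conf side (not generated here), assumed zone name:
#   options { response-policy { zone "rpz.sinkhole"; }; };
#   zone "rpz.sinkhole" { type master; file "/etc/bind/rpz.sinkhole.db"; };

# Constructed sample list: mixed case, trailing dot, a duplicate, comments.
SAMPLE_DOMAINS='Facebook.COM.
facebook.com
# tracking domain
ads.example.net   # comment after the entry'

printf '%s\n' "$SAMPLE_DOMAINS" | gen_rpz_zone 192.168.2.2
```

Redirect the output to the zone file named in named.conf and reload BIND; because the zone is loaded as a single file, replacing the blocklist is a regenerate-and-reload, not 300k zone edits.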

Answers

0

I know the performance is better than iptables alone, but since it is part of the kernel I was unable to monitor its CPU utilization.

If they are single IP addresses, first download cidrmerge and the list will probably be a bit shorter.

I recommend iptables with ipset. Using iptables by itself will kill performance. Each group can handle 65535 entries.

# one hash:net set per chunk of the list; hash sets default to maxelem 65536,
# pass "maxelem N" at create time if a set needs to hold more entries
ipset create ban1 hash:net
ipset create ban2 hash:net
ipset create ban3 hash:net
ipset create ban4 hash:net
ipset create ban5 hash:net
ipset create ban6 hash:net
ipset create ban7 hash:net

saves all config including block list into text file

ipset save > config.txt

restores config from file (restore reads the saved dump on stdin)

ipset restore < config.txt

# drop inbound packets whose source is in a set; INPUT only covers traffic
# to this host, traffic routed through the box needs the same matches in FORWARD
iptables -A INPUT -m set --match-set ban1 src -j DROP
iptables -A INPUT -m set --match-set ban2 src -j DROP
iptables -A INPUT -m set --match-set ban3 src -j DROP
iptables -A INPUT -m set --match-set ban4 src -j DROP
iptables -A INPUT -m set --match-set ban5 src -j DROP
iptables -A INPUT -m set --match-set ban6 src -j DROP
iptables -A INPUT -m set --match-set ban7 src -j DROP

** Currently list:set is not working properly, or you could do this:
# a list:set refers to other sets, so a single rule can match all of them
ipset create banned list:set
ipset add banned ban1
ipset add banned ban2
ipset add banned ban3
ipset add banned ban4
ipset add banned ban5
ipset add banned ban6
ipset add banned ban7
iptables -A INPUT -m set --match-set banned src -j DROP
** end, use this when they fix it **

You can script populating the list. You will have to break the list into groups of 65535.

# one ipset process per entry (slow for 300k entries; a file of "add" lines
# fed to "ipset restore" loads in a single process)
xargs -n1 ipset add ban1 < badip1.txt
xargs -n1 ipset add ban2 < badip2.txt

Finally, save the config (per above).

cybernard

Posted 2014-02-24T18:43:30.153

Reputation: 11 200

Nice, but what if I want to block by names? I get a blocklist from a site and want to just redirect each request for it to another IP/server for tracking and monitoring. – nizx – 2014-03-13T00:42:15.433

iptables has a destination NAT option to redirect traffic to any IP you like. Instead of looking up names I use whois on their IP and find out their CIDR and block all of them. Facebook is 173.252.64.0/18 – cybernard – 2014-03-13T15:07:01.980

something like this (PREROUTING lives in the nat table, so -t nat is required): iptables -t nat -A PREROUTING -i eth0 -m set --match-set ban1 src -j DNAT --to-destination 192.168.2.2 – cybernard – 2014-03-14T01:05:02.817

Thank you. I think that will do it. I just need to script it and I am done. – nizx – 2014-03-14T15:17:14.057
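The chunked ipset build and the DNAT redirect discussed in the answer and its comments, as an added example in POSIX shell (not the answerer's code): it emits the set definitions in the batch "ipset restore" format so the whole list loads in one process, and prints the nat-table rules that redirect connections whose destination is in a set to the sinkhole, in PREROUTING for hosts routed through the box and in OUTPUT for the box's own traffic. The set prefix "ban", the chunk size, the interface eth0, the sinkhole address 192.168.2.2 and the CIDR list are assumptions. It matches on dst rather than the answer's src, because a rule on src stops inbound traffic coming from the listed networks, while redirecting requests to them (what the question asks for) means matching the destination.

```shell
#!/bin/sh
# Added example (not from the original answer): build ipset sets from a CIDR
# blocklist in fixed-size chunks using the 'ipset restore' batch format, then
# emit the nat-table DNAT rules that send traffic *to* those networks into a
# sinkhole host. Set prefix, chunk size, sinkhole address, interface and the
# CIDR list below are assumptions.
set -eu

# gen_ipset_restore PREFIX CHUNK < cidr_list
# Reads one IP or CIDR per line ('#' comments and blanks ignored) and prints
# 'create'/'add' lines for 'ipset restore', starting a new set every CHUNK
# entries so no set ever exceeds the maxelem it was created with.
gen_ipset_restore() {
    awk -v pfx="$1" -v chunk="$2" '
        { sub(/#.*/, ""); gsub(/[[:space:]]/, "") }   # strip comments, whitespace
        $0 == "" { next }
        n % chunk == 0 {                               # first entry of a new chunk
            set = pfx int(n / chunk + 1)
            printf "create %s hash:net family inet maxelem %d\n", set, chunk
        }
        { printf "add %s %s\n", set, $0; n++ }
    '
}

# gen_sinkhole_rules PREFIX NSETS SINKHOLE_IP IFACE
# Prints iptables commands that DNAT connections whose *destination* is in
# one of the sets to the sinkhole: PREROUTING for traffic from other hosts
# arriving on IFACE, OUTPUT for connections this box makes itself.
gen_sinkhole_rules() {
    pfx=$1; nsets=$2; sink=$3; iface=$4
    i=1
    while [ "$i" -le "$nsets" ]; do
        printf 'iptables -t nat -A PREROUTING -i %s -m set --match-set %s%d dst -j DNAT --to-destination %s\n' \
            "$iface" "$pfx" "$i" "$sink"
        printf 'iptables -t nat -A OUTPUT -m set --match-set %s%d dst -j DNAT --to-destination %s\n' \
            "$pfx" "$i" "$sink"
        i=$((i + 1))
    done
}

# Constructed sample list (documentation and reserved ranges only), with a
# chunk size of 2 so the split is visible; a real run would use the answer's
# 65535 or a larger maxelem.
SAMPLE_CIDRS='192.0.2.0/24
198.51.100.0/24   # comment after entry
# whole-line comment
203.0.113.0/24
198.18.0.0/15
100.64.0.0/10'

SETS=$(printf '%s\n' "$SAMPLE_CIDRS" | gen_ipset_restore ban 2)
NSETS=$(printf '%s\n' "$SETS" | grep -c '^create ')

printf '%s\n' "$SETS"                       # feed this to: ipset restore
gen_sinkhole_rules ban "$NSETS" 192.168.2.2 eth0   # then run these as root
```

Save the first part of the output to a file and load it with "ipset restore < file" before running the printed iptables commands, since the rules refer to sets that must already exist; the sinkhole host at 192.168.2.2 then sees every redirected connection with the original destination recoverable from conntrack on the gateway.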