Building a better world with people, process, & technology

Targeted IP Blocking – Align Web Services to Your Target Markets

Every morning I review a report on internet traffic coming through my servers. I am usually checking to ensure Google is indexing my sites properly, identifying potential prospects from web hits, verifying the spam and anti-virus filters are doing their jobs, and reviewing any new attack vectors that might compromise my perimeter security. The last brought an interesting point to the fore.

Much, if not all, the undesired traffic to my open internet servers originated from Korea and China. This actually accounted for quite a large percentage of my traffic overall. Taking a closer look at the profile, it became obvious that eliminating traffic from these countries would reduce overall bandwidth requirements and improve general serviceability of the public facing network. Since we have no intention of pursuing business in China or Korea, this strategy on the surface provides better focus of network resources to address the needs of our current and target client base.

Achieving this was relatively simple, however there were some challenges. We needed to ensure that legitimate clients travelling abroad still had access to critical services and we could not block responses from those countries as certain software update sites are hosted in those geographies. We adopted a script initially created by Vivek Gite and posted at his blog site to block traffic by country using iptables in Linux and modified it accordingly to allow for the above capabilities. We also tuned the initial script for better run time performance profiling and reduced the demand on the network of the service provider hosting the list of international IP mappings by country.

The end result of implementing this strategy is generally more reliable network performance and a large reduction in network based attacks on our infrastructure. The reduction in the attack level has reduced the overhead of verifying security has held up against each attack as well since these costs increase linearly with the number of attacks against the network. We implemented the firewall as a hierarchical tree and have an optional configuration to allow for use of ipsets if they are identified as supported in the target system.

You can download our enhanced version of the script from sourceforge or read the running commentary at Vivek Gite’s blog site for additional information or alternative implementations of the script.

15 Comments

  1. August 13, 2013    

    Very good work, thank you very much for the country_block script, i am using it to drop russia, seems that i am assaulted from russia with any kind of spam, hack, dos , and so on ….. no more mother russia on my server 🙂
    Thank you very much !

  2. Simon's Gravatar Simon
    September 1, 2014    

    Is you link broekn?

    • September 2, 2014    

      Thanks Simon – we had restructured our corporate pages and had not updated the link in this post – the link is now updated.

  3. November 5, 2014    

    Thanks David, very useful.

  4. GHN's Gravatar GHN
    April 6, 2015    

    Can you please give me a step by step method describing how to implement this on my edge ClearOS box, I would very much like to block unnecessary / unwated traffic from countries I have no desire to communicate with. Thank you for your efforts creating this improved script, I have been looking for something like this for a very long time.

    I’m not great with iptables but would like to learn more, this script seems like a great drop in solution for packet dropping unwanted country IP’s

    I would like to know how to backup the original iptables, incase I need to revert
    how to step by step implement this to block many countries

    what can you tell me about the resource load required as some others have mentioned in the Vivek post?

    what are your thoughts on IP sets

    TIA

    • April 6, 2015    

      I had implemented this initially as just a SysV init script but have made it work with systemd as well. I created a project on sourceforge today to hold the source files and an rpm for each of SysV and systemd initializations. If you install one of those RPMs it ‘should’ allow you to configure this by making simple changes in the /etc/sysconfig/iptables-cb-config file. I’ll be verifying the clean install today on our AWS instance.

  5. Vanessa's Gravatar Vanessa
    October 14, 2015    

    Hi David

    Thanks for creating this.

    I’m on a VPS using Ubuntu 14.04 LTS. Could you provide a step-by-step beginners guide on how to install and activate your scripts?

    I unzipped the file on my VPS. But what do I do next? I read the README and it says the apply config settings in /ect/sysconfig/iptables-cb. So do I need to create this folder and copy one of the unzipped files there? There are 6 files, not sure which one does what or what to do next.

    • October 14, 2015    

      Vanessa – we don’t run on Ubuntu, but if 14.04 is still a SysV init, you would likely perform the following steps:

      1. Copy iptables.cb and iptables-cb-config to /etc/sysconfig – edit the configuration per the README
      2. Copy ipset.init and iptables-cb.init to the /etc/rc.d/init.d directory. Note that I would rename the files to not have the .init extension if copying to those directories.
      3. Enable the ipset and iptables-cb services (the renamed / copied files in the /etc/rc.d/init.d directory) through whatever mechanism Ubuntu uses to enable services

      The first time the service is run, it should populate the cache of IPs by country from the online sources. The RPM files install the prerequisites, but if you are installing manually on Ubuntu you will need to install those yourself (wget, egrep, iptables, and optionally ipset)

      • Vanessa's Gravatar Vanessa
        October 17, 2015    

        David,

        Thanks for replying with the detailed “How To”. Perhaps, it can be included in the README of a future version.

        Unfortunately, I was unable to get this installed. Ubuntu (checked 12.04 and 14.04) doesn’t have a etc/sysconfig folder.

        Any ideas? In my /etc/network/interfaces file I import my iptable rules via: pre-up iptables-restore < /etc/path_to/my_iptables.rules.

        Wondering if I can do they same thing with your iptables.cb and iptables-cb-config files? For example: pre-up iptables-restore < /etc/path_to/iptables-cb-config

        I suppose I would also need to modify "iptables-cb.init" so it can know the new path?

        • October 17, 2015    

          You are free to modify the script however you wish – if you can identify the ‘Ubunutu’ way of implementing and configuring system services, just reply to this thread so others can benefit. I tried to keep the structure of the script such that it could be customized for different distributions by changing a few environment settings at the top.

          Frankly, if you’re not familiar with system administration actions at a command line level in your environment, the easiest thing to do is likely just create the /etc/sysconfig folder and follow the previous instructions.

  6. March 14, 2016    

    Hi

    First of all thnx let that be clear

    The only thing is that to many make this script and i know you guys all respect each other and are linking and thanking each other
    But for the end user its al to much and makes it so confusing
    I just wish there is a script that would work without all the confusing factors

    Just on this site yours ofcourse there is mention of 3 scripts Why ?
    There are 2 kinds of script to be downloaded from here Why ?

    I mean just make your script even if it is build from some one else idea and script you just build your own and then you can give support on that script

    GHNApril 6, 2015 asked for a how to and you answered that you created a project on sourceforge but i dont seem to be able to find that and again very confusing because here you place no link Why?

    Anyway i reinstalled jessie today and will see if i can get it to work the original script has worked always for me The perl version is absolutly a crappy thing and ask for to much extra’s to be installed on debian Wheezy its not posible to install that version for a amature so i scrapped that version and will give yourse a try.

    Again dont get me wrong i think all users all over the world are very gratefull to people like you To be honnest you guys make our life a bit easyer So Thnx for that.

    grtzzz from a cold Holland

  7. March 14, 2016    

    Just download the file

    https://sourceforge.net/projects/iptablescb/files/iptables-cb-1.0-2/?

    make dir etc/sysconfig
    drop the files inside
    chmodd the files 755 maybe not all but i did
    execute commando /etc/sysconfig/iptables-cb.init start

    it will start running just let it go
    i did got some type of errors i did not understand but after a couple of secs they where gone

    lets see what it did and execute first get a couple of beers or 2 liter coffee 🙂
    iptables -L

    voila all ip’s that are banned will run before your eyes

    o yeah in the config it says that all banned country’s still have acces to your server on port 80 and 443 when i am correct
    just put # in front and get rid of those forum spammers aswell

    i hope i did it all correct if not the creator can edit it

    i love these scripts specially for forums i hate those chinese spammers
    Good luck

    and thank the creator he just made your life easy’er and you can sleep better

    Questio:
    does the original iptables and those who will be added in the future still work ?
    Easyscp install creates some rules thats why i ask

    • March 14, 2016    

      Jack – it was a little hard to follow your commentary so I’ll follow up with a few comments of my own regarding this comment and the one prior.

      1. It looks like you found the sourceforge project by clicking through the link in the article… wonderful!
      2. I don’t know the people who wrote the other scripts – but I wrote this one for pretty clear reasons outlined in the article – namely I didn’t like having the perl dependencies and wanted this to run on a machine with fairly standard minimal tooling. I’ve added options to use ipset, even though it’s not often installed by default because it cleans up the tables a bit and might be a little more efficient. Even so, the hierarchical organization of the table entries I create is far more efficient than a straight listing of all IPs at one level
      3. I leave the defaults as allowing port 80 and 443 because most people would prefer their Korean and Chinese products get firmware updates than not and blocking those ports blocks firmware updates on a lot of DVD and BluRay players – including my own
      4. We have multiple versions of the script because the startup automation for systemV and systemd are a little different and we want the script run automatically through those init managers when the machine starts. Nobody should have to remember to start their firewalls after the machine boots – it should be automatic
      5. Our script was written to leave any other rules in the iptables alone – we believe that people who have implemented their own rules shouldn’t be given tools that undo the firewall rules they’ve spent so much time crafting. I have no idea what easycp is nor do I really care – it’s up to you to figure out your software interactions and I just try to ensure our contribution does not intrude on other apps.

      This is not a “supported” product – it is an opensource tool to help people better manage their own traffic and MAYBE improve security on the servers of anyone who cares to use it. That said – use at your own risk, but we believe use of the tool decreases risk overall.

  8. John Wheeler's Gravatar John Wheeler
    April 2, 2016    

    Hi,
    I have loaded these files onto Linux VPS running Centos 6.7

    Get these errors:

    [root@s18494787 sysconfig]# /etc/sysconfig/iptables-cb.init start
    iptables-cb.init: Applying cb firewall rules: Moving outdated zone files from /var/iptables to /var/iptables/arch/20160402
    cp: cannot stat `/var/cache/country_ips/custom.zone’: No such file or directory
    Archiving unblocked zones: kr
    Archiving unblocked zones: cn
    Archiving unblocked zones: ru
    Archiving unblocked zones: af
    /etc/sysconfig/iptables-cb.init: line 229: CBL_REGEN: command not found
    /etc/sysconfig/iptables-cb.init: line 233: CBL_REGEN: command not found
    /etc/sysconfig/iptables-cb.init: line 236: [: -lt: unary operator expected
    cp: missing destination file operand after `/tmp/tmp.OK9TDLWVeI’
    Try `cp –help’ for more information.
    /etc/sysconfig/iptables-cb.init: line 316: af_27_cbnet: command not found
    /etc/sysconfig/iptables-cb.init: line 316: af_27_cbnet: command not found

    Any thoughts as to remedy the errors.

    • April 19, 2016    

      It looks like you may be trying to run the configuration file – those files in /etc/sysconfig are used to hold the configuration options and save state for iptables. Run the system V style init script for iptables_country_block in /etc/rc.d/init.d if your system is using System V style init scripts – otherwise add the script to your init process in the manner proscribed by the OS vendor and run it the same way you run your other init scripts on startup.

Leave a Reply to David Picard Cancel reply

Your email address will not be published. Required fields are marked *

Whitepapers & Presentations

Contact us for access

We are proficient in BPM delivery with hands on platform expertise in Pegasystems PRPC platform!