I've migrated my processes from a FreeBSD/PF configuration to a CentOS 5.3 system (forgive my newbie status on iptables). In FreeBSD/PF I can write a one-liner that will block a table of IPs completely, and it doesn't hit the rdr (redirect) chain. In iptables, I have (for example):

    iptables -N abuse
    iptables -I abuse -s x.x.x.x -j DROP

There are a couple thousand IPs or /networks in that list. It takes forever to load.

One obvious mistake I found on my own (duh) is that it needs another rule to place it in the INPUT table or something; but in my case, when I do this, it appends to the INPUT table, and isn't being consulted -- so clearly I've done something incorrectly. But what I'm noticing is that despite this, the IPs are getting through -- I do a "tail -f maillog" and I see them hitting my system. Further, some of the ports are in the FORWARD chain that go to an internal DMZ system (i.e. mail, imap). As I get a little lost in what I'm reading (grin), what I think needs to happen is that all these numbers must be inserted in the INPUT chain; I'm not sure if that will be good enough, or if I also have to block at FORWARD (which would be redundant).

To get myself up and running quickly, with some sensible rules, I downloaded and used the "ipkungfu" script - easy enough to use.

I have 2 other tables that I use: the one above is a list of IPs/networks I never want to have access to my system; another list is only to block SMTP; another is a GeoIP table of networks I never want touching my system. The addresses/rules are loaded in a simple for-next loop from Bash. It takes forever, thus I'm wondering if there is a more efficient way to load these. It also occurs to me that these should be loaded first, or at least after any other security-related rules.

I wonder if someone could clarify how to do what I need correctly, perhaps more efficiently. Thank you!
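One way to load a large block list in a single pass instead of one iptables call per address, added here as an illustration and not part of the original post: generate an iptables-restore fragment that creates the abuse chain, hooks it at the top of INPUT and FORWARD (so relayed DMZ traffic is covered too), and appends one DROP per entry. The function names and the sample list are made up for the example; only iptables-restore and its -n (--noflush) option are real.

```shell
#!/bin/sh
# Build an iptables-restore fragment for a user-defined "abuse" chain from a
# plain list of IPs/CIDRs (one per line, '#' comments allowed). Loading the
# fragment with iptables-restore is one kernel transaction, so a list of
# thousands of entries loads in well under a second.
# build_abuse_rules / count_drop_rules are hypothetical helper names.

build_abuse_rules() {
    # $1 = path to the list of IPs / networks to drop
    printf '%s\n' '*filter'
    printf '%s\n' ':abuse - [0:0]'        # create the chain (kept if it already exists with -n)
    printf '%s\n' '-I INPUT 1 -j abuse'   # consult the block list before any other INPUT rule
    printf '%s\n' '-I FORWARD 1 -j abuse' # and before anything relayed to the DMZ hosts
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r net _; do
        printf '%s\n' "-A abuse -s $net -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

count_drop_rules() {
    # number of DROP entries generated for a list file (used for checking)
    build_abuse_rules "$1" | grep -c -e '-j DROP'
}

# Constructed sample list, standing in for the real multi-thousand-entry file.
LIST=$(mktemp)
cat > "$LIST" <<'EOF'
# blocked abusers (constructed sample)
192.0.2.10
198.51.100.0/24
203.0.113.77
EOF

build_abuse_rules "$LIST" > "${LIST}.rules"
# Load everything at once; -n (--noflush) keeps the rules already in place:
#   iptables-restore -n < "${LIST}.rules"
```

Re-running the load appends duplicate entries, so flush the abuse chain and remove the INPUT/FORWARD jumps before reloading an updated list.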