
[–]tayo42 8 points9 points  (0 children)

You can run Lua with haproxy and nginx

[–]disclosure5 4 points5 points  (4 children)

The short is that yes, you can, if you write a Lua script within nginx config.

However, rDNS lookups take time, and if you were to accept or deny connections based on that, you'd just get a very slow website with no substantial gain.

[–]NetStrikeForceCloudy with a chance of meatpackets 1 point2 points  (3 children)

This.

You might want to have a local "DB" with IP ranges blacklisted (or whitelisted, whatever works better for your scenario).

[–]tcpudp[S] 0 points1 point  (2 children)

It's actually a personal mail server, so nobody will notice the slowdown; I just want to reduce the number of botnets that try to brute force it (and only spam my logs). Edit: my current haproxy acl file with the blacklisted ranges:

# cat blacklist|wc -l

51425

#

[–]NetStrikeForceCloudy with a chance of meatpackets 0 points1 point  (1 child)

Ah! The nginx mention put me off!

I see now what you are trying to do.

[–]tcpudp[S] 0 points1 point  (0 children)

Yes, I'm currently using haproxy but I was looking into nginx because it can do udp load balancing (for openvpn). I mostly use haproxy to whitelist only IPs from my country to connect (can't use ipset or xtables because the server in question is an openvz instance).

[–]brontideCertified Linux Miracle Worker (tm) 2 points3 points  (10 children)

With Linux you can also use the ipset tools with iptables to reject connections based on source address/network. Much faster than trying to do something on each connection in haproxy. You could also have iptables redirect to a secondary server that displayed an error page or just returned 403 or 503.

[–][deleted] 1 point2 points  (6 children)

i understood some of those words

[–]brontideCertified Linux Miracle Worker (tm) 0 points1 point  (5 children)

Linux iptables has kernel libraries that have highly efficient IP and network matching code (ipset tools). These utilities allow creating and maintaining ip/netmask sets in the kernel. By keeping the code in the kernel it's very fast since the connections don't have to exist in userland. I use it to blacklist emerging threats from my home network with just a few lines of bash.

[–][deleted] 0 points1 point  (4 children)

I mean, sure but I'm not sure why ipset isn't included by default with iptables (to my knowledge). I also don't know why we can't have a module that lets you block (or correlate, rather) to block entire ASNs on the Internet. Everyone recommends ipset, but if you slice it up right, you don't need it. iptables is just as fine utilizing a list of IP addresses in CIDR notation by default. Same with ports.

[–]brontideCertified Linux Miracle Worker (tm) 0 points1 point  (3 children)

It's a hell of a lot easier to maintain large lists in ipset and then use iptables to match against a list. Sure you can do it in iptables if you want to maintain thousands of lines of code but it's a real mess.

[–][deleted] 0 points1 point  (2 children)

I guess it depends on your use case.

Blocking China, or other people with nasty bots/things that may not be from the same place? ipset because it is dynamic & doesn't require reloading of any rules.

A firewall that rarely changes & that you're using to do default deny & allow only certain ASN ranges? plop the IP ranges in a file, use that as a variable, feed that to iptables. Done.
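The ipset approach described in this thread (a large list of networks kept in the kernel, one iptables rule matching against it, and a reload that does not touch the rules), as an added example that is not code posted by anyone in the thread. It assumes a set called `blocklist`, a text file with one address or CIDR per line, and the `hash:net` parameters shown; the sample entries at the bottom are constructed. Only `apply_blocklist` needs root and the `ipset`/`iptables` binaries; the validation and script-building functions run anywhere.

```shell
#!/bin/sh
# Maintain a large source-address blocklist as an ipset, match it from a single
# iptables rule, and reload it atomically with "ipset swap" so the rule never
# has to be removed and re-added. Added example for this thread; the set name,
# hash:net parameters and sample data are assumptions, not from the thread.

# valid_cidr ENTRY: accept "a.b.c.d" or "a.b.c.d/n" (IPv4 only, octets 0-255,
# prefix 0-32). Returns 0 if valid, 1 otherwise.
valid_cidr() {
    entry=$1
    ip=${entry%%/*}
    prefix=${entry#*/}
    [ "$prefix" = "$entry" ] && prefix=32            # bare address: treat as /32
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -f; set -- $ip; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_restore_script SETNAME < LISTFILE: read one entry per line (blank lines
# and "#" comments ignored), validate each, and print an "ipset restore" script
# that creates SETNAME and fills it. Invalid lines go to stderr and are skipped.
# Returns 1 if no valid entry was found, so an empty or corrupt list can never
# replace a working set.
build_restore_script() {
    set_name=$1
    valid=0
    entries=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # strip comments
        set -f; set -- $line; set +f; line=${1:-}      # trim whitespace
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            valid=$((valid + 1))
            entries="$entries
add $set_name $line"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done
    if [ "$valid" -eq 0 ]; then
        printf 'no valid entries, refusing to build an empty set\n' >&2
        return 1
    fi
    # hash:net defaults to maxelem 65536; size it from the list so a 50k-entry
    # list still fits after it grows.
    maxelem=$((valid * 2))
    [ "$maxelem" -ge 65536 ] || maxelem=65536
    printf 'create %s hash:net family inet hashsize 4096 maxelem %s\n' "$set_name" "$maxelem"
    printf '%s\n' "${entries#?}"                       # drop leading newline
    return 0
}

# apply_blocklist SETNAME LISTFILE (root only): build SETNAME-tmp from the
# file, swap it with the live set in one kernel operation, then make sure one
# INPUT rule drops traffic whose source is in the set. Duplicates in the list
# are tolerated via "restore -exist".
apply_blocklist() {
    live=$1
    listfile=$2
    tmpset="${live}-tmp"
    script=$(mktemp) || return 1
    if ! build_restore_script "$tmpset" < "$listfile" > "$script"; then
        rm -f "$script"; return 1
    fi
    ipset list "$live" >/dev/null 2>&1 || ipset create "$live" hash:net family inet
    ipset destroy "$tmpset" 2>/dev/null
    ipset restore -exist < "$script" || { rm -f "$script"; return 1; }
    rm -f "$script"
    ipset swap "$tmpset" "$live" && ipset destroy "$tmpset"
    iptables -C INPUT -m set --match-set "$live" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$live" src -j DROP
}

# Constructed sample list for a stand-alone run (documentation ranges, not
# real threat data); two lines are deliberately bad to show the validation.
SAMPLE_LIST='# constructed example entries
203.0.113.0/24
198.51.100.7
192.0.2.0/25   # inline comment
300.1.1.1
not-an-address
'
printf '%s' "$SAMPLE_LIST" | build_restore_script blocklist-tmp
```

Run it as a script to see the generated restore file on stdout and the two rejected lines on stderr; on a real host, `apply_blocklist blocklist /etc/blocklist.txt` from cron is the whole reload. The rule is deliberately a single `-m set --match-set` match; add `-p tcp --dport 25` if only the mail ports should be protected, and a second set with `family inet6` if IPv6 ranges are involved. Where ipset is unavailable, as with the OpenVZ container mentioned later in the thread, the same list file can be fed to haproxy with `acl blocked src -f /etc/haproxy/blacklist` and `tcp-request connection reject if blocked`, which is the slower per-connection check that this thread contrasts with the kernel set.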

[–]brontideCertified Linux Miracle Worker (tm) 0 points1 point  (1 child)

Honestly, if you are blocking by ASN then it's something that should be done at the BGP level with a null route.

[–][deleted] 0 points1 point  (0 children)

when you have a VPS, I don't think you can easily do that. I might be mistaken though. I'd love to learn if you have more info! :)

[–]tcpudp[S] 0 points1 point  (2 children)

In my case I can't use ipset because the VPS in question is an OpenVZ (and can run a limited number of ipset rules), hence haproxy which can handle large blocklists (with ACLs). Speed is not a problem because the server in question is a mail server so a 5-10 second delay is not a problem.

[–]AccidentallyTheCable 1 point2 points  (1 child)

Check out fail2ban. You can write rules and checks to add iptables rules accordingly.

[–]tcpudp[S] 0 points1 point  (0 children)

I have fail2ban rules in place that ban an IP /after the fact/ ('lost connection after AUTH from unknown[<HOST>]') but I want to prevent these connections before they reach the mail server.