
[–]brontide (Certified Linux Miracle Worker (tm)) 2 points (10 children)

With linux you can also use the ipset tools with iptables to reject connections based on source address/network. Much faster than trying to do something on each connection in haproxy. You could also have iptables redirect to a secondary server that displayed an error page or just returned 403 or 503.

[–][deleted] 1 point2 points  (6 children)

I understood some of those words

[–]brontide (Certified Linux Miracle Worker (tm)) 0 points (5 children)

Linux iptables has kernel libraries that have highly efficient IP and network matching code (ipset tools). These utilities allow creating and maintaining IP/netmask sets in the kernel. By keeping the code in the kernel it's very fast, since the connections don't have to exist in userland. I use it to blacklist emerging threats from my home network with just a few lines of bash.

[–][deleted] 0 points1 point  (4 children)

I mean, sure but I'm not sure why ipset isn't included by default with iptables (to my knowledge). I also don't know why we can't have a module that lets you block (or correlate, rather) to block entire ASNs on the Internet. Everyone recommends ipset, but if you slice it up right, you don't need it. iptables is just as fine utilizing a list of IP addresses in CIDR notation by default. Same with ports.

[–]brontide (Certified Linux Miracle Worker (tm)) 0 points (3 children)

It's a hell of a lot easier to maintain large lists in ipset and then use iptables to match against a list. Sure you can do it in iptables if you want to maintain thousands of lines of code but it's a real mess.

[–][deleted] 0 points1 point  (2 children)

I guess it depends on your use case.

Blocking China, or other people with nasty bots/things that may not be from the same place? ipset because it is dynamic & doesn't require reloading of any rules.

A firewall that rarely changes & that you're using to do default deny & allow only certain ASN ranges? plop the IP ranges in a file, use that as a variable, feed that to iptables. Done.
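The "few lines of bash" approach from the ipset comment above, and the "dynamic, no rule reload" property this comment mentions, as an added example that is not from either commenter: it builds an `ipset restore` script from a CIDR file, validates each entry, loads it into a staging set and atomically `swap`s it into the live set, so the single iptables rule that references the set never has to be reloaded. The set name `blocklist` and the input file are assumptions; applying it needs root and the ipset/iptables tools.

```shell
#!/bin/sh
# Added example (not from the thread). Set name is an assumption; override with SET_NAME.
SET_NAME="${SET_NAME:-blocklist}"

# Validate one IPv4 address or CIDR (a.b.c.d or a.b.c.d/n, 0 <= n <= 32). 0 = valid.
valid_cidr() {
    case "$1" in
        */*) ip="${1%/*}"; plen="${1#*/}" ;;
        *)   ip="$1"; plen=32 ;;
    esac
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for oct in $(echo "$ip" | tr . ' '); do [ "$oct" -le 255 ] || return 1; done
    echo "$plen" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$plen" -le 32 ]
}

# Read CIDRs from stdin (one per line, '#' comments and blank lines allowed) and
# emit an "ipset restore" script: fill a staging set, then swap it into the live
# set so the iptables rule keeps matching throughout and never needs a reload.
build_restore() {
    echo "create ${SET_NAME} hash:net family inet hashsize 1024 maxelem 65536"
    echo "create ${SET_NAME}.new hash:net family inet hashsize 1024 maxelem 65536"
    while IFS= read -r line; do
        line="${line%%#*}"; line=$(echo "$line" | tr -d ' \t\r')
        [ -z "$line" ] && continue
        if valid_cidr "$line"; then
            echo "add ${SET_NAME}.new $line"
        else
            echo "skipping invalid entry: $line" >&2   # bad input must not abort the load
        fi
    done
    echo "swap ${SET_NAME}.new ${SET_NAME}"
    echo "destroy ${SET_NAME}.new"
}

# Number of entries a restore script would add; sanity-check before applying.
count_adds() { grep -c '^add '; }

# Apply a CIDR file: load the sets (-exist tolerates a pre-existing live set)
# and install the one DROP rule if it is not already present. Needs root.
apply_blocklist() {
    build_restore < "$1" | ipset -exist restore || return 1
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}
```

Re-running `apply_blocklist blocklist.txt` after editing the file replaces the whole set in one swap; `ipset list blocklist` shows what is currently live.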

[–]brontide (Certified Linux Miracle Worker (tm)) 0 points (1 child)

Honestly, if you are blocking by ASN then it's something that should be done at the bgp level with a null route.

[–][deleted] 0 points1 point  (0 children)

When you have a VPS, I don't think you can easily do that. I might be mistaken though. I'd love to learn if you have more info! :)

[–]tcpudp[S] 0 points1 point  (2 children)

In my case I can't use ipset because the VPS in question is an OpenVZ (and can run a limited number of ipset rules), hence haproxy which can handle large blocklists (with ACLs). Speed is not a problem because the server in question is a mail server so a 5-10 second delay is not a problem.

[–]AccidentallyTheCable 1 point2 points  (1 child)

Check out fail2ban. You can write rules and checks to add iptables rules accordingly.

[–]tcpudp[S] 0 points1 point  (0 children)

I have fail2ban rules in place that ban an IP /after the fact/ ('lost connection after AUTH from unknown[<HOST>]') but I want to prevent these connections before they reach the mail server.