Ubuntu Firewalls [iptables]

June 27th, 2008

I’ve had rather a lot of connections to my FTP server lately trying to log in with the username administrator; it turns out they are all IPs from China. I’ve known about iptables for a while, but never really learned how to use it. My first instinct was to just drop the IP with the command

sudo iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

This worked a treat and is all well and good, but I didn’t fancy typing in that line for every IP that tried to bugger my connections, so here’s what I did:

1, sudo touch /etc/iptables.sav
2, sudo chmod 777 /etc/iptables.sav
3, sudo iptables-save > /etc/iptables.sav
4, vim /etc/iptables.sav and add these lines into it. The lines ending in DROP are IP ranges from China and surrounding areas. The last 4 lines tell the system to drop the IP for 120 seconds after 3 failed connections.

-A INPUT -s 222.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 220.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 218.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 210.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 202.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 124.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 120.0.0.0/252.0.0.0 -j DROP
-A INPUT -s 116.0.0.0/252.0.0.0 -j DROP
-A INPUT -s 114.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 60.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 58.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 200.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 188.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 186.0.0.0/254.0.0.0 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 --name DEFAULT --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 21 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -i eth1 -p tcp -m tcp --dport 21 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 --name DEFAULT --rsource -j DROP

5, save the file and run sudo iptables-restore < /etc/iptables.sav
6, run sudo iptables -L and make sure all your rules are added [please note: if you’ve a big list this can take a while, as it does DNS lookups].
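Before loading a file like this with iptables-restore it is worth checking offline what it will actually do: whether the address you administer from falls inside one of the DROP ranges, and exactly when the -m recent lines start dropping a host. The script below is an added example, not code from the post; it copies a few of the rule lines above (with the long options spelled as plain ASCII "--"), parses them the way iptables-save writes them, and walks constructed connection events through a model of the xt_recent module (one hit per --set, a match on --update when at least --hitcount hits fall inside --seconds, a matching --update adding a hit). It assumes the INPUT policy is ACCEPT and that every event is a NEW TCP connection on eth1, and it ignores the module's cap on stored hits. Two things it makes visible that the prose does not: the recent module counts new connections, not failed logins, so three connections of any kind inside 120 seconds trigger the drop; and because the SSH and FTP rules share the list name DEFAULT, two SSH connections followed by one FTP connection is already the third hit.

```python
"""Offline check of the iptables-save rules above: which sources the DROP
lines cover and when the '-m recent' lines start dropping a host.
Added example that models xt_recent behaviour; not code from the post."""
import ipaddress
import shlex

# Constructed copy of a few lines from the post (long options written with
# plain ASCII "--"); in practice read them from /etc/iptables.sav instead.
RULES = """
-A INPUT -s 222.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 220.0.0.0/254.0.0.0 -j DROP
-A INPUT -s 120.0.0.0/252.0.0.0 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 --name DEFAULT --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 21 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -i eth1 -p tcp -m tcp --dport 21 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 --name DEFAULT --rsource -j DROP
"""

# Constructed events: (seconds since start, source IP, destination port) for
# NEW TCP connections arriving on eth1.
EVENTS = [
    (0,   "222.10.0.5",  22),  # inside 222.0.0.0/8: dropped by the range rule
    (0,   "203.0.113.9", 22),  # 1st new SSH connection in the window
    (10,  "203.0.113.9", 22),  # 2nd
    (20,  "203.0.113.9", 21),  # 3rd hit, via FTP: the list DEFAULT is shared
    (30,  "203.0.113.9", 22),  # still within 120 s of three hits
    (300, "203.0.113.9", 22),  # older hits have fallen out of the window
]

VALUE_OPTS = {"-s": "net", "--dport": "dport", "--seconds": "seconds",
              "--hitcount": "hitcount", "--name": "name", "-j": "target"}
SKIP_OPTS = {"-i", "-p", "-m", "--state"}  # every event here is NEW tcp on eth1


def parse_rules(text):
    """Turn '-A INPUT ...' lines into dicts of the options the simulator uses."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if toks[:2] != ["-A", "INPUT"]:
            continue
        rule = {"net": None, "dport": None, "recent": None, "seconds": None,
                "hitcount": None, "name": "DEFAULT", "target": None}
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok in VALUE_OPTS:
                rule[VALUE_OPTS[tok]] = toks[i + 1]
                i += 2
            elif tok in SKIP_OPTS:
                i += 2
            elif tok in ("--set", "--update", "--rcheck"):
                rule["recent"] = tok[2:]
                i += 1
            else:
                i += 1  # flags with no value, e.g. --rsource
        if rule["net"] is not None:  # accepts both /8 and /255.0.0.0 forms
            rule["net"] = ipaddress.ip_network(rule["net"], strict=False)
        for key in ("dport", "seconds", "hitcount"):
            if rule[key] is not None:
                rule[key] = int(rule[key])
        rules.append(rule)
    return rules


def simulate(rules, events):
    """Return the INPUT verdict for each (t, src, dport) event, in order."""
    lists = {}  # recent list name -> {src: [hit timestamps]}
    verdicts = []
    for now, src, dport in events:
        addr = ipaddress.ip_address(src)
        verdict = "ACCEPT"  # chain policy, assumed ACCEPT
        for r in rules:
            if r["net"] is not None and addr not in r["net"]:
                continue
            if r["dport"] is not None and r["dport"] != dport:
                continue
            matched = True
            if r["recent"] is not None:
                hits = lists.setdefault(r["name"], {}).setdefault(src, [])
                if r["recent"] == "set":
                    hits.append(now)  # --set always records a hit and matches
                else:
                    # --rcheck/--update: count hits inside the --seconds window
                    # (all hits if no window) and match at --hitcount or more
                    window = [h for h in hits
                              if r["seconds"] is None or now - h <= r["seconds"]]
                    matched = len(window) >= (r["hitcount"] or 1)
                    if matched and r["recent"] == "update":
                        hits.append(now)  # a matching --update refreshes last-seen
            if matched and r["target"] in ("ACCEPT", "DROP", "REJECT"):
                verdict = r["target"]
                break
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for (t, src, port), verdict in zip(EVENTS, simulate(parse_rules(RULES), EVENTS)):
        print(f"t={t:>4}s {src:<14} port {port}: {verdict}")
```

Point `RULES` at the contents of your own saved file and add the address you log in from to `EVENTS`; a DROP on that line means the restore would lock you out. Note also that the post's ordering puts --set before --update in each pair, so the third new connection inside the window is the first one dropped, and every further attempt adds hits that keep the host blocked until it stays quiet for 120 seconds.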

  1. June 27th, 2008 at 17:25

    Or use -n, so that iptables skips the DNS lookups.

  2. Quico
    June 27th, 2008 at 17:48

    I use PAM_ABL for auto blacklisting these login attempts: http://www.hexten.net/wiki/index.php/Pam_abl

  3. djatlantic
    June 27th, 2008 at 20:50

    Use iplist/ipblock to block non-USA IP addresses. I used these to protect my OpenSSH servers: http://www.djatlantic.net/?p=312
