Question

11

Block China with iptables

rated 0 times [ 11] [ 0] / answers: 1 / hits: 40053 / 1 Year ago, wed, may 31, 2023, 8:59:57

I just logged in on a GitLab server and noticed that it had 18.974 failed logins since I last checked the server - almost 5 days. I checked the Ip's and it seems that almost all of them were from China and tried to gain access with SSH and Brute Force. I started to block some Ip's but then i realized that it is a huge waste of time and a better idea would be to block the entire country.

Is there any way i can block ALL China or any other country with iptables?

I found some articles on the internet but almost all of them are bash scripts. I'm a newbie on Linux so i don't really understand all those scripts. I find iptables really interesting and i want to learn more about it.

Any ideas ?
Thank you!

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

otatorm

Add To Favorites

Follow

Total Points: 218

Total Questions: 113

Total Answers: 124

Location: British Indian Ocean Territory

Member since Tue, Feb 22, 2022

2 Years ago

answered 1 Year ago eaderitable · Accepted Answer

Using iptables to automatically identify, and thereafter block, bad guys for ssh can be done using the recent module. The following segment must come after your generic ESTABLISHED,RELATED line:

[…]

$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT



[…]

# Secure Shell on port 22.

#

# Sometimes I uncomment the next line to simply disable external SSH access.

# Particulalry useful when I am rebooting often, thereby losing my current BADGUY table.

# $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j DROP



# Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.

# Once they are on the BADGUY list then DROP all packets from them.

# Sometimes make the lock time very long. Typically to try to get rid of coordinated attacks from China.

$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 90000 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info

$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 3 --seconds 90000 --name BADGUY_SSH -j DROP

$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --set --name BADGUY_SSH -j ACCEPT

Now, the recent (the last year or two) problem with China is that they have become very clever and very often once they get blocked from one IP address they simply switch to another on the same sub-net and continue. This runs the risk of running out of default recent table entries (I think the default is 200). I monitor this and then look up the actual IP segment, and permanently block the entire segment. In my case, I do not care about collateral damage, i.e. blocking someone innocent:

#

# After a coordinated attack involving several sub-nets from China, they are now banned forever.

# List includes sub-nets from unknown origin, and perhaps Hong Kong

#

$IPTABLES -A INPUT -i $EXTIF -s 1.80.0.0/12   -d $UNIVERSE -j DROP

$IPTABLES -A INPUT -i $EXTIF -s 27.148.0.0/14 -d $UNIVERSE -j DROP

$IPTABLES -A INPUT -i $EXTIF -s 27.152.0.0/13 -d $UNIVERSE -j DROP

$IPTABLES -A INPUT -i $EXTIF -s 43.229.0.0/16 -d $UNIVERSE -j DROP

$IPTABLES -A INPUT -i $EXTIF -s 43.255.0.0/16 -d $UNIVERSE -j DROP

[…]

Where in the above:

# The location of the iptables program

#

IPTABLES=/sbin/iptables



#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network

#

EXTIF="enp4s0"

INTIF="enp2s0"

EXTIP="...deleted..."

INTNET="192.168.111.0/24"

INTIP="192.168.111.1/32"

UNIVERSE="0.0.0.0/0"

You can get the entire list of IP addresses for China, or any country, in iptables, or other, format here. However the list is both surprisingly long and rather dynamic. Myself, I decided not to block the entire list.