[XCSSA] [SATLUG] testing?
X-otic Computer Systems of San Antonio
xcssa at xcssa.org
Sat Aug 29 01:39:33 CDT 2009
On Friday 28 August 2009 12:16:34 am Bruce Dubbs wrote:
[...]
> > Yeah.. Bruce has been known to block entire class-A blocks with iptables
> > because he doesn't like your ISP's nationality... hehe..
>
> Not exactly right. It is because of behavior from clients of ISPs in some
> places. Besides, it's continents, not countries. e.g. RIPE, APNIC,
> AfriNIC, LACNIC.
> http://www.iana.org/assignments/ipv4-address-space/
Those groups of /8 blocks are assigned to the continental registries, yes
Bruce, but the individual /8 blocks are then broken up and divvied out to the
various countries in that region.
But to keep things educational... (cross posting to XCSSA)...
For those interested in this stuff, a good way to block entire countries is by
doing ISO country code-->IP-block lookups, as you can do from here:
http://ip.ludost.net/
And then block very specific "seedy" parts of the nets (where all the botnets,
scans and phishing spam come from). For example.. look up the IP blocks for
ru ko cn and iptables-block those sources on specific (or blanket) IP blocks..
like this:
-A INPUT --source $IP_BLOCK_1 -p tcp -m tcp --dport 25 -j REJECT
-A INPUT --source $IP_BLOCK_1 -p tcp -m tcp --dport 22 -j REJECT
-A INPUT --source $IP_BLOCK_1 -p tcp -m tcp --dport 80 -j REJECT
-A INPUT --source $IP_BLOCK_2 -p tcp -m tcp --dport 25 -j REJECT
-A INPUT --source $IP_BLOCK_2 -p tcp -m tcp --dport 22 -j REJECT
-A INPUT --source $IP_BLOCK_2 -p tcp -m tcp --dport 80 -j REJECT
...
-A INPUT --source $IP_BLOCK_56 -p tcp -m tcp --dport 25 -j REJECT
-A INPUT --source $IP_BLOCK_56 -p tcp -m tcp --dport 22 -j REJECT
-A INPUT --source $IP_BLOCK_56 -p tcp -m tcp --dport 80 -j REJECT
etc.. OR the "cool kid" way is to install and run the iptables kernel support
(and related files) for "geoip" for doing IP blocking based on specific
country codes, and then do it like THIS:
-A INPUT -p tcp --dport 25 -m geoip --src-cc CN,RU,KO -j REJECT
-A INPUT -p tcp --dport 22 -m geoip --src-cc CN,RU,KO -j REJECT
-A INPUT -p tcp --dport 80 -m geoip --src-cc CN,RU,KO -j REJECT
Fun stuff...
Anyone running a setup like this.. or a tarpit?
If so.. please share. :)
Tweeks
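Added example, not from Tweeks' post nor from the lookup site or the geoip module he mentions: a POSIX shell script that takes the "country code, IP block" list such a lookup returns and emits ipset and iptables-restore lines, so each port needs one rule per country instead of one per block (the 56 x 3 list above collapses to 3 rules per country). The sample blocks are constructed RFC 5737 documentation ranges, the set naming is my own, and the sample uses KR because ISO 3166 has KR and KP but no KO.

```shell
#!/bin/sh
# Added example (not from the original post): build per-country ipsets from a
# "CC CIDR" lookup list and match each set with one iptables rule per port.
# Nothing is applied here; review the output, then load it with
#   ipset -exist restore < sets.txt && iptables-restore -n < rules.txt
# (needs the ipset tool and the xt_set match on the firewall host).

# Constructed sample lookup output. These are RFC 5737 documentation ranges,
# not real allocations for any country.
SAMPLE_BLOCKS='CN 203.0.113.0/24
CN 198.51.100.0/25
RU 192.0.2.0/24
KR 192.0.2.128/25'

# Set name for a country code, e.g. CN -> cc_cn (naming is my own choice).
set_name() { printf 'cc_%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"; }

# ipset restore lines for one country: create a hash:net set, add each block.
# $1 = country code, $2 = "CC CIDR" list text
emit_ipset() {
    sname=$(set_name "$1")
    printf 'create %s hash:net family inet\n' "$sname"
    printf '%s\n' "$2" | awk -v cc="$1" -v sname="$sname" \
        '$1 == cc { print "add " sname " " $2 }'
}

# iptables-restore lines: one rule per port matching the whole set, not per block.
# $1 = country code, remaining args = TCP ports
emit_iptables() {
    sname=$(set_name "$1"); shift
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -m set --match-set $sname src -j REJECT"
    done
}

# Complete file for ipset restore ("sets") or iptables-restore ("rules")
# for the given country codes, with the post's three ports.
generate() {
    mode=$1; shift
    if [ "$mode" = rules ]; then printf '*filter\n'; fi
    for cc in "$@"; do
        case $mode in
            sets)  emit_ipset "$cc" "$SAMPLE_BLOCKS" ;;
            rules) emit_iptables "$cc" 25 22 80 ;;
        esac
    done
    if [ "$mode" = rules ]; then printf 'COMMIT\n'; fi
}

# Usage: generate sets CN RU KR > sets.txt; generate rules CN RU KR > rules.txt
```

Keeping the sets separate from the rules also means a refreshed country list is reloaded with ipset alone, without touching the rule chain.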