IP Blacklisting Experiment using IPTABLES

written by Jeff Borders
last revised on 04/25/06
 
Problem:  Customer was getting too many dictionary attacks on their TCP port 22 (sshd).  Since their business is only in the Columbus area and sometimes from out of state, I limited their inbound traffic to roughly US only.  By looking up the ip blocks from http://www.iana.org/assignments/ipv4-address-space, I was able to get an approximation of where certain ip blocks originate.  This is not foolproof, and I'm sure I'll be making changes to this list in the future.
 
Solution:  Download the files and put them in your /etc/rc.d directory.  Run ip_blacklist from rc.local or from your firewall script to block ip addresses by region.
 
Download ip_blacklist, ipblocks-apnic.txt, ipblocks-lacnic.txt and ipblocks-ripe.txt.
#!/bin/sh
#
# ip_blacklist
#
# Using a portion of Monmotha's IPTABLES script,
# read in individual blacklisted ips and ips
# by geographical region.  Specifically, APNIC,
# LACNIC and RIPE. Asia/Pacific, Latin and Central
# america, and Europe respectively.
#
# Format of the ipblocks files is (one entry per line):
# a.0.0.0/255.0.0.0:comment
#
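PATH=/usr/bin:/bin:/sbin
IPTABLES=/sbin/iptables
blacklisted_ips=/etc/rc.d/block-ip.all
blacklisted_ips_by_region_file="ipblocks-apnic.txt ipblocks-lacnic.txt ipblocks-ripe.txt"

# The region files are looked up relative to /etc/rc.d.  If the cd fails we
# must not carry on reading files from whatever the current directory
# happens to be, so fail closed instead.
cd /etc/rc.d || { echo "ip_blacklist: cannot cd to /etc/rc.d" >&2; exit 1; }

#########################################
# Append DROP rules to the INPUT and FORWARD chains for every entry in
# one block file.
# Arguments: $1 - block file (a.0.0.0/255.0.0.0:comment, one per line)
#            $2 - message prefix printed before each blocked entry
# Outputs:   one "<prefix><address>" line per rule pair on stdout,
#            malformed entries and iptables failures on stderr
# Notes:     rules are appended (-A), so run this before any rule that
#            would ACCEPT the same sources, or the DROPs never match.
#            Blank and "#" comment lines are skipped.  An entry that is
#            not made of digits, dots and "/" is rejected rather than
#            passed on, so a stray line cannot become extra iptables
#            arguments.
#########################################
block_file() {
  bf_file=$1
  bf_label=$2
  # read without IFS= trims surrounding whitespace like the old
  # "echo $line" did; "|| [ -n ... ]" keeps a last line without newline.
  while read -r line || [ -n "$line" ]; do
    # Keep only the address part, i.e. everything before the first ":".
    shost=${line%%:*}
    case "$shost" in
      ''|\#*)
        continue ;;
      *[!0-9./]*)
        echo "ip_blacklist: skipping malformed entry in ${bf_file}: ${line}" >&2
        continue ;;
    esac
    echo "${bf_label}${shost}"
    # Keep going on failure (best effort, as before) but say so, so a
    # missing rule is visible in the boot log rather than silent.
    "${IPTABLES}" -t filter -A INPUT -s "${shost}" -j DROP \
      || echo "ip_blacklist: INPUT rule for ${shost} failed" >&2
    "${IPTABLES}" -t filter -A FORWARD -s "${shost}" -j DROP \
      || echo "ip_blacklist: FORWARD rule for ${shost} failed" >&2
  done < "${bf_file}"
}

# Individually blacklisted hosts (optional file).
if [ -f "${blacklisted_ips}" ]; then
  block_file "${blacklisted_ips}" "Blacklisting "
fi

# Whole regions; the list is deliberately word-split on spaces.
for i in ${blacklisted_ips_by_region_file}; do
  if [ -f "${i}" ]; then
    block_file "${i}" "Blacklisting by region "
  else
    echo "ip_blacklist: ${i} not found, skipping" >&2
  fi
done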

#########################################
# block-ip.all
# Use the format listed below and add
# any ip addresses that are sending
# you spam or doing port attacks.

# ipblocks-apnic.txt
# Asia-Pacific-Alaska-Hawaii (APNIC)
58.0.0.0/255.0.0.0:APNIC
59.0.0.0/255.0.0.0:APNIC
60.0.0.0/255.0.0.0:APNIC
61.0.0.0/255.0.0.0:APNIC
121.0.0.0/255.0.0.0:APNIC
122.0.0.0/255.0.0.0:APNIC
123.0.0.0/255.0.0.0:APNIC
124.0.0.0/255.0.0.0:APNIC
125.0.0.0/255.0.0.0:APNIC
126.0.0.0/255.0.0.0:APNIC
202.0.0.0/255.0.0.0:APNIC
203.0.0.0/255.0.0.0:APNIC
210.0.0.0/255.0.0.0:APNIC
211.0.0.0/255.0.0.0:APNIC
218.0.0.0/255.0.0.0:APNIC
219.0.0.0/255.0.0.0:APNIC
220.0.0.0/255.0.0.0:APNIC
221.0.0.0/255.0.0.0:APNIC
222.0.0.0/255.0.0.0:APNIC
222.0.0.0/255.0.0.0:APNIC

# ipblocks-lacnic.txt
# Latin and Central America (LACNIC)
189.0.0.0/255.0.0.0:LACNIC
190.0.0.0/255.0.0.0:LACNIC
200.0.0.0/255.0.0.0:LACNIC
201.0.0.0/255.0.0.0:LACNIC

# ipblocks-ripe.txt
# Europe and Middle East (RIPE NCC)
62.0.0.0/255.0.0.0:RIPE NCC
80.0.0.0/255.0.0.0:RIPE NCC
81.0.0.0/255.0.0.0:RIPE NCC
82.0.0.0/255.0.0.0:RIPE NCC
83.0.0.0/255.0.0.0:RIPE NCC
84.0.0.0/255.0.0.0:RIPE NCC
85.0.0.0/255.0.0.0:RIPE NCC
86.0.0.0/255.0.0.0:RIPE NCC
87.0.0.0/255.0.0.0:RIPE NCC
88.0.0.0/255.0.0.0:RIPE NCC
89.0.0.0/255.0.0.0:RIPE NCC
90.0.0.0/255.0.0.0:RIPE NCC
91.0.0.0/255.0.0.0:RIPE NCC
193.0.0.0/255.0.0.0:RIPE NCC
194.0.0.0/255.0.0.0:RIPE NCC
195.0.0.0/255.0.0.0:RIPE NCC
212.0.0.0/255.0.0.0:RIPE NCC
213.0.0.0/255.0.0.0:RIPE NCC
217.0.0.0/255.0.0.0:RIPE NCC