[TOP TIP] firewalld and ipset (country blacklist)

In a previous post, I mentioned how to create an ipset blacklist. In recent versions of firewalld, the developers implemented support for ipset from within firewalld, thus there is no need to setup ipset separately. Here is a quick and easy way to create an IP/net blacklist by using the new firewall-cmd commands. At the same time I will demonstrate how to block entire countries from being able to access your server.

Create the blacklist:

firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet --option=hashsize=4096 --option=maxelem=200000

* –permanent = use to make changes to the permanent configuration

  • –new-ipset = name of the new IP/net blacklist

  • –type = storage hash type, "net" is for subnets, while "ip" for individual ip addresses

  • –option=family = IPv4 or IPv6 network, inet is for IPv4

  • –option=hashsize = the initial hash size of the list

  • –option=maxelem = max number of elements

Download net blocks:

wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
tar -vxzf all-zones.tar.gz

Choose which countries you would like to block, ipdeny.com provides net blocks by country. The above command will download all country zones together in one archive. Once extracted you should end up with various files, each named after a country, for example "cn.zone" for China. I can't tell you what to block, it all depends on what kind of service you provide and the location of your "real" requests. Personally, I run many major European sites and based on my logs, I block the following countries: ar bd bg br by cn co il in ir kp ly mn mu pa sd tw ua ro ru ve vn

After block the above countries, SPAM and hacking attempts dropped to nearly zero. Pretty much anything else comes via a European or American proxy, but that is easy to mitigate, once I file an abuse report to their network provider, the proxy is usually shut down rather quickly. While orchestrated and methodical hacks won't be mitigated by a simple country block list, everything else will be blocked, especially spam.

Populate the blacklist:

firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=./cn.zone

The above command will load a country zone file to our blacklist. Make sure to change the path and filename to your chosen country zone file. You may also add individual IP addresses or net blocks by yourself, from the shell or by using a tool like fail2ban, with the following simple shell script (for example, save it as ~/bin/ban):

firewall-cmd --permanent --ipset=blacklist --add-entry=$1
firewall-cmd --ipset=blacklist --add-entry=$1

Run it like this:

ban 192.168.1.0/24

Redirect the blacklist to the drop zone

firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
firewall-cmd --reload

So far, we have created a blacklist and populated it with IP addresses and net blocks, but it is not blocking anything. In order to use our blacklist, we set it as a firewall "source", this means that anything that matches our blacklist will be redirected to a specific zone. Thus, by redirecting the blacklist to the "drop" zone, we effectively block all connections that match our blacklist. Simple and effective. The reload command at the end is needed to bring our permanent changes to the live/running firewall.

PS:

You may expand the above into a monthly script, run as a cron job, which clears the blacklist and re-downloads the list with the latest zones.

11 Replies

This guild is excellent and I have used it a few times. I am wondering if there is a way to whitelist 1 IP from a block that might be in the drop zone?

Since iptables rules are read from top to bottom, it might be possible to accomplish this by inserting (with -I) an ACCEPT rule for the IP you want to whitelist, to the top of your ruleset. For example:

sudo iptables -I INPUT -s 1.2.3.4 -j ACCEPT

What would you do if you want to exclusively use firewall-cmd for the whitelist?

@thebtm I found some instructions for you! The two below forum posts can walk you through the steps of how to accomplish whitelisting IP addresses with firewall-cmd.

While your solution might be a good one for newbies, it doesn't address IPv6 at all. The allzones.tar.gz file from ipdeny.com only contains IPv4 addresses. If you have IPv6 turned on in your Linode (the default, btw), you've left open an Abrams tank sized hole in your strategy for stuff like this:

https://www.computerworld.com/article/2510866/scariest-ipv6-attack-scenarios.html

Also, suppose you wanted to block (IPv4) traffic from a specific entity's addresses…say from QuadraNet -- a Los Angeles, CA server company that has the worst reputation in the industry and run by an Israeli fugitive who can't return home…full of spammers, scammers, phishers and 'bots. To mitigate this situation using your solution you would have to block all the IP (v4) addresses in the USA. Call me crazy but, IMHO, your Linode wouldn't be very useful after that.

Similarly, what if your system is attacked using a bogon (see: https://ipgeolocation.io/resources/bogon.html )? Bogons have no geolocation. Again, you're wide open…unless you want to blacklist every country on the internet…and, even then, the attack using the bogon address/network wouldn't be stopped.

All that being said, you need to be more nuanced in how you form your blacklists…and you absolutely need to handle IPv6.

-- sw

If you find something like this either too inflexible or otherwise insufficient, you could either replace or augment it with fail2ban.

I have left IPv6 turned off at this time. Yeah, some places use it but for the most part, in Canada, everyone has an IPv4 (as far as I can tell). Its great for documenting for in the future when IPv6 truly takes over.

plus, its just a lab server, to play around, $5 USD isn't that much a month or sum over a year is cheaper then a lot of servers.

I am sure I blocked the US but I could be wrong. I also run fail2ban and to top it off, only accessible via SSH-Key and only one key, If i lose my key, there is always the fall back to the console from the linode cloud site.

you can only do the best you can with what you know and hope the few combined methods will give that little bit of extra protection, but nothing is 100% for sure.

@thebtm --

You write:

you can only do the best you can with what you know and hope the few combined methods will give that little bit of extra protection, but nothing is 100% for sure.

You're right… I was merely suggesting that blocking at the level of countries is not fine-grained enough. In addition to (highly-optimized) blacklists, I use fail2ban(1) as well. The two together have convinced about 98% of the world's bad actors that they don't want to mess around with me ;-)

-- sw

After following this post, I created a quick script that might be beneficial to anyone else who stumbles across this thread when trying to block entire countries.

The script blocks both ipv4 and ipv6 via the lists from ipdeny.com, using the method that @forum:IfThenElse provided.

Feel free to modify/comment with improvements:

https://github.com/operator27c/firewalld-block-ipset

@tylong --

What are you going to do about things like:

  • ASN 62458 ( VpsQuan, LLC -- a Chinese company operating servers located in Wyoming);
  • ASN 135330 ( acdata.com -- a Hong Kong company operating in the US as klayer.com with servers located in the US);
  • ASN 208410 ( Internet Hosting, Ltd -- a Russian proxy operating in London with servers located in England);
  • etc, etc, etc…

All of these are guilty of the same transgressions as main-/motherland companies that would get blocked by your script.

Don't get me wrong… I block by country too (although I use a different source for data) but just simply blocking by country is not enough.

-- sw

@stevewi --

You raise a great point about foreign companies/parties using computing resources within an allowed country for malicious activities. For those instances, this method fails to address the problem.

As a countermeasure, I've put fail2ban on my servers with a very strict find/ban policy for offenders that are not automatically blocked by the bash script. SSH is also protected by Duo 2FA if someone should get my credentials.

The mass-blocking by country is more of a preventative action to lessen the load placed upon fail2ban, though that could change at any time from a targeted attack via resources in an allowed country.

I suppose the nuclear option would be to only allow a group of IP addresses to talk to the SSH port, but that assumes that you have a static address from your ISP, and still could be exploited/spoofed if they gather enough information.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct