How do i batch update Linode Firewall Sources IP Address?

Hi,

Is there a way wherein I can add batch IP addresses into the rules other than through the GUI on our site? I am lazy to add thousands of IP addresses x X number of rules.

My goal is to prevent DDoS attacks on my game servers since Cloudflare only protects web ports.

5 Replies

What firewall are you talking about? iptables? Linode Cloud Firewall?

If it's iptables, then the answer to your question is absolutely yes. You can manage it with shell scripts (provided the GUI you mention doesn't do anything strange).

If it's the Cloud Firewall, then presumably you can manage it with the Linode API, but I don't know that for sure.

-- sw

The curl JSON method mentioned in the Linode API docs stevewi linked above works for me, although since I'm participating in the beta program I must use api.linode.com/v4beta/

The Cloud Firewall is limited to 255 individual IP addresses and/or 255 network masks. Since I'm assuming the "thousands" of IPs mentioned are different player IP addresses in different netmasks, you virtually aren't going to be able to fit each one into the Cloud Firewall. In your case you'll likely have to either whitelist or blacklist large netmasks and then use iptables for further filtering.

Or perhaps send player IPs to the firewall when flooded. However, Linode won't like frequent updates to the Cloud Firewall, so if you get flooded often and are constantly updating the firewall they might ask you to stop.

When using a large number of IP addresses in iptables I would also recommend installing ipset, since it can handle many addresses better than iptables can alone. ipset can also allow you to use the iptables raw PREROUTING chain, which is more efficient than mangle or INPUT despite raw not having access to conntrack, since ipset can both remember and update IP timeouts and allows removing/adding IPs without disrupting other connections. You can read more about iptables and Linux kernel efficiency here:

https://blog.cloudflare.com/how-to-drop-10-million-packets/

It's worth noting ipset also works with tc filter.
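As an added example (not code from the thread or from Linode), the script below turns a text list of player IPs into a Cloud Firewall rule update: it merges duplicate and overlapping entries into the fewest CIDR blocks and refuses to exceed the 255-address limit ryanbearden mentions instead of silently truncating. It assumes the documented PUT /v4/networking/firewalls/{id}/rules endpoint with a Bearer token; the LINODE_TOKEN and FIREWALL_ID variables, the UDP port 27015 and the sample addresses are constructed placeholders.

```python
import ipaddress
import json
import os
import urllib.request

MAX_ADDRESSES = 255  # Cloud Firewall limit on individual addresses/masks, per the thread

# Constructed sample input: one IP or CIDR per line, '#' comments allowed.
SAMPLE_SOURCES = "203.0.113.10\n203.0.113.11\n203.0.113.0/24  # covers both above\n2001:db8::1\n"

def load_sources(text):
    """Parse the list, skip blanks and comments, and merge duplicate, adjacent
    or overlapping entries into the fewest CIDR blocks per address family."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4], [str(n) for n in v6]

def build_rules(ipv4, ipv6, port, label="game-allowlist"):
    """Accept the game port only from the listed sources and drop every other
    inbound packet. Refuse to exceed the limit rather than silently truncate."""
    total = len(ipv4) + len(ipv6)
    if total > MAX_ADDRESSES:
        raise ValueError(f"{total} sources exceed the {MAX_ADDRESSES} limit; aggregate or use ipset")
    rule = {"action": "ACCEPT", "label": label, "protocol": "UDP",
            "ports": str(port), "addresses": {"ipv4": ipv4, "ipv6": ipv6}}
    return {"inbound_policy": "DROP", "outbound_policy": "ACCEPT",
            "inbound": [rule], "outbound": []}

def push_rules(firewall_id, body, token):
    """PUT the rule set (replaces the firewall's current rules). Assumed
    endpoint: /v4/networking/firewalls/{id}/rules with a Bearer token."""
    req = urllib.request.Request(
        f"https://api.linode.com/v4/networking/firewalls/{firewall_id}/rules",
        data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    body = build_rules(*load_sources(SAMPLE_SOURCES), port=27015)
    print(json.dumps(body, indent=2))  # dry run: inspect the payload before pushing
    if os.environ.get("LINODE_TOKEN") and os.environ.get("FIREWALL_ID"):  # placeholders
        print(push_rules(os.environ["FIREWALL_ID"], body, os.environ["LINODE_TOKEN"]))
```

Note that the PUT replaces the firewall's whole rule set, so include any other rules you need in the body, and keep updates infrequent given ryanbearden's point about Linode not liking constant changes.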

Hi,

Yes, I am using Linode's Cloud Firewall. Thanks @ryanbearden for the heads up about the 255 individual IP addresses; that is something I need to take into consideration. My plan was to whitelist a country's (e.g. Philippine) IP addresses so only they can connect to my game server. My Linode is running Windows Server 2022 and somehow I like the Cloud Firewall. My initial plan is to just manually add legit player IP addresses and maintain that 255 threshold, but are there other things that might work in case?

To build on what @ryanbearden said, ipset tables live in kernel space so large ipsets will consume large amounts of kernel memory.

That being said, ipsets are extremely useful…

The other thing you have to worry about is that most (if not all) ISPs manage their available address space by assigning customers to “DHCP pools”. This means that, once an ISP customer logs off their internet connection, the ISP can automatically give the IP address to another customer. The upshot is that your players’ IP addresses will change periodically…player IP addresses are not static. This fact has to be factored into whatever scheme you use as well.

-- sw

Thanks for the responses. I have already found a way to create a system that will update the Windows firewall using the netsh advfirewall firewall command combined with a text file created from sqlcmd. Players will just have to register their current IP address. It goes to the DB, then is pulled into a text file, then punched into the firewall's allowed remote IPs.
