On 08/21/2013 11:07 PM, John Griffiths wrote:
I thought I had the idea of how to add an IP to be dropped like iptables,
but after some further reading, I am not sure.
I add IPs to iptables that I find are trying to hack into or abuse the
system by using a script to examine log files and compile a list of IPs
and add them to iptables. Of course that requires a restart of iptables
for the new rules to take effect.
I thought I could add the IPs to the DROP zone as sources. That
apparently is not what I should do. That leaves me with what I should do
and whether it can be done.
You can bind IP addresses to the drop zone, but with lots of IP
addresses this will result in a performance hit.
Therefore I would propose to use an ipset for this.
Create an ipset and add all IP addresses to it. Then add a permanent
direct rule to the firewall to DROP these. The performance hit should be
much lower (I have not tested it with that many entries, though).
Here are some steps to get this working for you. Please modify as needed.
1) Create the droplist shell script in /usr/local/bin and add IP addresses
to the droplist ipset (the heredoc is unquoted, so every $ that should
survive into the script is escaped):
cat > /usr/local/bin/droplist.sh <<EOF
#!/bin/bash
# Creates or destroys the "droplist" ipset. The set must exist before
# firewalld adds the direct rule that references it.
case "\$1" in
    start)
        echo "Create droplist"
        /sbin/ipset create droplist hash:ip hashsize 4096
        RETVAL=\$?
        # Add IP addresses here (see examples below)...
        ################################################
        /sbin/ipset add droplist 192.168.0.5
        /sbin/ipset add droplist 192.168.0.6
        ################################################
        ;;
    stop)
        echo "Destroy droplist"
        /sbin/ipset destroy droplist
        RETVAL=\$?
        ;;
    *)
        echo "Usage: \$0 {start|stop}"
        RETVAL=2
        ;;
esac
exit \$RETVAL
EOF
chmod ug+rx /usr/local/bin/droplist.sh
2) Create the service to create the droplist before firewalld starts:
cat > /etc/systemd/system/droplist.service <<EOF
[Unit]
Description=Droplist
Before=firewalld.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/droplist.sh start
ExecStop=/usr/local/bin/droplist.sh stop
[Install]
WantedBy=basic.target
EOF
3) Use the droplist permanently in firewalld. A firewalld reload is
needed to activate it (firewall-cmd --reload):
cat > /etc/firewalld/direct.xml <<EOF
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set droplist src -j DROP</rule>
</direct>
EOF
Please remember that you can not destroy a set that is in use by the
firewall. Also, if a set is needed in a rule, the set has to be created
before the rule can be added to the firewall. But you can add entries to
and remove entries from the set while it is already in use. It is not
possible to mix IPv4 and IPv6 addresses in a set. Use one set for IPv4
and another one for IPv6 instead. Please have a look at the ipset man
page. If you are also using network addresses, please use hash:net.
As firewalld is not able to handle ipsets itself, you have to make sure
that the ipset you want to use in the firewall is created before
firewalld starts, otherwise adding the rule using the set will fail.
ipset does not provide an init or systemd service at the moment.
You can add permanent direct rules with firewalld version 0.3.4 with the
direct.xml file in /etc/firewalld. The D-Bus interface for permanent
direct rules has been in the Git repo for some days now, and the command
line support and UI stuff will be there soon.
BTW: The addition of address sets is on my TODO list for rich
language, but this will most likely take some time.
I have over 8000 host IPs that I drop using:
-A INPUT -s 222.221.2.210 -j DROP
-A INPUT -s 222.221.12.13 -j DROP
-A INPUT -s 222.221.12.104 -j DROP
-A INPUT -s 222.221.88.88 -j DROP
How do I drop connections to hosts that have abused the privilege of
connecting to a service?
I was using
for i in `grep DROP iptables | awk '{print $4}' | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4`
do
    firewall-cmd --permanent --zone=drop --add-source=${i}/32
done
That is extremely slow by the way, since two files are written for each
add. It took a long time to add 8000+ records. It would be nice to have a
batch mode to do multiple inserts.
The public zone is still default. The network interface is in zone home
and my VPN connection is in zone work.
Any guidance is greatly appreciated.
John
_______________________________________________
firewalld-users mailing list
firewalld-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Regards,
Thomas
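Added example, not part of the thread and not firewalld or ipset project code: a helper that turns John's existing iptables DROP lines ("-A INPUT -s <addr> -j DROP") into a file for `ipset restore`, so the 8000+ entries load in one batch rather than one firewall-cmd call per address. It follows Thomas's caveats above: IPv4 and IPv6 go into separate sets because a set cannot mix families, and hash:net is used so single hosts and CIDR blocks can share a set. The set names "droplist" and "droplist6", the file path in the usage comment, and the sample input in the test are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: convert iptables DROP lines
# ("-A INPUT -s <addr> -j DROP") into a file for "ipset restore", so that
# thousands of entries load in one batch instead of one firewall-cmd call
# per address. Two sets are produced because a set cannot mix IPv4 and
# IPv6, and hash:net is used so host addresses and CIDR blocks share a set.
# Set names "droplist"/"droplist6" and the input format are assumptions.

# valid_v4 ADDR: exactly four non-empty decimal fields, each 0..255.
valid_v4() {
    case "$1" in
        *.*.*.*.*|*[!0-9.]*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    local IFS=. o
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# valid_v6 ADDR: lenient check (hex digits and colons, at least two colons);
# ipset itself rejects anything still malformed when the file is restored.
valid_v6() {
    case "$1" in *[!0-9a-fA-F:]*) return 1 ;; esac
    case "$1" in *:*:*) return 0 ;; *) return 1 ;; esac
}

# classify_addr ADDR: prints v4, v4net, v6, v6net or bad.
classify_addr() {
    local addr=$1 pfx= kind max
    case "$addr" in
        */*)
            pfx=${addr##*/}
            addr=${addr%/*}
            # Prefix length must be a non-empty decimal number.
            case "$pfx" in ''|*[!0-9]*) echo bad; return 0 ;; esac ;;
    esac
    if valid_v4 "$addr"; then kind=v4; max=32
    elif valid_v6 "$addr"; then kind=v6; max=128
    else echo bad; return 0
    fi
    if [ -z "$pfx" ]; then echo "$kind"
    elif [ "$pfx" -le "$max" ]; then echo "${kind}net"
    else echo bad
    fi
}

# gen_restore FILE [V4SET] [V6SET]: read iptables-save style lines from FILE
# and write an "ipset restore" script to stdout. Duplicates are removed;
# unparseable addresses are reported on stderr and skipped.
gen_restore() {
    local file=$1 v4set=${2:-droplist} v6set=${3:-droplist6} addr
    # maxelem 65536 is the ipset default; raise it if the list grows past that.
    echo "create $v4set hash:net family inet hashsize 4096 maxelem 65536"
    echo "create $v6set hash:net family inet6 hashsize 4096 maxelem 65536"
    sed -n 's/.*-s[[:space:]][[:space:]]*\([^[:space:]][^[:space:]]*\).*/\1/p' "$file" |
    sort -u |
    while IFS= read -r addr; do
        case "$(classify_addr "$addr")" in
            v4|v4net) echo "add $v4set $addr" ;;
            v6|v6net) echo "add $v6set $addr" ;;
            *)        echo "skipping unparseable address: $addr" >&2 ;;
        esac
    done
}

# Usage (paths are assumptions):
#   ./iptables-to-ipset.sh /path/to/saved-rules > /etc/droplist.restore
#   /sbin/ipset restore < /etc/droplist.restore
if [ "$#" -gt 0 ]; then
    gen_restore "$@"
fi
```

With the generated file in place, the individual `ipset add` lines in the step 1 script can be replaced by a single `/sbin/ipset restore < /etc/droplist.restore` after the set is created (or instead of the create, since the restore file creates both sets itself), and direct.xml gets a second rule with `ipv="ipv6"` that references droplist6. Because `ipset restore` loads everything in one pass, it also avoids the per-entry file rewrites John observed with `firewall-cmd --permanent --add-source`.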