iptables, on which interface to block bogons?
Hello,
My aim is to block so-called "bogons" (http://iplists.firehol.org/?ipset=fullbogons).
I will do it through ipset (probably with the hash:net parameter, as the total number of IPs is a few hundred million).
But I need to block it on the proper interface, because my server hosts a few virtual servers whose main net interface is venet0.
My dedicated OpenVZ VPS host server has these interfaces:
em1, lo, venet0
I could block it on all interfaces like this:
iptables -I INPUT -m set --match-set badips src -j DROP
iptables -I FORWARD -m set --match-set badips src -j DROP
(badips is the ipset set name; btw my iptables is like this currently)
But I have doubts about not blocking 127.**** or 10.8.0.2 (VPN) kind of VPS traffic. On which interface(s) should I block bogons on my dedicated host server in my case, please?
Thank you
Comments
I would suggest using a separate ruleset chain and adding a whitelist set (type hash:net) as the first entry; you can add your local subnets and 127.0.0.0/8 to make sure they never get blocked.
EDIT: you should probably create the INPUT/FORWARD rules just for the public facing interfaces, particularly if you have a lot of VPN, or egress traffic.
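The layout suggested above (a separate chain, a whitelist set checked first, hooks only on the public interface), written out as an added example script that is not from this thread or from the firehol project. The interface name em1, the set names badips/goodips, the chain name BOGONS and the whitelisted subnets are assumptions taken from the question; the bogon file it loads is a small constructed sample in the fullbogons format, not the real list. By default the script only prints the commands it would run (so it can be read and tested without root); set APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: em1 (public interface),
# badips (bogon set), goodips (whitelist set), BOGONS (chain). Dry-run unless APPLY=1.

PUBLIC_IF="${PUBLIC_IF:-em1}"
BOGON_SET="${BOGON_SET:-badips}"
ALLOW_SET="${ALLOW_SET:-goodips}"
CHAIN="${CHAIN:-BOGONS}"

# Networks that must never be dropped even though the fullbogons list contains
# them: loopback, the VPN range from the question, and the RFC1918 ranges.
# Assumption: these are the only private ranges legitimately seen on this host.
ALLOW_NETS="127.0.0.0/8 10.8.0.0/24 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the command (dry run) or execute it (APPLY=1, needs root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# ipset definitions. hash:net stores whole networks, so a few hundred thousand
# entries cover hundreds of millions of addresses, but maxelem must be raised
# above the 65536 default or adding the full list fails part way through.
build_sets() {
    run ipset create "$ALLOW_SET" hash:net family inet -exist
    run ipset create "$BOGON_SET" hash:net family inet hashsize 65536 maxelem 1000000 -exist
    for net in $ALLOW_NETS; do
        run ipset add "$ALLOW_SET" "$net" -exist
    done
}

# The chain: whitelist RETURN first, then the DROP. Only packets arriving on the
# public interface are sent to it, so lo, venet0 and tunnel traffic never see it.
build_rules() {
    run iptables -N "$CHAIN"
    run iptables -F "$CHAIN"
    run iptables -A "$CHAIN" -m set --match-set "$ALLOW_SET" src -j RETURN
    run iptables -A "$CHAIN" -m set --match-set "$BOGON_SET" src -j DROP
    run iptables -I INPUT -i "$PUBLIC_IF" -j "$CHAIN"
    run iptables -I FORWARD -i "$PUBLIC_IF" -j "$CHAIN"
}

# Turn a fullbogons file (one network per line, '#' comments) into
# 'ipset restore' input; far faster than one 'ipset add' per line.
bogons_to_restore() {
    awk -v set="$BOGON_SET" '!/^#/ && NF { print "add " set " " $1 " -exist" }' "$1"
}

load_bogons() {
    if [ "${APPLY:-0}" = "1" ]; then
        bogons_to_restore "$1" | ipset restore
    else
        bogons_to_restore "$1"
    fi
}

# Constructed sample in fullbogons format, NOT the real list, for a dry run.
sample_bogons_file() {
    f="${TMPDIR:-/tmp}/bogons.sample.$$"
    cat > "$f" <<'EOF'
# constructed sample, not the real fullbogons list
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
192.0.2.0/24
EOF
    echo "$f"
}

build_sets
build_rules
load_bogons "$(sample_bogons_file)"
```

Two things worth noting about the design. The `-i em1` match is what actually answers the question: packets on lo or venet0 are never sent to the chain, so the 127.x and VPS-to-VPS cases are untouched regardless of what the set contains, and the whitelist is a second safeguard for the day the chain gets hooked on another interface. The flip side is that every whitelisted range is also exempt on em1, so spoofed 10/8 or 192.168/16 packets from the internet are no longer dropped by this chain; if the VPN tunnel terminates on a tun/tap device rather than em1, the 10.8.0.0/24 entry is not needed at all. Also, `iptables -I` adds a new jump every time the script runs, so when re-running it check with `iptables -C INPUT -i em1 -j BOGONS` first or flush the jumps before re-inserting.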
You mean for blacklist/DROP kind of rules, by defining "-i em1" in the rules, so it will block just remote incoming traffic and ignore outgoing bogon IP traffic? So I assume VPS venet0 outgoing traffic is using the INPUT/FORWARD chain; if not, there would be no reason for whitelisting 127.0.0.0/8.
I would recommend just using the CSF firewall, using its block list for bogons, and enabling ipset in the config.