iptables block by country - performance hit?
raindog308 Administrator, Veteran
edited April 2013 in General

I have a server where CSF/LFD blocks 10-20 IPs a day, every day. 100% of these are from China or Russia - the usual port scanning, brute-forcing, a hundred FIN_WAIT2 connections, etc.

I'm thinking of something like this:

http://www.cyberciti.biz/faq/block-entier-country-using-iptables/

CSF has a "block by country" config also but it warns that it can put a load on a VPS...I imagine some of those chains get really long given how scattered IP distribution is.

Anyone do this?

Comments

  • great-firewall-of-let

    LOL! Nice tag

    Hmmm, I wonder if that is faster than doing it at the application level :P

  • Unsure how well this scales @raindog308. CSF I assume uses iptables.

    Iptables when mass rule making/banning goes downhill ... umm the latency per request climbs.

    ipset is a good fast alternative to use. Bound to be a country based blocking means out there. This is a good read on ipset and some benchmark comparisons:
    http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/

  • bnmkl Member
    edited April 2013

    Really interesting. Thanks.

    50,000 rules : iptables - 12.06 seconds to complete, ipset - 1.28.

  • ^ yeppers @bnmkl. iptables drives me nuts sort of. Never got a proper handle on managing my gazillion rules.... Always saw latency on my old hardware...

    So the ipset is quite interesting... Haven't deployed it and compared to what I know. But that write up is pretty good.

  • Thanks for the article :P

  • CSF uses iptables, and also China has a large number of IP blocks. There will be a small performance hit but not much.

  • goexodus Member
    edited April 2013

    If you use virtual machines you can also use Zentyal as a gateway and whitelist countries.

    http://www.howtoforge.com/zentyal-as-a-gateway-the-perfect-setup

  • Think of it this way, every IP address connecting to your server will be evaluated against a list (that may or may not even be accurate).

    This sadly will incur a performance penalty, though it's often unnoticeable.

    Blocking entire countries is not a real solution, I'm afraid. Maybe starting with the originating subnets of the offending users might be an idea.

  • Well @Wintereise always brings sober reality.

    There are a number of hacks out there for country blocking. Iptables only, no, don't try it.

    ipset + country blocking... yeah should scale better.

    Here's a doc someone wrote in 2012 for CentOS... Read and replicate... Someone care to test and see scale/times?

    [source: http://www.magentomod.com/blog.php#Blocking ]

    What is IPSet? IPSet basically allows you to store multiple IP addresses and/or ports in a table and match across all of them at once. The table seeks are much faster than using individual IPTables rules. IPSet framework is included in 2.6.x kernels and CentOS 6 by default.
    For Centos 6.2 and kernel > 2.6.34 use latest IPset > 6.7.
    Installing IPSet, kmod-ipset, patched iptables for CentOS 5:
    ~$] rpm -ivh http://centos.alt.ru/pub/repository/centos/5/x86_64/ipset-4.5-1.el5.x86_64.rpm
    ~$] rpm -ivh http://centos.alt.ru/pub/repository/centos/5/x86_64/kmod-ipset-4.5-1.el5.x86_64.rpm
    ~$] rpm -ivh http://centos.alt.ru/pub/repository/centos/5/x86_64/iptables-1.3.5-5.6.1.el5.x86_64.rpm
    Our objective is to block China(cn) Korea(kr) Taiwan(tw) Pakistan(pk) Singapore(sg) HongKong(hk) Peru(pe). ~60K entries
    Here we are using nethash set type because the IP database at ipdeny.com which we will be using to block IPs provides IPs in IP-Address/CIDR-length form which is supported only by nethash.
    Creating IPset:
    ~$] ipset -N geoblock nethash
    ~$] for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/{cn,kr,pk,tw,sg,hk,pe}.zone)
    ~$] do
    ~$] ipset -A geoblock $IP
    ~$] done

    ~$] ipset save geoblock
    Matching against the IPSet in IPTables:
    ~$] iptables -A INPUT -m set --set geoblock src -j DROP
    ~$] service iptables save
    ~$] service iptables restart
    Now connections from all IPs that exist in the set geoblock will be blocked.


    That says 60k entries to block China + Korea + Taiwan + Pakistan + Singapore + Hong Kong + Peru.... Tests from scale of earlier link I posted was 50K entries in around 1.2ms... So I'd think 1.5ms or less, depending on load, hardware, etc.
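    The quoted procedure uses the ipset 4.x command forms (`-N`, `-A`, `nethash`); ipset 6 spells these `create`, `add` and `hash:net`, and newer iptables spells the match option `--match-set`. The script below is an added example for this thread, not the magentomod post's script, and shows how the same set can be built from zone files as an `ipset restore` script instead of one `ipset add` process per entry. The set name `geoblock` is carried over from the post; the sample zone lines are constructed, not real country data.

```shell
#!/bin/sh
# Added example, not the magentomod post's script: turn zone files into an
# `ipset restore` script plus the iptables match rule. Assumes ipset 6 syntax
# (create/add, hash:net) and a set named "geoblock"; sample data is constructed.

# Constructed sample zone lines standing in for ipdeny's *.zone files.
# A comment, a blank and a malformed line are included to show they are skipped.
SAMPLE_ZONES='1.0.1.0/24
1.0.2.0/23
# a comment line

1.0.8.0/21
1.0.32.0/19
not-a-cidr'

# Read zone lines on stdin, write an ipset restore script on stdout.
# -exist makes both create and add idempotent, so the script can be re-applied.
# maxelem is raised above the 65536 default because the seven-country list in
# the post is ~60K entries and a full set makes later adds fail.
build_restore_script() {
    set_name="$1"
    printf 'create %s hash:net family inet maxelem 131072 -exist\n' "$set_name"
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' \
        | awk -v set="$set_name" '{ print "add " set " " $1 " -exist" }'
}

# Count the add lines in a restore script (stdin), to compare against the
# published entry count before applying it.
count_adds() {
    grep -c '^add '
}

# Print the matching rule as a shell command that only inserts when the rule is
# absent (-C checks for it), so repeated runs do not stack duplicate rules.
# --match-set is the current spelling of the --set option used in the post.
iptables_rule() {
    set_name="$1"
    printf 'iptables -C INPUT -m set --match-set %s src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set %s src -j DROP\n' \
        "$set_name" "$set_name"
}

# Usage, as root on a host with ipset (zone files concatenated on stdin):
#   cat cn.zone kr.zone | build_restore_script geoblock | ipset restore
#   eval "$(iptables_rule geoblock)"
```

    Building the set through `ipset restore` matters at this size: one `ipset add` process per line, as in the quoted loop, forks tens of thousands of times, while a restore file is parsed in a single call. The `-exist` flags also mean a re-run after a zone refresh only adds what is new rather than failing on the first duplicate.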

  • jarjar Patron Provider, Top Host, Veteran

    Could be a trade off. The amount of IPs I have to ban every day from China could easily create the same performance loss by 5pm. I have to clear it daily or everyone would think I despise good network performance.

    Sometimes I wish I could block China. The clients I've had from China have just been such a pleasure to do business with. Their ISP, however, well Red Forman explains best what I'd like to do to the higher ups at ChinaNet.

  • How many IPs are you plugging in and flushing @jarland? Latency increase tops?

    Give that tutorial a spin and compare. Perma bans, well, tiered up to perma bans, are the way to do this... First offense a time out of 60 seconds, 300 seconds the second time, and keep going... Log and history...

  • jarjar Patron Provider, Top Host, Veteran

    It's reduced lately but it's been as high as 50 or so IPs per day, just brute forcing every IP on the nice.

  • Hmmm that's simple.... Low load @jarland... Cumulative could be an issue if you aren't regularly flushing...

    I need to schedule a hot date with ipset and pace it. I run some very big blocklists.... per offending IP basis. You have to offend to end up on my block list.

    Iptables worked like a turtle at 20k and under entry limit. Reloading the rules at reboot was especially painful. So I will blow up a test VPS trying it out with ipset instead... see if my gripes are gone there.

  • Wintereise Member
    edited April 2013

    @jarland said: The amount of IPs I have to ban every day from China could easily create the same performance loss by 5pm.

    I really doubt that. You're thinking of banning the code of the country with more or less the most amount of IPs originated (All from two upstreams too, even) over 50 issues a day? This can be automated rather easily, and shouldn't even be something that bothers you, to be honest.

    Expand your banning scripts to look up the announced subnet, and add a null on it.

     route add -net 172.16.1.0/24 reject
    

    If on supported systems, you can even try the 'blackhole' method.

    ip route add blackhole 172.16.1.0/24
    
  • KuJoe Member, Host Rep

    Is this for a website? If so, just use mod_geoip and blacklist the country code.

  • While ipset is nice, it won't work on OVZ VEs (not sure if this is an issue for you?) since it's not a supported module yet.

    If you're going to go the route of country blocks without ipset, you're best off grouping the rules by subnet and jumping to a set of rules for that subnet, so that only the subnets and the relevant rules are being checked against vs the thousands of rules.

    I have a shell script here that I've put a little time into lately, if you're interested in the logic and such.

  • pubcrawler Banned
    edited April 2013

    Darnit OVZ bites me in hind end again @ctalkington. Thanks for the heads up for a bozo not in know yet, me.

    See your script is pure iptables. What are any country level blocks you may have tested adding up to in total records/ranges blocked? And, how are the response times and startup reloading the rules?

  • @pubcrawler well for "af cn hk kr pe pk sg tw vn", I generally see like the below for ipdeny source (ipdbinfo is higher count but seems to contain more false positives based on initial testing from ping sites with multiple test sites):

    Chain countryblock-af (8 references)
    Chain countryblock-cn (1935 references)
    Chain countryblock-hk (548 references)
    Chain countryblock-kr (331 references)
    Chain countryblock-pe (105 references)
    Chain countryblock-pk (83 references)
    Chain countryblock-sg (278 references)

    I did this on a VZ HN so it can protect multiple VEs without much overhead but I've done it on several 3rd party VPS providers too without issue.

    Response times don't really seem that impacted but I have to admit I didn't do much of a before and after as it was still speedy quick. Here is a little example showing it doesn't really seem to have much impact for IPs that are meant to get in:

    7 36 ms 15 ms 15 ms as6461.350ecermak.il.ibone.comcast.net [66.208.229.254]
    8 16 ms 16 ms 16 ms xe-4-2-0.cr2.ord2.us.above.net [64.125.22.213]
    9 48 ms 48 ms 48 ms xe-2-0-0.cr2.dfw2.us.above.net [64.125.25.138]
    10 49 ms 50 ms 48 ms xe-0-0-0.cr1.dfw2.us.above.net [64.125.30.73]
    11 49 ms 48 ms 48 ms xe-0-1-0.er1.dfw2.us.above.net [64.125.27.74]
    12 54 ms 50 ms 49 ms 209.66.115.54.t01344-01.above.net [209.66.115.54]
    13 50 ms 49 ms 49 ms VZ HN [REDACTED]
    14 49 ms 50 ms 49 ms VZ VE [REDACTED]

  • @pubcrawler also based on previous, it creates about 27 initial rules, that then jump to matching chain. basically it drills down vs trying to go through whole list at once:

    IN/OUT/FWD -> COUNTRYBLOCK -> BASEOCTET -> SPECIFIC OCTET -> DROP
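    The drill-down layout described above (a handful of per-octet jumps instead of one flat list) can be generated from a CIDR list. The generator below is an added example written for this thread, not the poster's script, which was never posted; the chain names `COUNTRYBLOCK` and `cb-<first octet>`, the `iptables-restore` output format and the sample CIDRs are all this example's own choices, and the sample data is constructed rather than real country ranges.

```shell
#!/bin/sh
# Added example of the INPUT -> COUNTRYBLOCK -> per-octet chain -> DROP layout.
# Not the poster's script: chain names, restore format and sample data are
# this example's own assumptions.

# Constructed sample CIDR list (not real country data), deliberately unsorted.
SAMPLE_CIDRS='1.0.1.0/24
1.0.2.0/23
1.0.32.0/19
14.0.12.0/22
14.1.0.0/22
27.8.0.0/13
1.0.8.0/21'

# Read CIDRs on stdin, write an iptables-restore fragment for the filter table.
# COUNTRYBLOCK holds one jump per distinct first octet; each cb-<octet> chain
# holds only the networks under that octet. A packet from, say, 5.x.x.x is
# tested against three octet jumps here instead of every network in the list.
build_chain_rules() {
    awk '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
        split($1, o, ".")
        octet = o[1]
        if (!(octet in seen)) { seen[octet] = 1; order[++n] = octet }
        nets[octet] = nets[octet] $1 "\n"
    }
    END {
        print "*filter"
        print ":COUNTRYBLOCK - [0:0]"
        for (i = 1; i <= n; i++) print ":cb-" order[i] " - [0:0]"
        print "-I INPUT -j COUNTRYBLOCK"
        for (i = 1; i <= n; i++)
            print "-A COUNTRYBLOCK -s " order[i] ".0.0.0/8 -j cb-" order[i]
        for (i = 1; i <= n; i++) {
            m = split(nets[order[i]], list, "\n")
            for (j = 1; j <= m; j++)
                if (list[j] != "") print "-A cb-" order[i] " -s " list[j] " -j DROP"
        }
        print "COMMIT"
    }'
}

# Number of first-octet jumps in the generated COUNTRYBLOCK chain (stdin).
count_octet_jumps() {
    grep -c '^-A COUNTRYBLOCK '
}

# Number of DROP rules across the leaf chains (stdin).
count_drops() {
    grep -c -- '-j DROP$'
}

# Usage, as root:
#   cat cn.zone kr.zone | build_chain_rules | iptables-restore -n
# -n (--noflush) keeps the rest of the filter table; the "-I INPUT" jump is
# inserted again on every apply, so delete the old jump first when reloading.
```

    Loading the whole ruleset through `iptables-restore` in one call is also what addresses the slow-reboot complaint later in the thread: the table is committed atomically instead of one `iptables` invocation per rule.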

  • @pubcrawler you could also make a similar script that reads a list of IPs in CIDR from a file vs a downloaded source. I may eventually do such a thing as a way to add custom rules, and/or a script/web service could append an IP if it felt it was being attacked etc. Could even build my own little admin, etc. Def lots of options.

  • Http traffic? Use the nginx geoip module and block the country

  • budingyun Member
    edited April 2013

    It's CSF LFD. Blocking ssh bruteforce from specific country.

    edit: The easier method is to just change the ssh port.

  • @budingyun Yes, and smaller log files

  • raindog308 Administrator, Veteran

    @KuJoe said: Is this for a website?

    It's actually for the entire server. Daily I get CSF/LFD telling me about

    • brute force attempts on dovecot, ftp, etc. I don't usually see it on ssh because I don't run the ssh on port 22

    • port scanning

    • some IP opening 200 connections to apache and it sitting in FIN_WAIT2, etc.

  • Actually I use that firewall, and block some countries that don't have anything to do with me.

    LV, CN, RU, IN, and more.

    the problem is when you restart your server, iptables has to remove/add all again, can take a while, depending how many countries you have blocked, and how many blocks are per country.

    also remember, not all the country blocks are 100% accurate, but maybe yes 99.9%
