Block all subnets of a certain country using iptables

BitProcessor Member
edited January 2013 in Tutorials

Hi everybody,

We were experiencing extremely high loads on one of our web-servers, generating enormous loads on Apache, eventually resulting in the server running out of memory and just locking up.

Most IPs were coming from a certain country, so in the end, I ended up simply blocking all subnets from that specific country (no interesting information for them on our websites anyway).

I did this by using the following script:
http://www.cyberciti.biz/faq/block-entier-country-using-iptables/

Very effective - a tail -f /var/log/messages is very amusing once the script is active.
And of course, iptables --list -v -n ; gotta love those counters.

At the moment it is running on the webserver itself in test, will probably move it to our firewall at a later stage, if it proves to be effective (so far it seems to be very effective).

Thought I might share this with you guys, I'm probably not the only one experiencing this kind of trouble ;)
(And yeah, I should probably move to something like NGINX etc... but that's not an option right now ;) )

(a thank you goes out to my colleague for finding the above script on the internet)
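The approach the post describes, as an added example rather than the cyberciti script it links or anything posted in this thread: a POSIX sh script that reads a per-country zone file (one IPv4 CIDR per line, the format the usual zone-file services publish) into a dedicated iptables chain, with matches jumping to a second chain that logs at a limited rate and then drops. The chain name `COUNTRYBLOCK`, the `DRY_RUN` switch and the sample entries (RFC 5737 documentation prefixes, constructed for this example) are assumptions; nothing here is a real country list.

```shell
#!/bin/sh
# Added example, not the script linked in the post: load a per-country list of
# CIDR blocks into a dedicated iptables chain. Chain names, DRY_RUN and the
# sample list below are assumptions chosen for this example.
#
# DRY_RUN=1 (the default) prints the iptables commands instead of running them,
# so the result can be reviewed before it touches a live firewall.

CHAIN="${CHAIN:-COUNTRYBLOCK}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a well-formed IPv4 CIDR (a.b.c.d/n, octets 0-255, n 0-32).
# A downloaded zone file may contain comments, blank lines or an HTML error
# page; passing those to iptables would abort the load half way through.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"
    prefix="${1#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in .*|*.) return 1 ;; esac
    old_ifs="$IFS"
    IFS=.
    set -f            # no globbing while the address is split into octets
    set -- $ip
    set +f
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the chains from a zone file and hook them into INPUT.
# Every match jumps to ${CHAIN}_DROP, which logs (rate limited, so a flood
# cannot fill the disk) and drops; the log lines are what show up in
# /var/log/messages.
build_rules() {
    zone_file="$1"
    drop_chain="${CHAIN}_DROP"
    cr="$(printf '\r')"   # some published lists use CRLF line endings
    loaded=0
    skipped=0

    run iptables -N "$CHAIN" 2>/dev/null || true
    run iptables -F "$CHAIN"
    run iptables -N "$drop_chain" 2>/dev/null || true
    run iptables -F "$drop_chain"
    run iptables -A "$drop_chain" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "$CHAIN: "
    run iptables -A "$drop_chain" -j DROP

    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%"$cr"}"
        case "$line" in ''|'#'*) continue ;; esac
        if is_cidr "$line"; then
            run iptables -A "$CHAIN" -s "$line" -j "$drop_chain"
            loaded=$((loaded + 1))
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
            skipped=$((skipped + 1))
        fi
    done < "$zone_file"

    # Insert the jump at the top of INPUT once; -C checks whether it exists.
    if [ "$DRY_RUN" = "1" ] || ! iptables -C INPUT -j "$CHAIN" 2>/dev/null; then
        run iptables -I INPUT -j "$CHAIN"
    fi
    printf 'loaded %d blocks, skipped %d entries\n' "$loaded" "$skipped" >&2
}

# Constructed sample list for a dry run: RFC 5737 documentation prefixes plus
# two deliberately broken lines, not any real country's allocations.
write_sample_zone() {
    sample="$(mktemp)"
    cat > "$sample" <<'EOF'
# constructed sample zone file
192.0.2.0/24
198.51.100.0/24
not-an-address
300.1.1.1/24
203.0.113.0/24
EOF
    printf '%s\n' "$sample"
}

# Usage:  ./country-block.sh zone.txt            (dry run, prints the commands)
#         DRY_RUN=0 ./country-block.sh zone.txt  (applies the rules, needs root)
if [ $# -gt 0 ]; then
    build_rules "$1"
fi
```

Because the rules live in their own chain, refreshing the list is a flush and reload rather than a hunt through INPUT, and removing the block entirely is `iptables -D INPUT -j COUNTRYBLOCK` followed by deleting the two chains. For lists in the tens of thousands of prefixes, one `ipset` `hash:net` set matched by a single rule is the usual replacement for one rule per prefix, since iptables walks a chain linearly.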

Comments

  • Instead of manually playing about with IPTables rules, you're probably better off using a firewall like CSF. Easier to get around, etc..

  • rm_ IPv6 Advocate, Veteran
    edited January 2013

    @BitProcessor said: enormous loads on Apache, eventually resulting in the server running out of memory

    So rather than properly configuring your web server, you resort to nazism, how sad.

  • He is using apache, what do you expect.. :P

    @rm_ said: So rather than properly configuring your web server, you resort to nazism, how sad.

  • thanks now I can block India
    @Chief should implement this imo

  • @Jacob said: Instead of manually playing about with IPTables rules, you're probably better off using a firewall like CSF. Easier to get around, etc..

    Exactly! You only need to add the two-letter ISO Country Code in the CC_DENY line of csf.conf and voila! :-)

  • jarjar Patron Provider, Top Host, Veteran

    @Jacob said: He is using apache, what do you expect.. :P

    Don't be a hater :P

    Clinging to my apache! :)

  • @Jacob said: He is using apache, what do you expect.. :P

    @Jacob - correction - the people using (abusing ? ;) ) that VM are using Apache

    @George_Fusioned said: @Jacob said: Instead of manually playing about with IPTables rules, you're probably better off using a firewall like CSF. Easier to get around, etc..

    Exactly! You only need to add the two-letter ISO Country Code in the CC_DENY line of csf.conf and voila! :-)

    @George_Fusioned & @Jacob - that implies installing CSF - I needed something quick and dirty that does the same

    @rm_ said: So rather than properly configuring your web server, you resort to nazism, how sad.

    Euhm ? What ? I'd prefer you take that back, instantly !

  • RobertClarke Member, Host Rep

    I agree with @jacob, CSF is easy to install, and more extensive than doing it manually, better for rapid-fire IP blocking.

  • jarjar Patron Provider, Top Host, Veteran

    @RobertJFClarke said: CSF is easy to install

    Agreed. That would be the quick, copy/paste solution. Just about any other effective solution is going to be more work rather than less.

  • While you're in CSF --

    unixsurgeon.com/kb/how-to-prevent-from-ddos.html

    Add some additional protection... ;)

  • @connercg

    there we go again, filter tools against 10gbps+ attack using 1gbit nic, seems legit

  • @BronzeByte

    It was presented as an additional option -- whether the OP decides to implement anything in the article is their choice, and I didn't create the article / URL name.

    I've personally used the connection limit (CT_LIMIT) from the article to address some issues I've had with multiple connection from an IP scraping an image repository.

  • @bitprocessor just out of interest - how did you get to be the sort of person that spams forums with the ill-thought-out, poorly executed crap on cybercity.biz ?

  • Eek.. you guys are way too harsh... give the guy a break.
