| Linode Forum https://forum.linode.com/ |
|
| Blocking an ip address range https://forum.linode.com/viewtopic.php?f=19&t=8005 |
Page 1 of 2 |
| Author: | crazyfruitbat [ Sat Nov 05, 2011 10:20 pm ] |
| Post subject: | Blocking an ip address range |
Hey guys, I'm using webmin to control my firewall and I want to ban baidu - they are constantly hitting my forum and ignoring robots.txt. I started banning the odd ip address in webmin, now I'm getting hundreds of all the baidu crawlers - probably a good 60-70 at any given time in the day and making a massive log file on the server. So I want to ban by the entire range on webmin but I can't figure out how to do it. One address of Baidu is 180.76.5.24 so I'm guessing 180.76.5.0/24 is the block for the whole range? I have put 180.76.5.0/24 into webmin to block but it's not having any effect. Have I missed something from here? Cheers Chris |
|
| Author: | vonskippy [ Sat Nov 05, 2011 10:26 pm ] |
| Post subject: | |
Think bigger, much BIGGER #whois 180.76.5.24 Code: 180.76.5.24 |
|
| Author: | Obsidian [ Sat Nov 05, 2011 10:31 pm ] |
| Post subject: | |
What's with the drop-down by the source IP? Does that contain anything useful, like a "within" setting perhaps? |
|
| Author: | crazyfruitbat [ Sat Nov 05, 2011 10:41 pm ] |
| Post subject: | |
Haha thanks guys - cheers for the additional range, where did you find that amount of detail from? As for the drop down - I have: <ignored> Equals Does not equal |
|
| Author: | crazyfruitbat [ Sat Nov 05, 2011 10:57 pm ] |
| Post subject: | |
Vonskippy, if the address range is 180.76.0.0 - 180.76.255.255 how can I ban the entire range? I read somewhere that the /24 does that but it may be wrong... |
|
| Author: | vonskippy [ Sat Nov 05, 2011 11:08 pm ] |
| Post subject: | |
180.76.0.0/16 = 180.76.0.1-180.76.255.254
/24 is just a Class C network range
http://en.wikipedia.org/wiki/Subnetwork
Scroll down to the CIDR part for a good overview how the /24 (and others) subnetting works.
Pretty much any WHOIS utility will tell you the IP Range for any given IP. |
|
| Author: | crazyfruitbat [ Sat Nov 05, 2011 11:19 pm ] |
| Post subject: | |
Ok thanks mate - I have added it to the firewall rules using webmin and double checked it on ssh Code: DROP all -- 180.76.0.0/16 anywhere Let's see how it goes! |
|
| Author: | crazyfruitbat [ Sun Nov 06, 2011 7:56 am ] |
| Post subject: | |
Ok, as I thought it's not working - I just caught a load on my website now 180.76.5.52 is just one I picked out. Seems like the firewall is just not working ;( |
|
| Author: | jebblue [ Sun Nov 06, 2011 12:42 pm ] |
| Post subject: | |
Do this and report the results: sudo iptables -L -n|grep "180.76.0.0/16" |
|
| Author: | crazyfruitbat [ Sun Nov 06, 2011 7:00 pm ] |
| Post subject: | |
Cheers jebblue, here is the result: Code: DROP all -- 180.76.0.0/16 0.0.0.0/0 |
|
| Author: | db3l [ Sun Nov 06, 2011 7:20 pm ] |
| Post subject: | |
I suspect you may need to take a wider view of your rules. Even if you have a specific DROP rule as you show, if there's an earlier rule in the chain that, for example, permits all web traffic to port 80, it'll never reach the DROP rule. I'd dump the entire iptables and trace the rules that apply to the INPUT chain (and any associated chains called from it depending on how Webmin set up the filter) and reason about what would happen with the most recent source address, for example, that seemed to get through. You'll still then need to figure out how to adjust the filters the way you want with Webmin (which I don't have any familiarity with), but at least you'll have an idea of why what is happening is happening. -- David |
|
| Author: | crazyfruitbat [ Sun Nov 06, 2011 10:06 pm ] |
| Post subject: | |
The only rules I have are for these specific addresses and fail2ban. If I was to do this outside of webmin (ssh etc), what would you advise? |
|
| Author: | vonskippy [ Sun Nov 06, 2011 10:10 pm ] |
| Post subject: | |
Just post ALL your rules (#iptables -L) It wouldn't have to be for that specific Source Network. As db3l mentioned, you could have a global rule bypassing your specific DROP rule. Might be easier to help if you stated which Distro you're using. |
|
| Author: | crazyfruitbat [ Mon Nov 07, 2011 8:23 am ] |
| Post subject: | |
Thanks guys. My Distro is Ubuntu 10.04 Here is the output: Code: Chain INPUT (policy ACCEPT) Thanks for all the help, I really do appreciate it! |
|
| Author: | db3l [ Mon Nov 07, 2011 4:21 pm ] |
| Post subject: | |
crazyfruitbat wrote: Thanks guys. My Distro is Ubuntu 10.04 Here is the output: Code: Chain INPUT (policy ACCEPT)

So this chain essentially allows anything through to your node (other than ssh traffic that might be blocked by the fail2ban-ssh chain, though that's currently empty). It has no block rules (nor calls any other chain with any), and its policy is to accept all traffic by default. Basically your node is wide open to incoming traffic.

Your baidu chain is never called, so nothing you have in it makes any difference. If you add a rule to the INPUT chain to call the baidu chain as the target you can invoke those exclusion rules, but I'm not sure of the process to do that by webmin. You can do it manually, but I don't know if or when webmin might rewrite the rules losing local changes. Although, if the baidu chain was created by webmin, it's odd it doesn't add a call to it itself.

BTW, although you can do it either way, I prefer to exclude anything not permitted in filters rather than permit anything not excluded. So I generally recommend having all default policies as DROP and then rules specifically for permitted traffic. Though I'll admit that is a matter of preference.

-- David |
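
The situation db3l describes in the post above (a user-defined chain holding the DROP rule while nothing in INPUT jumps to it) can be checked mechanically from `iptables -S` output. This is an added example, not part of the original thread: the listing is a constructed sample modeled on that description, and the function names are made up for illustration.

```sh
#!/bin/sh
# Constructed sample of `iptables -S` output, modeled on the thread:
# INPUT policy ACCEPT, a jump to fail2ban-ssh, and a "baidu" chain
# containing the DROP rule that nothing references.
sample_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N baidu
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A baidu -s 180.76.0.0/16 -j DROP
EOF
}

# Read `iptables -S` text on stdin and print every user-defined chain (-N)
# that no rule jumps (-j) or gotos (-g) to. Rules inside such a chain are
# never evaluated, whatever they say.
unreferenced_chains() {
    awk '
        $1 == "-N" { defined[$2] = 1 }
        $1 == "-A" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" || $i == "-g") target[$(i + 1)] = 1
        }
        END { for (c in defined) if (!(c in target)) print c }
    ' | sort
}

# Read `iptables -S` text on stdin and print the default policy of the
# built-in chain named in $1 (what happens to packets no rule matched).
chain_policy() {
    awk -v c="$1" '$1 == "-P" && $2 == c { print $3 }'
}

echo "INPUT policy: $(sample_rules | chain_policy INPUT)"
echo "Never-called chains: $(sample_rules | unreferenced_chains)"

# On a live host (as root) the same check is:
#   iptables -S | unreferenced_chains
# Wiring the chain in at the top of INPUT, so no earlier rule can accept
# the traffic first, would be:
#   iptables -I INPUT 1 -j baidu
```

Webmin may rewrite the ruleset later, so rerun the check after any change made through its interface.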
|
| All times are UTC-04:00 |
|