
firewall module

Discussion in 'Plesk for Linux - 8.x and Older' started by atomicmak, Nov 14, 2006.

  1. atomicmak

    atomicmak Guest

    0
     
    I want to block all incoming traffic from China, Korea and Japan to my servers.

    Now the question is that the Plesk firewall module doesn't allow a bulk network adding facility.

    Can anyone tell me an easy procedure, step by step?

    I have all the country network lists of IP ranges with me.
     
  2. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    Assuming you've got your list (call it blacklist) like this:

    10.10.10.0/24
    10.10.20.0/24

    this shell script would do it:

    # one REJECT rule on INPUT for every line of the blacklist file
    for i in `cat /etc/rc.d/blacklist`; do
        iptables -A INPUT -s "$i" -j REJECT
    done
     
  3. atomicmak

    atomicmak Guest

    0
     
    Will this stop the IP range from connecting to my server in any way on any port?

    Also, I have heard that applying this would load up the system when someone tries to connect from this IP range to my server.

    My server will get more load due to checking for this IP range each time someone accesses my server on any port.

    Please help.

    I think this thread will help a lot of other newbies.
     
  4. atomicmak

    atomicmak Guest

    0
     
    Also, what if my server gets restarted?

    Or iptables or anything restarts?

    Do I need to re-add those IPs with the script given by you?
     
  5. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    That is a rule that will block traffic from the IP ranges specified completely. It will return an ICMP unreachable error to the connecting system on the other end.

    I run about 40,000 rules on each one of my servers with no performance impact on the system.

    Yes, you will need to add that script to rc.local, or some other startup script, to have it automatically run at boot time.
     
  6. atomicmak

    atomicmak Guest

    0
     
    One last question.

    What if I put it like this in that blacklist file?


    #china

    10.10.10.0/24
    10.10.20.0/24

    #korea

    11.11.10.0/24
    11.11.20.0/24

    #japan

    12.11.10.0/24
    12.11.20.0/24


    Will that work, or do I just need to put IPs only?
     
  7. atomicmak

    atomicmak Guest

    0
     
    Here is my rc.local file.

    #vi /etc/rc.d/rc.local

    #!/bin/sh
    #
    # This script will be executed *after* all the other init scripts.
    # You can put your own initialization stuff in here if you don't
    # want to do the full Sys V style init stuff.

    touch /var/lock/subsys/local
    /etc/rc.d/init.d/urchin start

    # one REJECT rule on INPUT for every line of the blacklist file
    for i in `cat /etc/rc.d/blacklist`; do
        iptables -A INPUT -s "$i" -j REJECT
    done
    ====================================
    Will this do?
    Or do I need anything extra to be done?

    Also, will this work instead of rc.local?

    #/etc/rc.d/init.d/iptables save
     
  8. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    You'd need to change the script to:

    # grep -v drops every line that starts with '#', so comment lines are skipped
    for i in `cat /etc/rc.d/blacklist | grep -v '^#'`; do
        iptables -A INPUT -s "$i" -j REJECT
    done

    to allow comments.
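The blacklist loop from the replies above and the rc.local persistence question in posts 5 and 7, as an added example that is not part of this thread and not Plesk's own code: a POSIX sh script that reads the commented blacklist layout asked about in post 6, keeps only well-formed IPv4 entries, and emits an iptables-restore fragment so the whole list is loaded in one step at boot instead of one iptables call per line. The file path /etc/rc.d/blacklist, the function names and the sample networks are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): turn a commented blacklist file into
# an iptables ruleset without calling iptables once per line.
# Assumed file layout: one IPv4 CIDR per line, '#' comments and blank lines allowed.

# Print only the usable entries of a blacklist file: strip whole-line and
# trailing '#' comments, blank lines, and anything that does not look like
# an IPv4 address or an IPv4/prefix network.
blacklist_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# Emit an iptables-restore fragment that REJECTs every entry on INPUT.
# Loading it with 'iptables-restore -n' appends all rules in one atomic
# step, which is what a boot script wants instead of a per-line loop.
blacklist_ruleset() {
    echo '*filter'
    blacklist_entries "$1" | while read -r net; do
        echo "-A INPUT -s $net -j REJECT"
    done
    echo 'COMMIT'
}

# Number of rules that would be installed (sanity check before loading).
blacklist_count() {
    blacklist_entries "$1" | wc -l | tr -d ' '
}

# --- constructed sample input, matching the layout asked about in post 6 ---
SAMPLE="${TMPDIR:-/tmp}/blacklist.example.$$"
cat > "$SAMPLE" <<'EOF'
#china

10.10.10.0/24
10.10.20.0/24   # trailing comment

#korea
11.11.10.0/24
11.11.20.0/24
not-an-address
#japan
12.11.10.0/24
12.11.20.0/24
EOF

# Dry run: print the ruleset instead of loading it.
blacklist_ruleset "$SAMPLE"
# To install for real (as root), pipe the output into iptables-restore:
#   blacklist_ruleset /etc/rc.d/blacklist | iptables-restore -n
```

iptables-restore -n (--noflush) appends to the existing chains without flushing them, so the script can be called from rc.local in place of the loop, and the dry-run output can be reviewed before anything is loaded. For lists much larger than a few hundred networks, an ipset hash:net set matched by a single iptables rule keeps the per-packet cost flat, which is the usual answer today to the load concern raised in post 3.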
     
  9. WarBirD

    WarBirD Guest

    0
     
    I have a question: why does it not work to do IP ranges in the firewall, block them I mean? The fields to do that are in there and even the description tells me that it's possible, but when I try, it says that the IP range is invalid.

    I am not good at doing scripts etc. and I hoped that the Plesk firewall could do that for me. Why does it not work?

    Greets

    WarBirD
     