
firewall module

atomicmak

Guest
I want to block all incoming traffic from China, Korea and Japan to my servers.

Now the question is, the Plesk firewall module doesn't allow bulk network adding.

Can anyone tell me an easy procedure, step by step?

I have the complete list of IP ranges for each country with me.
 
Assuming you've got your list (call it blacklist) like this:

10.10.10.0/24
10.10.20.0/24

this shell script would do it:

for i in $(cat /etc/rc.d/blacklist); do
    iptables -A INPUT -s "$i" -j REJECT
done
 
Will this stop the IP range from connecting to my server in any way on any port?

Also, I have heard that applying this would load up the system when someone tries to connect from this IP range to my server.

My server will get more load due to checking for this IP range each time someone accesses my server on any port.

Please help.

I think this thread will help a lot of other newbies.
 
Also, what if my server gets restarted?

Or iptables or anything restarts?

Do I need to re-add those IPs with the script given by you?
 
That is a rule that will block traffic from the specified IP ranges completely. It will return an ICMP unreachable error to the connecting system on the other end.

I run about 40,000 rules on each one of my servers with no performance impact on the system.

Yes, you will need to add that script to rc.local, or some other startup script, to have it run automatically at boot time.
 
One last question.

What if I put something like this in that blacklist file?


#china

10.10.10.0/24
10.10.20.0/24

#korea

11.11.10.0/24
11.11.20.0/24

#japan

12.11.10.0/24
12.11.20.0/24


Will that work, or do I need to put IPs only?
 
Here is my rc.local file:

#vi /etc/rc.d/rc.local

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
/etc/rc.d/init.d/urchin start

for i in $(cat /etc/rc.d/blacklist); do
    iptables -A INPUT -s "$i" -j REJECT
done
====================================
Will this do?
Or do I need anything extra to be done?

Also, will this work instead of rc.local?

#/etc/rc.d/init.d/iptables save
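The two posts above (the blacklist with #china/#korea/#japan comment lines, and the rc.local loop that feeds every line of that file straight to iptables) are served by one added example below. It is not code from the thread. It assumes the list lives at /etc/rc.d/blacklist as in the thread, skips comment and blank lines, validates every entry as an IPv4 address or CIDR, and emits an iptables-restore fragment instead of running iptables once per line, so the whole set is applied atomically and a malformed line is reported before anything is changed.

```shell
#!/bin/sh
# Added example, not code from the thread. It turns a blacklist file that
# may contain "#china"-style comment lines and blank lines into an
# iptables-restore ruleset, validating every entry first so that a comment
# or a typo never reaches "iptables -s". Load it with (path assumed):
#   gen_blacklist_rules /etc/rc.d/blacklist | iptables-restore -n
# -n (--noflush) appends to the filter table instead of replacing it.

# valid_cidr ADDR[/PREFIX]: return 0 for a well-formed IPv4 address or
# network (each octet 0-255, prefix 0-32), 1 otherwise.
valid_cidr() {
    ip=${1%%/*}
    if [ "$ip" != "$1" ]; then
        prefix=${1#*/}
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    # reject empty octets before splitting ("10..1.1", "1.2.3.4.")
    case "$ip" in ''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_blacklist_rules FILE: print an iptables-restore fragment with one
# REJECT rule per entry in FILE. Comments ("# ..." anywhere on a line)
# and blank lines are skipped. If any entry is malformed, report it on
# stderr, print nothing to stdout and return 1, so a broken list is
# never half-loaded.
gen_blacklist_rules() {
    file=$1
    rules=""
    bad=0
    nl=$(printf '\nx'); nl=${nl%x}
    while IFS= read -r line || [ -n "$line" ]; do
        # drop the comment part, then surrounding whitespace
        entry=$(printf '%s' "$line" | sed 's/#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        if ! valid_cidr "$entry"; then
            echo "gen_blacklist_rules: bad entry '$entry' in $file" >&2
            bad=1
            continue
        fi
        rules="${rules}-A INPUT -s $entry -j REJECT${nl}"
    done < "$file"
    [ "$bad" -eq 0 ] || return 1
    printf '*filter\n%sCOMMIT\n' "$rules"
}
```

Two practical notes. REJECT answers each blocked packet with an ICMP port-unreachable by default; DROP is silent and does not spend bandwidth on the reply. And a chain of tens of thousands of -s rules is walked linearly for every packet, whereas a single ipset set of type hash:net matched by one rule (-m set --match-set NAME src) is looked up in constant time, so for country-sized lists ipset is the scalable option.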
 
I have a question: why does it not work to block IP ranges in the firewall? The fields to do that are in there, and even the description tells me that it's possible, but when I try, it says that the IP range is invalid.

I am not good at doing scripts etc., and I hoped that the Plesk firewall could do that for me. Why does it not work?

Greets

WarBirD
 