iptables, on which interface to block bogons?

postcd Member
edited October 2017 in Help

Hello,

my aim is to block so-called "bogons" (http://iplists.firehol.org/?ipset=fullbogons)
I will do it through ipset (probably with the hash:net parameter, as the total number of IPs is a few hundred million).
But I need to block it on the proper interface, because my server hosts a few virtual servers whose main net interface is venet0.

My dedicated OpenVZ VPS host server has these interfaces:
em1, lo, venet0

I could block it on all interfaces like this:

iptables -I INPUT -m set --match-set badips src -j DROP

iptables -I FORWARD -m set --match-set badips src -j DROP

(badips is an ipset set name; btw my iptables is like this currently)

But I am worried about blocking 127.**** or 10.8.0.2 (VPN) kinds of VPS traffic. On which interface(s) should I block bogons on my dedicated host server in my case?

Thank You

Comments

  • cochon Member
    edited October 2017

    I would suggest using a separate ruleset chain and adding a whitelist set (type hash:net) as the first entry; you can add your local subnets and 127.0.0.0/8 to make sure they never get blocked.

    iptables --new-chain ipsets
    iptables --append ipsets --match set --match-set whitelist src --jump RETURN
    iptables --append ipsets --match set --match-set dshield src --jump DROP
    iptables --append ipsets --match set --match-set bogons src --jump DROP
    iptables --append ipsets --match set --match-set torexit src --jump DROP
    iptables --append INPUT   --jump ipsets
    iptables --append FORWARD --jump ipsets
    

    EDIT: you should probably create the INPUT/FORWARD rules just for the public-facing interfaces, particularly if you have a lot of VPN or egress traffic.
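As an added example (not code from cochon or anyone else in this thread), here is the whitelist-first chain from the reply above, hooked into INPUT and FORWARD only on em1, the public interface from the OP's list, so packets arriving over venet0 or lo are never sent to the bogon DROP rule. The set names, the chain name, the /etc/bogons file path, the 10.8.0.0/24 VPN subnet and the environment variables are assumptions; the embedded bogon list is a constructed sample of reserved ranges in the one-CIDR-per-line firehol .netset format, standing in for the downloaded fullbogons file. Without BOGON_APPLY=1 the script only prints the ipset/iptables commands it would run.

```sh
#!/bin/sh
# Added example, not code from the thread. Whitelist-first chain hooked only
# into the public interface so venet0/lo/VPN traffic never reaches the DROP.
# Assumptions: em1 is the public NIC, 10.8.0.0/24 is the VPN subnet, the set
# and chain names, and the BOGON_FILE path. Prints commands unless BOGON_APPLY=1.
set -eu

PUB_IF="${IFACE:-em1}"
BOGON_FILE="${BOGON_FILE:-/etc/bogons/fullbogons-ipv4.netset}"  # downloaded firehol list (assumed path)

# Constructed stand-in for the firehol fullbogons file (same one-CIDR-per-line
# format, '#' comments); all of these are reserved ranges, so they are bogons.
sample_bogons() {
    cat <<'EOF'
# fullbogons sample (constructed for this example)
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
240.0.0.0/4
EOF
}

# Read CIDRs on stdin and emit the ipset commands. hash:net because the list is
# prefixes, not hosts. Loading into bogons_tmp and then 'ipset swap' makes a
# refresh atomic: rules keep matching the old set until the new one is complete.
build_sets() {
    cat <<EOF
ipset create whitelist hash:net -exist
ipset add whitelist 127.0.0.0/8 -exist
ipset add whitelist 10.8.0.0/24 -exist
ipset create bogons hash:net maxelem 131072 -exist
ipset create bogons_tmp hash:net maxelem 131072 -exist
ipset flush bogons_tmp
EOF
    grep -v '^#' | grep -v '^[[:space:]]*$' |
        sed 's/^/ipset add bogons_tmp /; s/$/ -exist/'
    cat <<EOF
ipset swap bogons_tmp bogons
ipset destroy bogons_tmp
EOF
}

# Emit the chain: whitelist RETURN first, then the bogon DROP, and attach it to
# INPUT and FORWARD restricted to the public NIC with -i. Packets from containers
# on venet0 and from lo are never sent to the chain, so nothing private/loopback
# can be dropped by the bogon set even though the list contains those ranges.
build_rules() {
    iface="$1"
    cat <<EOF
iptables -N bogonchain 2>/dev/null || true
iptables -F bogonchain
iptables -A bogonchain -m set --match-set whitelist src -j RETURN
iptables -A bogonchain -m set --match-set bogons src -j DROP
iptables -D INPUT -i $iface -j bogonchain 2>/dev/null || true
iptables -I INPUT 1 -i $iface -j bogonchain
iptables -D FORWARD -i $iface -j bogonchain 2>/dev/null || true
iptables -I FORWARD 1 -i $iface -j bogonchain
EOF
}

main() {
    if [ -f "$BOGON_FILE" ]; then
        build_sets < "$BOGON_FILE"
    else
        sample_bogons | build_sets
    fi
    build_rules "$PUB_IF"
}

if [ "${BOGON_APPLY:-0}" = "1" ]; then
    main | sh -e      # apply for real (needs root and the ipset/iptables tools)
else
    main              # dry run: show exactly what would be executed
fi
```

Two points worth keeping in mind when adapting this. The fullbogons list contains 127.0.0.0/8, the RFC 1918 ranges and the other reserved blocks by definition, which is exactly why a bare `-m set --match-set bogons src -j DROP` on every interface would hit the loopback and 10.8.0.x VPN traffic the question is about; the `-i em1` restriction (and the whitelist RETURN as a second line of defence) is what keeps that traffic out of the chain. `-i` is only accepted in INPUT, FORWARD and PREROUTING, so outgoing traffic is untouched, and the ipset sets must exist before the iptables rules that reference them are loaded, which is why the script emits the set commands first.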

  • (quoting cochon) "create the INPUT/FORWARD rules just for the public facing interfaces"

    You mean, for blacklist/DROP kinds of rules, defining "-i em1" in the rules so that it will stop only remote incoming traffic and ignore outgoing bogon IP traffic? So I assume VPS venet0 outgoing traffic is using the INPUT/FORWARD chains; if not, there would be no reason for whitelisting 127.0.0.0/8.

  • I would recommend just using the CSF firewall, using its block list for bogons and enabling ipset in the config.
