Jesse Lawson

Bestselling author and open-source evangelist.

Jan 1, 0001 - Server Admin Tutorials

Quickly Block Traffic with ipset and iptables

To piggy-back off of the third preventive control in increasing security against bad bots and spam, you can quickly block traffic with an iptables entry that utilizes ipset.****

If you’re not already using ipset, first see if you have ipset installed.

ipset list

If you have it installed then you wont see the “can’t find that package” error. If you need to install it, then run sudo apt-get install ipset.

With ipset now installed, let’s create a new list that we’ll fill up with spammy/bad IPs.

ipset create blacklist hash:ip

Nothing special will happen, but now we will have a new blacklist ipset list to use. Next, we’ll tell iptables to read from our blacklist whenever traffic comes a-knockin’.

iptables -I INPUT -m set --match-set blacklist src -p TCP --destination-port 80 -j DROP

What we’re doing here is creating a new iptables entry that says “if you get any web traffic (port 80) from IP addresses in my blacklist, then DROP them. You might wonder why I’m using DROP here instead of REJECT. Think of spammy traffic like an unsolicited sales call. Would it be better to answer the call and say “I’m not interested” or would would it be better to just disconnect the phone line? Okay, okay, obviously it’s impractical to just unplug our phones (if you still use a landline, that is) but you get the idea. DROPing the traffic doesn’t really tell the requester whether or not something exists here, but if we have systematically REJECTed all of their attempts into the server, that might encourage them to strengthen their attacks against us.

Next comes the fun part: you need to get a list of bad IPs that you want to block. You can follow my tutorial here for a non-technical way of collecting the IP addresses of all your visitors in WordPress, or this tutorial here for a way to grep through log files, or come up with your own way to parse your log files and get a list of IP addresses that you definitely, 100% want to block. With your list, you’ll want to create a new bash file in some working directory on your server where you do all your madness.

nano whatsinthebagsharkorsomething.sh

Now with that open, push your window to the side and open up Sublime or Notepad or whatever text editor you use and add ipset add blacklist to the beginning of each IP address in the list of IPs you want to block. For example, the result of this tutorial on how to parse log files for IPs is a list of IP addresses, one per line. For example:

12.345.67.890
23.456.78.901
34.567.89.012
… (and so on)

Somehow add the ipset addition command to the beginning of each IP address in your file, then copy and paste that file into your console with nano opened to our new file. Basically, you want whatsinthebagsharkorsomething.sh to look like this before you Ctrl+X then Y:

ipset add blacklist 12.345.67.890
ipset add blacklist 23.456.78.901
ipset add blacklist 34.567.89.012
… (and so on)

From here, we’ll run chmod +x whatsinthebagsharkorsomething.sh and then run the file with ./whatsinthebagsharorsomething.sh. Your shell will hang for just a bit, then you’ll be presented with your prompt again. To verify that the addresses are now being blocked, simply list the ipset list with the following command:

ipset list

You should see a list of all the IP addresses you just added.

**Update 1: **Some people have emailed me expressing concern for speed. As it turns out, combining ipset with iptables in the above fashion is almost ***11-times faster ***than using iptables alone. See for yourself.

Update 2: If you want to get a little academic on the subject, consider Using Throttling and Traffic Shaping to Combat Botnet Spam (link).