Cannot block IP range using special chain in iptables - ip

I have a script to block any IP range with which I am being sync flooded. I have created a chain called SYNC_FLOOD to which is temporarily added the highest level of the CIDR address of a flooding IP address, in the form of (example) 171.0.0.0/8. My problem is that the SYNC_FLOOD chain doesn't block the address, whereas if I manually put the above address into the iptables INPUT chain, it does get blocked. Can anyone see or know what is wrong here? Thanks

Looking at this further, do I need to add this line to my SYNC_FLOOD for it to work?
iptables -A INPUT -j SYNC_FLOOD
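A script for the setup the question describes, added here as an example and not the poster's own script: it derives the enclosing network of a flooding address, creates the SYNC_FLOOD chain (the chain name is from the question), and installs the INPUT jump to it, which is the piece that makes the chain take effect at all. DRY_RUN, has_rule, cidr_for_ip and the other function names are this example's own.

```shell
#!/bin/sh
# Added example: block the network enclosing a flooding address in a
# dedicated chain. A user-defined chain is never consulted on its own; it
# only sees packets when a rule in a built-in chain jumps to it, so the
# INPUT -> SYNC_FLOOD jump is installed at position 1, ahead of any ACCEPT.
# usage: DRY_RUN=0 ./synflood.sh FLOODING_IP [PREFIXLEN]   (default /8)
set -eu
CHAIN=SYNC_FLOOD

# run CMD...: print the command in dry-run mode (default), else execute it
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# has_rule CHAIN RULESPEC...: true if the rule is already present
has_rule() {
    [ "${DRY_RUN:-1}" = 1 ] && return 1      # dry run: assume it is absent
    iptables -C "$@" 2>/dev/null
}

# cidr_for_ip IP PREFIXLEN: print the enclosing network, e.g. 171.23.4.5 8 -> 171.0.0.0/8
cidr_for_ip() {
    len=$2
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( 4294967295 ^ ((1 << (32 - len)) - 1) ))   # e.g. /8 -> 0xFF000000
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$len"
}

# ensure_chain: create the chain and the INPUT jump if missing (idempotent)
ensure_chain() {
    run iptables -N "$CHAIN" 2>/dev/null || true   # exists already: fine
    has_rule INPUT -j "$CHAIN" || run iptables -I INPUT 1 -j "$CHAIN"
}

# block_ip IP PREFIXLEN: DROP everything from the network enclosing IP
block_ip() {
    net=$(cidr_for_ip "$1" "$2")
    has_rule "$CHAIN" -s "$net" -j DROP || run iptables -A "$CHAIN" -s "$net" -j DROP
}

if [ $# -ge 1 ]; then
    ensure_chain
    block_ip "$1" "${2:-8}"
fi
```

With DRY_RUN unset the script only prints the iptables commands it would run; run it as root with DRY_RUN=0 to apply them.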

Related

Block IP from accessing Google Compute Engine instance

I'm trying to block a certain IP address or range to reach my WordPress server that's configured on my Google Compute Engine server.
I know I can block it via Apache, but even if I do, my access_logs will still be filled with 403 errors from requests from this IP.
Is there any way to block the IP entirely and not even let it reach Apache?
Thanks in advance for any help.
If you want to block a single IP address, but allow all other traffic, the simplest option is probably to use iptables on the host. The GCE firewall rules are designed to control which IP addresses can reach your instance, but allowing everything on the internet except one address would probably be annoying to write.
To block a single IP address with iptables:
iptables -A INPUT -s $IP_ADDRESS -j DROP
or to just drop HTTP (but not HTTPS or other protocols):
iptables -A INPUT -s $IP_ADDRESS -p tcp --destination-port 80 -j DROP
Note that you'll need to run the above command as root in either case.
By default all incoming traffic to GCE is blocked except for the ports and range of IPs that are allowed to have access. Allowing everything to connect except a specific IP or a range of IP addresses is not supported on the GCE firewall. As a workaround, you can set up a Load Balancer and allow incoming traffic from the LB IP address only to the instance. You can find more information in this Help Center article.
Yes, you can block it using the gcloud firewall.
Try creating the firewall rule from the command line or by logging into Google Cloud.
Example:
gcloud compute firewall-rules create tcp-deny --network example-network --source-ranges 10.0.0.0/8 --deny tcp:80
The above rule will block the range 10.0.0.0/8 to port 80 (tcp).
The same can be done to block other IP ranges over tcp and udp.
For more info check this: gcloud network config
Bitnami developer here
If you want to block a certain IP, you can use iptables as it's pointed in this post.
Also, if you want to have your iptables rules active when you reboot your machine you have to do the following:
sudo su
iptables-save > /opt/bitnami/iptables-rules
crontab -e
Now edit the file and include this line at the end:
@reboot /sbin/iptables-restore < /opt/bitnami/iptables-rules
This way, in every boot, the system will load the iptables rules and apply them.
To block offending IPs, there are methods at different levels. From a performance perspective, generally:
Network firewall > VM iptables > VM web server > VM application.
Google Cloud has a built-in firewall at no cost.
For example, this gcloud command creates one firewall rule that can block one or more IPs.
gcloud compute --project=your-project-id firewall-rules create your-firewall-rule-name --direction=INGRESS --priority=900 --network=default --action=DENY --rules=all --source-ranges=ip1,ip2,ip3…
For the command parameters' reference, see https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create
You can also use the Google Cloud console or the REST API to create it, but in the console it's not easy to input lots of IPs.
Built-in firewall's current limits:
One project can create 100 firewall rules.
One firewall rule can block 256 IP sources.
If there are 10 other firewall rules, you can block 90x256=23040 standalone IPs, which is enough for the general case.
Note: the Google Cloud App Engine firewall is separate from the built-in firewall.
Linux iptables
See other answers.
Web server
Apache and Nginx can also block IPs.
Application
Blocking IPs here is not recommended, but the application can help analyse which IPs need to be blocked, for example after many failed logins.
If you want your system to automatically block all bad ip addresses in the GCP Firewall you can check out the Gatekeeper for Google Cloud Firewall.
It analyses your network connections and WordPress/Apache logs dynamically and creates appropriate rules to ward off DoS and DDoS attacks as well as spying bots.

set computer to ignore RST packets on Chromebook

My rental server doesn't allow me to remote on via SSH, despite assuring me that everything is setup. How do I override RST packets on a Chromebook without using Python?
If I understand correctly, you want to drop TCP reset packets.
This blog post explains how to get a root shell and add an iptables rule.
Instead of the rule given in the article to get SSH access, try this rule:
iptables -I INPUT -p tcp --tcp-flags RST RST -j DROP
(Disclaimer: I don't know anything about chromebooks except that they run Linux.)

Why is the 'foreign address' not IP address of external computer?

I am checking the internet connection of my computer and do not understand a few points.
The following is a result from $ netstat:
I do not understand why some items in the list have localhost:xxxxx as their foreign address.
Since netstat shows the internet connections, shouldn't this show IP addresses from outside my computer?
netstat by default tries to convert the data it finds into host names. It does so by reverse resolving the IP addresses via DNS.
For example, 127.0.0.1 gets replaced with localhost in this case.
The same happens with the ports, but there it doesn't happen via DNS, but via a file like /etc/services which provides a mapping between port numbers and service names.
You can prevent this with the netstat option -n.

targetting an access point with iptables

I can target a client IP address on my router like:
iptables -I INPUT -s 123.456.7.89 -j DROP
Is it possible to target the IP of the access point the client device is connecting through instead (or the SSID, since each access point has its own)?
I've been looking at the match flag but can't find anything there. Thanks.
The only way is to filter by MAC address, but it's not so easy.
Please spend some time with this picture:
Using the MAC module extension for iptables from here
The side effect explained here occurs when the netfilter code is
enabled in the kernel, the IP packet is routed and the out device for
that packet is a logical bridge device. The side effect is encountered
when filtering on the MAC source in the iptables FORWARD chains.
As should be clear from earlier sections, the traversal of the
iptables FORWARD chains is postponed until the packet is in the bridge
code. This is done so we can filter on the bridge port out device.
This has a side effect on the MAC source address, because the IP code
will have changed the MAC source address to the MAC address of the
bridge device.
It is therefore impossible, in the iptables FORWARD chains, to filter
on the MAC source address of the computer sending the packet in
question to the bridge/router. If you really need to filter on this
MAC source address, you should do it in the nat PREROUTING chain.
Agreed, very ugly, but making it possible to filter on the real MAC
source address in the FORWARD chains would involve a very dirty hack
and is probably not worth it.

Redirect requests for external IP's to a local IP

Greetings.
I am working on a project for my company. We have an application that was written by one of our old techs - he was fired for browsing pornography websites at work. Unfortunately, he took the source code of our application with him, and hard-coded the IP address of our external server into it. We have recently changed servers, and need to change where the application tries to access our database. I'd really prefer not to reinvent the wheel and remake the application...
I tried using the route command, but no dice.
route -p [new server] mask 255.255.255.255 [old server] metric 50 if [interface]
I set up a temp webserver on port 80 of the new box, typed the old IP address into a browser on a machine with the said route added to its tables, and it still went to the old server.
Any help making the route command work, or plausible alternatives? Eg: software to redirect, router tricks...etc.
Note: We tried using a reverse name lookup on our private dns server, but that failed as well.
Since the IP address is hardcoded in the binary, you can probably grep for it. It's probably represented as four bytes. You can then replace it with the new IP address using a hex editor.
Assuming you have an iptables firewall somewhere on the route you can use DNAT:
iptables -t nat -A PREROUTING -d [old server] -j DNAT --to-destination [new server]
It doesn't matter where exactly you run this, so long as it sees packets addressed to [old server] and has a valid route to [new server], so that could be on the host running the application, any intermediate router, or your edge firewall.
Of course you could always just edit the address inside the binary itself....
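The DNAT approach from this answer as a complete script, added here as an example and not the answer author's code. It validates both addresses before touching the firewall, adds the PREROUTING rule for traffic passing through the NAT box, adds the same translation in the nat OUTPUT chain for the case where the box is the application host itself (locally generated packets never traverse PREROUTING), and adds a MASQUERADE rule so replies come back through the NAT box when it is not already on the new server's return path. DRY_RUN, is_ipv4 and dnat_rules are this example's own names.

```shell
#!/bin/sh
# Added example: send traffic for a retired server address to its replacement.
# usage: DRY_RUN=0 ./redirect.sh OLD_IP NEW_IP [TCP_PORT]   (default port 80)
set -eu

# run CMD...: print the command in dry-run mode (default), else execute it
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0..255,
# so a typo cannot turn into a rule that matches nothing
is_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# dnat_rules OLD NEW PORT: install the translation for TCP traffic to OLD:PORT
dnat_rules() {
    old=$1; new=$2; port=$3
    is_ipv4 "$old" && is_ipv4 "$new" || { echo "invalid address" >&2; return 1; }
    # Packets arriving from other hosts (router/firewall in the path)
    run iptables -t nat -A PREROUTING -p tcp -d "$old" --dport "$port" \
        -j DNAT --to-destination "$new"
    # Packets generated on this host itself never traverse PREROUTING;
    # the nat OUTPUT chain handles them
    run iptables -t nat -A OUTPUT -p tcp -d "$old" --dport "$port" \
        -j DNAT --to-destination "$new"
    # Let the redirected flows through the forwarding path
    run iptables -A FORWARD -p tcp -d "$new" --dport "$port" -j ACCEPT
    # Rewrite the source as well so replies come back through this box when
    # it is not the new server's default route (otherwise the reply leaves
    # with the new address as source and the client discards it)
    run iptables -t nat -A POSTROUTING -p tcp -d "$new" --dport "$port" -j MASQUERADE
}

if [ $# -ge 2 ]; then
    dnat_rules "$1" "$2" "${3:-80}"
fi
```

With DRY_RUN unset the script only prints the commands; run it as root with DRY_RUN=0 on the box that sees the traffic to apply them.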
In your firewall/router set up NAT for that public IP so that it routes to your new private ip.
You can't just add a route to the new server like you mentioned, because at the first router hop the packet will be routed to the old server.
You might be able to point the route at the local host, add the old server as an IP address on a local interface, and write a proxy server to forward the requests to the old server.
The best option IMO is to figure out how to decompress the binary and hex edit it. Do you know what language it's written in? Or call your lawyer to get the source code back. =)
Use the hosts file to route all requests to external IP to a local IP: http://en.wikipedia.org/wiki/Hosts_(file)