lazardo DD-WRT User Joined: 17 Apr 2014 Posts: 135 Location: SF Bay Area
Posted: Thu Jun 04, 2015 6:37 Post subject: real time iptables
This script does near real-time blocking and INPUT chain management. It was developed to lighten up load for local and remote logging and was tuned for low-power, small memory systems.
Runs after dd-wrt built-in firewall, tested on WRT54GL, 16M, 200MHz BCM5352 w build 25974 mini. Working on a preload CIDR variation for known offenders.
I'd be interested in tuning or flaws of course
Start: # ./rt_block &
Check: # ps | grep -v SW
Check: # iptables -L INPUT -nv --line-numbers
Stop: # killall tail
Notes: Insert point is INPUT chain just below RELATED,ESTABLISHED to block early without impacting outbound connections.
Code:
#!/bin/sh
# rt_block.sh - near real time block-list
# lazardo, dd-wrt forum
MAX=64                  # cap on real-time DROP rules kept in INPUT
RULE=2                  # insert point, just below the RELATED,ESTABLISHED rule
last=$((MAX + RULE))    # rule number at which the oldest entry is pruned

# trim previous rules: take the highest-numbered DROP rule and delete
# downwards until the chain is back under the cap
CNT=$(iptables -L INPUT -n --line-numbers | grep ' DROP ' | tail -1)
CNT=${CNT%% *}
if [ "$CNT" != "" ]; then
    while [ "$CNT" -ge "$last" ]; do
        iptables -D INPUT $((CNT--))
    done
else
    CNT=0
fi
prev=""
echo "in: $RULE; del:$last; max:$MAX" > /tmp/rt_block.start
iptables -L INPUT -nv --line-numbers >> /tmp/rt_block.start

# main loop: follow syslog and block each newly logged SRC= address
tail -n 0 -F /var/log/messages |
while read -r log; do
    addr=${log##* SRC=}                 # text after the last " SRC="
    [ "$addr" = "$log" ] && continue    # not a firewall log line
    addr=${addr%% DST=*}                # keep only the source address
    [ "$addr" = "$prev" ] && continue   # skip repeats of the last address
    iptables -I INPUT "$RULE" -s "$addr" -j DROP
    # once the cap is reached, the oldest rule has been pushed down to $last
    [ $((++CNT)) -ge "$last" ] && iptables -D INPUT "$last"
    prev=$addr
done
Cheers,
lazardo DD-WRT User Joined: 17 Apr 2014 Posts: 135 Location: SF Bay Area
Posted: Mon Jun 08, 2015 0:32 Post subject:
* Added optional static front-loaded IP list for known problems.
* Integrated rule purge and status
* New version attached as 'rt_block.tgz', md5sum: 22ac0c0dea5d487f77efea91050e5247
Here is the INPUT chain a few minutes after running rt_block. The built-in firewall works fine; this just reduces log entries and resources used.
* static front load rules are 2..18. These are the well known problem source addresses and so remain until purged.
* real-time DROP rules are 19..30. These will grow to $MAX, then pruned from the bottom as new ones arrive.
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 415K 29M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 5 296 DROP 0 -- * * 120.0.0.0/6 0.0.0.0/0
3 0 0 DROP 0 -- * * 110.0.0.0/7 0.0.0.0/0
4 3 156 DROP 0 -- * * 222.0.0.0/8 0.0.0.0/0
5 7 330 DROP 0 -- * * 60.0.0.0/7 0.0.0.0/0
6 0 0 DROP 0 -- * * 58.0.0.0/7 0.0.0.0/0
7 0 0 DROP 0 -- * * 202.0.0.0/8 0.0.0.0/0
8 1 40 DROP 0 -- * * 210.0.0.0/7 0.0.0.0/0
9 3 120 DROP 0 -- * * 218.0.0.0/7 0.0.0.0/0
10 1 52 DROP 0 -- * * 116.0.0.0/6 0.0.0.0/0
11 2 116 DROP 0 -- * * 220.0.0.0/7 0.0.0.0/0
12 2 80 DROP 0 -- * * 54.214.0.0/16 0.0.0.0/0
13 2 120 DROP 0 -- * * 124.0.0.0/7 0.0.0.0/0
14 0 0 DROP 0 -- * * 112.0.0.0/6 0.0.0.0/0
15 0 0 DROP 0 -- * * 54.245.0.0/16 0.0.0.0/0
16 1 40 DROP 0 -- * * 54.244.0.0/16 0.0.0.0/0
17 0 0 DROP 0 -- * * 50.112.0.0/16 0.0.0.0/0
18 0 0 DROP 0 -- * * 180.0.0.0/8 0.0.0.0/0
19 0 0 DROP 0 -- * * 89.209.17.80 0.0.0.0/0
20 0 0 DROP 0 -- * * 69.59.235.85 0.0.0.0/0
21 0 0 DROP 0 -- * * 31.148.219.9 0.0.0.0/0
22 0 0 DROP 0 -- * * 198.20.69.98 0.0.0.0/0
23 0 0 DROP 0 -- * * 85.25.103.50 0.0.0.0/0
24 0 0 DROP 0 -- * * 37.203.214.106 0.0.0.0/0
25 0 0 DROP 0 -- * * 178.19.108.165 0.0.0.0/0
26 0 0 DROP 0 -- * * 94.23.212.183 0.0.0.0/0
27 0 0 DROP 0 -- * * 94.102.52.31 0.0.0.0/0
28 0 0 DROP 0 -- * * 192.99.45.171 0.0.0.0/0
29 1 44 DROP 0 -- * * 167.114.9.11 0.0.0.0/0
30 0 0 DROP 0 -- * * 46.29.248.181 0.0.0.0/0
31 22021 7256K ACCEPT udp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
32 0 0 logdrop udp -- vlan1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
33 0 0 logdrop udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
34 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
35 0 0 ACCEPT tcp -- vlan1 * 0.0.0.0/0 192.168.1.251 tcp dpt:27501
36 162 13527 logdrop icmp -- vlan1 * 0.0.0.0/0 0.0.0.0/0
37 0 0 logdrop 2 -- * * 0.0.0.0/0 0.0.0.0/0
38 54 3340 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
39 552K 54M ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
40 2536 435K logdrop 0 -- * * 0.0.0.0/0 0.0.0.0/0
EDIT: Forgot to mention that the included static list is what I use, primarily CH and AWS blocks.
You should create a list with CIDR blocks and/or individual IP entries for your own problem children.
[PATCH] Fix for '#' comments in rt_block.list:
Code:
--- rt_block 2015-06-07 16:14:39.000000000 -0700
+++ rt_block.new 2015-06-10 20:55:56.724299572 -0700
@@ -23,7 +23,7 @@
while read addr; do
iptables -I INPUT $BASE -s $addr -j DROP
done
- CIDR=$(cat $LIST | wc -l)
+ CIDR=$(grep -v '^#' $LIST | wc -l)
}
_last () {
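Review bot: the count now skips '#' lines, but the `while read addr; do iptables -I INPUT $BASE -s $addr -j DROP; done` loop just above is fed from outside this hunk, so if its input is still the raw $LIST a comment line is still handed to iptables as `-s '#...'` and fails, and CIDR no longer matches the number of rules actually inserted. Filter once and feed both from the same stream, e.g. `grep -v '^#' "$LIST" | while read addr; do ... done` with `CIDR=$(grep -cv '^#' "$LIST")`; note that `grep -v '^#' | wc -l` still counts blank lines, so `grep -v '^#' "$LIST" | grep -c .` is the safer count.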
[PATCH] Fix for RST. A lot of SPT=443 drops from closed connections were being blocked which could be an issue.
Code:
--- rt_block 2015-06-12 10:35:35.664176657 -0700
+++ ../rt_block.new 2015-06-12 10:37:37.022995823 -0700
@@ -71,6 +71,7 @@
while read raw; do
addr=${raw##* SRC=}
[ "$addr" == "$raw" ] && continue
+ [ "${addr##* RST}" != "$addr" ] && continue
addr=${addr%% DST=*}
[ "$addr" == "$prev" ] && continue
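Review bot: the new RST test only works because it runs before `addr=${addr%% DST=*}` strips the tail of the line (the TCP flags sit after DST=), so reordering these lines would silently stop it matching; a one-line comment on that dependency would help. Also `${addr##* RST}` matches ` RST` anywhere in the remainder; anchoring on the flag token with its trailing space (`* RST *`) avoids a future false match, and `==` inside `[ ]` is a busybox/bash extension where `=` is the POSIX form.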
As always, test in your environment before making persistent, I am not a network expert.
To flush and restart:
Code: # killall tail; ./rt_block -p; rt_block &
Cheers,
The chart shows 60% reduction in firewall logging resources even during development when rt_block was not always in place.
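The following is an added example for this thread, not lazardo's rt_block and not a file from the attached tarball. It pulls together the pieces the two posts rely on, the SRC= extraction and capped ring of DROP rules from the first script and the '#' comment filtering and RST skip from the two patches, so they can be exercised without touching a live firewall. The function names rt_src, rt_list_count, rt_sample_log and rt_run are this example's own, IPT defaults to echo so every iptables call is printed instead of run (set IPT=iptables to apply it), and the sample syslog lines are constructed using documentation addresses.

```shell
#!/bin/sh
# Added example (not lazardo's rt_block). Exercises the parsing and pruning
# steps described in the thread without touching iptables: IPT defaults to
# "echo", so every rule change is printed instead of applied.
IPT=${IPT:-echo}
RULE=2      # insert point, just below RELATED,ESTABLISHED (as in rt_block)
MAX=4       # cap on real-time DROP rules; kept small so pruning is visible

# Print the SRC= address of one kernel firewall log line. Returns 1 for lines
# without a SRC= field and for TCP RST packets (the thread's second patch),
# which are the tail end of closed connections rather than new probes.
# The RST check must run before DST= trimming, while the flags are still there.
rt_src() {
    line=$1
    addr=${line##* SRC=}
    [ "$addr" = "$line" ] && return 1              # no SRC= field at all
    [ "${addr##* RST }" != "$addr" ] && return 1   # RST flag present
    printf '%s\n' "${addr%% DST=*}"
}

# Count usable entries in a static front-load list: '#' comment lines
# (optionally indented) and blank lines are skipped.
rt_list_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -c .
}

# Constructed sample syslog lines (documentation addresses 203.0.113.0/24
# and 198.51.100.0/24); the layout mimics a dd-wrt logdrop entry.
rt_sample_log() {
    cat <<'EOF'
Jun  4 06:37:01 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=51234 DPT=22 SYN URGP=0
Jun  4 06:37:01 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=51235 DPT=23 SYN URGP=0
Jun  4 06:37:02 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.6 DST=198.51.100.1 PROTO=TCP SPT=443 DPT=40001 ACK RST URGP=0
Jun  4 06:37:02 router dnsmasq[123]: started, version 2.72
Jun  4 06:37:03 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.7 DST=198.51.100.1 PROTO=UDP SPT=5060 DPT=5060
Jun  4 06:37:04 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.8 DST=198.51.100.1 PROTO=TCP SPT=6000 DPT=3389 SYN URGP=0
Jun  4 06:37:05 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=6001 DPT=445 SYN URGP=0
Jun  4 06:37:06 router kernel: DROP IN=vlan1 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=TCP SPT=6002 DPT=8080 SYN URGP=0
EOF
}

# Apply the same dedup and cap logic as rt_block's main loop to stdin.
rt_run() {
    cnt=0
    prev=""
    while IFS= read -r raw; do
        addr=$(rt_src "$raw") || continue
        [ "$addr" = "$prev" ] && continue          # repeat of the last source
        $IPT -I INPUT "$RULE" -s "$addr" -j DROP
        cnt=$((cnt + 1))
        # the newest rule went in at $RULE, so once more than MAX are present
        # the oldest has been pushed down to position RULE+MAX: prune it
        if [ "$cnt" -gt "$MAX" ]; then
            $IPT -D INPUT $((RULE + MAX))
        fi
        prev=$addr
    done
    return 0
}

# Dry run over the constructed lines: prints the iptables commands that would
# be issued. The duplicate, the RST and the dnsmasq line produce nothing.
rt_sample_log | rt_run
```

With MAX=4 the dry run shows five inserts at position 2 followed by one deletion of rule 6, which is the oldest of the five after the inserts pushed it down; on a real router the same arithmetic with MAX=64 keeps the live rules confined to positions RULE..RULE+MAX-1 above the built-in chain.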
netguru76 DD-WRT User Joined: 14 Sep 2014 Posts: 52