iptables +block country
Harry Strongburg
harry.ubuntu at harry.lu
Mon Aug 16 06:13:25 UTC 2010
On Mon, Aug 16, 2010 at 02:00:19AM -0400, Tom H wrote:
> On Mon, Aug 16, 2010 at 12:31 AM, NoOp <glgxg at sbcglobal.net> wrote:
> > #!/bin/bash
> > # china blocklist
> > # generated from http://blacklists.linuxadmin.org
> > /sbin/iptables -A INPUT -p tcp -s 58.14.0.0/15 -j REJECT
> > /sbin/iptables -A INPUT -p tcp -s 58.16.0.0/13 -j REJECT
> > /sbin/iptables -A INPUT -p tcp -s 58.24.0.0/15 -j REJECT
>
> I'd use "DROP" rather than "REJECT".
I also agree with this statement. If you are having genuine problems
with scan-bots, REJECTing them is bad. You should DROP instead.
Why?
1) It makes known to them that you "exist", if they didn't already know.
2) Wastes bandwidth sending a rejection to them.
3) It saves their time (if their scanner program is not threaded), if
you REJECT them.
I disagree with the blocking of entire CIDR ranges, but that's up to you
to decide if you want to have the chance of blocking legit users, simply
because those around them are abusive.
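The blocklist-driven rule script quoted above, switched from REJECT to DROP as recommended in this thread, as an added bash example (not the script posted by NoOp): it validates every prefix before emitting a rule, keeps the `-p tcp` match of the quoted script, and prints the rules instead of applying them so it runs unprivileged. The sample blocklist and the chain name are constructed assumptions.

```bash
#!/bin/bash
# Added example: turn a blocklist of IPv4 CIDR prefixes into iptables DROP rules.
# Rules are printed, not applied; feed the output to sh as root to install them.

# Constructed sample blocklist: valid prefixes, a comment, a blank line and
# one malformed entry (first octet 300) that must be skipped.
SAMPLE_BLOCKLIST='# china blocklist (constructed sample)
58.14.0.0/15

58.16.0.0/13   # inline comment
300.1.2.3/8
58.24.0.0/15
'

# valid_cidr PREFIX: exit 0 only for a syntactically valid IPv4 CIDR
# (four octets 0-255 and a prefix length 0-32).
valid_cidr() {
    local cidr=$1 ip mask octet
    case $cidr in
        */*) ip=${cidr%/*}; mask=${cidr#*/} ;;
        *)   return 1 ;;
    esac
    case $mask in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_drop_rules CHAIN < blocklist: one "-j DROP" rule per valid prefix.
# Comments and blank lines are ignored; malformed entries are reported on
# stderr and skipped, so a bad blocklist line never reaches iptables.
gen_drop_rules() {
    local chain=${1:-INPUT} line
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # strip trailing comments
        set -- $line              # trim surrounding whitespace
        line=${1:-}
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            printf '/sbin/iptables -A %s -p tcp -s %s -j DROP\n' "$chain" "$line"
        else
            echo "skipping malformed entry: $line" >&2
        fi
    done
}

printf '%s' "$SAMPLE_BLOCKLIST" | gen_drop_rules INPUT
```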