iptables +block country
NoOp
glgxg at sbcglobal.net
Mon Aug 16 17:39:10 UTC 2010
On 08/16/2010 12:32 AM, Sandy Harris wrote:
> On Mon, Aug 16, 2010 at 12:31 PM, NoOp <glgxg at sbcglobal.net> wrote:
>
>> With apologies to our Chinese list subscribers...
>
> I'm not Chinese, but I am in China. I'm not inclined to accept the
> apology. We have enough trouble with Great Firewall without
> also having to contend with blocking on your end.
Why? You aren't authorized to log into any of my machines, so why should
my private blocking have anything to do with you? Neither are any of
these, but for some reason they want to be my best new friend:
>
>> I'm tiring of unsecured probes from unsecured Chinese machines. ...
>
> Understandable.
Really? Would you be so understanding if I launched thousands of port
scans against your machines?
>
>> So on
>> every local machine I've simply decided to block all of China.
>
> Can you do something more restricted that is just as
> effective? Reject requests for SSH connections from
> China? Reject only blocks from which you have seen
> probes? ...?
I already use denyhosts for ssh. But I opened VNC briefly to work on a
remote system & here's an attempt (from my ~/.xsession-errors log)
within minutes:
14/08/2010 11:30:51 AM [IPv6] Got connection from client ::ffff:58.211.96.102
14/08/2010 11:30:51 AM other clients:
14/08/2010 11:30:51 AM Client Protocol Version 3.8
14/08/2010 11:30:51 AM Advertising security type 18
14/08/2010 11:30:51 AM Advertising security type 2
14/08/2010 11:30:51 AM Client ::ffff:58.211.96.102 gone
>
>> http://blacklist.linuxadmin.org/ has a handy tool to blocklist by
>> country & port. I've modified the output to block via iptables, but
>> wonder if the following sample is correct:
>>
>> #!/bin/bash
>> # china blocklist
>> # generated from http://blacklists.linuxadmin.org
>>
>> /sbin/iptables -A INPUT -p tcp -s 58.14.0.0/15 -j REJECT
>> /sbin/iptables -A INPUT -p tcp -s 58.16.0.0/13 -j REJECT
>> /sbin/iptables -A INPUT -p tcp -s 58.24.0.0/15 -j REJECT
>>
>> Any advice as to whether this is correct?
>
> I do not know if it is correct as far as it goes. It is certainly
> not complete. My current IP address (from China Telecom
> in Shanghai) is not on it.
>
By 'handy tool', I was primarily referring to the autogen of the iptables
script. The reason your current IP may not be in the list is likely
because the zone data hasn't been updated by the local registry:
http://www.ipdeny.com/blog/missing-or-incorrect-data-in-zone-files/
and hasn't been updated:
http://www.cidr-report.org/cgi-bin/as-report?as=AS4812&view=4637
http://www.cidr-report.org/as2.0/#Bogons
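A quick way to answer both questions raised in the thread (is the generated script well-formed, and does it actually cover a given address) is to parse the rules and test candidate addresses against them. This is an added example, not code from the thread or from blacklists.linuxadmin.org; the three rules are the ones quoted above, and the probe addresses are constructed test inputs (58.211.96.102 is the VNC client from the log, the others are made up).

```python
"""Check which addresses a generated iptables blocklist would actually reject."""
import ipaddress
import shlex

# The three sample rules quoted in the thread; the real generated script has
# thousands of lines in the same shape.
SAMPLE_RULES = """\
#!/bin/bash
# china blocklist
# generated from http://blacklists.linuxadmin.org

/sbin/iptables -A INPUT -p tcp -s 58.14.0.0/15 -j REJECT
/sbin/iptables -A INPUT -p tcp -s 58.16.0.0/13 -j REJECT
/sbin/iptables -A INPUT -p tcp -s 58.24.0.0/15 -j REJECT
"""

# Constructed probes: (source address, protocol). Only the first should be
# rejected by the sample rules; the second is outside every listed prefix,
# and the third is inside 58.14.0.0/15 but the rules only match -p tcp.
PROBES = [("58.20.1.1", "tcp"), ("58.211.96.102", "tcp"), ("58.15.1.1", "udp")]


def parse_rules(script):
    """Return [(network, protocol)] from the iptables -A lines in script.

    strict=True makes ip_network() raise if a prefix is not a proper network
    address (host bits set), which catches a mangled generator line early.
    protocol is the -p value, or 'all' when the rule has no -p option.
    """
    rules = []
    for line in script.splitlines():
        args = shlex.split(line.strip())
        if not args or not args[0].endswith("iptables") or "-s" not in args:
            continue
        net = ipaddress.ip_network(args[args.index("-s") + 1], strict=True)
        proto = args[args.index("-p") + 1] if "-p" in args else "all"
        rules.append((net, proto))
    return rules


def find_match(rules, addr, proto="tcp"):
    """Return the first network that would match (addr, proto), else None."""
    ip = ipaddress.ip_address(addr)
    for net, rule_proto in rules:
        if ip in net and rule_proto in ("all", proto):
            return net
    return None


def coverage_gaps(rules, probes):
    """Return the probes that no rule would reject."""
    return [(a, p) for a, p in probes if find_match(rules, a, p) is None]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for addr, proto in PROBES:
        print(addr, proto, "->", find_match(rules, addr, proto))
```

The UDP probe slipping through shows the cost of the generator's `-p tcp`: the NetBIOS-style UDP noise mentioned in the thread is untouched by these rules unless the protocol restriction is dropped.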