IPtables correct usage help - Linux, Unix, and *nix like Operating Systems forum at WebmasterWorld - WebmasterWorld

Forum Moderators: bakedjake

Message Too Old, No Replies

IPtables correct usage help

willeffects

11:17 am on Feb 28, 2008 (gmt 0)

10+ Year Member

Hello Group,

Every night from around 8pm to 5am PST I get slammed from Asia Pacific network with site rippers, spam bots, and spam mailers. A lot of the time this causes my server to run out of memory and eventually start shutting down its own services and force me to reboot it. Right now, whenever I see my load go up I am running this script:

netstat -a -n ¦ grep :80 ¦ cut -d : -f2 ¦ awk '{print $2}' ¦ sort ¦ uniq -c ¦ sort

99% of the time if an ip has more then 100 active connections it is from Asia Pacific and when I drop it with iptables things go back to normal.

I am using the following syntax:
iptables -I INPUT -s 193.61.107.151 -j DROP

Though tonight I noticed that some IP's seem to stay in the connection list and their # of connections went up even an hour or so after I added them to iptables. I even tried running the command again at a few times and keep seeing some of the bad ips.

I am not a sysadmin and more or less a linux newbie. If anyone could please verify that I am using iptables correctly and or have any suggestions for me, id greatly appreciate it.

Thanks,
Will

mcavic

11:59 pm on Feb 28, 2008 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

I tried the command on my machine, and it worked fine. The existing connections will stay open for a while unless you restart Apache (but iptables should block the inbound traffic).

I don't know why it would continue to allow new connections, though. Are you sure that iptables is running? Adding the rule doesn't automatically start it.

willeffects

2:54 am on Feb 29, 2008 (gmt 0)

10+ Year Member

thanks for checking.

Yes it is working. Perhaps there is some reason why some connections just appear to take longer to drop off? Does a restart of apache on a live site cause problems with mysql tables?

mcavic

5:49 am on Feb 29, 2008 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Restarting apache shouldn't bother mysql. At least, no more than rebooting the machine would. On second thought, though, I don't think it's necessary. Apache should drop the connections in less than a minute. After that, the connections will stay in the TIME_WAIT or FIN_WAIT state for an amount of time, maybe 5 minutes, depending on your kernel.

willeffects

7:56 am on Feb 29, 2008 (gmt 0)

10+ Year Member

Does anyone have any idea what a normal threshold of active connections *should* be? I know i've seen google bot over 100 active connections sometimes but it seems almost everything else over 75 is not legit.

Im trying to figure out if theres some way I can automate this process, but im afraid of banning legit crawlers.

Any ideas?

willeffects

9:03 am on Mar 4, 2008 (gmt 0)

10+ Year Member

Does anyone see anything wrong with blocking these entire networks? I seem to get slammed by various IP's within them daily. Im wondering if everyone else is as well?

#McColo Corporation
deny from 208.66.192.0/22

#RIPE Network Coordination Centre
deny from 80.0.0.0/8
deny from 81.0.0.0/8
deny from 82.0.0.0/8
deny from 83.0.0.0/8
deny from 84.0.0.0/8
deny from 85.0.0.0/8
deny from 86.0.0.0/8
deny from 87.0.0.0/8
deny from 88.0.0.0/8
deny from 89.0.0.0/8
deny from 90.0.0.0/8
deny from 91.0.0.0/8
deny from 193.0.0.0/8
deny from 194.0.0.0/8
deny from 195.0.0.0/8
deny from 212.0.0.0/8
deny from 213.0.0.0/8
deny from 217.0.0.0/8
deny from 217.174.203.41
deny from 218.0.0.0/8

#Latin American and Caribbean IP address Regional Registry
deny from 190.0.0.0/8
deny from 200.0.0.0/8
deny from 201.0.0.0/8

#Asia Pacific Network Information Centre
deny from 202.0.0.0/7
deny from 203.0.0.0/7
deny from 210.0.0.0/7
deny from 212.0.0.0/8
deny from 221.0.0.0/8
deny from 222.0.0.0/8

#Japan Network Information Center
deny from 133.0.0.0/8

#African Network Information Center
deny from 196.0.0.0/8

#Alexa Internet
deny from 209.237.237.0/24
deny from 209.237.238.0/24

#SevenTwentyfour Incorporated
deny from 209.167.50.16/28

#Cyveillance Inc.
deny from 63.148.99.224/27

#Performance Systems International Inc
deny from 38.112.0.0/13