blocklist_net_ua from firehol
I have been doing this for a while, but now have found that ipset fits in very well here.
- Adding and removing IPs from a set is easier than fiddling with iptables syntax.
- The timeout feature comes in very handy.
- Basically the iptables rules can be static.
RIPE: blocking by country
Do these first thing in mangle:
- PREROUTING; in short, drop traffic you already know you don't want as early as possible in netfilter; waste not one extra CPU cycle processing such packets.
- DROP all INVALID packets; netfilter doesn't know why they arrived nor where they should go, so just drop them.
- Determine countries you *never* want to exchange traffic with and DROP packets to and from those IPs. But be aware. Sometimes apparently legitimate sites (like alibaba and linux-questions) will be blocked.
- I made a simple mod for Smoothwall Express that automates block sets; it can probably be easily adapted for general netfilter use. It uses the Exploited Servers, Chinese, Nigerian, Russian and LACNIC lists from wizcrafts. The sets are auto-updated daily. I had also used the 90-day list from openbl for a while. The problem with some of these blocklists is that they occasionally get *too* zealous and block legitimate sites. So I added admin whitelisting capability. And then added admin blocklist capability for completeness. The set of blocklists to be used is configurable. It's fairly easy to add parsers for other list formats.
- GAR is another Smoothwall Express mod, but is closely tied to Smoothwall; I mention it because I think it does almost exactly what you want. It watches snort/suricata alerts and drops packets for a period of time to and from any IP that causes an alert. Theory: if you see someone outside your home checking the locks on your windows, will you let him in your front door if he knocks? Of course not. So if a host (IP addr) probes your network for services that don't exist (such as SQL, ftpd, telnetd), or tries a known exploit, don't let any packets go to or from that IP for some specified period of time.
- DROP all traffic to and from TEST NET addresses and other address blocks that should never be routed.
- DROP all internet-side traffic to and from private addresses unless you know that there are some private LANs between you and the actual internet.
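The following is an added example, not code from the post above or from any of the Smoothwall mods it mentions. It generates an ipset-restore script and an iptables-restore fragment for the mangle PREROUTING ordering the post describes: drop INVALID first, then traffic to or from never-routable blocks, then private addresses seen on the internet side, then a country set, then a dynamic set whose entries expire on their own (the timeout feature). The interface name `eth0`, the set names, and the 24-hour default timeout are assumptions; the address lists are the RFC 1918, RFC 5737 TEST-NET and other well-known unroutable blocks. Nothing is loaded into the kernel until the output is piped into `ipset restore` and `iptables-restore`.

```shell
#!/bin/sh
# Added example: emit ipset/iptables restore fragments for the PREROUTING
# drop ordering described in the post. Set names and interface are assumptions.

WAN_IF="${WAN_IF:-eth0}"   # assumption: the internet-facing interface

# Blocks that must never appear as source or destination on any interface:
# "this" network, loopback, link-local, IETF protocol, TEST-NET-1/2/3,
# benchmarking, multicast and reserved.
unroutable_list() {
  cat <<'EOF'
0.0.0.0/8
127.0.0.0/8
169.254.0.0/16
192.0.0.0/24
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
198.18.0.0/15
224.0.0.0/4
240.0.0.0/4
EOF
}

# RFC 1918 private blocks: legitimate on the LAN side, so they are only
# dropped on the internet-facing interface.
private_list() {
  cat <<'EOF'
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
EOF
}

# ipset-restore script. "-exist" makes the script re-runnable (daily updates).
# "probers" is the GAR-style set: entries added with a timeout expire by
# themselves, so the iptables rules below never need to change.
ipset_rules() {
  printf 'create unroutable hash:net -exist\n'
  printf 'create private hash:net -exist\n'
  printf 'create blocked_countries hash:net -exist\n'
  printf 'create probers hash:ip timeout 86400 -exist\n'
  unroutable_list | while read -r net; do
    printf 'add unroutable %s -exist\n' "$net"
  done
  private_list | while read -r net; do
    printf 'add private %s -exist\n' "$net"
  done
}

# iptables-restore fragment for the mangle table. Order is deliberate: the
# cheapest, most certain drops come first so unwanted packets leave netfilter
# as early as possible.
iptables_rules() {
  cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
-A PREROUTING -m set --match-set unroutable src -j DROP
-A PREROUTING -m set --match-set unroutable dst -j DROP
-A PREROUTING -i $WAN_IF -m set --match-set private src -j DROP
-A PREROUTING -i $WAN_IF -m set --match-set private dst -j DROP
-A PREROUTING -m set --match-set blocked_countries src -j DROP
-A PREROUTING -m set --match-set blocked_countries dst -j DROP
-A PREROUTING -m set --match-set probers src -j DROP
-A PREROUTING -m set --match-set probers dst -j DROP
COMMIT
EOF
}
```

To apply it, run `ipset_rules | ipset restore` before `iptables_rules | iptables-restore --noflush` so the sets exist when the rules referencing them are loaded. Country ranges from RIPE or a blocklist feed are added to `blocked_countries` with `ipset add`, and a host that trips an IDS alert goes into `probers` with its own expiry (for example `ipset add probers 198.51.100.7 timeout 3600`, a constructed address); the rules themselves stay static, which is the point the post makes about ipset.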