Blocking by iptables¶

In most cases, blocking by request is preferred over blocking by IP address.
However, there are a number of cases when you need to block by IP address:

• To reduce the traffic that the attacker requests generate.

• To handle asynchronous traffic.

• In the presence of additional resources not protected by Wallarm.

To block by IP address, use the block_with_iptables.rb script, which is modifiable.

To effectively use the script, the filter node must regularly download
from the Wallarm cloud an updated list of the IP addresses to be blocked.

Set up Blocking by IP Address¶

1. Contact Wallarm Support and request to create a system user with access to the denylists.

2. Install the wallarm_extra_scripts package. This package is in the Wallarm repository.

   Run the command:

   Debian 9.x (stretch/stretch-backports)Debian 10.x (buster)Ubuntu 16.04 LTS (xenial)Ubuntu 18.04 LTS (bionic)Ubuntu 20.04 LTS (focal)CentOS 7.xAmazon Linux 2.0.2021x and lowerCentOS 8.x

   sudo apt install wallarm-extra-scripts
   

   sudo apt install wallarm-extra-scripts
   

   sudo apt install wallarm-extra-scripts
   

   sudo apt install wallarm-extra-scripts
   

   sudo apt install wallarm-extra-scripts
   

   sudo yum install wallarm-extra-scripts
   

   sudo yum install wallarm-extra-scripts
   

   sudo yum install wallarm-extra-scripts
   

   The block_with_iptables.rb script will be installed automatically. On each start, the script creates or updates the wallarm_blacklist chain in the table filter. Each blocked IP address gets the rule REJECT.

3. Create and configure the iptables to specify what traffic must be blocked. For example, to block all traffic on port 80 and port 443, run:

   iptables -N wallarm_check
   iptables -N wallarm_blacklist
   iptables -A INPUT -p tcp --dport 80 -j wallarm_check
   iptables -A INPUT -p tcp --dport 443 -j wallarm_check
   iptables -A wallarm_check -j wallarm_blacklist
   

4. Set up regular execution of the script by using the cron utility:

   1. Open the root user's crontab file for editing:

      crontab -e
      

   2. Add the following lines to the file (replace the /path/to/log entry with the actual path to a log file, so that the script can write the logs into it):

      PATH=/bin:/sbin:/usr/bin:/usr/sbin
      */5 *  * * *  root  timeout 90 /usr/share/wallarm-extra-scripts/block_with_iptables.rb >> /path/to/log 2>&1
      

      These lines define the following behavior of a cron job:

      • The block_with_iptables.rb script will be executed every fifth minute on behalf of the root user.
      • If the script does not finish within the 90 second timeout, then its execution will be explicitly terminated.
      • The script's logs will be written in the specified log file (e.g, /path/to/log); the stderr error output stream will be redirected to the stdout standard output stream.

5. If necessary, set up script monitoring. You can monitor the script by checking the modification time mtime of the file /tmp/.wallarm.blacklist-sync.last because it changes every time the script starts successfully.

6. Allowlisting IP addresses.

   To allowlist several IP addresses, run the following command for the range of IP addresses. Replace 1.2.3.4/30 with the necessary value:

   iptables -I wallarm_check -s 1.2.3.4/30 -j RETURN
   

   To allowlist one IP address, replace 1.2.3.4 with the necessary value:

   iptables -I wallarm_check -s 1.2.3.4 -j RETURN
   

Was this page helpful?

How can we improve this article? (Optional)

Information is unclear or confusing

Insufficient information

Outdated or incorrect information

0/240

Send