Blocking by iptables¶

In most cases, blocking by request is preferred over blocking by IP address.
However, there are a number of cases when you need to block by IP address:

To reduce the traffic that the attacker requests generate.
To handle asynchronous traffic.
In the presence of additional resources not protected by Wallarm.

To block by IP address, use the block_with_iptables.rb script, which is modifiable.

To effectively use the script, the filter node must regularly download
from the Wallarm cloud an updated list of the IP addresses to be blocked.

Allowlist

You can allowlist an IP address. An allowlisted IP address is allowed to request the web application's server and bypasses the denylist check.

Set up Blocking by IP Address¶

Contact Wallarm Support and request to create a system user with access to the denylists.
Install the wallarm_extra_scripts package. This package is in the Wallarm repository.

Run the command:
Debian 9.x (stretch/stretch-backports)Debian 10.x (buster)Ubuntu 16.04 LTS (xenial)Ubuntu 18.04 LTS (bionic)Ubuntu 20.04 LTS (focal)CentOS 7.xAmazon Linux 2.0.2021x and lowerCentOS 8.x
sudo apt install wallarm-extra-scripts
sudo apt install wallarm-extra-scripts
sudo apt install wallarm-extra-scripts
sudo apt install wallarm-extra-scripts
sudo apt install wallarm-extra-scripts
sudo yum install wallarm-extra-scripts
sudo yum install wallarm-extra-scripts
sudo yum install wallarm-extra-scripts
The block_with_iptables.rb script will be installed automatically. On each start, the script creates or updates the wallarm_blacklist chain in the table filter. Each blocked IP address gets the rule REJECT.

Create and configure the iptables to specify what traffic must be blocked. For example, to block all traffic on port 80 and port 443, run:

iptables -N wallarm_check
iptables -N wallarm_blacklist
iptables -A INPUT -p tcp --dport 80 -j wallarm_check
iptables -A INPUT -p tcp --dport 443 -j wallarm_check
iptables -A wallarm_check -j wallarm_blacklist

Set up regular execution of the script by using the cron utility:
1. Open the root user's crontab file for editing:
```
crontab -e
```
2. Add the following lines to the file (replace the /path/to/log entry with the actual path to a log file, so that the script can write the logs into it):
```
PATH=/bin:/sbin:/usr/bin:/usr/sbin
*/5 *  * * *  root  timeout 90 /usr/share/wallarm-extra-scripts/block_with_iptables.rb >> /path/to/log 2>&1
```
  These lines define the following behavior of a cron job:
  - The block_with_iptables.rb script will be executed every fifth minute on behalf of the root user.
  - If the script does not finish within the 90 second timeout, then its execution will be explicitly terminated.
  - The script's logs will be written in the specified log file (e.g, /path/to/log); the stderr error output stream will be redirected to the stdout standard output stream.
If necessary, set up script monitoring. You can monitor the script by checking the modification time mtime of the file /tmp/.wallarm.blacklist-sync.last because it changes every time the script starts successfully.
Allowlisting IP addresses.

To allowlist several IP addresses, run the following command for the range of IP addresses. Replace 1.2.3.4/30 with the necessary value:
```
iptables -I wallarm_check -s 1.2.3.4/30 -j RETURN
```
To allowlist one IP address, replace 1.2.3.4 with the necessary value:
```
iptables -I wallarm_check -s 1.2.3.4 -j RETURN
```