Blocking by iptables¶
In most cases, blocking by request is preferred over blocking by IP address. However, there are cases when you need to block by IP address:
- To reduce the traffic that the attacker's requests generate: a packet rejected by iptables never reaches the web server.
- To handle asynchronous traffic.
- To protect additional resources on the host that Wallarm does not cover.
To block by IP address, use the block_with_iptables.rb script, which you can modify to fit your environment.
For the script to be effective, the filter node must regularly download an updated list of the IP addresses to be blocked from the Wallarm cloud.
Allowlist
You can allowlist an IP address. Requests from an allowlisted IP address reach the web application's server and bypass the denylist check.
Set up Blocking by IP Address¶
- Contact Wallarm Support and request a system user with access to the denylists.
- Install the wallarm-extra-scripts package from the Wallarm repository. On Debian-based systems, run:
sudo apt install wallarm-extra-scripts
On CentOS-based systems, run:
sudo yum install wallarm-extra-scripts
The block_with_iptables.rb script is installed with the package. On each start, the script creates or updates the wallarm_blacklist chain in the filter table, adding one REJECT rule for each blocked IP address.
- Create the iptables chains and specify which traffic must be checked against the denylist. For example, to check all incoming TCP traffic on ports 80 and 443, run:
iptables -N wallarm_check
iptables -N wallarm_blacklist
iptables -A INPUT -p tcp --dport 80 -j wallarm_check
iptables -A INPUT -p tcp --dport 443 -j wallarm_check
iptables -A wallarm_check -j wallarm_blacklist
A packet on these ports enters wallarm_check, which hands it to wallarm_blacklist; a packet from a denylisted address matches a REJECT rule there, and any other packet falls through and returns to INPUT, where the rules that follow process it as usual. If the script has already run, wallarm_blacklist exists and the second -N command reports that the chain already exists; this is harmless. These rules do not survive a reboot, so save them with iptables-save (or your distribution's iptables persistence package) to make sure the chains are in place when the script next runs.
- Set up regular execution of the script with the cron utility:
  - Open the root user's crontab file for editing:
crontab -e
  - Add the following lines to the file (replace /path/to/log with the actual path of a log file the script can write to):
PATH=/bin:/sbin:/usr/bin:/usr/sbin
*/5 * * * * timeout 90 /usr/share/wallarm-extra-scripts/block_with_iptables.rb >> /path/to/log 2>&1
A per-user crontab has no user field, so do not write root after the schedule here. If you put the job in /etc/crontab or a file in /etc/cron.d instead, the sixth field names the user to run as, and the line becomes */5 * * * * root timeout 90 /usr/share/wallarm-extra-scripts/block_with_iptables.rb >> /path/to/log 2>&1.
These lines define the following behavior of the cron job:
  - The block_with_iptables.rb script is executed every five minutes as the root user.
  - If the script does not finish within the 90 second timeout, its execution is terminated.
  - The script's output is appended to the specified log file (for example, /path/to/log); the stderr error output stream is redirected into the stdout standard output stream so that errors land in the same file.
- If necessary, set up script monitoring. You can monitor the script by checking the modification time (mtime) of the file /tmp/.wallarm.blacklist-sync.last, which changes every time the script runs successfully. With the schedule above, an mtime older than a few run intervals (for example, 15 minutes) means the script is failing or is not being run, and the denylist on the node is going stale.
- Allowlist IP addresses as needed. The -I option inserts the rule at the top of wallarm_check, so it is evaluated before the jump to wallarm_blacklist; RETURN sends the packet back to INPUT without consulting the denylist. To allowlist a range of IP addresses, run the following command, replacing 1.2.3.4/30 with the necessary value:
iptables -I wallarm_check -s 1.2.3.4/30 -j RETURN
To allowlist a single IP address, replace 1.2.3.4 with the necessary value:
iptables -I wallarm_check -s 1.2.3.4 -j RETURN
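The reconciliation step that a script like block_with_iptables.rb performs, as an added example rather than Wallarm's own script: it reads the current state of the wallarm_blacklist chain from iptables -S, diffs it against the desired denylist, and issues only the -A and -D commands needed, then touches the marker file whose mtime the monitoring step above checks. It assumes the chain layout from this page (table filter, chain wallarm_blacklist, one REJECT rule per address) and takes the denylist as an in-memory array of strings, constructed here in place of the list the real script downloads from the Wallarm cloud. The runner is injectable so the logic can be exercised without root.

```ruby
#!/usr/bin/env ruby
# Added example, not Wallarm's block_with_iptables.rb: reconcile the
# wallarm_blacklist chain with a denylist. Assumptions: the chain layout from
# the page (filter table, chain wallarm_blacklist, one REJECT rule per
# address), IPv4 only (iptables, not ip6tables), and a denylist supplied as an
# array of strings instead of a download from the Wallarm cloud.
require 'ipaddr'
require 'set'
require 'open3'

CHAIN  = 'wallarm_blacklist'
MARKER = '/tmp/.wallarm.blacklist-sync.last'   # the mtime the page says to monitor

# Normalise one denylist entry to the "a.b.c.d/len" form that `iptables -S`
# prints, so set comparison works. Anything that is not a valid IPv4 address
# or network raises, so malformed or hostile feed data never reaches iptables.
def canonical(entry)
  ip = IPAddr.new(entry.strip)           # raises ArgumentError on garbage
  raise ArgumentError, "not IPv4: #{entry}" unless ip.ipv4?
  "#{ip}/#{ip.prefix}"
end

# Parse `iptables -S wallarm_blacklist` output into the set of CIDRs that are
# currently rejected, ignoring the chain declaration and any foreign rules.
def parse_chain(iptables_s_output)
  blocked = Set.new
  iptables_s_output.each_line do |line|
    m = line.match(/\A-A #{CHAIN} -s (\S+) -j REJECT/)
    blocked << m[1] if m
  end
  blocked
end

# Minimal change set: append rules for new addresses, delete rules for
# addresses no longer on the list. Returns argv arrays, never shell strings,
# so each address is passed to iptables as a single argument.
def plan(desired_entries, current_output)
  desired = Set.new(desired_entries.map { |e| canonical(e) })
  current = parse_chain(current_output)
  cmds = []
  (desired - current).each { |c| cmds << ['iptables', '-A', CHAIN, '-s', c, '-j', 'REJECT'] }
  (current - desired).each { |c| cmds << ['iptables', '-D', CHAIN, '-s', c, '-j', 'REJECT'] }
  cmds
end

# Run one iptables invocation; returns [combined output, success?].
def run_iptables(argv)
  out, status = Open3.capture2e(*argv)
  [out, status.success?]
end

# Bring the chain in line with the denylist. The marker file is written only
# after every change succeeded, which is what makes its mtime a health signal.
def sync(desired_entries, runner: method(:run_iptables), marker: MARKER)
  current, exists = runner.call(['iptables', '-S', CHAIN])
  unless exists
    _out, ok = runner.call(['iptables', '-N', CHAIN])
    raise "cannot create chain #{CHAIN}" unless ok
    current = ''
  end
  cmds = plan(desired_entries, current)
  cmds.each do |argv|
    _out, ok = runner.call(argv)
    raise "iptables failed: #{argv.join(' ')}" unless ok
  end
  File.write(marker, Time.now.to_s)
  cmds
end

if __FILE__ == $0
  # Dry run over constructed data: what `iptables -S` might show now, and the
  # list we want. Prints the commands instead of running them (no root needed).
  current = <<~RULES
    -N wallarm_blacklist
    -A wallarm_blacklist -s 203.0.113.7/32 -j REJECT --reject-with icmp-port-unreachable
    -A wallarm_blacklist -s 198.51.100.0/24 -j REJECT --reject-with icmp-port-unreachable
  RULES
  plan(['203.0.113.7', '192.0.2.0/24'], current).each { |argv| puts argv.join(' ') }
end
```

Diffing against the live chain rather than flushing and re-adding it keeps the REJECT rules in place for every address that stays on the list, so there is no window during the sync in which a still-denylisted attacker gets through. Passing addresses as argv elements and validating them with IPAddr matters because the list comes from outside the host.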