Blocking by iptables

In most cases, blocking by request is preferred over blocking by IP address. However, there are a number of cases when you need to block by IP address:

  • To reduce the load that the attackers' requests generate: a source rejected by iptables in the INPUT chain never reaches the web server or the filter node.
  • When traffic is handled asynchronously.
  • When the host has additional resources that are not protected by the WAF.

To block by IP address, use the block_with_iptables.rb script. You can modify it to create your own script.

To use the script effectively, the filter node must regularly download an updated list of the IP addresses to block from the Wallarm cloud.

Whitelist

You can whitelist an IP address. Requests from a whitelisted IP address reach the web application server even if the address is on the blacklist: the whitelist rule is evaluated first and bypasses the blacklist check.

Set up Blocking by IP Address

  1. Contact Wallarm Support and request to create a system user with access to the blacklists.

  2. Install the wallarm-extra-scripts package from the Wallarm repository.

    Run the command for your distribution:

    Debian 8.x (jessie), Debian 9.x (stretch), Debian 10.x (buster), Ubuntu 14.04 LTS (trusty), Ubuntu 16.04 LTS (xenial), Ubuntu 18.04 LTS (bionic):

    apt-get install wallarm-extra-scripts

    CentOS 6.x, CentOS 7.x, Amazon Linux 2:

    yum install wallarm-extra-scripts

    The block_with_iptables.rb script is installed with the package. On each start, the script creates or updates the wallarm_blacklist chain in the filter table: each blocked IP address gets a REJECT rule. REJECT answers the source with an ICMP error instead of silently dropping the packet; modify the script if you prefer DROP.

  3. Create the iptables chains and specify which traffic must be checked against the blacklist. For example, to block blacklisted addresses on port 80 and port 443, run:

    iptables -N wallarm_check
    iptables -N wallarm_blacklist
    iptables -A INPUT -p tcp --dport 80 -j wallarm_check
    iptables -A INPUT -p tcp --dport 443 -j wallarm_check
    iptables -A wallarm_check -j wallarm_blacklist

    Traffic to the listed ports passes through wallarm_check and then wallarm_blacklist, where blacklisted sources are rejected; everything else returns to INPUT. iptables rules do not survive a reboot, so re-create these chains at boot (for example with your distribution's iptables save/restore mechanism), otherwise the script has no chain to hook into.

  4. Set up regular execution of the script. For example, to create the file /etc/cron.d/wallarm-blacklist-sync and run the script every 5 minutes, put the following into the file (replace /path/to/log with the log file you want to use):

    PATH=/bin:/sbin:/usr/bin:/usr/sbin
    */5 *  * * *  root  timeout 90 /usr/share/wallarm-extra-scripts/block_with_iptables.rb >>/path/to/log 2>&1

    timeout 90 terminates a run that hangs (for example on a stalled download) well before the next one is due, so runs never overlap.
    
  5. If necessary, set up script monitoring. The script updates the modification time (mtime) of the file /tmp/.wallarm.blacklist-sync.last on every successful run, so an alert on that file being older than a few cron intervals catches a failing sync.

  6. Whitelist IP addresses.

    To whitelist a range of IP addresses, run the following command. Replace 1.2.3.4/30 with the necessary value:

    iptables -I wallarm_check -s 1.2.3.4/30 -j RETURN

    To whitelist one IP address, replace 1.2.3.4 with the necessary value:

    iptables -I wallarm_check -s 1.2.3.4 -j RETURN

    -I inserts the rule at the top of wallarm_check, ahead of the jump to wallarm_blacklist, so a whitelisted source returns to INPUT without ever being matched against the blacklist. Because the rule lives in wallarm_check rather than in wallarm_blacklist, it is not affected when the script updates the blacklist chain.
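Steps 3 to 6 as one runnable script. This is an added example and not the block_with_iptables.rb script from the wallarm-extra-scripts package: it reads the addresses from a local file instead of downloading them from the Wallarm cloud, and the list format (one address or CIDR per line, # comments), the DRY_RUN and LAST_RUN variables and the function names are assumptions of the example. With DRY_RUN=1, the default, it prints the iptables commands instead of executing them, so it can be tried without root.

```shell
#!/bin/sh
# Added example, not the Wallarm script: builds the chains from step 3, adds a
# whitelist entry (step 6) and rebuilds wallarm_blacklist from a local list
# file (the real script downloads the list from the Wallarm cloud).
# DRY_RUN=1 (the default) prints the iptables commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"
LAST_RUN="${LAST_RUN:-/tmp/.wallarm.blacklist-sync.last}"   # marker file from step 5

# Run an iptables command, or print it in dry-run mode. A dry-run "-C" (does
# this rule exist?) check reports "absent" so that the add commands are shown.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then
    [ "$1" = -C ] && return 1
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# Step 3, made safe to re-run: chains are created only if missing and the INPUT
# hooks are appended only if an identical rule is not already present.
setup_chains() {
  for chain in wallarm_check wallarm_blacklist; do
    ipt -N "$chain" 2>/dev/null || true
  done
  for port in 80 443; do
    ipt -C INPUT -p tcp --dport "$port" -j wallarm_check 2>/dev/null ||
      ipt -A INPUT -p tcp --dport "$port" -j wallarm_check
  done
  ipt -C wallarm_check -j wallarm_blacklist 2>/dev/null ||
    ipt -A wallarm_check -j wallarm_blacklist
}

# Step 6: -I puts the RETURN rule at the top of wallarm_check, ahead of the
# jump to the blacklist chain, so the source is never matched against it.
whitelist() {
  ipt -I wallarm_check -s "$1" -j RETURN
}

# Accept only an IPv4 address with an optional /0-32 prefix. The list is
# downloaded data, so anything else is dropped instead of being handed to
# iptables as an argument (iptables itself rejects octets above 255).
valid_entry() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Rebuild wallarm_blacklist from a file with one address or CIDR per line
# (# comments and blank lines allowed). The chain is flushed and refilled, so
# there is a brief window with an empty blacklist; whitelist rules live in
# wallarm_check and are untouched. The step 5 marker is touched on success.
sync_blacklist() {
  list="$1"
  [ -r "$list" ] || { echo "blacklist $list is not readable" >&2; return 1; }
  ipt -N wallarm_blacklist 2>/dev/null || true
  ipt -F wallarm_blacklist
  sed -e 's/#.*//' -e 's/[[:space:]]//g' "$list" | while read -r addr; do
    [ -n "$addr" ] || continue
    if valid_entry "$addr"; then
      ipt -A wallarm_blacklist -s "$addr" -j REJECT
    else
      echo "skipping invalid entry: $addr" >&2
    fi
  done
  [ "$DRY_RUN" = 1 ] || touch "$LAST_RUN"
}

# Step 5 monitoring: true if the marker was updated within the last N minutes
# (default 15, i.e. three missed 5-minute cron runs).
sync_is_fresh() {
  minutes="${1:-15}"
  [ -f "$LAST_RUN" ] && [ -n "$(find "$LAST_RUN" -mmin "-$minutes")" ]
}

# Dry-run demo on a constructed sample list: "sh blacklist-sync.sh demo".
if [ "${1:-}" = demo ]; then
  sample=$(mktemp)
  printf '# constructed sample\n203.0.113.7\n198.51.100.0/24\nnot-an-ip\n' > "$sample"
  setup_chains
  whitelist 192.0.2.0/30
  sync_blacklist "$sample"
  rm -f "$sample"
fi
```

Run `sh blacklist-sync.sh demo` to see the commands a dry run would issue; set DRY_RUN=0 and run as root to apply them. The entry validation is the part worth keeping whatever the list source is: the list is remote input that ends up as iptables arguments, so it should be checked for shape before it is used.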
    
