-j DROP script?

Discussion of non-phpBB related topics with other phpBB.com users.
Forum rules
General Discussion is a bonus forum for discussion of non-phpBB related topics with other phpBB.com users. All site rules apply.
Post Reply
MontanaBighorn
Registered User
Posts: 49
Joined: Thu May 10, 2007 2:30 am
Location: Montana
Contact:

-j DROP script?

Post by MontanaBighorn »

I currently use -j DROP in my router commands to keep international spammers out of my forum, and would like to block entire countries where the spammers originate (I'm aware of the response time impact this will have). Since my small website is regionally specific anyway, nobody outside of the US needs access. This is a sample of what's in my Commands page on my router:

iptables -I FORWARD -s 218.0.0.0/8 -j DROP
iptables -I FORWARD -s 112.0.0.0/8 -j DROP
iptables -I FORWARD -s 59.0.0.0/8 -j DROP
iptables -I FORWARD -s 58.22.0.0/15 -j DROP
iptables -I FORWARD -s 208.88.96.0/21 -j DROP
iptables -I FORWARD -s 117.0.0.0/8 -j DROP
iptables -I FORWARD -s 125.0.0.0/8 -j DROP
iptables -I FORWARD -s 192.245.43.0/24 -j DROP
iptables -I FORWARD -s 121.0.0.0/8 -j DROP
iptables -I FORWARD -s 124.0.0.0/8 -j DROP
iptables -I FORWARD -s 123.0.0.0/8 -j DROP
iptables -I FORWARD -s 122.0.0.0/8 -j DROP
iptables -I FORWARD -s 116.0.0.0/8 -j DROP
iptables -I FORWARD -s 113.0.0.0/8 -j DROP

China alone has over 8000 IP scopes that I'd like to add, but I don't want to manually create each line with the applicable IP scope. Is there any type of script or website where I can simply paste a list of all 8000+ IP scopes that will create my commands for me to copy and paste back into my router? I have to believe there is a way to automate this redundant coding.
Thanks much!

User avatar
AbaddonOrmuz
Recognised Extension Developer
Posts: 745
Joined: Wed Dec 25, 2013 9:06 pm
Location: /dev/null
Name: Alfredo Ramos
Contact:

Re: -j DROP script?

Post by AbaddonOrmuz »

Are you using a VPS? Most companies offer cloud firewalls to block access even before they reach your server.

You might have better luck on sysadmin support boards.

MontanaBighorn
Registered User
Posts: 49
Joined: Thu May 10, 2007 2:30 am
Location: Montana
Contact:

Re: -j DROP script?

Post by MontanaBighorn »

I'm running a dedicated Windows 2016 Server on a commercial cable connection out of my basement. There is no support beyond myself. I currently spend nearly an hour each morning cleaning up foreign registrations and have disabled registrations completely until I can solve the spam issue that I've been battling for years now. If I can just find a script where I can paste a list of the offending IP scopes and have the commands generated that I can paste back into my router, it would be ideal.
Thanks,

User avatar
EA117
Registered User
Posts: 1253
Joined: Wed Aug 15, 2018 3:23 am
Contact:

Re: -j DROP script?

Post by EA117 »

MontanaBighorn wrote:
Fri Jan 10, 2020 8:56 pm
I'm running a dedicated Windows 2016 Server on a commercial cable connection out of my basement.
Yep, you are "the guy" then. 😜

One approach that comes to mind and could possibly give you more flexibility is to not try and stop it at the router (despite the ways in which it's more optimal that way) and block it at the Windows TCPIP stack itself. Since on the actual Windows machine, you'll have more flexibility to use or create whatever PowerShell or other scripts already exist out there for doing what you want. Which may be more difficult to do at the router, depending on how closed of a system the router is.

Looking for scripts and open projects already built around MaxMind's free databases might reveal useful options. I extended an existing script out there to just delete & update a Windows Firewall rule every day with the blocks and allows I need. Mine are not about "countries" though, and come from a non-MaxMind source.

If you don't mind letting the traffic get all the way to the web server process & phpBB code before becoming rejected, Filter by Country is an extension in development which is a very convenient way (from a phpBB management perspective) to implement exactly what you're after.

Not sure if Mark has updated yet to solve the fact MaxMind now requires a free registration & access key in order to download. That just happened this month, and is a new requirement for the free MaxMind databases. So you might need to wait for that before trying out the phpBB extension.

MontanaBighorn
Registered User
Posts: 49
Joined: Thu May 10, 2007 2:30 am
Location: Montana
Contact:

Re: -j DROP script?

Post by MontanaBighorn »

What I need is just a redundant script that will print out the lines of commands:

iptables -I FORWARD -s 218.0.0.0/8 -j DROP

Except repeated 8444 times with each individual CIDR IP scope after I paste the list of 8444 IP scopes that I downloaded from that website. The script or web page that I'm looking for would just generate the commands. For example,

iptables -I FORWARD -s X -j DROP where X is the variable.

I visit the IP by country web page and get all the IP scopes from each country I want to block. I then paste the IP addresses into the variable field. Let's say the website generated 3 IP scopes:

1.1.1.1/8
2.2.2/6
3.3.3.3/4

so I copy and paste those IP scopes into the variable field, run the script or web page, and it generates the following:

iptables -I FORWARD -s 1.1.1.1/8 -j DROP
iptables -I FORWARD -s 2.2.2.2/6 -j DROP
iptables -I FORWARD -s 3.3.3.3/4 -j DROP

I can then copy the generated commands and paste them into my router command page. It would save me from having to create 8444 lines of commands manually. Does that make better sense?
Thanks

User avatar
AbaddonOrmuz
Recognised Extension Developer
Posts: 745
Joined: Wed Dec 25, 2013 9:06 pm
Location: /dev/null
Name: Alfredo Ramos
Contact:

Re: -j DROP script?

Post by AbaddonOrmuz »

Assuming you have a file where you have an IP scope per line, you could use xargs:

Code: Select all

xargs -d '\n' -I {} -a ip_scopes.txt echo "iptables -I FORWARD -s {} -j DROP" > /tmp/iptables.txt
With the following sample ip_scopes.txt content, it would generate a /tmp/iptables.txt file with the following content:

ip_scopes.txt

Code: Select all

1.1.1.1/8
2.2.2/6
3.3.3.3/4
/tmp/iptables.txt

Code: Select all

iptables -I FORWARD -s 1.1.1.1/8 -j DROP
iptables -I FORWARD -s 2.2.2/6 -j DROP
iptables -I FORWARD -s 3.3.3.3/4 -j DROP
If you want to add more IP scopes, just paste them in ip_scopes.txt and run the command again.

You could also add the rules to iptables directly, but I would test it first with the previous command.

Code: Select all

xargs -d '\n' -I {} -a ip_scopes.txt sudo iptables -I FORWARD -s {} -j DROP

Post Reply

Return to “General Discussion”