Using badips.com's blacklists with iptables

nickvisel

New Around Here
Hi,

My name is Nick, and I'm terribly aware it may be a bit worrisome for me to hand out a script and some information as my very first post here, but I read/lurk here a lot, and didn't feel comfortable sticking this on Merlin's github wiki (though he is welcome to take it). Hope this is helpful, and let me know if there are better methods for implementing this on our beautiful ASUS routers.

For the record, this was only tested on an RT-AC68U, but I don't see any reason why this wouldn't work on any Merlin'd Asus router. Cheers!


Using badips.com's blacklists with iptables
Credits: Merlin; badips.com; www.timokorthals.de; anyone who did anything with linux ever.

More info here: http://www.badips.com/

The original script found here: http://www.timokorthals.de/?p=334

Why you would want to do this: To maybe reduce some malicious network traffic to your router and stop questionable IPs from brute-forcing their way into your router.

I modified this script in a couple of areas to change the location of the iptables binary and make sure the script runs in the /jffs/scripts folder (not necessarily needed). I also had iptables delete the list after flushing, because otherwise I experienced some nonfatal errors during the script's run. Copy and paste this script into a file named badips.sh

#!/bin/sh
# Script for blocking IPs which have been reported to www.badips.com
# Usage: Just execute by e.g. cron every day
# (Plain /bin/sh: the router's shell is BusyBox ash and no bash is needed.)
# ---------------------------

_ipt=/usr/sbin/iptables # Location of iptables (might be correct)
_input=badips.db # Name of database (will be downloaded with this name)
_pub_if=eth0 # Device which is connected to the internet (check with ifconfig)
_droplist=droplist # Name of chain in iptables (Only change this if you already have a chain with this name)
_level=5 # Block level: not so bad/false report (0) over confirmed bad (3) to quite aggressive (5) (see www.badips.com for that)
_service=ssh # Logged service (see www.badips.com for that)

# Change directory to /jffs/scripts to place the database file
cd /jffs/scripts || exit 1
# Get the bad IPs
wget -qO- "http://www.badips.com/get/list/${_service}/${_level}" > "$_input" || { echo "$0: Unable to download ip list."; exit 1; }

### Setup our black list ###
# Remove the jumps left by the previous run (if any). Without this, -X fails
# because the chain is still referenced, and one extra jump piles up per run.
for chain in INPUT OUTPUT FORWARD
do
    $_ipt -D "$chain" -j "$_droplist" 2>/dev/null
done
# First flush the droplist, then delete it.
# (Both fail harmlessly on the very first run, when the chain does not exist yet.)
$_ipt -F "$_droplist" 2>/dev/null
$_ipt -X "$_droplist" 2>/dev/null
# Create a new chain
$_ipt -N "$_droplist"

# Filter out comments and blank lines,
# then handle one IP per iteration
grep -v '^#' "$_input" | grep -v '^[[:space:]]*$' | while read -r ip
do
    # Append a LOG rule and a DROP rule for this IP to $_droplist
    $_ipt -A "$_droplist" -i "$_pub_if" -s "$ip" -j LOG --log-prefix "Drop Bad IP List"
    $_ipt -A "$_droplist" -i "$_pub_if" -s "$ip" -j DROP
done

# Finally, insert our black list at the top of the built-in chains
$_ipt -I INPUT -j "$_droplist"
$_ipt -I OUTPUT -j "$_droplist"
$_ipt -I FORWARD -j "$_droplist"

exit 0
____
I saved the file as badips.sh and for the purposes of the tutorial, I'm using that as the name of the script above. Enable JFFS if you haven't yet and make sure it's working before you continue. You will need to transfer this to /jffs/scripts somehow (I used scp). I also found it necessary to run these commands and fix something wrong with the hex code in the script after copying it from my computer to the router. Methinks it had something to do with using either notepad++ or copying text from a browser to notepad++. Anyways, run this:

# Strip the carriage returns (CRLF line endings) and replace the file
cat /jffs/scripts/badips.sh | tr -d '\r' > /jffs/scripts/badipsnew.sh
rm /jffs/scripts/badips.sh
mv /jffs/scripts/badipsnew.sh /jffs/scripts/badips.sh

You should reference this script in one of the startup scripts (I suggest firewall-start) by adding this command to it:

sh /jffs/scripts/badips.sh

If you're curious, start the command, then run
and watch the CPU usage. My RT-AC68U jumped up to ~20% CPU usage for maybe two minutes while it was adding the iptables. YMMV.

If you want the script to update iptables daily, run this command:

cru a badips "0 10 * * * sh /jffs/scripts/badips.sh"

This will run the script every day at 10am (the time when I will most likely not be at home using the internet).

To make this effectively persistent and work across router reboots:

Create an 'init-start' script or add the line to it (don't forget to shebang init-start with #!/bin/bash)

If it already exists, you can do this by running

echo 'cru a badips "0 10 * * * sh /jffs/scripts/badips.sh"' >> /jffs/scripts/init-start
Otherwise run

nano /jffs/scripts/init-start && chmod a+x /jffs/scripts/init-start

type this out:

#!/bin/bash
cru a badips "0 10 * * * sh /jffs/scripts/badips.sh"

and save it. chmod then runs and makes the script executable.

The reason you want to run this with init-start is because the crontab resides in memory and is essentially empty whenever the router reboots.

I've tested this over a couple reboots, and my script runs when the router reboots, and every day at 10am.

Running

iptables -n -L

will give you a list of IPs that iptables is dropping packets from. It will be a long list. You can also check in on the system log in the router's UI to get information about packets being dropped.

Hope this helps some of you get a good working and updating firewall and stop random IPs from trying to SSH into your router.
From experience I know for a fact using iptables to ban multiple IPs is very inefficient. Personally I use ipset as it was designed for this type of thing and can ban hundreds of thousands of IPs without any performance hit.

I have a guide I wrote for the community which I based on a personal firewall script which may be of some use to you.

http://forums.smallnetbuilder.com/showthread.php?t=16798
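The ipset approach this reply suggests, applied to the badips.com list from the first post, as an added example (not nickvisel's script, the reply's linked guide, or anything from badips.com): the list is loaded into one hash:ip set that is swapped in atomically, and a single iptables rule replaces the two rules per address. It assumes ipset 6.x syntax (create/restore/swap), BusyBox sh on the router, and the set name badips; the sample list at the top is constructed for illustration.

```shell
#!/bin/sh
# Added example: badips.com list -> one ipset, one iptables rule.
# Assumptions: ipset 6.x and iptables present (ASUSWRT-Merlin ships both),
# set name "badips", list stored in /jffs/scripts/badips.db.
_set=badips
_list=/jffs/scripts/badips.db
_service=ssh
_level=5

# Constructed sample of a downloaded list (comments, blanks, junk), not real data
sample_list() {
cat <<'EOF'
# constructed sample, not real badips.com data
192.0.2.10
198.51.100.7

not-an-ip
203.0.113.200
EOF
}

# Turn a raw list file ($1) into `ipset restore` input for set $2, keeping
# only dotted-quad IPv4 addresses (comments, blank lines and junk are dropped).
build_restore() {
    printf 'create %s hash:ip family inet\nflush %s\n' "$2" "$2"
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' "$1" | sed "s/^/add $2 /"
}

# Number of addresses that would be loaded from list file $1
count_valid() {
    build_restore "$1" tmp | grep -c '^add '
}

# Download, load into a temporary set, swap it in, keep a single DROP rule.
load_blocklist() {
    wget -qO- "http://www.badips.com/get/list/${_service}/${_level}" > "$_list" \
        || { echo "$0: download failed"; return 1; }
    ipset -exist create "$_set" hash:ip family inet
    build_restore "$_list" "${_set}_tmp" | ipset -exist restore
    ipset swap "${_set}_tmp" "$_set"      # atomic: no moment without a list
    ipset destroy "${_set}_tmp"
    # delete-then-insert so reruns (cron) never stack duplicate rules
    iptables -D INPUT -m set --match-set "$_set" src -j DROP 2>/dev/null
    iptables -I INPUT -m set --match-set "$_set" src -j DROP
}

# Only touch ipset/iptables when explicitly asked: sh badipset.sh run
if [ "${1:-}" = "run" ]; then load_blocklist; fi
```

Run it from cron with the same cru line as the first post, with `run` appended, and check the loaded count with `ipset list badips | grep -c '^[0-9]'`.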