Using iptables to redirect all IPs from a country to a predetermined page
Yesterday a client asked that his website block all IPs from China, and that visitors from China be redirected to a predetermined page (or site) instead. The orthodox approach would be apache + mod_geoip or nginx + http_geoip_module, but the client runs apache / DirectAdmin / suexec, and suexec seems to have problems with mod_geoip. VPSee did not want to touch a large client configuration, so we decided to implement the requirement with iptables. The idea: use iptables to steer all web traffic from China to port 81 of the site, have apache listen on port 81 as well, and put the predetermined page (or site) there.
First download the per-country list of IP prefixes from IPdeny, for example cn.zone. Note that the file is fetched over plain HTTP and changes over time: look it over (one IPv4 prefix per line, comments starting with #) before feeding it to iptables, and refresh it periodically.
# wget http://www.ipdeny.com/ipblocks/data/countries/cn.zone
Once the list is in hand, the following script reads cn.zone line by line and adds a DNAT rule for every prefix:
#!/bin/bash
# Redirect traffic from a specific country to a specific page
# written by vpsee.com

COUNTRY="cn"
YOURIP="1.2.3.4"

if [ "$(id -u)" != "0" ]; then
    echo "you must be root" 1>&2
    exit 1
fi

# start from a clean slate; -F without -t only flushes the filter table,
# so the nat table must be flushed separately or a re-run duplicates the DNAT rules
iptables -F
iptables -X
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

# Redirect incoming http (80) from China to 81
for c in $COUNTRY
do
    country_file=$c.zone
    # skip comment lines and blank lines in the zone file
    IPS=$(egrep -v "^#|^$" "$country_file")
    for ip in $IPS
    do
        echo "redirecting $ip"
        iptables -t nat -I PREROUTING -p tcp --dport 80 -s "$ip" -j DNAT \
            --to-destination "$YOURIP:81"
    done
done

iptables-save > /etc/sysconfig/iptables
chmod go-r /etc/sysconfig/iptables
service iptables restart
After this, a visit from a Chinese IP to port 80 of YOURIP is DNATed to YOURIP:81. Then modify the apache configuration: add Listen 81 plus a VirtualHost (or DocumentRoot) for that port and place the predetermined page (or site) there. Two things to keep in mind: the nat table only evaluates the first packet of a connection, so connections that are already open keep going to port 80 until they close; and port 81 is reachable directly from anywhere, so the page on it is not private. Also, cn.zone contains thousands of prefixes and every new connection to port 80 walks the PREROUTING chain linearly, so keep an eye on the rule count.
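The zone file arrives over plain HTTP and the script above hands every non-comment line to iptables unchecked, so a malformed or tampered line would end up as an argument to iptables. The script below is an added example (not the vpsee.com script, and not from ipdeny.com): it validates each line as an IPv4 prefix and prints the DNAT rules as a dry run for review instead of applying them. The zone content is a constructed sample, and 1.2.3.4 and port 81 are placeholder values.

```shell
#!/bin/sh
# Added example: validate an IPdeny zone file and emit the iptables rules
# as text for review. Nothing here calls iptables.

# valid_cidr A.B.C.D/N -> 0 if every octet is 0..255 and N is 0..32,
# 1 otherwise. Runs in a subshell so the IFS change does not leak.
valid_cidr() (
    set -f                      # no pathname expansion when splitting
    cidr=$1
    case $cidr in */*) ;; *) return 1 ;; esac
    ip=${cidr%/*}
    len=${cidr#*/}
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
)

# gen_redirect_rules ZONEFILE YOURIP PORT
# Prints one iptables command per valid prefix; comment and blank lines are
# skipped, malformed lines are reported on stderr and counted. Returns 1 if
# any line was rejected, so a caller can refuse to apply a suspect file.
gen_redirect_rules() {
    zone=$1; dst=$2; port=$3; bad=0
    while read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if valid_cidr "$line"; then
            # -A (append) is fine here: the sources are disjoint, so order does not matter
            printf 'iptables -t nat -A PREROUTING -p tcp --dport 80 -s %s -j DNAT --to-destination %s:%s\n' \
                "$line" "$dst" "$port"
        else
            printf 'rejected line: %s\n' "$line" >&2
            bad=$((bad + 1))
        fi
    done < "$zone"
    [ "$bad" -eq 0 ]
}

# Constructed sample (not a real ipdeny file): two good prefixes, a comment,
# a blank line, and one malformed line that must never reach iptables.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# cn.zone, trimmed sample
1.0.1.0/24
1.0.2.0/23

1.0.8.0/21 -j ACCEPT
EOF
gen_redirect_rules "$sample" 1.2.3.4 81 || echo "zone file had bad lines; apply nothing" >&2
rm -f "$sample"
```

Review the printed commands, then pipe them to sh as root (or apply the same loop with iptables directly) only when the function exits 0.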
How to block a single IP and whole IP ranges with iptables on Linux (examples)
Command to block a single IP:
iptables -I INPUT -s 211.1.0.0 -j DROP
Commands to block IP ranges (one /16 each):
iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP
Command to block an entire /8:
iptables -I INPUT -s 211.0.0.0/8 -j DROP
Commands to block several /24 segments:
iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP
[Unblocking]
To remove a rule, -D must repeat the rule exactly as it was added, so a rule added with -j DROP is removed with -j DROP (use -j REJECT only if that is what the rule contains):
iptables -D INPUT -s <IP address> -j DROP
If the INPUT rule has no effect, the traffic may be routed through the box rather than delivered to it, in which case the FORWARD chain is the right place:
iptables -A FORWARD -s 1.202.0.0/16 -j DROP
The /16, /24, /32 suffix is the CIDR prefix length: /16 means the first 16 bits of the netmask are all ones (255.255.0.0), /24 means the first 24 (255.255.255.0), /32 is a single host, and so on.
iptables -A FORWARD -s 61.172.0.0/16 -i <interface name> -j DROP
——– Some people say this approach is easier to use and works as well as a firewall rule ——–
Block a range with a single route: # route add 61.172.0.0/16 reject
Or the same with an explicit netmask: # route add -net 61.172.0.0 netmask 255.255.0.0 reject
A reject route does not filter incoming packets; it only leaves the kernel with no route for replies to those addresses, which is enough to stop TCP connections from completing but does not keep the packets off the machine. Use the iptables rules where real filtering is needed.
Some practical examples follow. The trick is to look at the leading octets of the range:
—— If the range to block is 061.037.080.000 -> 061.037.081.255 ——
iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP
—— What iptables commands block the range 211.1.0.0 to 211.10.0.0? ——
platinum replied on 2004-01-01 01:14:13:
iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP
—— If the whole of 211.0.0.0 - 211.255.255.255 is to be blocked ——
iptables -I INPUT -s 211.0.0.0/8 -j DROP
Three more rules that I personally find useful:
-A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Explanation:
First line: at most 5 new connections per second
Second line: prevents all kinds of port scanning
Third line: ping flood attack (Ping of Death)