krfilter - deny accesses from .kr

Why?

Why filtering IP packets from that country?

In many developing countries --- South Korea and China, for example --- the security of computers connected to the Internet is very poor.

The necessity of a firewall is not recognized there. For instance, investigations by the government of Korea revealed that people believed they shouldn't use firewalls, because firewalls slow down the servers and the network. The investigations also revealed that illegally-copied software was widely used (including Microsoft SQL Server, which was targeted by Slammer), so security patches were rarely applied.

Helped by that situation, new worms spread fast in those countries and don't disappear. As a matter of fact, CodeRed, Nimda, and Slammer thrived most in Korea.

Furthermore, the accesses of the NaverRobot --- a search-engine crawler run by a Korean company, famous for its troublesome web access (the interval and frequency of the robot's requests amount to almost a DoS attack) and its ill manners (its User-Agent is "googlebot"!) --- are intolerable.

I analyzed the logs of my web server, ftp server, and mail server, and I found that almost all accesses from that country were worm connections and port scans, spam sent through the backdoors provided by worms, or the DoS accesses from NaverRobot!

I have to shut out the accesses from those countries --- I thought.

What's this?

The shell scripts in this page intend to filter out accesses from Korea (.kr), China (.cn), Taiwan (.tw), India (.in), and Indonesia (.id). These scripts use iptables (a Linux network filtering utility), so Linux kernel 2.4 (or later) and the iptables utility are required.

Many Asian countries receive their IP address allocations from APNIC (Asia Pacific Network Information Centre), which manages the IP address space of the Asia Pacific region.

APNIC's allocation list is open to the public at /stats/apnic. The scripts are based on the information on the APNIC site, and pass these address ranges to the iptables utility to shut out TCP connections from these addresses (we can still open TCP connections to these addresses, though).
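The page's scripts are generated from the APNIC list, but the page does not show how. The following converter is an added example, not the page's ALL.sh.txt: it assumes the APNIC "delegated" file layout (registry|cc|type|start|count|date|status, one allocation per line), and the sample lines embedded at the bottom are constructed from documentation prefixes, not real allocations. The part worth seeing is range2cidr: APNIC records a start address and a host count, and a count such as 768 is not one CIDR block, so it has to be split into aligned blocks (here 203.0.113.0/24 plus 203.0.114.0/23) before it can be handed to iptables.

```shell
#!/bin/sh
# Added example: turn an APNIC delegated-style list into CIDR blocks for
# selected country codes. This is not the page's ALL.sh.txt; the input layout
# (registry|cc|type|start|count|date|status) is assumed from APNIC's stats files.

# ip2int: dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip: 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range2cidr START COUNT: APNIC gives a start address and a host count, which
# need not be a single power of two (768 = /24 + /23), so split the range into
# the fewest aligned CIDR blocks.
range2cidr() {
    start=$(ip2int "$1")
    count=$2
    while [ "$count" -gt 0 ]; do
        size=1
        bits=32
        # grow the block while it still fits in the range and stays aligned
        while [ $(( size * 2 )) -le "$count" ] && [ $(( start % (size * 2) )) -eq 0 ]; do
            size=$(( size * 2 ))
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$start")/$bits"
        start=$(( start + size ))
        count=$(( count - size ))
    done
}

# apnic_cidrs CC...: read the delegated list on stdin and print the IPv4
# blocks allocated to the given country codes, one CIDR per line.
apnic_cidrs() {
    wanted=" $* "
    while IFS='|' read -r reg cc type start count rest; do
        case "$reg" in ''|'#'*) continue ;; esac      # blank and comment lines
        [ "$type" = ipv4 ] || continue                # version/summary/ipv6/asn lines
        case "$wanted" in *" $cc "*) range2cidr "$start" "$count" ;; esac
    done
}

# krfilter_rules CC...: the same blocks as iptables commands for the
# KRFILTER chain (matches are sent to KRFILTERED, which drops them)
krfilter_rules() {
    apnic_cidrs "$@" | while read -r net; do
        echo "iptables -A KRFILTER -s $net -j KRFILTERED"
    done
}

# Constructed sample in the delegated-file layout (documentation prefixes,
# not real APNIC allocations).
SAMPLE_LIST='# constructed sample, not real data
2|apnic|20040101|3|19830613|20040101|+1000
apnic|*|ipv4|*|3|summary
apnic|KR|ipv4|203.0.113.0|768|20040101|allocated
apnic|CN|ipv4|198.51.100.0|256|20040101|allocated
apnic|JP|ipv4|192.0.2.0|256|20040101|allocated'

printf '%s\n' "$SAMPLE_LIST" | krfilter_rules KR CN
```

To use it on a real download, feed the file on stdin instead of the sample: `krfilter_rules KR CN TW IN ID < delegated-apnic-latest > ALL.sh`. Note that the summary line (country code `*`) and the version line are skipped by the type check, so they never produce rules.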

Disclaimer

This software is distributed WITHOUT ANY WARRANTY.

As TCP connections from those countries and areas are shut out, you may experience some trouble. If you have friends or customers in those countries and areas, you shouldn't use the scripts in this page. You will be unable to receive mail from them!

How it works?

Filtering with iptables

Linux 2.4 and 2.6 have a subsystem named "netfilter", which provides powerful network functions. The iptables utility is the front end for configuring netfilter.

This script uses iptables to check the source address of "the packets which intend to start a TCP connection to me". If the source address is a Korean IP address (or one from the other listed countries), the Linux kernel discards the packet.

As netfilter only watches "new TCP connections to me", "new TCP connections from me to Korean IP addresses" are not filtered. So we can still connect to Korean sites.

Detail

Since only the packets that open a new TCP connection are dispatched to the KRFILTER chain and processed, the processing load is minimized.

How to use

Download

Download the scripts.

To keep up with APNIC's list, these scripts are updated every month.

Apply filters

Create two iptables chains, "KRFILTER" and "KRFILTERED". To use iptables, you must be root. The "#" symbols in the explanations represent the root prompt.

# iptables -N KRFILTER
# iptables -N KRFILTERED

Run the shell script, which appends the address rules to the KRFILTER chain.

# sh ALL.sh.txt

Append a rule to the KRFILTER chain that accepts the packets which aren't caught by the filters.

# iptables -A KRFILTER -j ACCEPT

Append a rule to the KRFILTERED chain that discards the packets caught by the filters.

# iptables -A KRFILTERED -j DROP

If you want to record information about the dropped packets, use the following commands instead. You can view the log with the "dmesg" command (or in syslog).

# iptables -A KRFILTERED -j LOG --log-prefix "Rej-TCP "
# iptables -A KRFILTERED -j DROP

Append a rule to the INPUT chain that dispatches the SYN packets (which initiate a new TCP connection) to KRFILTER.

# iptables -A INPUT -p tcp -m state --state NEW -j KRFILTER

That's all.

It takes time and effort to type in these commands, so it is a good idea to put that sequence in a system boot-up script.

Stop filtering

To delete the filtering rule, first show the rule list of the INPUT chain.

# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
KRFILTER   tcp  --  anywhere             akane.hakusan.tsg.ne.jpstate NEW 

Delete the rule dispatching packets to the KRFILTER chain (the top rule, number 1, in the example).

# iptables -D INPUT 1

Flush and delete the KRFILTER and KRFILTERED chains.

# iptables -F KRFILTER
# iptables -X KRFILTER
# iptables -F KRFILTERED
# iptables -X KRFILTERED
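The "Apply filters" and "Stop filtering" sequences, collected into the kind of start/stop script the page suggests putting in a boot-up script. This is an added example, not the page's own scripts: it assumes the blocked ranges come from a file with one a.b.c.d/n per line (like the appendix list) rather than from ALL.sh.txt, and the IPT variable is an assumption of this example so that IPT=echo prints the commands instead of applying them. Two details differ from typing the commands by hand: the address rules are loaded before the final ACCEPT in KRFILTER (an ACCEPT appended first would be evaluated first and the ranges would never match), and the INPUT rule is removed by its specification instead of by index, so the stop step no longer depends on the rule being number 1.

```shell
#!/bin/sh
# Added example, not the page's own scripts: an init-style wrapper around the
# iptables steps described on the page. The CIDR list file (one a.b.c.d/n per
# line) and the IPT variable are assumptions of this example; set IPT=echo to
# print the commands instead of applying them.

IPT=${IPT:-iptables}

# krfilter_load FILE: append one rule per CIDR to KRFILTER, sending matches to
# KRFILTERED. Must run before the final ACCEPT rule in KRFILTER, otherwise the
# ACCEPT would be evaluated first and the ranges would never match.
krfilter_load() {
    while read -r net; do
        case "$net" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        $IPT -A KRFILTER -s "$net" -j KRFILTERED
    done < "$1"
}

# krfilter_start FILE: the "Apply filters" sequence in the page's order.
krfilter_start() {
    $IPT -N KRFILTER
    $IPT -N KRFILTERED
    krfilter_load "$1"
    $IPT -A KRFILTER -j ACCEPT                      # anything not listed passes
    $IPT -A KRFILTERED -j LOG --log-prefix "Rej-TCP "
    $IPT -A KRFILTERED -j DROP
    # only packets opening a new TCP connection are sent to KRFILTER
    $IPT -A INPUT -p tcp -m state --state NEW -j KRFILTER
}

# krfilter_stop: the "Stop filtering" sequence. The INPUT rule is deleted by
# its specification rather than by index, so its position does not matter.
krfilter_stop() {
    $IPT -D INPUT -p tcp -m state --state NEW -j KRFILTER
    $IPT -F KRFILTER
    $IPT -X KRFILTER
    $IPT -F KRFILTERED
    $IPT -X KRFILTERED
}

# usage: sh krfilter.sh start [LISTFILE]  |  sh krfilter.sh stop
# (the list file path /etc/krfilter.list is an assumed default)
case "${1:-}" in
    start) krfilter_stop 2>/dev/null; krfilter_start "${2:-/etc/krfilter.list}" ;;
    stop)  krfilter_stop ;;
esac
```

Because the jump is appended (-A) to INPUT, it sits after any rules already there; if an earlier INPUT rule accepts new TCP connections, KRFILTER is never consulted. Check the position with `iptables -L INPUT --line-numbers` after starting. If the LOG rule is kept, inserting `-m limit --limit 5/minute` before `-j LOG` keeps a burst of scans from flooding dmesg.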

Known bugs

IP ranges not managed by APNIC

Not all of the IP addresses used in Asian countries are in APNIC's list.

For example, in Japan, 133.11.0.0/16 and 157.82.0.0/16, owned by The University of Tokyo, are not listed. Also, some /8 IP address ranges of major Internet providers are used in Japan but are not in the list.

It may be insufficient to block only the addresses in the APNIC list.

Status of www.hakusan.tsg.ne.jp:

Yesterday (7-29, in Month-Day format), www.hakusan.tsg.ne.jp filtered out 581 accesses from Korea, China, Hong Kong, Taiwan, India, and Indonesia.


Appendix

0.0.0.0/0 formatted list





misora@hpot.r-x.jp Copyright © 1999-2004 by T.Tsujikawa / All rights reserved.