 Geo-IP
Blocking with IP Tables: Some Common Sense Firewall Rules
Tony Howlett
How many legitimate visitors to your company's Web site/intranet
are you expecting from South Korea this month? How about legitimate
business emails from China? None, you say? Consider that a recent
study by Spamhaus showed that the following countries led as sources
of spam:
United States 42%
South Korean 13.43%
China 8.43%
Taiwan 1%
These statistics say that by blocking the IP address blocks associated
with the top three non-U.S. spam-producing countries, you could
lower your spam load by 23%. Given that spam comprises more than
90% of mail traffic these days, this could lower the load on your
mail server by a whopping 20% without any new software or hardware.
The same also holds true for worm attacks, phishing attempts, and
other attacks. Better results can be gained for companies willing
to block more countries or regions. This is the concept and purpose
behind Geo-IP blocking.
I'm going to go out a limb here with the radical premise that
just because the Internet is supposed to give us access to the whole
world, we don't have to reciprocate and give the whole world access
to our network. Call me Internet isolationist or a security reactionary,
but most firms have no reason to allow users from the entire world
to potentially access their servers. For the Fortune 1000 or truly
multi-national firms, this may not be true, but almost all firms
could benefit from exercising some caution in what IP addresses
they allow to contact their networks.
The reason this makes sense is that an increasing amount of spam,
viruses, worms, and other malware is coming from countries other
than the United States. In fact, it is concentrating in a handful
of countries that have lax or no laws governing Internet crime.
This allows organized gangs of hackers or spamming corporations
to thrive. Also, with the CAN-SPAM Act passed by the U.S. legislature,
which sets strict rules on how spam can be sent, spam operators
may increasingly move their bases of operations overseas.
There are multiple ways to use the Geo-IP blocking strategy. The
implementation can either be a monolithic wall or a mosquito net.
Even if you don't want to block any access to your Web or mail servers,
you can limit access to interactive services such as telnet and
SSH to U.S.-only IP addresses (assuming all your systems administrators
are located in the United States). Either way, you can prevent a
lot of trouble by blocking access from certain address blocks completely
from your network. You can do this with some simple rules in iptables,
the popular Linux firewall.
Even if you don't control the firewall within your organization,
you can still run these rules on a Linux-based server and at least
secure that machine from threats from these regions. The examples
provided here assume the machine is used as a dedicated firewall
with two Ethernet interfaces and enough horsepower to handle a fairly
robust rule set. This article also requires at least a minimal knowledge
of iptables. For a primer on iptables, see the Netfilter Web site
(http://www.netfilter.org) or the many past articles in Sys
Admin.
In this article, I will make recommendations on which regions
and countries to block and also describe service-related restrictions,
such as limiting interactive login traffic. I will include examples
of the proper iptables syntax as well as a quick automation script
to facilitate adding blocks of IPs. My examples use iptables, but
these principles will work with any firewall or even a router. Just
replace the iptables syntax with the appropriate commands for your
device or operating system. Using these rules, administrators can
eliminate a large portion of the malicious traffic headed for their
networks.
Reasons to Implement Geo-IP Blocking
There are many reasons why Geo-IP blocking may make sense for
your network and some why it may not. Let's start with the pros:
- Quick -- You should be able to put these entries into your
firewall table within minutes, possibly an hour or longer if you
want to do all the zones mentioned. That's a small time investment
for a big return. There is some maintenance required to keep the
IP ranges up to date, but a little scripting can help you with
that.
- No cost -- There is no hardware to buy, no software to buy,
and probably the easiest ROI argument you ever made to your boss.
- Blanket protection -- Geo-IP blocking provides almost total
protection from attacks coming from the blocked areas. You don't
have to worry about a zero-day attack originating from these areas.
Granted, a truly talented hacker could spoof the IP addresses
and possibly foil this protection, but those attacks are a small
percentage of the cyber attacks that are hitting your public servers
every day.
- Easily reversible -- If you encounter problems with valid emails
not getting through, it is simple to remove the offending lines
from your iptables configuration.
- Blocking is only one way -- Users can still access sites in
the blocked regions; only inbound connections are prevented from
connecting. However, for increased protection and added benefits,
you can block outbound connections as well.
- Block access to objectionable sites -- If you make the rule
go both ways, this strategy will stop users from accessing any
sites in the region. Given that many hacking sites and call-home
Trojans go to offshore sites, this can help with security problems
that start inside your LAN.
Reasons Not to Geo-IP Block
- Large multi-national business -- Blocking entire regions wholesale
is probably not an option for administrators of multi-national
corporations. However, there are some strategies for using Geo-IP
blocking in a more limited manner, which are covered later.
- Doing business internationally -- If your company isn't large
but does conduct a lot of business overseas, then you'll need
to limit your Geo-IP blocking regimen. However, you can still
consider blocking countries or regions that you don't do business
with.
- Looking for a 100% solution -- Geo-IP blocking is not 100%
effective, but what is? Done correctly, however, Geo-IP blocking
provides you with an extra layer of protection to augment your
other spam-blocking measures.
Generally, the idea is to target countries known to be players
in the malware world. Because this method blocks all traffic, you
don't have to worry about new techniques being developed or your
software falling behind. You just block everything, period, end
of story.
IP Addressing
Before I get into the actual Geo-IP blocking strategies, an understanding
of how IP addresses are assigned is in order. IP address numbers
are originally delegated at the top level by an organization called
the Internet and Name Authority (IANA). This agency handles delegation
of large blocks of IP addresses to different entities (i.e., companies,
organizations, and countries). They don't actually have anything
to do with the way these addresses are used. They just keep track
of the numbers and delegate actual handling of the IP blocks to
the Regional Internet Registry (RIR) for each region of the world.
In the United States, the RIR that is responsible for our IP blocks
is called the American Registry for Internet numbers (ARIN). In
Asia, there is the Asian Pacific Network Information Center (APNIC).
For Europe, the Registry for IP European (RIPE) is the authority
for all IP numbers, and in Latin America, it's the Latin America
and Caribbean Network Information Center (LAPNIC).
Remember that, when using IPv4, the range of IP addresses is 1.1.1.1
to 255.255.255.255, making for just more than 4 billion possible
addresses. IANA has reserved large blocks of this space for private
use. These are as follows:
192.168.0.0 - 192.168.255.255
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
These ranges cannot be used to route traffic on the public Internet.
Other ranges are reserved for special or future use. This still leaves
a lot of address space to hand out. Each RIR gets a number of contiguous
blocks from which to assign address space. As time has passed and
the Internet has grown, these distinctions have broken down a little.
With globe-spanning communications networks based in the United States,
you might find ARIN IP addresses in other countries and vice versa.
But generally, the IANA number assignments hold true.
Blocking Geo-IP Addresses
To get started, you must decide whether you want to block a complete
RIR or just a few countries in it. Blocking the whole region is
quick and easy and the appropriate ranges are listed in the next
section. However, this strategy can lead to unintentional blocking
and also might miss some regional address space that is registered
to a different RIR. If you want to be more thorough, you will need
to block country by country. You will need to do some research to
find all the addresses associated with the countries you want to
block.
An excellent site to get this information from is the IP to Country
database located at:
http://ip.ludost.net
This wonderful, free site is run by Vasil Koslev and keeps track of
all IP addresses associated with each country, updated daily. It allows
you to poll the database and generate a text file for all the countries
you want to block. You can also download the whole file and parse
it yourself. To begin blocking these segments, a simple iptables command
is all that is needed. For example:
iptables -A INPUT -s 58.0.0.0/24 -j DROP
You must issue a separate iptables command for each discrete IP block.
Obviously, typing all those statements for each IP range could get
tiresome. But there are scripts you can use to import text files into
your iptables. In its simplest form, the script would look something
like this:
#!/bin/bash
if [ -f geo-ip-block.txt ]
then
for BLOCKED_IP in 'cat geo-ip-block.txt'
do
iptables -A INPUT -s $BLOCKED_IP -j DROP
done
else
echo "No Geo-IP Blocking file exists"
fi
This script will read IP addresses from a file and add them to your
iptables. Just run the script at the command line or have it run at
startup to load your Geo-IP blocked addresses. This script doesn't
do any error checking on the IP format or anything fancy, but you
get the general idea.
Blocking IP ranges from any of the other RIRs works the same way.
Generate your list using the Ludost site (or any number of commercial
services that can do it for you). Note that the IP ranges listed
here are not guaranteed to be complete and are subject to change.
You should get an updated list before making your own rule sets.
APNIC
A large percentage of malware originates from Asian countries
(number 2 and number 3 spammer countries in the study mentioned
previously). Just blocking APNIC alone could lower malware hits
on your servers by 20% to 30%. However, be careful because a shotgun
approach to the Far East will also block Japan, where many companies
do business. Also, some Australian and New Zealand sites use APNIC
space. For a minimalist approach, I would recommend starting with
China, South Korea, and Taiwan. You can add or subtract countries
based on your own company's requirements.
Here are the APNIC ranges according to IANA:
58.0.0.0/8
61.0.0.0/8
124.0.0.0/8
126.0.0.0/8
168.208.0.0/16
196.192.0.0/16
202.0.0.0/8
210.0.0.0/8
218.0.0.0/8
220.0.0.0/8
222.0.0.0/8
RIPE
Blocking RIPE addresses is a little more risky because many multi-national
companies are based in Europe, and you may want access to their
Web sites, mail servers, etc. Russia is by far the top producer
of malware in the region along with Bulgaria, Hungary, Kazakhstan,
and Yugoslavia. Again, you can always adjust your settings if you
get complaints.
Here are the complete IANA ranges for RIPE:
80.0.0.0/8
81.0.0.0/8
82.0.0.0/8
83.0.0.0/8
84.0.0.0/8
85.0.0.0/8
86.0.0.0/8
87.0.0.0/8
88.0.0.0/8
89.0.0.0/8
90.0.0.0/8
91.0.0.0/8
193.0.0.0/8
194.0.0.0/8
195.0.0.0/8
212.0.0.0/8
213.0.0.0/8
217.0.0.0/8
AFRINIC
The AFRINIC is a relatively new RIR taking over IP assignments
for the African continent. Given that it's new, a lot of existing
sites are going to be on the RIPE address space, but it comprises
a single, large IP range and blocking is pretty easy:
41.0.0.0/8
LACNIC
Companies heavily involved in NAFTA trade should be very selective
about IP blocking in the LACNIC range. Countries to consider blocking
would be Brazil and Argentina, the biggest malware producers in
the region:
189.0.0.0/8
190.0.0.0/8
200.0.0.0/8
201.0.0.0/8
Limited Geo-IP Blocking Strategies
So far, I have described a wholesale blocking policy. But what
if you still want to allow access to your Web server from these
countries? You can write a more specific rule letting through Web
traffic but blocking all other services.
Here is an iptables rule for the script above that would block
all but Web traffic from the offending IPs:
Iptables -A INPUT -s $BLOCKED_IP -p tcp -dport ! 80 -j DROP
Note that it uses the iptables NOT operator "!", which can come in
very handy in constructing complex iptables statements. Just replace
the iptables command in the script shown previously with this one.
Also, there is the school of thought that would allow most access
but block interactive services, such as telnet, ssh, ftp, etc. Here
is an example of a rule that would reject only those services coming
from the suspect IPs:
Iptables -A INPUT -s $BLOCKED_IP -p tcp -dports 21,22,23 -j DROP
Conclusion
Some administrators might oppose this plan as having a limited
lifespan or being isolationist. However, if this approach protects
your network, even for a year or two, I think it is worth the minimal
effort of setting it up. If it causes problems or is no longer effective,
it can easily be removed.
Geo-IP blocking isn't a silver bullet by any means. It won't block
all malware headed for your network, and you will still need anti-virus
software, spam filters, and all the other tools necessary for a
healthy and secure network. This approach is just one way to lower
the chances that your network will be compromised and decrease the
load on your public servers. Used judiciously, Geo-IP blocking can
become one more tool in your security arsenal against the increasing
onslaught of malware.
Tony Howlett is President of Network Security Services, a network
consulting firm (http://www.netsecuritysvcs.com). He was
previously a founder and CTO of a regional CLEC/ISP. He holds the
CISSP and GSNA titles as well as a BBA in MIS. | 
