Closed GoogleCodeExporter closed 9 years ago
IPSet tables filled slow, best way to fill IPSet tables in script
/etc/storage/started_script.sh (called in background after router started)
iptables rules needed reload in
/etc/storage/post_iptables_script.sh
/etc/storage content needed save via
mtd_storage.sh save
or via WebUI (>= -058 build)
Original comment by andy.pad...@gmail.com
on 16 May 2013 at 9:06
Thanks for the reply. I don't think I explain my issue clearly so hopefully you
understand what I'm trying to achieve.
I know about these files and utilize them in conjunction with the script above
which I have modified today to use the IPSet save/restore functions to be more
efficient with larger lists (takes seconds to restore thousands of IP's rather
then adding them manually from a list which I was previously doing).
Now currently my setup is as follows;
1) "/opt/bin/firewall" is executed on start-up which restores the IPSets and
creates new IPTables rules
2) A cronjob runs every hour and scans "/tmp/syslog.log" for "DROP" entries and
adds the IP's to the blacklist and saves it.
This works on a small scale, but it isn't ideal in a situation where a random
botnet is flooding random ports with thousands of IP's every second as syslog
only has a certain number of entries to prevent over-sized log files. Here's an
example of what my syslog looks like after seconds of being attacked;
/opt/home/admin # cat /tmp/syslog.log | grep DROP | wc -l
1038
As you can see, it takes merely seconds/minutes for over 1038 lines of my
syslog to be DROP messages from the kernel due to the attacking botnet's size.
What I want to-do is edit some of the default IPTables rules with the following
so rather then having to scan syslog for dropped messages IPTables will update
my IPSet blacklist dynamically which would be a much cleaner solution.
"-j SET --add-set Blacklist src"
At the moment I believe that the default rules are coded into the firmware and
at some point during the boot process copied to;
/tmp/ipt_filter.default
/tmp/ipt_filter.rules
The problem is they can't be modified after building the firmware and nothing
from /tmp is saved on reboot. I am aware I can use IPTables to destroy and
recreate certain rules with the extra addition but I feel this isn't a good
long term solution.
So what I am asking is a way to edit the rules listed in /tmp that will carry
over if the router is rebooted so that IPTables can self manage the blacklist
dynamically when IP's are dropped which at this point I believe is not
possible. Below is my updated script which should give you a clearer idea of
what I'm trying to achieve.
http://pastebin.com/2mMj5NLU
Lines 144 - 152 are how I am setting up my blacklist on reboot
Lines 80 - 95 are how I am currently scanning the syslog on a cronjob to update
the IPSet blacklist
Hopefully this makes sense. Thanks again.
Original comment by c_u_late...@hotmail.com
on 16 May 2013 at 11:00
Seems like maybe I was over-thinking a solution to have IPTables manage my
IPSet blacklist dynamically, solved the problem by adding a rule to the logdrop
chain and removing the default rules manually.
iptables -D logdrop 1
iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src
Feel free to close this issue.
Original comment by c_u_late...@hotmail.com
on 16 May 2013 at 4:01
Original issue reported on code.google.com by
c_u_late...@hotmail.com
on 15 May 2013 at 3:57