Limiting Spam and Attacks
Security - Training

You can use a bridge to effectively limit spam and attacks by managing the IP ranges per country. The thinking behind this is that these IP address ranges probably do not need access to your network in any way, unless you are an international business. By blocking these country ranges you may reduce spam and malware by up to 25%. In addition, in the event of a catastrophic virus outbreak, blocking these IP ranges may create a window of time in which to secure your server. The following websites keep track of the network subnets that are allocated to each country.


These websites provide the subnets for each country.

http://www.countryipblocks.net/country-blocks/cidr/

http://ip.ludost.net

Why limit IP subnets?
Some may say, "if you want a global business you need to allow access to your server from anywhere." If you have ever run a mail server and seen that 70-85% of all email is spam, you may reconsider that. If you have ever run a web server and seen scripting attacks from locations you cannot pronounce, let alone speak their language, you may reconsider. The fact is, there are a lot of attacks on your infrastructure, and if you do not take steps to protect it you will lose it. Blocking country subnets may not stop those who use proxies, and it will certainly not stop the guy down the street on your own subnet, but it will make a difference and you will notice it within the hour.

Implementing these restrictions requires you to add statements to your iptables rules that specifically drop those subnets. The good thing about doing this on a bridge firewall is that you do it once for the whole network. From the command line you add a rule naming the source subnet you want to drop; on an ordinary host that rule goes in the INPUT chain. Here is an example that drops the subnet 201.0.0.0/8. Remember that a bridge only sees this traffic in the FORWARD chain, so your rules must reflect that.

iptables -A FORWARD -s 201.0.0.0/8 -j DROP

As an alternative you may want to allow a country access only to port 80. This line drops all TCP attempts from the subnet 201.0.0.0/8 to reach any port except port 80 (the negation is written before --dport; the older form "--dport ! 80" is deprecated and rejected by current iptables):
iptables -A FORWARD -s 201.0.0.0/8 -p tcp ! --dport 80 -j DROP

Add A Script

When you view the number of subnets to work with you will realize that writing the rules by hand gets to be a lot of work. What you can do instead is create a file called banned, place it in your /etc/ directory, and add this script to your firewall script so that it reads the "banned" file.

##########################################
# BLOCK COUNTRY ATTACKS
# Read /etc/banned (one address or CIDR block per line; lines starting
# with "#" are comments) and drop TCP traffic from every entry.
# Note: -p tcp means UDP and ICMP from these ranges are not blocked.
BADIP=/etc/banned
BANNED=$( grep -v -E "^#" "$BADIP" )
for ip in $BANNED
do
    iptables -A INPUT -p tcp -s "$ip" -j DROP     # traffic addressed to the bridge host itself
    iptables -A FORWARD -p tcp -s "$ip" -j DROP   # traffic crossing the bridge
done

The /etc/banned file will look like this:

24.190.78.101
58.0.0.0/8
59.32.0.0/13
59.40.0.0/15
59.42.0.0/16
59.43.0.0/16
59.44.0.0/14
59.48.0.0/16
59.49.0.0/17
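The loop above trusts every line of /etc/banned and appends straight to INPUT and FORWARD, so a typo in the file produces an iptables error half-way through the list and a reload duplicates rules. The following script is an added example (not from the original lesson) that validates each entry as an IPv4 address or CIDR block before emitting a rule, and collects the rules in a dedicated chain (BANNED, an assumed name) that can be flushed and reloaded without touching the rest of the bridge firewall; it prints the commands rather than running them, so the output can be inspected first.

```shell
#!/bin/sh
# Added example (not from the original lesson): validate /etc/banned entries
# and build the DROP rules into one dedicated chain (BANNED, an assumed name)
# that can be reloaded without flushing the rest of the bridge firewall.

# is_cidr ADDR : return 0 if ADDR is a dotted-quad IPv4 address with an
# optional /prefix between 0 and 32, 1 otherwise.
is_cidr() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac   # digits, dots, slash only
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32               # no slash: single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_rules FILE : print one iptables command per valid entry, skipping
# blank lines and '#' comments. Invalid entries are reported on stderr and
# counted in the return value, so a non-zero status means "review the file".
build_rules() {
    bad=0
    echo "iptables -N BANNED 2>/dev/null || iptables -F BANNED"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t')   # strip comments/space
        [ -z "$entry" ] && continue
        if is_cidr "$entry"; then
            echo "iptables -A BANNED -s $entry -j DROP"
        else
            echo "skipping invalid entry: $line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    # Hook the chain in once; -C checks whether the jump already exists.
    echo "iptables -C FORWARD -j BANNED 2>/dev/null || iptables -I FORWARD -j BANNED"
    echo "iptables -C INPUT -j BANNED 2>/dev/null || iptables -I INPUT -j BANNED"
    return $bad
}

# Dry run by default: print the commands. Pipe the output into sh to apply.
if [ $# -gt 0 ]; then
    build_rules "$1"
fi
```

Run it as "sh banned-rules.sh /etc/banned" to review the generated rules, and pipe into sh once the exit status is 0.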

Copyright CyberMontana Inc. and BeginLinux.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874