* iptables and combining additional rule sources
@ 2020-04-24 22:28 Jeffrey Walton
  2020-04-25  3:06 ` Valdis Klētnieks
                   ` (3 more replies)
  0 siblings, 4 replies; 9+ messages in thread
From: Jeffrey Walton @ 2020-04-24 22:28 UTC (permalink / raw)
  To: kernelnewbies

Hi Everyone,

We are having trouble with our MediaWiki installation on a low-end VM.
The VM is servicing a lot of spam traffic, and it is driving CPU usage
up to about 80%. The 404's appear to be more expensive than the 200's.
GoDaddy wrote to us and told us they were going to suspend our service
if we don't get CPU usage down.

I experimented with several Apache and MediaWiki plugins and I have a
design I like. The plugin scans the URL, detects the problematic URLs,
and sends the IP address to a privileged out-of-proc proxy to update
iptables. The proxy is privileged and can update iptables rules. It
also maintains a database to remove the host after 45 days.

The problem I am having is adding the new information to the existing
iptables rules in /etc/sysconfig/iptables. I want to write my rules to
a separate file and then tell /etc/sysconfig/iptables to include it at
the correct position.

I read the iptables(8), iptables-save(8) and iptables-restore(8) man
pages, but I don't see how to combine the different sources.

How do I tell iptables to include a second external source at a
specific location?

# iptables --version
iptables v1.4.21

Thanks in advance.

=========================

Here is an example of /etc/sysconfig/iptables with the position where I
want to insert the MediaWiki ban rules.

# cat /etc/sysconfig/iptables
*nat
:PREROUTING ACCEPT [4276:232374]
:POSTROUTING ACCEPT [270:136514]
:OUTPUT ACCEPT [270:136514]
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [269:205262]

-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

### I want to insert rules here ###
*include my-mediawiki-rules

### Back to normal rules ###
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
...

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
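One way to get the effect the post asks for, as an added example that is not from the thread or the iptables project: iptables-restore has no include directive, so the two rule sources are spliced together in a small script before the ruleset is loaded. The marker line, the file names, the `build_ruleset` and `write_sample_files` helpers and the sample rules are all assumptions made here; 192.0.2.0/24 is a documentation address range, not a real ban list.

```sh
#!/bin/sh
# Added helper, not from the thread. The base file carries a marker
# line where the externally maintained ban rules belong; build_ruleset
# replaces that line with every "-A" line from the ban file and copies
# everything else through untouched. The ban file is assumed to hold
# only filter-table "-A INPUT ... -j DROP" lines, one per banned host,
# plus optional comment lines, which are dropped.

MARKER='*include my-mediawiki-rules'

# build_ruleset BASE_FILE BAN_FILE -> combined iptables-restore input on stdout
build_ruleset() {
    awk -v marker="$MARKER" -v bans="$2" '
        $0 == marker {
            while ((getline line < bans) > 0)
                if (line ~ /^-A /) print line   # skip comments and blanks
            close(bans)
            next
        }
        { print }
    ' "$1"
}

# write_sample_files DIR: constructed sample inputs for a dry run.
write_sample_files() {
    cat > "$1/base" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
*include my-mediawiki-rules
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
    cat > "$1/bans" <<'EOF'
# constructed ban list (documentation addresses), refreshed by the proxy
-A INPUT -s 192.0.2.10 -j DROP
-A INPUT -s 192.0.2.11 -j DROP
EOF
}

# Dry run: print the combined ruleset and, where iptables-restore is
# installed, parse-check it with --test, which does not commit anything.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_sample_files "$dir"
    build_ruleset "$dir/base" "$dir/bans" | tee "$dir/combined"
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$dir/combined" || echo "ruleset did not parse" >&2
    fi
    rm -rf "$dir"
fi
```

Because the proxy rewrites only the ban file, the base rules stay under normal configuration management and the combined output can be regenerated and loaded whenever the ban list changes or a 45-day expiry removes a host.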


Thread overview: 9+ messages
2020-04-24 22:28 iptables and combining additional rule sources Jeffrey Walton
2020-04-25  3:06 ` Valdis Klētnieks
2020-04-25  6:55   ` Jeffrey Walton
2020-04-25 16:53     ` Valdis Klētnieks
2020-04-25 17:16       ` Jeffrey Walton
2020-04-25  3:32 ` Keh-Ming Luoh
2020-04-25  7:01   ` Jeffrey Walton
2020-04-26 12:42 ` Aruna Hewapathirane
2020-04-29  9:30 ` Thorondir
