From: Keh-Ming Luoh
Date: Fri, 24 Apr 2020 20:32:35 -0700
Subject: Re: iptables and combining additional rule sources
To: noloader@gmail.com
Cc: kernelnewbies
List-Id: Learn about the Linux kernel (kernelnewbies@kernelnewbies.org)
Assuming these IP addresses are treated the same way in your iptables rule,
ipset may help to make it simpler.

On Fri, Apr 24, 2020 at 3:30 PM Jeffrey Walton wrote:
> Hi Everyone,
>
> We are having trouble with our MediaWiki installation on a low-end VM.
> The VM is servicing a lot of spam traffic, and it is driving cpu usage
> up to about 80%. The 404's appear to be more expensive than the 200's.
> GoDaddy wrote to us and told us they were going to suspend our service
> if we don't get cpu usage down.
>
> I experimented with several Apache and MediaWiki plugins and I have a
> design I like. The plugin scans the URL, detects the problematic URLs,
> and sends the ip address to a privileged out-of-proc proxy to update
> iptables. The proxy is privileged and can update iptables rules. It
> also maintains a database to remove the host after 45 days.
>
> The problem I am having is, adding the new information to the existing
> iptables rules in /etc/sysconfig/iptables. I want to write my rules to
> a separate file and then tell /etc/sysconfig/iptables to include it at
> the correct position.
>
> I read the iptables(8), iptables-save(8) and iptables-restore(8) man
> pages, but I don't see how to combine the different sources.
>
> How do I tell iptables to include a second external source at a
> specific location?
>
> # iptables --version
> iptables v1.4.21
>
> Thanks in advance.
>
> =========================
>
> Here is an example of /etc/sysconfig/iptables with the position I want
> to insert the MediaWiki ban rules.
>
> # cat /etc/sysconfig/iptables
> *nat
> :PREROUTING ACCEPT [4276:232374]
> :POSTROUTING ACCEPT [270:136514]
> :OUTPUT ACCEPT [270:136514]
> COMMIT
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [269:205262]
>
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
>
> ### I want to insert rules here ###
> *include my-mediawiki-rules
>
> ### Back to normal rules ###
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> ...
>
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies@kernelnewbies.org
> https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
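The following script is an added example, not code from either poster, showing what the ipset suggestion in the reply looks like in practice for the design described in the question. iptables-restore has no include directive, so the `*include my-mediawiki-rules` placeholder cannot work as written; instead the saved file gets one static rule that matches a set, placed exactly where the placeholder sits, and the privileged proxy only ever adds or removes set members. The set name `mediawiki-ban`, the port restriction to 80/443, and the assumption that the proxy receives a bare IPv4 string from the unprivileged plugin are all assumptions of this example. Because that string ultimately comes from request data the plugin inspected, the privileged side validates it strictly and refuses loopback, link-local and RFC 1918 addresses before it touches ipset.

```shell
#!/bin/sh
# Added example (not from the thread): ipset-backed ban list for the
# "privileged proxy" design. The saved iptables file carries ONE static
# rule that matches a set; the proxy only adds/removes set entries.
# Assumptions: set name, chain position, ports, and that the proxy is
# handed a bare IPv4 address string by the plugin.

SET_NAME="mediawiki-ban"   # assumed ipset name

# Strict IPv4 check: exactly four dotted decimal octets, each 0..255.
# The plugin is unprivileged and sees attacker-controlled request data,
# so the privileged proxy must not pass anything else to ipset.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|"") return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _octet; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Refuse addresses a bad X-Forwarded-For value or a bug could hand us:
# loopback, "this network", link-local and RFC 1918 ranges. Banning one
# of those from a privileged component could cut off the host itself.
bannable() {
    valid_ipv4 "$1" || return 1
    case "$1" in
        127.*|0.*|169.254.*|10.*|192.168.*) return 1 ;;
        172.*)
            _b=${1#172.}; _b=${_b%%.*}
            if [ "$_b" -ge 16 ] && [ "$_b" -le 31 ]; then return 1; fi ;;
    esac
    return 0
}

# Text for 'ipset restore', loaded once (at boot, before iptables-restore)
# so the set exists before any rule refers to it.
render_ipset_restore() {
    printf '%s\n' "create $SET_NAME hash:ip family inet hashsize 1024 maxelem 65536"
}

# The single static line that stands where "*include my-mediawiki-rules"
# was meant to go in /etc/sysconfig/iptables. It never changes, so the
# saved file stays static while the set contents change at runtime.
render_iptables_rule() {
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set $SET_NAME src -j DROP"
}

# Privileged side: validate first, then touch only the set. '-exist' makes
# a repeated ban, or an unban of an entry already gone, a no-op.
ban_ip() {
    bannable "$1" || { echo "refusing to ban '$1'" >&2; return 1; }
    ipset -exist add "$SET_NAME" "$1"
}

# Called by the proxy's expiry database when a 45-day ban lapses.
unban_ip() {
    valid_ipv4 "$1" || return 1
    ipset -exist del "$SET_NAME" "$1"
}

case "${1-}" in
    render) render_ipset_restore; render_iptables_rule ;;
    ban)    ban_ip "$2" ;;
    unban)  unban_ip "$2" ;;
esac
```

Run `sh ban.sh render` to get the two fragments: feed the `create` line to `ipset restore` and paste the `-A INPUT ... -m set` line into /etc/sysconfig/iptables at the placeholder position. Ordering at boot matters: iptables-restore fails on a rule whose set does not exist yet, so the set must be restored first (distributions that ship an ipset service handle this). The proxy's own database still has to drive the 45-day removal, because ipset(8) caps its per-entry `timeout` parameter at 2147483 seconds, roughly 24.8 days.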