1 November 2023 | by Xavier Bellekens
One effective method of bolstering your network’s security is by integrating IPtables, Linux’s native firewall, with a dynamic blocklist. This blog post will guide you through the process of implementing this security measure, ensuring you are protected against known malicious IP addresses.
A dynamic blocklist is a regularly updated list of IP addresses identified as threats. By integrating this blocklist with IPtables, you proactively prevent these potentially harmful IP addresses from accessing your network.
IPtables is a versatile and powerful tool that manages network packet filtering rules. When combined with a dynamic blocklist, it allows firewall rules to be refreshed automatically as the list changes, offering an additional layer of network protection.
Before diving into the script and automation, ensure you have a designated directory to store your blocklists and scripts:
mkdir /etc/iptables_blocklist
cd /etc/iptables_blocklist
Lupovis provides unparalleled blocklists catering to a variety of specific security needs, ranging from sectorial and geographical blocklists, meticulously compiled to identify 0-day adversaries, human actors, bots, mass scanners and a plethora of other potential threats, to global blocklists.
This is made possible through an extensive network of sensors strategically placed across the internet, dedicated to analyzing and interpreting the incessant noise of online activity.
These sensors work tirelessly, classifying and categorizing the internet’s cacophony in real-time, ensuring that Lupovis’ blocklists are consistently accurate, reliable, and up-to-date.
As a result, organizations can trust in the efficacy of these blocklists to provide a robust layer of security, defending their networks against a wide array of cyber threats. With Lupovis, users are not just accessing blocklists; they are leveraging a comprehensive threat intelligence system that stands at the forefront of internet security.
To obtain our dynamic blocklists subscribe here
Create a script named update_blocklist.sh:
#!/bin/bash
BLOCKLIST_URL="LUPOVIS Dynamic Blocklists"   # replace with your subscription URL
PREVIOUS_BLOCKLIST="/etc/iptables_blocklist/previous_blocklist.txt"
CURRENT_BLOCKLIST="/etc/iptables_blocklist/current_blocklist.txt"
IPTABLES="/sbin/iptables"
IPSET="/sbin/ipset"
BLOCKLIST_SET_NAME="myblocklist"
# Download the current blocklist. -f turns an HTTP error into a failed download instead of
# saving an error page as the list, and a failed download must not touch the set at all
curl -fsS "$BLOCKLIST_URL" -o "$CURRENT_BLOCKLIST" || exit 1
# On the first run there is no previous list yet: treat it as empty so every entry gets added
touch "$PREVIOUS_BLOCKLIST"
# Create the ipset set if it does not exist (hash:ip holds single addresses, not CIDR ranges)
$IPSET list -n | grep -qx "$BLOCKLIST_SET_NAME" || $IPSET create "$BLOCKLIST_SET_NAME" hash:ip
# Add new IPs: entries that appear only in the current list (comm -13 keeps lines unique to file 2)
comm -13 <(sort -u "$PREVIOUS_BLOCKLIST") <(sort -u "$CURRENT_BLOCKLIST") | while read -r IP; do
    $IPSET add "$BLOCKLIST_SET_NAME" "$IP" -exist
done
# Remove outdated IPs: entries that appear only in the previous list (comm -23 keeps lines unique to file 1)
comm -23 <(sort -u "$PREVIOUS_BLOCKLIST") <(sort -u "$CURRENT_BLOCKLIST") | while read -r IP; do
    $IPSET del "$BLOCKLIST_SET_NAME" "$IP" -exist
done
# Ensure the IPtables rule is in place (-C checks for it, -I inserts it at the top of INPUT)
$IPTABLES -C INPUT -m set --match-set "$BLOCKLIST_SET_NAME" src -j DROP 2>/dev/null || $IPTABLES -I INPUT -m set --match-set "$BLOCKLIST_SET_NAME" src -j DROP
# Save the current blocklist as the previous one for the next run
cp "$CURRENT_BLOCKLIST" "$PREVIOUS_BLOCKLIST"
Make the script executable:
chmod +x /etc/iptables_blocklist/update_blocklist.sh
To keep your blocklist updated, create a cron job to run the script regularly. Edit root's crontab, since ipset and iptables require root:
crontab -e
Add the following line to execute the script every hour:
0 * * * * /etc/iptables_blocklist/update_blocklist.sh
Save and exit the editor. One caveat: ipset entries and iptables rules live only in kernel memory. After a reboot the set is recreated empty and, because the script applies only the difference between the previous and current lists, nothing is re-added until the feed changes. Delete previous_blocklist.txt after a reboot or an ipset flush so the next run loads the full list again.
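As an added example, not code from the post or from Lupovis, the following bash script is a hardened version of the same updater. It validates the downloaded feed before any address reaches the kernel, refuses to act on a failed or empty download, treats a missing kernel set (after a reboot) as "nothing blocked yet", computes the add/delete delta with comm, and feeds the whole delta to a single ipset restore call, which is what keeps a large list cheap to update. The never_block.txt file, the hash:net set type, the environment-variable overrides and the feed built by make_sample_data are assumptions of this example, not part of the service described above.

```shell
#!/bin/bash
# Added example, not code from the Lupovis post: a hardened variant of the updater.
# Assumptions (not from the original): the never_block.txt file, the env overrides,
# the hash:net set type, and the constructed sample feed used by the demo.
export LC_ALL=C   # sort and comm must agree on ordering; C collation is stable

BLOCKLIST_DIR="${BLOCKLIST_DIR:-/etc/iptables_blocklist}"
BLOCKLIST_URL="${BLOCKLIST_URL:-}"   # the subscription URL from the post goes here
SET_NAME="${SET_NAME:-myblocklist}"

# Keep only well-formed IPv4 hosts or CIDR blocks: strip CRLF, comments and blanks,
# reject octets over 255 or prefixes over /32, drop anything listed in the never-block
# file (so a bad upstream entry cannot lock out management hosts), and emit a sorted,
# de-duplicated list that comm can consume directly.
sanitize_blocklist() {
    awk -v allowfile="$2" '
        BEGIN { while ((getline l < allowfile) > 0) { sub(/\r$/, "", l); allow[l] = 1 } }
        {
            sub(/\r$/, ""); sub(/#.*$/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 == "" || $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) next
            n = split($0, part, "/"); split(part[1], oct, ".")
            ok = 1
            for (i = 1; i <= 4; i++) if (length(oct[i]) > 3 || oct[i] + 0 > 255) ok = 0
            if (n == 2 && part[2] + 0 > 32) ok = 0
            if (ok && !($0 in allow)) print
        }' "$1" | sort -u
}

# A failed or blank download must never become "block nothing": the caller keeps
# the previous set unless the sanitized list has at least one entry.
blocklist_usable() { [ -s "$1" ]; }

# Delta between the previously applied list ($1) and the new one ($2), both sorted.
# comm -13 prints lines only in the NEW file (addresses to start blocking);
# comm -23 prints lines only in the OLD file (addresses to release).
blocklist_delta() {
    comm -13 "$1" "$2" | sed 's/^/add /'
    comm -23 "$1" "$2" | sed 's/^/del /'
}

# Render the delta as one `ipset restore` batch: thousands of changes in a single
# process instead of one `ipset add` fork per address. -exist makes re-runs idempotent.
# hash:net accepts both hosts and CIDR entries; a set that already exists as hash:ip
# must be destroyed first, because the type of an existing set cannot be changed.
render_ipset_batch() {
    printf 'create %s hash:net -exist\n' "$3"
    blocklist_delta "$1" "$2" | awk -v set="$3" '{ print $1, set, $2, "-exist" }'
}

# Cron entry point (needs root, network access, ipset and iptables).
update_blocklist() {
    local dir="$BLOCKLIST_DIR" raw
    raw=$(mktemp "$dir/download.XXXXXX") || return 1
    # -f turns an HTTP error page into a failed download instead of a "blocklist"
    if ! curl -fsS --max-time 60 "$BLOCKLIST_URL" -o "$raw"; then
        echo "blocklist download failed; keeping the current set" >&2
        rm -f "$raw"; return 1
    fi
    touch "$dir/previous_blocklist.txt"
    # If the kernel set is gone (reboot, manual destroy), the diff base must be empty
    ipset list -n 2>/dev/null | grep -qx "$SET_NAME" || : > "$dir/previous_blocklist.txt"
    sanitize_blocklist "$raw" "$dir/never_block.txt" > "$dir/current_blocklist.txt"
    rm -f "$raw"
    if ! blocklist_usable "$dir/current_blocklist.txt"; then
        echo "no valid entries after validation; refusing to empty the set" >&2
        return 1
    fi
    render_ipset_batch "$dir/previous_blocklist.txt" "$dir/current_blocklist.txt" "$SET_NAME" \
        | ipset restore || return 1
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
    mv "$dir/current_blocklist.txt" "$dir/previous_blocklist.txt"
}

# Constructed sample data for the offline demo (not a real feed): CRLF line endings,
# a comment, a duplicate, an invalid octet, an invalid prefix and our own management host.
make_sample_data() {
    printf '198.51.100.0/24\n203.0.113.10\n203.0.113.20\n' > "$1/prev.txt"
    printf '10.0.0.1\n' > "$1/allow.txt"
    printf '# constructed feed\r\n203.0.113.20\r\n203.0.113.30\r\n198.51.100.0/24\r\n' > "$1/raw.txt"
    printf '999.1.1.1\n10.0.0.1\nnot-an-ip\n203.0.113.30 # duplicate\n198.51.100.0/33\n' >> "$1/raw.txt"
}

# Offline demo: print the batch that would be piped into `ipset restore`.
demo() {
    local d; d=$(mktemp -d)
    make_sample_data "$d"
    sanitize_blocklist "$d/raw.txt" "$d/allow.txt" > "$d/cur.txt"
    render_ipset_batch "$d/prev.txt" "$d/cur.txt" "$SET_NAME"
    rm -rf "$d"
}

if [ "${1:-}" = "--apply" ]; then update_blocklist; else demo; fi
```

Run with no arguments to see the batch rendered from the constructed sample (no root or network needed): one add for 203.0.113.30 and one del for 203.0.113.10, while the malformed, out-of-range and never-block entries are dropped. From cron, call it with --apply. Because the set is created as hash:net, destroy an existing hash:ip set of the same name before the first run.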
ipset for Performance
Utilizing ipset ensures that even large blocklists won’t hinder your system’s performance: a single IPtables rule matches against a hash set, instead of one rule per address.
Integrating a dynamic blocklist with IPtables is a proactive measure to enhance your network’s security. By following this guide, you can automatically block traffic from known malicious IP addresses, keeping your network safe and secure. Don’t leave your system vulnerable; implement a dynamic blocklist with IPtables today and fortify your network defenses!