16

To prevent brute force attacks against ssh I've added some iptables rules (below). The question is: How can I list the blocked IP addresses?

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
Eddie
  • `iptables -L INPUT -v -n` shows all blocked IPs – dynamic May 13 '12 at 19:54
  • I referred https://www.cyberciti.biz/faq/linux-howto-check-ip-blocked-against-iptables/ – Praneeth Nidarshan Jan 21 '19 at 06:13
  • @dynamic this only lists the rules specified on the `INPUT` chain, not the IP(s) dropped by the rule unless the IP(s) is/are specified in the rule, which is clearly not the case here, only dport 22 is specified. – Tcll Mar 29 '21 at 17:36

6 Answers

16

One option would be to log any of your dropped packets with a rule like:

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j LOG --log-prefix "FW_DROPPED: "

Insert that immediately before the DROP rule. Then, you can grep the syslog file for anything with "FW_DROPPED" in it and the list of IPs will be there. The entries in the log file look something like this:

Jun  3 08:05:57 some-machine kernel: [15852451.420557] FW_DROPPED: IN=eth0 OUT= MAC=00:50:ba:4a:d9:e3:00:12:17:3a:e3:64:08:00 SRC=228.23.45.189 DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=10941 PROTO=TCP SPT=58212 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0

So, snipping out what follows "SRC=" will show you the dropped IPs. Sort that, eliminating duplicates, and you'll have your list.

I've found the Iptables Tutorial to be the most useful documentation for iptables/netfilter.

Jérôme B
yukondude
  • Yes, this is the way to do it. – Brent Jun 03 '09 at 16:18
  • This would require you to duplicate your rules as you don't log and drop in the same rule. – David Pashley Jun 03 '09 at 16:23
  • It would be even better if he creates a user chain where he logs and drops the offending packets. By doing this, unnecessary duplication is removed. It can be done like this: iptables -N attacks; iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j attacks; iptables -A attacks -j LOG --log-prefix "FW_DROPPED: "; iptables -A attacks -j DROP – Cristian Ciupitu Jun 03 '09 at 17:00
  • Agreed. Tables/chains are the way to go; the whole point of iptables, really. I create separate tables for accepted, silently dropped, audibly rejected, discarded, suspected floods, illegal, suspected probes, suspected scans, unknown types, and watched traffic. My FWs are based on this old script (warning: self-promotion): http://code.google.com/p/klondike-firewall/source/browse/trunk/klondike-standalone.sh – yukondude Jun 03 '09 at 17:27
  • The ipt_recent module that ipozgaj and David Pashley referenced is a pretty nifty addition, although it can't provide the same fine-grained reason a particular IP was dropped (as you can with different --log-prefix settings) or keep track of a long history of attacks with timestamps. Definitely a good idea to use both techniques in concert though. – yukondude Jun 03 '09 at 19:00
6

You can find details under /proc/net/ipt_recent/SSH.

This article has more information.

David Pashley
4

Look at

/proc/net/ipt_recent/YOURNAME

where YOURNAME is the name you used with --name option in your iptables rule.

ipozgaj
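The two answers above point at the recent module's list, but that file holds every address that has hit the `--set` rule, not only the ones currently being dropped. The following is an added example (not from the original page or from either answer) that reads the file and applies the `--hitcount` threshold itself. It assumes a kernel from 2.6.28 on, where the module is xt_recent and the directory is `/proc/net/xt_recent/`; on older kernels substitute `/proc/net/ipt_recent/` as the answers say. The sample file contents are constructed. The `--seconds` window is not applied, because the stamps are kernel jiffies and converting them needs the kernel's HZ, so the result is a superset of what the DROP rule is matching (each entry keeps at most `ip_pkt_list_tot` stamps, 20 by default).

```shell
#!/bin/sh
# Constructed contents of /proc/net/xt_recent/SSH (not captured from a real host).
# Each line: src=ADDR ttl: N last_seen: JIFFIES oldest_pkt: IDX STAMP, STAMP, ...
SAMPLE_RECENT='src=198.51.100.7 ttl: 52 last_seen: 4295123456 oldest_pkt: 8 4295120000, 4295120400, 4295120800, 4295121200, 4295121600, 4295122000, 4295122400, 4295123000, 4295123456
src=203.0.113.9 ttl: 120 last_seen: 4295100000 oldest_pkt: 1 4295099000, 4295100000
src=192.0.2.44 ttl: 64 last_seen: 4295000000 oldest_pkt: 0 4295000000'

# Every address the --set rule has recorded, whether or not it is over the limit.
#   usage: recent_addrs < /proc/net/xt_recent/SSH
recent_addrs() {
    sed -n 's/^src=\([0-9.]*\) .*/\1/p'
}

# Addresses with at least HITCOUNT packets recorded, printed as "address count".
# The stamps are the comma-separated jiffies after "oldest_pkt: IDX"; the
# --seconds window is not applied here (see the note above), so this lists
# candidates, not a proof that the DROP rule fired.
#   usage: recent_over_hitcount 8 < /proc/net/xt_recent/SSH
recent_over_hitcount() {
    awk -v hits="$1" '
        /^src=/ {
            ip = substr($1, 5)
            n = 0
            for (i = 1; i <= NF; i++)
                if ($i == "oldest_pkt:") { n = NF - i - 1; break }
            if (n >= hits) print ip, n
        }'
}

# Remove one address from a list (root). Writing "/" instead of "-ADDR"
# flushes the whole list; "+ADDR" adds an entry by hand.
#   usage: recent_forget SSH 203.0.113.9
recent_forget() {
    echo "-$2" > "/proc/net/xt_recent/$1"
}
```

With the question's rules, `recent_over_hitcount 8 < /proc/net/xt_recent/SSH` is the closest the list alone gets to "who is being dropped"; for the exact answer, or for history, add the LOG rule from the first answer.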
3

Here is a simple one liner:

$ iptables -L -n --line
slm
giorgio79
1

What I do, for example for input address spoofing, is to define the chain SPOOF_REJECT:

iptables -N SPOOF_REJECT
iptables -A SPOOF_REJECT -j LOG --log-prefix "Input spoof detected: "
iptables -A SPOOF_REJECT -j REJECT

then to send packets to this chain if they are spoofed:

iptables -A INPUT -i $EXT_DEV1 -s $INT_NET -j SPOOF_REJECT
iptables -A INPUT -i $EXT_DEV2 -s $INT_NET -j SPOOF_REJECT

You could do something like this for each category of packets you drop or reject to get a line in the syslog to look for, then periodically grep, cut, sort, to get just the IP addresses from these log lines.

The benefit to using individual chains for each category is that your configuration gets more straightforward and it gets easier to read your iptables configuration. As you add more and more rules, you'll be glad that you used individual chains for specific different actions.

Eddie
  • How exactly, do you detect spoofed packets? In my experience this is impossible in the general case. – MarkR Jun 03 '09 at 20:25
  • The above is just an example. Here, I'm looking for any packet arriving at the INPUT chain that is coming from an external device yet claims to come from an IP address internal to my network. In this case, I can absolutely detect address spoofing, but yes, in the general case things are different. – Eddie Jun 04 '09 at 02:22
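Both the first answer and this one end with the same step: grep the LOG lines, cut out what follows `SRC=`, sort and deduplicate. As an added example (not code from either answer), here is that step as shell functions: one that extracts the source addresses logged under a given `--log-prefix`, and one that summarises hits per prefix and address, so each chain's category (dropped, spoofed, ...) stays separate. The log lines are constructed in the LOG target's format; the host name, the addresses and the second prefix are assumptions, and `/var/log/kern.log` is only one place the kernel log may land (`journalctl -k` is the other).

```shell
#!/bin/sh
# Constructed sample of kernel log lines in the format the LOG target produces.
# The last line is an sshd message, included to show it is not picked up.
SAMPLE_LOG='Jun  3 08:05:57 gw kernel: [15852451.420557] FW_DROPPED: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP SPT=58212 DPT=22 SYN
Jun  3 08:06:01 gw kernel: [15852455.100000] FW_DROPPED: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.1 PROTO=TCP SPT=41000 DPT=22 SYN
Jun  3 08:06:04 gw kernel: [15852458.200000] FW_DROPPED: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP SPT=58213 DPT=22 SYN
Jun  3 08:06:09 gw kernel: [15852463.300000] Input spoof detected: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.1 PROTO=UDP SPT=53 DPT=53
Jun  3 08:06:10 gw sshd[123]: Accepted publickey for admin from 198.51.100.7 port 50000'

# Unique source addresses logged under one --log-prefix. Matching the prefix
# keeps lines from other chains (other prefixes) out of the result.
#   usage: logged_src "FW_DROPPED: " < /var/log/kern.log
logged_src() {
    grep -F -- "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

# Hit counts per prefix and address, most active first, as "count prefix address".
# The first expression drops the optional "[seconds]" printk timestamp so the
# prefix can be cut out between "kernel: " and the packet fields that follow it.
#   usage: logged_summary < /var/log/kern.log
logged_summary() {
    sed -n -e 's/kernel: \[ *[0-9.]*\] /kernel: /' \
           -e 's/.*kernel: \(.*\): IN=.*SRC=\([0-9.]*\).*/\1 \2/p' \
    | sort | uniq -c | sort -rn
}
```

`logged_summary` is the per-category view the two answers describe: one line per (prefix, address) pair, so a host that is both flooding port 22 and spoofing internal addresses shows up twice, under each chain's prefix.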
1

"The question is: How can I list the blocked IP addresses?"

Create a BANNED chain:

iptables -N BANNED
iptables -F BANNED

Create a logging chain:

iptables -N BANNEDLOG
iptables -F BANNEDLOG
iptables -A BANNEDLOG -j LOG --log-prefix "BANNED:" --log-level 6
iptables -A BANNEDLOG -j DROP

Add a jump to the banned chain in the INPUT chain before most other rules:

...
iptables -A INPUT -j BANNED
...

Now add IP addresses to the banned chain:

flock -w 5 /var/lock/iptables -c 'iptables -A BANNED -s 140.130.20.202/32 -i eth0 -m comment --comment "2012-03-19 23:49:33 accesslog" -j BANNEDLOG'
etc...

You can also use it like a database with the comment option, so you know when and why, etc. flock is important when iptables is being updated frequently by many processes; it appears that iptables doesn't have any locking built into it.

To view the banned addresses and rules in the banned chain:

iptables -S BANNED

To view just the sorted unique IP addresses:

iptables -S BANNED | egrep -o '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sort -u

I have a number of daemons running on my servers checking the syslog files and weblogs, so if anything nasty is being attempted by anyone, their address is automatically banned for a few days, depending on type and severity and number of previous attacks. The info is logged into a mysql database, and periodically expired. The addresses are also distributed to every other machine in the cluster over mysql replication so they are also protected and kept in sync. My software also looks up the owner of the network and mails a complaint to the ISP.

After 10 years of work, I hope to make it available for everyone to use soon. I currently have about 1.5 million ip address histories and hundreds of thousands of mail and ssh attacks reported, helping to clean the net. If more would use it then I hope it would have more impact.
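As an added example (not the poster's software), here is the bookkeeping side of this answer as shell functions: one that parses `iptables -S BANNED` into address and comment (the "database" use of `--comment`), one that lists the unique addresses, and one that adds a ban under `flock`, holding the lock on a file descriptor instead of passing the command through `-c` so the reason text is never re-parsed by a shell. The rule listing below is constructed; `eth0` and the `BANNEDLOG` target are taken from the answer. One caveat to the locking remark: iptables 1.4.20 and later take a `-w` option that waits for iptables' own xtables lock, which the ban function also passes. `flock` is still useful to serialise your own scripts, but it is no longer the only lock available.

```shell
#!/bin/sh
# Constructed output of `iptables -S BANNED` (not taken from a real host).
SAMPLE_RULES='-N BANNED
-A BANNED -s 140.130.20.202/32 -i eth0 -m comment --comment "2012-03-19 23:49:33 accesslog" -j BANNEDLOG
-A BANNED -s 203.0.113.5/32 -i eth0 -j BANNEDLOG
-A BANNED -s 198.51.100.0/24 -i eth0 -m comment --comment "2012-03-20 01:02:03 ssh" -j BANNEDLOG'

# Print "address<TAB>comment" for every rule in the BANNED chain, reading
# `iptables -S BANNED` output on stdin. Rules without a comment get "-".
#   usage: iptables -S BANNED | list_banned
list_banned() {
    awk '
        /^-A BANNED / {
            ip = ""; note = "-"
            for (i = 1; i <= NF; i++)
                if ($i == "-s") { ip = $(i + 1); sub("/32$", "", ip) }
            # the comment is the one quoted argument, so take it from the raw line
            if (match($0, "--comment \"[^\"]*\""))
                note = substr($0, RSTART + 11, RLENGTH - 12)
            if (ip != "") printf "%s\t%s\n", ip, note
        }'
}

# Just the unique addresses/networks, like the egrep pipeline in the answer,
# but taken from the -s argument so an address inside a comment cannot leak in.
banned_addrs() {
    list_banned | cut -f1 | sort -u
}

# Add one address with a timestamped reason (needs root). The iptables call
# runs while fd 9 holds /var/lock/iptables, so concurrent scripts queue up
# instead of racing; -w makes iptables itself wait for the xtables lock too.
#   usage: ban_ip 192.0.2.10 "accesslog"
ban_ip() {
    (
        flock -w 5 9 || exit 1
        iptables -w -A BANNED -s "$1" -i eth0 \
            -m comment --comment "$(date '+%F %T') $2" -j BANNEDLOG
    ) 9>/var/lock/iptables
}
```

`iptables -S BANNED | list_banned` gives the when-and-why table the answer keeps in its comments; the expiry job the answer mentions would read the dates from the second column and delete the rule with the same `-D BANNED ...` arguments it was added with.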