Wednesday, December 31, 2008

Vyatta Rules to Block China / Pacific Rim IPs

Created a set of Vyatta rules to block all traffic from Pacific Rim nations. I usually do this as a matter of course on customer firewalls. To get the addresses I combed through IANA's database.

The first set is applied in the inbound direction on your outside interface, and the rules must be numbered ahead of any accept rules: Vyatta walks a rule set in ascending rule-number order and stops at the first match, so a drop placed after a broad accept never fires. Note that these prefixes are the APNIC /8 aggregates, so they cover the whole Asia-Pacific region (Japan, Korea, Australia, India and so on), not only China, and allocations change over time, so re-check them against IANA's registry periodically.

set firewall name INBOUND rule 5 action drop
set firewall name INBOUND rule 5 source address 202.0.0.0/7
set firewall name INBOUND rule 5 log enable
set firewall name INBOUND rule 6 action drop
set firewall name INBOUND rule 6 source address 210.0.0.0/8
set firewall name INBOUND rule 6 log enable
set firewall name INBOUND rule 7 action drop
set firewall name INBOUND rule 7 source address 218.0.0.0/7
set firewall name INBOUND rule 7 log enable
set firewall name INBOUND rule 8 action drop
set firewall name INBOUND rule 8 source address 220.0.0.0/7
set firewall name INBOUND rule 8 log enable
set firewall name INBOUND rule 9 action drop
set firewall name INBOUND rule 9 source address 222.0.0.0/8
set firewall name INBOUND rule 9 log enable
set firewall name INBOUND rule 10 action drop
set firewall name INBOUND rule 10 source address 59.0.0.0/8
set firewall name INBOUND rule 10 log enable
set firewall name INBOUND rule 11 action drop
set firewall name INBOUND rule 11 source address 60.0.0.0/7
set firewall name INBOUND rule 11 log enable
set firewall name INBOUND rule 12 action drop
set firewall name INBOUND rule 12 source address 114.0.0.0/7
set firewall name INBOUND rule 12 log enable
set firewall name INBOUND rule 13 action drop
set firewall name INBOUND rule 13 source address 116.0.0.0/6
set firewall name INBOUND rule 13 log enable
set firewall name INBOUND rule 14 action drop
set firewall name INBOUND rule 14 source address 120.0.0.0/6
set firewall name INBOUND rule 14 log enable
set firewall name INBOUND rule 15 action drop
set firewall name INBOUND rule 15 source address 124.0.0.0/7
set firewall name INBOUND rule 15 log enable
set firewall name INBOUND rule 16 action drop
set firewall name INBOUND rule 16 source address 126.0.0.0/8
set firewall name INBOUND rule 16 log enable


The second set is applied in the inbound direction on your inside (LAN) interface. It matches on destination instead of source, so traffic from your own hosts toward those ranges is dropped before it is forwarded.

set firewall name OUTBOUND rule 5 action drop
set firewall name OUTBOUND rule 5 destination address 202.0.0.0/7
set firewall name OUTBOUND rule 5 log enable
set firewall name OUTBOUND rule 6 action drop
set firewall name OUTBOUND rule 6 destination address 210.0.0.0/8
set firewall name OUTBOUND rule 6 log enable
set firewall name OUTBOUND rule 7 action drop
set firewall name OUTBOUND rule 7 destination address 218.0.0.0/7
set firewall name OUTBOUND rule 7 log enable
set firewall name OUTBOUND rule 8 action drop
set firewall name OUTBOUND rule 8 destination address 220.0.0.0/7
set firewall name OUTBOUND rule 8 log enable
set firewall name OUTBOUND rule 9 action drop
set firewall name OUTBOUND rule 9 destination address 222.0.0.0/8
set firewall name OUTBOUND rule 9 log enable
set firewall name OUTBOUND rule 10 action drop
set firewall name OUTBOUND rule 10 destination address 59.0.0.0/8
set firewall name OUTBOUND rule 10 log enable
set firewall name OUTBOUND rule 11 action drop
set firewall name OUTBOUND rule 11 destination address 60.0.0.0/7
set firewall name OUTBOUND rule 11 log enable
set firewall name OUTBOUND rule 12 action drop
set firewall name OUTBOUND rule 12 destination address 114.0.0.0/7
set firewall name OUTBOUND rule 12 log enable
set firewall name OUTBOUND rule 13 action drop
set firewall name OUTBOUND rule 13 destination address 116.0.0.0/6
set firewall name OUTBOUND rule 13 log enable
set firewall name OUTBOUND rule 14 action drop
set firewall name OUTBOUND rule 14 destination address 120.0.0.0/6
set firewall name OUTBOUND rule 14 log enable
set firewall name OUTBOUND rule 15 action drop
set firewall name OUTBOUND rule 15 destination address 124.0.0.0/7
set firewall name OUTBOUND rule 15 log enable
set firewall name OUTBOUND rule 16 action drop
set firewall name OUTBOUND rule 16 destination address 126.0.0.0/8
set firewall name OUTBOUND rule 16 log enable

The in direction only covers traffic forwarded through the firewall. If the firewall itself runs any local services (SSH, DNS, a VPN endpoint), also apply the INBOUND set to the local direction on the outside interface; otherwise traffic from those ranges addressed to the firewall itself is not filtered by these rules.
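As an added example (not part of the original post): a POSIX shell script that builds both rule sets from a single prefix list, so the source and destination sets cannot drift apart, prints the span of first octets each short prefix really covers, and emits the interface bindings including the local direction. The rule-set names INBOUND/OUTBOUND and starting rule number 5 follow the post; the interface names eth0 (outside) and eth1 (inside) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the Vyatta rule sets above
# from one prefix list and show what each prefix covers.
# Assumptions: rule set names INBOUND/OUTBOUND and start number 5 (as in the
# post); eth0 is the outside interface and eth1 the inside one.

# Constructed prefix list: the APNIC /8 aggregates the post blocks.
PREFIXES="202.0.0.0/7 210.0.0.0/8 218.0.0.0/7 220.0.0.0/7 222.0.0.0/8
59.0.0.0/8 60.0.0.0/7 114.0.0.0/7 116.0.0.0/6 120.0.0.0/6 124.0.0.0/7 126.0.0.0/8"

# octet_range PREFIX: print the span of first octets a /1../8 prefix covers
# (e.g. 116.0.0.0/6 -> 116-119), or "misaligned" when the network address is
# not a multiple of the block size (202.0.0.0/6 would really be 200.0.0.0/6,
# i.e. 200-203, which is more than the author intended).
octet_range() {
    first=${1%%.*}
    plen=${1##*/}
    if [ "$plen" -ge 8 ]; then
        echo "$first"
        return 0
    fi
    size=$(( 1 << (8 - plen) ))
    if [ $(( first % size )) -ne 0 ]; then
        echo "misaligned"
        return 0
    fi
    echo "$first-$(( first + size - 1 ))"
}

# gen_rules NAME FIELD START: emit the "set firewall name ..." lines for every
# prefix. FIELD is "source" for the outside-interface set and "destination"
# for the inside-interface set; rules are numbered from START upward.
gen_rules() {
    name=$1
    field=$2
    n=$3
    for p in $PREFIXES; do
        echo "set firewall name $name rule $n action drop"
        echo "set firewall name $name rule $n $field address $p"
        echo "set firewall name $name rule $n log enable"
        n=$(( n + 1 ))
    done
}

# bind_rules OUTSIDE_IF INSIDE_IF: attach the sets. "in" filters traffic
# forwarded through the router; "local" filters traffic addressed to the
# router itself, which "in" does not cover.
bind_rules() {
    echo "set interfaces ethernet $1 firewall in name INBOUND"
    echo "set interfaces ethernet $1 firewall local name INBOUND"
    echo "set interfaces ethernet $2 firewall in name OUTBOUND"
}

# Sanity-check the list, then emit the full configuration.
for p in $PREFIXES; do
    echo "# $p covers first octets $(octet_range "$p")"
done
gen_rules INBOUND source 5
gen_rules OUTBOUND destination 5
bind_rules eth0 eth1
```

Run it and paste the output into a Vyatta configure session, then commit and save. The leading comment lines make it obvious when a prefix would silently cover more (or less) than intended, which is the usual mistake when hand-writing /6 and /7 aggregates.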

2 comments:

atomist said...

A good realtime block list (more spammy stuff), but it helps if you do mail stuff (we dropped the mail/spam ratio a significant chunk):
http://www.spamhaus.org/drop/drop.lasso

They have a bunch of examples on scripts here: http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ

Michael Picher said...

Thanks for that.

I wanted the access list to just flat out drop all traffic from those IPs. There's no reason I need to hear from them or any of my computers need to talk out to them.

Maybe it's a little draconian, and yes I know they can relay off some other machine. I'll take any little bit of safety I can get.