Full Version: advanced policy firewall (apf) for linux servers
locutius
context: linux servers running an iptables firewall and needing a bluetack static blocklist

problem: moblock and other ip filtering services running simultaneously with a firewall, e.g. iptables, cause a security crisis in the firewall because of the hierarchical nature of ip filtering, vis-à-vis a packet allowed by moblock will enter the server without any further checks

solution: this procedure is for linux servers to load iptables with a firewall script which includes dynamic rules and your bluetack blocklist. the resulting firewall configuration has zero gaps

source for advanced policy firewall (apf) http://www.rfxnetworks.com/apf.php

i employ this solution on a twin xeon box at less than 5% cpu cost to block 2.6 million ips (64% of the internet). my blocklist file is 10MB

apf is a script loading a set of rules into iptables. start iptables before running the apf script

install apf and configure it for your server; apf is very well documented. it is important to read every line of conf.apf

after you have configured apf, we want to load a blocklist when we run apf. look at the default file bt.rules (nothing to change) and you will see:

# Load our Deny Hosts rules
glob_deny_download
glob_deny_hosts
deny_hosts

i use glob_deny_download to block static ip ranges; the format for glob_deny_download is shown in the default file glob_deny.rules

use BLM to create a file with the ip ranges to be blocked and name it glob_deny_hosts. i have successfully used the CIDR format; if you find a better format please tell me. place the file in the apf root (by default /etc/apf/)

... view existing iptables rules -

/sbin/iptables -L

... then run apf

/etc/rc.d/init.d/apf restart >> /dev/null 2>&1

... check the ip ranges are loaded -

/sbin/iptables -L

note on apf.conf:

1. i set packet filtering policy to DROP

2. default SYSCTL_CONNTRACK="34576", which you may need to increase if you are running a big system. higher = more memory use but zero dropped packets because of congestion. you can test the correct value by polling the server from outside: when it is delayed and not responding, the value is too low for the traffic volume. remember you need a good amount of reserved free sessions to combat DDOS, when more sessions than normal will be used to handle the DDOS traffic + good traffic

if after installing apf and loading a blocklist you have cpu running out of control, look first at configuring your sessions value SYSCTL_CONNTRACK

3. i disable logging to reduce load on mem, cpu and disk, and error logging is set on critical

4. the apf script has a daily cron restart which is important to keep iptables fresh; it is installed by default. if you automate the creation of your glob_deny_hosts file then apf will load the latest file on the next cron restart

5. the antidos configuration of apf is a separate service parsing the kernel log file looking for attack events. to run antidos you need to configure the service separately from conf.apf

let me know if this was useful
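The post checks the loaded ranges by eyeballing `/sbin/iptables -L`. As an added example (not from the post or the APF project), the script below automates that check: it validates the CIDR lines of a glob_deny_hosts file and reports any range that has no DROP rule in the running ruleset. It assumes one a.b.c.d/n range per line with `#` comments, and a ruleset saved with `iptables -S > dump.txt` so it can also run offline; the sample blocklist and dump embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not the post's or APF's own code. Assumes a glob_deny_hosts file with one
# CIDR per line ('#' comments allowed) and an `iptables -S` dump saved to a file.
# Print the syntactically valid CIDR lines of a blocklist; report the rest on stderr.
valid_cidrs() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        if printf '%s\n' "$line" |
           grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
            printf '%s\n' "$line"
        else
            printf 'skipping malformed blocklist line: %s\n' "$line" >&2
        fi
    done
}
# Print every valid range lacking an "-s <range> ... -j DROP" rule in the dump;
# returns 0 only when the whole blocklist is present as DROP rules.
missing_ranges() {
    rc=0
    for cidr in $(valid_cidrs "$1" 2>/dev/null); do
        if ! grep -F -- "-s $cidr " "$2" | grep -q -- '-j DROP'; then
            printf '%s\n' "$cidr"
            rc=1
        fi
    done
    return "$rc"
}
# Constructed sample data (documentation ranges, not a real blocklist or ruleset).
SAMPLE_LIST=$(mktemp)
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
# constructed sample blocklist
198.51.100.0/24
203.0.113.0/24
192.0.2.0/24
10.0.0.0/33
not-an-address
EOF
cat > "$SAMPLE_DUMP" <<'EOF'
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -s 192.0.2.0/24 -j ACCEPT
EOF
if missing_ranges "$SAMPLE_LIST" "$SAMPLE_DUMP"; then
    echo "all blocklist ranges are loaded as DROP rules"
else
    echo "the ranges above are NOT blocked; check glob_deny_hosts and the apf restart"
fi
```

Against a live box, replace the sample dump with `iptables -S` output and run it right after the apf restart and again after the daily cron restart.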
petrpomp
THANK YOU! Being new to Linux, getting my IPTables set up was giving me all sorts of problems. This was so easy...
locutius
you are welcome