[docs] Describe how to block IPs using a firewall (#2459)

* [docs] Describe how to block IPs using a firewall

This adds some documentation on how to block one, multiple or whole IP
ranges using the firewall. This can be helpful to protect from DDoS
attacks or block certain parties from being able to communicate with
your instance at all.

* [docs] Fix indenting of nft rule

* [docs] Split iptables and nftables into sections
This commit is contained in:
Daenney 2024-01-03 11:14:38 +01:00 committed by GitHub
parent 3ab6214449
commit a15415b1a2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -88,3 +88,86 @@ For fail2ban, you can use the following regex, which triggers fail2ban on failed
```regex ```regex
statusCode=401 path=/auth/sign_in clientIP=<HOST> .* msg=\"Unauthorized: statusCode=401 path=/auth/sign_in clientIP=<HOST> .* msg=\"Unauthorized:
``` ```
## IP blocking
GoToSocial implements rate-limiting in order to try and protect your instance from one party taking up all your processing capacity. However, if you know this traffic isn't legitimate or coming from an instance you don't wish to federate with anyway, you can block the IP(s) the traffic is originating from instead and spare GoToSocial from having to do any work.
### Linux
Blocking IPs is done with iptables or nftables. If you're using a firewall frontend like UFW or firewalld, use their facilities to block an IP.
In iptables, people tend to add a `DROP` rule for an IP in the `filter` table on the `INPUT` chain. On nftables, it's often done on a table with a chain with the `ip` or `ip6` address family. In both those cases the kernel has already done a lot of unnecessary processing of the incoming traffic, just for it to then be blocked by an IP match.
When using iptables, this can be done more effectively using the `mangle` table and the `PREROUTING` chain. You can check this blog post on [how that works in iptables][iptblock]. For nftables, you want to block using [the `netdev` family][nftnetdev] instead.
[iptblock]: https://javapipe.com/blog/iptables-ddos-protection/
[nftnetdev]: https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families#netdev
#### iptables
An example of blocking an IP using `iptables`:
```
iptables -t mangle -A PREROUTING -s 1.0.0.0/8 -j DROP
ip6tables -t mangle -A PREROUTING -s fc00::/7 -j DROP
```
When using iptables, adding many rules slows things down significantly, including reloading the firewall when adding/removing rules. Since you may wish to block many IP addresses, use [the `ipset` module][ipset] and add a single block rule for the set instead.
[ipset]: https://ipset.netfilter.org/ipset.man.html
Start by creating your sets and adding some IPs to them:
```
ipset create baddiesv4 hash:ip family inet
ipset create baddiesv6 hash:ip family inet6
ipset add baddiesv4 1.0.0.0/8
ipset add baddiesv6 fc00::/7
```
Then, update your iptables rules to target the set instead:
```
iptables -t mangle -A PREROUTING -m set --match-set baddiesv4 src -j DROP
ip6tables -t mangle -A PREROUTING -m set --match-set baddiesv6 src -j DROP
```
#### nftables
For nftables, you can use something like:
```
table netdev filter {
chain ingress {
set baddiesv4 {
type ipv4_addr
flags interval
elements = { \
1.0.0.0/8, \
2.2.2.2/32 \
}
}
set baddiesv6 {
type ipv6_addr
flags interval
elements = { \
2620:4f:8000::/48, \
fc00::/7 \
}
}
type filter hook ingress device <interface name> priority -500;
ip saddr @baddiesv4 drop
ip6 saddr @baddiesv6 drop
}
}
```
### BSDs
When using pf, you can create a persistent table, typically named `<badhosts>`, to which you add the IP addresses you want to block. Tables can also read from other files, so it's possible to keep the list of IPs outside of your main `pf.conf`.
An example of how to do this can be found [in the pf manual][manpf].
[manpf]: https://man.openbsd.org/pf.conf#TABLES