Use iptables to block all non-US ssh traffic



#11
09-17-2005
matt_left_coast
Re: Use iptables to block all non-US ssh traffic

base60 wrote:

> matt_left_coast wrote:
>> base60 wrote:
>>
>>
>>>matt_left_coast wrote:
>>>
>>>>Chris Barnes wrote:
>>>>
>>>>
>>>>
>>>>>This should be a simple question, and in fact, it is one that turned up
>>>>>in a Google search (see, I did my homework). What didn't turn up was
>>>>>an answer.
>>>>>
>>>>>
>>>>>Q: is there a simple way to use iptables to block all ssh traffic from
>>>>>non-US ip addresses? Iow, I already know how to block a given range
>>>>>of ip's. What I need is a quick and dirty list of non-US Ip's to
>>>>>block.
>>>>
>>>>
>>>>Unfortunately, there is no such list.
>>>
>>>Ah, actually, ICANN has a web page that lists which A's are assigned
>>>where. Don't recall the URL, but it wasn't hard to find.
>>>
>>>
>>>>Worse, there can be no such list.
>>>
>>>Hmmmmmm, I guess no-one told ICANN....
>>>
>>>
>>>>Blocks of IP addresses (Such as the class A addresses) were assigned to
>>>>major multi-national companies. There is no "list" of where these
>>>>companies deployed these addresses and it is not mandatory for the
>>>>addresses to be masqueraded.
>>>
>>>Correct, but it's a safe bet that the Class As assigned to China etc,
>>>aren't being used much in the US :)
>>>
>>>
>>>>A company may be based in the US, but blocks of the IP
>>>>addresses they have assigned to them are USED in Europe. The company
>>>>does not report where they deploy its addresses to anyone. You may get a
>>>>list of what companies or individuals have the addresses, but not where
>>>>the addresses were used.
>>>
>>>Well, starting with the ones assigned to China, Korea, etc., seems like
>>>a good start.
>>>
>>>Also, if you use tcpwrappers, you can toss in a block for all non-US
>>>based domains.

>>
>>
>> Again, ICANN only lists WHO owns the class A's NOT where they are
>> deployed.

>
> Yeah, I understood your "argument" the first time...
>
>> Yeah, you can make up a mythical thing about China,

>
> Mythical? My my... you certainly showed me :)


What an ass.

>
>> cut what about the AT&T
>> "WORLD" net addresses (class A 11.0.0.0)? Are you sure that AT&T ONLY
>> deployed in the USA???? I doubt it. The 11.0.0.0 could be anywhere in the
>> world.

>
> Ah, well, pardon' moi for being so crass as to point out that IANA
> believes 11/8 to belong to the DOD... not ATT.


And just WHERE does the DOD deploy that address? The US? US bases in
Germany??? But DO take a look at WHERE 12.x.x.x is OWNED. It is AT&T USA
but I have also shown that parts of that address range are deployed more
than just the USA with the VAST MAJORITY OF THE ADDRESSES UNACCOUNTED FOR.
Just because the address range was assigned to a company based in the
USA does NOT mean that the addresses are DEPLOYED THERE.


>
> Feel free to refer to the following (current as of June 2005)
> rather than taking my word for it.
>
> http://www.iana.org/assignments/ipv4-address-space


What about it? It lists a bunch of companies, but just where does a
multinational company like HP deploy that address they have??? It says the
name of where the address was ASSIGNED NOT DEPLOYED. You do know the
difference between assigned and deployed, right? Where does this link show
where the IP address is DEPLOYED? You do know the difference between
assigned and deployed, right?

>
> Ignoring, for the moment, the apparent factual errors in your
> statement, your logic is also somewhat suspect.


You may think my logic is suspect, but I KNOW yours is FLAWED.

>
> Any Class A assigned to RIPE, APNIC, LACNIC, AfriNIC, etc. in the URL
> listed above could quite safely be blocked from ssh access. We do it..
> works just fine.


Wrong. The 12.0.0.0 address range is assigned to AT&T--USA. From ARIN:

OrgName: AT&T WorldNet Services
OrgID: ATTW
Address: AT&T
Address: 200 S. LAUREL AVE.
City: MIDDLETOWN
StateProv: NJ
PostalCode: 07748
Country: US


While the 12.x.x.x range is ASSIGNED to a USA address, it is deployed in the
USA, Canada and New Zealand with the vast majority of the addresses
UNACCOUNTED FOR.

From: http://ip.ludost.net/

12.63.178.60 12.63.178.63 ca
12.63.178.64 12.206.123.159 us
12.206.123.160 12.206.123.175 nl
12.206.123.176 13.255.255.255 us

This clearly shows A: It is unknown where the vast majority of 12.x.x.x
addresses are DEPLOYED, and that just because the 12.x.x.x is ASSIGNED to
ATT USA, you can not assume that it is DEPLOYED inside the USA. You do know
the difference between deployed and assigned, right?


If you were allowing all the block that was assigned to ATT through, then you
would be letting non US sites through. If you were to block All of them,
then you are blocking some US sites. Then there are the large number of
unaccounted for sites that means that if you block the few that you know
are from outside the US, you still don't know where all the rest are from.

>
> In addition, we block almost every known domain that's not .us .gov
> .mil etc. -- including the proposed .xxx that they're dithering around
> with.


BFD. What about ".com, .net, .edu," all of which are used around the world.
If you block them, you are blocking MANY US sites, if you let them through,
you are letting through many sites that are outside the USA. Are you
blocking all of com? BTW, did you know that a domain that ends in .us can
be used OUTSIDE the US, right?

>
> Occasionally -- as in once or twice a year -- someone legit is blocked,
> but that's easy to sort out because legit people tend to complain :)


This just proves that your methodology is flawed. Given the large number of
IP addresses and the relatively few people that probably visit your site, I
don't think your example proves much.


And just WHERE does the DOD deploy that address? But DO take a look at WHERE
12.x.x.x is OWNED. It is AT&T USA but I have also shown that parts of that
address range are deployed more than just the US with the VAST MAJORITY OF
THE ADDRESSES UNACCOUNTED FOR.

--
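The four lines matt_left_coast quotes from ip.ludost.net are in the "start end country-code" layout, and the disagreement in the thread is really about two different firewall policies built from such a list: dropping the ranges known to be foreign (what base60 describes) versus accepting only the ranges known to be US and dropping everything else. The Python below is an added example, not code from the thread or from any of its participants. It parses those four quoted lines (used here as the sample; no other part of the list is on this page), splits each range into the CIDR prefixes iptables accepts, renders both rule sets for TCP port 22, and walks the rendered chain so you can see what happens to an address the list does not cover. The rule syntax is standard iptables; the assumption that the INPUT chain's default policy is ACCEPT is mine.

```python
import ipaddress

# The four lines quoted in the post above (start end cc). Anything outside
# them is "unlisted" as far as this excerpt of the list goes.
RANGE_LIST = """\
12.63.178.60 12.63.178.63 ca
12.63.178.64 12.206.123.159 us
12.206.123.160 12.206.123.175 nl
12.206.123.176 13.255.255.255 us
"""


def parse_range_list(text):
    """Turn 'start end cc' lines into (IPv4Network, cc) pairs.

    iptables matches on CIDR prefixes, not arbitrary start/end ranges, so
    each range is split into the minimal set of prefixes that covers it.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # blank or malformed line: skip it rather than guess
        start, end, cc = fields
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(end)
        for net in ipaddress.summarize_address_range(first, last):
            entries.append((net, cc.lower()))
    return entries


def lookup_country(entries, ip):
    """Return the listed country code for ip, or None if no range covers it."""
    addr = ipaddress.IPv4Address(ip)
    for net, cc in entries:
        if addr in net:
            return cc
    return None


def iptables_rules(entries, home="us", mode="allowlist"):
    """Render ssh (TCP/22) rules for the INPUT chain.

    allowlist: ACCEPT the listed home-country prefixes, then DROP the rest.
    denylist:  DROP the listed foreign prefixes and let everything else
               through (the policy the thread argues over).
    """
    base = "iptables -A INPUT -p tcp --dport 22"
    rules = []
    if mode == "allowlist":
        rules += [f"{base} -s {net} -j ACCEPT" for net, cc in entries if cc == home]
        rules.append(f"{base} -j DROP")
    elif mode == "denylist":
        rules += [f"{base} -s {net} -j DROP" for net, cc in entries if cc != home]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return rules


def decide(entries, ip, home="us", mode="allowlist"):
    """Walk the rendered chain the way the kernel does: first match wins."""
    addr = ipaddress.IPv4Address(ip)
    for rule in iptables_rules(entries, home, mode):
        parts = rule.split()
        if "-s" in parts:
            net = ipaddress.IPv4Network(parts[parts.index("-s") + 1])
            if addr not in net:
                continue
        return parts[-1]  # the -j target of the first matching rule
    return "ACCEPT"       # chain exhausted; assumed INPUT policy is ACCEPT


if __name__ == "__main__":
    entries = parse_range_list(RANGE_LIST)
    for mode in ("denylist", "allowlist"):
        print(f"--- {mode}: {len(iptables_rules(entries, mode=mode))} rules")
        # 12.1.2.3 is in no quoted range; 12.206.123.170 is listed as nl.
        for ip in ("12.1.2.3", "12.206.123.170", "12.100.0.1"):
            cc = lookup_country(entries, ip) or "unlisted"
            print(f"{ip:>16} ({cc:>8}) -> {decide(entries, ip, mode=mode)}")
```

The two policies differ exactly on the unlisted address: the deny-list lets it through because no rule matches, while the allow-list drops it because it is not a known US prefix. Which is "right" depends on whether a missing entry should fail open or fail closed; for an ssh port that is usually the latter, and the price is the occasional legitimate block the thread mentions.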


#12
09-17-2005
base60
Re: Use iptables to block all non-US ssh traffic

matt_left_coast wrote:
> base60 wrote:
>
>
>>matt_left_coast wrote:
>>
>>>base60 wrote:
>>>
>>>
>>>
>>>>matt_left_coast wrote:
>>>>
>>>>
>>>>>Chris Barnes wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>This should be a simple question, and in fact, it is one that turned up
>>>>>>in a Google search (see, I did my homework). What didn't turn up was
>>>>>>an answer.
>>>>>>
>>>>>>
>>>>>>Q: is there a simple way to use iptables to block all ssh traffic from
>>>>>>non-US ip addresses? Iow, I already know how to block a given range
>>>>>>of ip's. What I need is a quick and dirty list of non-US Ip's to
>>>>>>block.
>>>>>
>>>>>
>>>>>Unfortunately, there is no such list.
>>>>
>>>>Ah, actually, ICANN has a web page that lists which A's are assigned
>>>>where. Don't recall the URL, but it wasn't hard to find.
>>>>
>>>>
>>>>
>>>>>Worse, there can be no such list.
>>>>
>>>>Hmmmmmm, I guess no-one told ICANN....
>>>>
>>>>
>>>>
>>>>>Blocks of IP addresses (Such as the class A addresses) were assigned to
>>>>>major multi-national companies. There is no "list" of where these
>>>>>companies deployed these addresses and it is not mandatory for the
>>>>>addresses to be masqueraded.
>>>>
>>>>Correct, but it's a safe bet that the Class As assigned to China etc,
>>>>aren't being used much in the US :)
>>>>
>>>>
>>>>
>>>>>A company may be based in the US, but blocks of the IP
>>>>>addresses they have assigned to them are USED in Europe. The company
>>>>>does not report where they deploy its addresses to anyone. You may get a
>>>>>list of what companies or individuals have the addresses, but not where
>>>>>the addresses were used.
>>>>
>>>>Well, starting with the ones assigned to China, Korea, etc., seems like
>>>>a good start.
>>>>
>>>>Also, if you use tcpwrappers, you can toss in a block for all non-US
>>>>based domains.
>>>
>>>
>>>Again, ICANN only lists WHO owns the class A's NOT where they are
>>>deployed.

>>
>>Yeah, I understood your "argument" the first time...
>>
>>
>>>Yeah, you can make up a mythical thing about China,

>>
>>Mythical? My my... you certainly showed me :)

>
>
> What an ass.


LOL :)

Ah, well, that certainly makes you butch! :)

You could just drop the "left_coast" thing and then maybe
you wouldn't feel the need to compensate....

>
>
>>>cut what about the AT&T
>>>"WORLD" net addresses (class A 11.0.0.0)? Are you sure that AT&T ONLY
>>>deployed in the USA???? I doubt it. The 11.0.0.0 could be anywhere in the
>>>world.

>>
>>Ah, well, pardon' moi for being so crass as to point out that IANA
>>believes 11/8 to belong to the DOD... not ATT.

>
>
> And just WHERE does the DOD deploy that address?


Don't know. Don't care. I mentioned it only to point out that
your facts aren't and your logic is rather lacking, also.

> The US? US bases in
> Germany??? But DO take a look at WHERE 12.x.x.x is OWNED. It is AT&T USA
> but I have also shown that parts of that address range are deployed more
> than just the USA with the VAST MAJORITY OF THE ADDRESSES UNACCOUNTED FOR.
> Just because the address range was assigned to a company based in the
> USA does NOT mean that the addresses are DEPLOYED THERE.


I'm curious: do you have a serious reading comprehension problem or are
you just the plain garden variety of dull?

Which part of, "Yeah, I understood your "argument" the first time..."
did you fail to understand?

Do you think that if you add sufficient caps to it that it will somehow
change into something that matters?


>
>
>
>>Feel free to refer to the following (current as of June 2005)
>>rather than taking my word for it.
>>
>>http://www.iana.org/assignments/ipv4-address-space

>
>
> What about it? It lists a bunch of companies, but just where does a
> multinational company like HP deploy that address they have??? It says the
> name of where the address was ASSIGNED NOT DEPLOYED. You do know the
> difference between assigned and deployed, right? Where does this link show
> where the IP address is DEPLOYED? You do know the difference between
> assigned and deployed, right?


LOL...

Um, is HP assigned to RIPE or APNIC?


>
>
>>Ignoring, for the moment, the apparent factual errors in your
>>statement, your logic is also somewhat suspect.

>
>
> You may think my logic is suspect, but I KNOW yours is FLAWED.


WELL, YOU'RE OBVIOUSLY WRONG BECAUSE I'VE USED MORE CAPS THAN YOU!!!!!

:-)

>
>
>>Any Class A assigned to RIPE, APNIC, LACNIC, AfriNIC, etc. in the URL
>>listed above could quite safely be blocked from ssh access. We do it..
>>works just fine.

>
>
> Wrong. The 12.0.0.0 address range is assigned to AT&T--USA. From ARIN:


I explicitly list blocks assigned to "RIPE, APNIC, LACNIC, AfriNIC"
and you tell me I'm wrong because of a block assigned to ARIN.

OK.... LOL.... lights on, but no-one home, eh? :-)


>
> OrgName: AT&T WorldNet Services
> OrgID: ATTW
> Address: AT&T
> Address: 200 S. LAUREL AVE.
> City: MIDDLETOWN
> StateProv: NJ
> PostalCode: 07748
> Country: US
>
>
> While the 12.x.x.x range is ASSIGNED to a USA address, it is deployed in the
> USA, Canada and New Zealand with the vast majority of the addresses
> UNACCOUNTED FOR.


Yeah? OK? Again, kindly note that I wasn't talking about blocks
assigned to ARIN.

[...] balance of your idiotic post deleted unread.

I'm really not sure what your problem is... but it would seem
obvious that you have one.

Since I'm not into tormenting mental defectives and arguing with
them clearly demonstrates a lack of judgement, I guess I'll just
ignore you.... but I suspect you're used to that, so no matter.

Goodnight and have a better tomorrow :)
#13
09-17-2005
matt_left_coast
Re: Use iptables to block all non-US ssh traffic

base60 wrote:

> matt_left_coast wrote:
>> base60 wrote:
>>
>>
>>>matt_left_coast wrote:
>>>

<SNIP>
>>
>>
>> What an ass.

>
> LOL :)
>
> Ah, well, that certainly makes you butch! :)


Guess you are just a nelly queen.

>
> You could just drop the "left_coast" thing and then maybe
> you wouldn't feel the need to compensate....


Compensate for what? I clearly understand what is going on here well more
than you. I'm not the one that is trying to make a PARTIAL list of IP
addresses into a comprehensive list, the way you are.

>
>>
>>
>>>>cut what about the AT&T
>>>>"WORLD" net addresses (class A 11.0.0.0)? Are you sure that AT&T ONLY
>>>>deployed in the USA???? I doubt it. The 11.0.0.0 could be anywhere in
>>>>the world.
>>>
>>>Ah, well, pardon' moi for being so crass as to point out that IANA
>>>believes 11/8 to belong to the DOD... not ATT.

>>
>>
>> And just WHERE does the DOD deploy that address?

>
> Don't know. Don't care. I mentioned it only to point out that
> your facts aren't and your logic is rather lacking, also.
>
>> The US? US bases in
>> Germany??? But DO take a look at WHERE 12.x.x.x is OWNED. It is AT&T USA
>> but I have also shown that parts of that address range are deployed more
>> than just the USA with the VAST MAJORITY OF THE ADDRESSES UNACCOUNTED
>> FOR. Just because the address range was assigned to a company based
>> in the USA does NOT mean that the addresses are DEPLOYED THERE.

>
> I'm curious: do you have a serious reading comprehension problem or are
> you just the plain garden variety of dull?
>
> Which part of, "Yeah, I understood your "argument" the first time..."
> did you fail to understand?


Your PROOF that you actually DO understand. I have seen the claim, but
NOTHING to back up the claim.

>
> Do you think that if you add sufficient caps to it that it will somehow
> change into something that matters?
>
>


The OP asked for a list of addresses and what country they are used in. The
"list" you suggest is NOT comprehensive as your claim "I wasn't talking
about blocks assigned to ARIN." further down the list proves. My claim that
there is no comprehensive list still stands and is proven by my discussion
of the ATT example and your own admission.

>>
>>
>>
>>>Feel free to refer to the following (current as of June 2005)
>>>rather than taking my word for it.
>>>
>>>http://www.iana.org/assignments/ipv4-address-space

>>
>>
>> What about it? It lists a bunch of companies, but just where does a
>> multinational company like HP deploy that address they have??? It says the
>> name of where the address was ASSIGNED NOT DEPLOYED. You do know the
>> difference between assigned and deployed, right? Where does this link
>> show where the IP address is DEPLOYED? You do know the difference between
>> assigned and deployed, right?

>
> LOL...
>
> Um, is HP assigned to RIPE or APNIC?


It was one on the list at the URL that you posted, you have a problem with
me using the data YOU posted??? They are valid addresses that are assigned
and used. In order to supply a list of addresses by country, one would need
to deal with ALL addresses, not just the ones assigned to RIPE or APNIC.
The point still stands.

>
>
>>
>>
>>>Ignoring, for the moment, the apparent factual errors in your
>>>statement, your logic is also somewhat suspect.

>>
>>
>> You may think my logic is suspect, but I KNOW yours is FLAWED.

>
> WELL, YOU'RE OBVIOUSLY WRONG BECAUSE I'VE USED MORE CAPS THAN YOU!!!!!


And that makes me wrong HOW?

>
> :-)
>
>>
>>
>>>Any Class A assigned to RIPE, APNIC, LACNIC, AfriNIC, etc. in the URL
>>>listed above could quite safely be blocked from ssh access. We do it..
>>>works just fine.

>>
>>
>> Wrong. The 12.0.0.0 address range is assigned to AT&T--USA. From ARIN:

>
> I explicitly list blocks assigned to "RIPE, APNIC, LACNIC, AfriNIC"
> and you tell me I'm wrong because of a block assigned to ARIN.
>
> OK.... LOL.... lights on, but no-one home, eh? :-)


And I am dealing with IP addresses that are valid addresses, as the OP asked
about. He is asking for a list of addresses by country, your listing of
"RIPE, APNIC, LACNIC, AfriNIC" does not address the issue of the OP. Like,
wow, do you even have a light?

>
>
>>
>> OrgName: AT&T WorldNet Services
>> OrgID: ATTW
>> Address: AT&T
>> Address: 200 S. LAUREL AVE.
>> City: MIDDLETOWN
>> StateProv: NJ
>> PostalCode: 07748
>> Country: US
>>
>>
>> While the 12.x.x.x range is ASSIGNED to a USA address, it is deployed in
>> the USA, Canada and New Zealand with the vast majority of the addresses
>> UNACCOUNTED FOR.

>
> Yeah? OK? Again, kindly note that I wasn't talking about blocks
> assigned to ARIN.


Then you are NOT addressing the needs of the OP the way I am and your
posting is meaningless. If you are only addressing SOME of the addresses and
not all, your "solution" would not work for the OP.

The OP asks for a list that he could use to filter addresses from outside
the US. There is no such comprehensive list. In order for the list to be
comprehensive, it MUST INCLUDE the addresses assigned by ARIN.

>
> [...] balance of your idiotic post deleted unread.


Can't deal with reality eh?

>
> I'm really not sure what you're problem is... but it would seem
> obvious that you have one.


My problem is that I am trying to help the OP and their needs. It is clear
your list does NOT address the needs of the OP.

>
> Since I'm not into tormenting mental defectives and arguing with
> them clearly demonstrates a lack of judgement, I guess I'll just
> ignore you.... but I suspect you're used to that, so no matter.
>
> Goodnight and have a better tomorrow :)


To give me a better tomorrow would be if you could comprehend the OP and
their needs.


--


#14
09-17-2005
base60
Re: Use iptables to block all non-US ssh traffic

matt_left_coast wrote:
> base60 wrote:
>


<yawn> [discarded]
#15
09-17-2005
matt_left_coast
Re: Use iptables to block all non-US ssh traffic

base60 wrote:

> matt_left_coast wrote:
>> base60 wrote:
>>

>
> <yawn> [discarded]


Discard what you will, the FACT is, you are simply WRONG. The method you
claim lists WHERE the IP address is used simply does not work as I
demonstrated by the AT&T example.

--


#16
09-17-2005
base60
Re: Use iptables to block all non-US ssh traffic

matt_left_coast-the-binky-boy wrote:
> base60 wrote:
>
>
>>matt_left_coast wrote:
>>
>>>base60 wrote:
>>>

>>
>><yawn> [discarded]

>
>
> Discard what you will, the FACT is, you are simply WRONG. The method you
> claim lists WHERE the IP address is used simply does not work as I
> demonstrated by the AT&T example.
>


LOL... right.... the "ATT" 11/8 which is actually the DOD... yehp...
truly impressive demonstration of fact and logic :-)

Your mom is going to make you play hide-Mr.-binky with the pooch again
if she finds you on her computer.
#17
09-17-2005
matt_left_coast
Re: Use iptables to block all non-US ssh traffic

base60 wrote:

> matt_left_coast-the-binky-boy wrote:
>> base60 wrote:
>>
>>
>>>matt_left_coast wrote:
>>>
>>>>base60 wrote:
>>>>
>>>
>>><yawn> [discarded]

>>
>>
>> Discard what you will, the FACT is, you are simply WRONG. The method you
>> claim lists WHERE the IP address is used simply does not work as I
>> demonstrated by the AT&T example.
>>

>
> LOL... right.... the "ATT" 11/8 which is actually the DOD... yehp...
> truly impressive demonstration of fact and logic :-)


Look at 12.x.x.x, I quoted it and showed where quite a number of the ATT
addresses were deployed outside the USA. Despite your unjustified
condescending attitude, you have been unable to deal with the FACT that the
12.x.x.x block was assigned to AT&T in the USA and AT&T has deployed those
addresses OUTSIDE the USA. Using YOUR method, those addresses that AT&T
deployed OUTSIDE the USA would still be allowed to connect. Your method
would not work for someone wanting to limit connections to only USA based
computers, a PROVEN fact.

>
> Your mom is going to make you play hide-Mr.-binky with the pooch again
> if she finds you on her computer.


What a loser, can't deal with the facts so you start insulting.


--


#18
09-17-2005
base60
Re: Use iptables to block all non-US ssh traffic

matt_left_coast the binky boy who has taken it from behind far too many
times to be trying to pass himself off as bi wrote:

> base60 wrote:
>
>
>>matt_left_coast-the-binky-boy wrote:
>>
>>>base60 wrote:


Ignored again.
#19
09-17-2005
matt_left_coast
Re: Use iptables to block all non-US ssh traffic

base60 wrote:

> matt_left_coast the binky boy who has taken it from behind far too many
> times to be trying to pass himself off as bi wrote:
>
>> base60 wrote:
>>
>>
>>>matt_left_coast-the-binky-boy wrote:
>>>
>>>>base60 wrote:

>
> Ignored again.


Of course you ignore it, if you did not, you would have to admit you are
wrong.

The simple fact is, you can not say that because an address was issued by a
particular agency to a company or individual in any particular country,
that the IP address is actually DEPLOYED in that country. Your method does
NOT do what the OP wants, PERIOD. All your burying your head in the sand,
ignoring the fact or childish insults will not change the FACTS.

I am so sorry you can not understand the difference between ISSUED and
DEPLOYED.

--


#20
09-17-2005
base60
Re: Use iptables to block all non-US ssh traffic

matt_left_coast who likes to spend his downtime taking long soulful
walks on the beach with his longtime male canine companion wrote:
>
> base60 wrote:
>
>
>>matt_left_coast the binky boy who has taken it from behind far too many
>>times to be trying to pass himself off as bi wrote:
>>
>>
>>>base60 wrote:
>>>
>>>
>>>
>>>>matt_left_coast-the-binky-boy wrote:
>>>>
>>>>
>>>>>base60 wrote:

>>
>>Ignored again.

>
>
> Of course you ignore it, if you did not, you would have to admit you are
> wrong.


LOL... "I know you are but what am I?"

You're being ignored and ridiculed because you've made several factual
and logical blunders and you're compounding your errors with blind-em-
with-bullshit followups.

People would take you more seriously if you learned how to follow
a conversation and lost a bit of the 'tude.

As it is, you're just another \_@m3? with a keyboard.

Thanks for the morning entertainment, though.