>>>>> Hi, my site is being ravaged by an IP but dropping the IP via
>>>>> shorewall is seeming to have no effect. I'm using his IP from nginx
>>>>> logs. IP blocking in shorewall has always worked before. What could
>>>>> be happening?
>>>>
>>>> I'm blocking like this with the firewall running on the web server:
>>>>
>>>> /etc/shorewall/rules
>>>> DROP net:1.2.3.4 $FW
>>>>
>>>> Could shorewall/iptables see a different IP address than the one seen by
>>>> nginx?
>>>
>>> Most likely the file is configured but the firewall service wasn't
>>> restarted or the rules not loaded.
>>
>> I restarted shorewall plenty. :) I believe the issue was either a
>> persistent connection which conntrack-tools would have allowed me to
>> flush, or my blocking in /etc/shorewall/rules instead of
>> /etc/shorewall/blrules, or both.
>>
>
> What exactly is your issue? That is, what makes you think you even
> have an issue?
>
> The reason I ask is that all iptables is going to do is drop packets
> when they reach the kernel. They still go through your network and
> network card and consume some CPU (even more if you're logging them).
> If you're being flooded by a very large volume of packets then that
> will saturate your connection and simply dropping them at the server
> won't fix the latency this will cause for the good packets. In such
> an attack you need to block those packets as far upstream as you can
> before connections start getting saturated. This might be outside of
> your network perimeter. This is why DDoS attacks are so potent: if
> you use something like fail2ban to just set iptables and are done, you're
> fixing the barn doors after the horses have already left.
I said I was under attack but it was really just an unthrottled and very greedy bot. fail2ban would have gotten him. But while we're on the subject, how would you recommend thwarting a DDoS attack against a dedicated server in a hosted environment? Cloudflare?

- Grant
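As an added example (not code from the thread), a small Python detector that does what fail2ban would have done for the greedy bot above: it reads nginx access-log lines, finds clients exceeding a request rate in a sliding window, and prints the blrules entry plus the conntrack flush the replies mention. The log lines, IPs, thresholds and window logic are constructed here; the conntrack command assumes conntrack-tools is installed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Leading fields of nginx's "combined" log format: client IP, ident, user, [timestamp]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, timestamp) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def greedy_clients(lines, max_requests, window_seconds):
    """Map IP -> peak requests in any sliding window, for IPs whose peak exceeds max_requests."""
    window = timedelta(seconds=window_seconds)
    stamps_by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            stamps_by_ip[parsed[0]].append(parsed[1])
    offenders = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # advance the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            offenders[ip] = peak
    return offenders

def block_commands(ip):
    """blrules entry plus the conntrack flush that kills an already-open connection,
    which a DROP in /etc/shorewall/rules (new connections only) would not touch."""
    return [f"DROP\tnet:{ip}\t$FW",   # append to /etc/shorewall/blrules, then restart shorewall
            f"conntrack -D -s {ip}"]  # delete existing conntrack entries from that source

# Constructed sample log (documentation IPs): a bot at 1 req/s and one normal visitor.
def _line(ip, ts, path, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 612 "-" "{ua}"'

BASE = datetime(2024, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
SAMPLE_LOG = [_line("203.0.113.9", BASE + timedelta(seconds=i), f"/p?n={i}", "greedy-bot/1.0") for i in range(40)]
SAMPLE_LOG += [_line("198.51.100.7", BASE + timedelta(seconds=10 * i), "/", "Mozilla/5.0") for i in range(4)]
```

Run `greedy_clients(SAMPLE_LOG, max_requests=20, window_seconds=30)` to see the bot flagged at 31 requests in 30 seconds while the normal visitor is left alone.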