Firewall Setup

We will use a combination of iptables and ipset: ipset holds sets of IP addresses, and iptables rules drop any packet whose source address is in one of those sets. Most Linux distributions come with iptables pre-installed, but not ipset. The examples given here are for Ubuntu, but there will be equivalents for other Linux distributions; on Ubuntu, just running ipset before it is installed will normally display the command to install its package.

So, first we install the ipset package.

sudo apt install ipset

Next we use ipset to create two sets: one for IPv4 addresses and another for IPv6 addresses. In this example the sets are created with a default timeout of 86400 seconds (one day), so each address is removed automatically one day after it is added unless a different timeout is given when adding it. The second set needs family inet6, as hash:ip sets default to IPv4.

sudo ipset create blacklist_ipv4 hash:ip timeout 86400
sudo ipset create blacklist_ipv6 hash:ip timeout 86400 family inet6

Finally we set up two iptables rules to drop packets whose source address matches one of the sets. We use iptables for the IPv4 set and ip6tables for the IPv6 set. The sets must already exist, as iptables refuses a rule that refers to a set it cannot find. Note that -I inserts each rule at the top of the INPUT chain, so it is evaluated before any other INPUT rules (for example one accepting established connections), which means connections already open from a blacklisted address are dropped as well.

sudo iptables -I INPUT -m set --match-set blacklist_ipv4 src -j DROP
sudo ip6tables -I INPUT -m set --match-set blacklist_ipv6 src -j DROP

At this point we are all set up, as the Phoenix plug will be responsible for adding IP addresses to the sets. However, you may want to add IP addresses manually, so here are a couple of examples.

sudo ipset add blacklist_ipv4 1.2.3.4
sudo ipset add blacklist_ipv6 2001:db8:85a3:8d3:1319:8a2e:370:7348

It is possible to represent IPv4 addresses as IPv6 addresses, e.g. 1.2.3.4 can be represented as ::ffff:1.2.3.4. So, for curiosity value, I tried adding my IPv4 address to the IPv6 set, but unfortunately the firewall did not block my IPv4 address. No matter, we can use two sets rather than one; it will just require a little more work in the plug.
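The steps above, gathered into one script that a plug (or an administrator) can call, as an added example that is not part of the original post or the plug it describes. The file name blacklist.sh and the IPSET_CMD, IPTABLES_CMD and IP6TABLES_CMD variables are inventions of this example; by default they run the real tools through sudo exactly as in the commands above. The set is chosen by address family, and an IPv4-mapped IPv6 address (::ffff:1.2.3.4) is unwrapped and sent to the IPv4 set, since such packets are IPv4 on the wire and only the iptables rule will ever see them; that mapping is this example's design choice, not something the post relies on.

```shell
#!/bin/sh
# blacklist.sh (hypothetical name): a small wrapper around the ipset/iptables
# commands above. Added example, not part of the original post.
# IPSET_CMD, IPTABLES_CMD and IP6TABLES_CMD can be overridden (for example
# with a shell function that just prints its arguments) for a dry run;
# by default the real tools are run through sudo.
set -eu

IPSET_CMD=${IPSET_CMD:-"sudo ipset"}
IPTABLES_CMD=${IPTABLES_CMD:-"sudo iptables"}
IP6TABLES_CMD=${IP6TABLES_CMD:-"sudo ip6tables"}
DEFAULT_TIMEOUT=86400   # one day, the set default used above

# Print "<set name> <address>" for an address, choosing the set by family.
# An IPv4-mapped IPv6 address (::ffff:1.2.3.4) is unwrapped and sent to the
# IPv4 set: the packets are IPv4 on the wire, so only the iptables rule can
# match them (design choice of this example).
set_for_addr() {
    case "$1" in
        ::ffff:*.*.*.*) echo "blacklist_ipv4 ${1#::ffff:}" ;;
        *:*)            echo "blacklist_ipv6 $1" ;;
        *)              echo "blacklist_ipv4 $1" ;;
    esac
}

# Create both sets and insert the two DROP rules. Safe to run repeatedly:
# -exist ignores an already existing set, and -C checks for the rule first.
firewall_setup() {
    $IPSET_CMD -exist create blacklist_ipv4 hash:ip timeout "$DEFAULT_TIMEOUT"
    $IPSET_CMD -exist create blacklist_ipv6 hash:ip timeout "$DEFAULT_TIMEOUT" family inet6
    $IPTABLES_CMD -C INPUT -m set --match-set blacklist_ipv4 src -j DROP 2>/dev/null ||
        $IPTABLES_CMD -I INPUT -m set --match-set blacklist_ipv4 src -j DROP
    $IP6TABLES_CMD -C INPUT -m set --match-set blacklist_ipv6 src -j DROP 2>/dev/null ||
        $IP6TABLES_CMD -I INPUT -m set --match-set blacklist_ipv6 src -j DROP
}

# ban_ip ADDRESS [SECONDS]: add the address to the right set, with an optional
# per-entry timeout overriding the set default (-exist keeps a repeat add
# from failing).
ban_ip() {
    set -- $(set_for_addr "$1") "${2:-$DEFAULT_TIMEOUT}"
    $IPSET_CMD -exist add "$1" "$2" timeout "$3"
}

# unban_ip ADDRESS: remove the address early instead of waiting for the timeout.
unban_ip() {
    set -- $(set_for_addr "$1")
    $IPSET_CMD -exist del "$1" "$2"
}

# is_banned ADDRESS: exit status 0 if the address is currently in its set.
is_banned() {
    set -- $(set_for_addr "$1")
    $IPSET_CMD test "$1" "$2" >/dev/null 2>&1
}

case "${1:-}" in
    setup) firewall_setup ;;
    ban)   ban_ip "$2" "${3:-}" ;;
    unban) unban_ip "$2" ;;
    test)  if is_banned "$2"; then echo "$2 is blocked"; else echo "$2 is not blocked"; fi ;;
    "")    ;;   # no arguments (or sourced): just define the functions
    *)     echo "usage: $0 setup | ban ADDR [SECONDS] | unban ADDR | test ADDR" >&2; exit 2 ;;
esac
```

Typical use is sh blacklist.sh setup once, then sh blacklist.sh ban 1.2.3.4 or sh blacklist.sh ban 2001:db8::1 3600 from the plug. Both ipset sets and iptables rules live in the kernel and are gone after a reboot: save them with ipset save and iptables-save (or the netfilter-persistent package on Ubuntu) and restore the sets before the rules, because a rule that references a set that does not yet exist is rejected.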