DROP_HOSTILE whitelisting

I’ve encountered a problem with access to the online shop ozon.ru (a Russian analogue of Amazon), which only appeared when the ‘Drop packets from and to hostile networks’ option was enabled.

I spent some time looking for the solution, and ended up finding this topic, and I tried running location update and re-exporting my location list with the ipset command suggested by @ross_codes:

/usr/bin/location export --directory=/var/lib/location/ipset --family=ipv4 --format=ipset

Unfortunately this didn't help, so I searched for the website's IP addresses in the updated location list and in the XD set, but neither the addresses nor their subnets were there. Also, the website does not appear to be listed at Spamhaus or on any other blocklist, so it shouldn't be blocked by the HOSTILE rule at all.

I'm kinda new here, so I'm not familiar with older core versions, but if I understood it right, modern versions' DROP_HOSTILE uses rules from the HOSTILE_DROP_IN and HOSTILE_DROP_OUT iptables chains, which don't reference any blocklists.

I fixed this issue using the method from another topic, and whitelisted all the shop's IP addresses I could find in /etc/sysconfig/firewall.local, using the code below (based on @casabenedetti's code from the original post):

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here

        ## Ozon ip addresses
        ## For each address: allow HTTPS in both chains ahead of the hostile drop
        ## rules. ACCEPT is inserted first, then the rate-limited LOG rule is
        ## inserted above it, so every bypassed packet is logged before it is accepted.
        if ! iptables --check HOSTILE_DROP_OUT -p tcp -d 185.73.194.82 --dport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --insert HOSTILE_DROP_OUT -p tcp -d 185.73.194.82 --dport 443 -j ACCEPT
            iptables --verbose --insert HOSTILE_DROP_OUT -p tcp -d 185.73.194.82 --dport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT "
        fi

        if ! iptables --check HOSTILE_DROP_IN -p tcp -s 185.73.194.82 --sport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --insert HOSTILE_DROP_IN -p tcp -s 185.73.194.82 --sport 443 -j ACCEPT
            iptables --verbose --insert HOSTILE_DROP_IN -p tcp -s 185.73.194.82 --sport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT_IN "
        fi

        if ! iptables --check HOSTILE_DROP_OUT -p tcp -d 185.73.193.119 --dport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --insert HOSTILE_DROP_OUT -p tcp -d 185.73.193.119 --dport 443 -j ACCEPT
            iptables --verbose --insert HOSTILE_DROP_OUT -p tcp -d 185.73.193.119 --dport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT "
        fi

        if ! iptables --check HOSTILE_DROP_IN -p tcp -s 185.73.193.119 --sport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --insert HOSTILE_DROP_IN -p tcp -s 185.73.193.119 --sport 443 -j ACCEPT
            iptables --verbose --insert HOSTILE_DROP_IN -p tcp -s 185.73.193.119 --sport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT_IN "
        fi

        if ! iptables --check HOSTILE_DROP_OUT -p tcp -d 185.73.195.117 --dport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --insert HOSTILE_DROP_OUT -p tcp -d 185.73.195.117 --dport 443 -j ACCEPT
            iptables --verbose --insert HOSTILE_DROP_OUT -p tcp -d 185.73.195.117 --dport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT "
        fi

        if ! iptables --check HOSTILE_DROP_IN -p tcp -s 185.73.195.117 --sport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --insert HOSTILE_DROP_IN -p tcp -s 185.73.195.117 --sport 443 -j ACCEPT
            iptables --verbose --insert HOSTILE_DROP_IN -p tcp -s 185.73.195.117 --sport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT_IN "
        fi

        if ! iptables --check HOSTILE_DROP_OUT -p tcp -d 185.73.195.116 --dport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --insert HOSTILE_DROP_OUT -p tcp -d 185.73.195.116 --dport 443 -j ACCEPT
            iptables --verbose --insert HOSTILE_DROP_OUT -p tcp -d 185.73.195.116 --dport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT "
        fi

        if ! iptables --check HOSTILE_DROP_IN -p tcp -s 185.73.195.116 --sport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --insert HOSTILE_DROP_IN -p tcp -s 185.73.195.116 --sport 443 -j ACCEPT
            iptables --verbose --insert HOSTILE_DROP_IN -p tcp -s 185.73.195.116 --sport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT_IN "
        fi

        if ! iptables --check HOSTILE_DROP_OUT -p tcp -d 185.73.195.108 --dport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --insert HOSTILE_DROP_OUT -p tcp -d 185.73.195.108 --dport 443 -j ACCEPT
            iptables --verbose --insert HOSTILE_DROP_OUT -p tcp -d 185.73.195.108 --dport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT "
        fi

        if ! iptables --check HOSTILE_DROP_IN -p tcp -s 185.73.195.108 --sport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --insert HOSTILE_DROP_IN -p tcp -s 185.73.195.108 --sport 443 -j ACCEPT
            iptables --verbose --insert HOSTILE_DROP_IN -p tcp -s 185.73.195.108 --sport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT_IN "
        fi
        ## Ozon ip addresses

        ;;
  stop)
        ## add your 'stop' rules here

        ## Ozon ip addresses
        ## Remove the same rule pairs again; --check keeps this idempotent.
        if iptables --check HOSTILE_DROP_OUT -p tcp -d 185.73.194.82 --dport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --delete HOSTILE_DROP_OUT -p tcp -d 185.73.194.82 --dport 443 -j ACCEPT
            iptables --verbose --delete HOSTILE_DROP_OUT -p tcp -d 185.73.194.82 --dport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT "
        fi

        if iptables --check HOSTILE_DROP_IN -p tcp -s 185.73.194.82 --sport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --delete HOSTILE_DROP_IN -p tcp -s 185.73.194.82 --sport 443 -j ACCEPT
            iptables --verbose --delete HOSTILE_DROP_IN -p tcp -s 185.73.194.82 --sport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT_IN "
        fi

        if iptables --check HOSTILE_DROP_OUT -p tcp -d 185.73.193.119 --dport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --delete HOSTILE_DROP_OUT -p tcp -d 185.73.193.119 --dport 443 -j ACCEPT
            iptables --verbose --delete HOSTILE_DROP_OUT -p tcp -d 185.73.193.119 --dport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT "
        fi

        if iptables --check HOSTILE_DROP_IN -p tcp -s 185.73.193.119 --sport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --delete HOSTILE_DROP_IN -p tcp -s 185.73.193.119 --sport 443 -j ACCEPT
            iptables --verbose --delete HOSTILE_DROP_IN -p tcp -s 185.73.193.119 --sport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT_IN "
        fi

        if iptables --check HOSTILE_DROP_OUT -p tcp -d 185.73.195.117 --dport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --delete HOSTILE_DROP_OUT -p tcp -d 185.73.195.117 --dport 443 -j ACCEPT
            iptables --verbose --delete HOSTILE_DROP_OUT -p tcp -d 185.73.195.117 --dport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT "
        fi

        if iptables --check HOSTILE_DROP_IN -p tcp -s 185.73.195.117 --sport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --delete HOSTILE_DROP_IN -p tcp -s 185.73.195.117 --sport 443 -j ACCEPT
            iptables --verbose --delete HOSTILE_DROP_IN -p tcp -s 185.73.195.117 --sport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT_IN "
        fi

        if iptables --check HOSTILE_DROP_OUT -p tcp -d 185.73.195.116 --dport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --delete HOSTILE_DROP_OUT -p tcp -d 185.73.195.116 --dport 443 -j ACCEPT
            iptables --verbose --delete HOSTILE_DROP_OUT -p tcp -d 185.73.195.116 --dport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT "
        fi

        if iptables --check HOSTILE_DROP_IN -p tcp -s 185.73.195.116 --sport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --delete HOSTILE_DROP_IN -p tcp -s 185.73.195.116 --sport 443 -j ACCEPT
            iptables --verbose --delete HOSTILE_DROP_IN -p tcp -s 185.73.195.116 --sport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT_IN "
        fi

        if iptables --check HOSTILE_DROP_OUT -p tcp -d 185.73.195.108 --dport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --delete HOSTILE_DROP_OUT -p tcp -d 185.73.195.108 --dport 443 -j ACCEPT
            iptables --verbose --delete HOSTILE_DROP_OUT -p tcp -d 185.73.195.108 --dport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT "
        fi

        if iptables --check HOSTILE_DROP_IN -p tcp -s 185.73.195.108 --sport 443 -j ACCEPT >/dev/null 2>&1 ; then
            iptables --verbose --delete HOSTILE_DROP_IN -p tcp -s 185.73.195.108 --sport 443 -j ACCEPT
            iptables --verbose --delete HOSTILE_DROP_IN -p tcp -s 185.73.195.108 --sport 443 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "OZON_HOSTILE_BYPASS_OUT_IN "
        fi
        ## Ozon ip addresses

        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac

And it helped! Connection to the website is actually working now.

But it's obviously not a permanent fix, and it really feels more like a kludge, so I wonder if there is a better solution to my problem.
And if there is none, I hope this topic will help someone with a similar problem.

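The per-address blocks in the script above can be collapsed into a loop over an address list. The following is an added example written for this thread, not the poster's script or IPFire's own code; it assumes the same addresses, port and HOSTILE_DROP_IN/HOSTILE_DROP_OUT chains, ends the log prefix with ':' instead of a space so no quoting is needed, and prints the commands instead of loading them when DRY_RUN=1 is set.

```shell
#!/bin/sh
# Table-driven allow-list for IPFire's HOSTILE_DROP_IN/HOSTILE_DROP_OUT chains.
# Added example for this thread, not code from the original post or IPFire.
# Addresses, port and chain names are the ones the post used; the log prefix
# ends in ':' instead of a space so the rule strings need no quoting.
# Set DRY_RUN=1 to print the iptables commands instead of loading them.

ALLOW_IPS="185.73.194.82 185.73.193.119 185.73.195.117 185.73.195.116 185.73.195.108"
PORT=443
LOG_PREFIX="OZON_HOSTILE_BYPASS"
IPTABLES="${IPTABLES:-iptables}"

# Match expression for one address in one chain.
# OUT: our client -> shop:443.  IN: shop:443 -> our client.
match_for() {   # match_for CHAIN IP
    case "$1" in
        HOSTILE_DROP_OUT) printf '%s\n' "-p tcp -d $2 --dport $PORT" ;;
        HOSTILE_DROP_IN)  printf '%s\n' "-p tcp -s $2 --sport $PORT" ;;
        *) return 1 ;;
    esac
}

# The two rules for CHAIN/IP, one per line, in load order. --insert prepends,
# so ACCEPT is loaded first and the rate-limited LOG rule ends up above it:
# a matching packet is logged, then accepted.
rules_for() {   # rules_for CHAIN IP
    m=$(match_for "$1" "$2") || return 1
    printf '%s\n' "$1 $m -j ACCEPT"
    printf '%s\n' "$1 $m -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix ${LOG_PREFIX}_${1#HOSTILE_DROP_}:"
}

# start: insert each rule unless --check says it is already present.
# stop:  delete each rule only if it is present. Both are safe to re-run.
apply_rules() {   # apply_rules start|stop
    for ip in $ALLOW_IPS; do
        for chain in HOSTILE_DROP_OUT HOSTILE_DROP_IN; do
            rules_for "$chain" "$ip" | while IFS= read -r rule; do
                case "$1" in
                    start)
                        if [ -n "$DRY_RUN" ]; then echo "$IPTABLES --insert $rule"
                        else $IPTABLES --check $rule >/dev/null 2>&1 || $IPTABLES --insert $rule; fi ;;
                    stop)
                        if [ -n "$DRY_RUN" ]; then echo "$IPTABLES --delete $rule"
                        else $IPTABLES --check $rule >/dev/null 2>&1 && $IPTABLES --delete $rule; fi ;;
                esac
            done
        done
    done
}
# In firewall.local, call: apply_rules "$1"  from the start) and stop) cases.
```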

Welcome to the community. Unfortunately, I think this is the only solution. The ultimate solution would be if the service administrators moved their services to unbanned servers. But I am very incredulous about this. The alternative is to use a new service, if possible.


Consider that even if a GUI system were implemented in IPFire to unblock those IPs by choice, the main problem is that the firewall would be at risk. If a server is banned like that, there must be a valid reason. Taking away the protections in those cases, I don’t see it as good. This is what I think. :wink:

I report a scenario:

  1. You unblock port 443 on the hostile IP x.x.x.x.
  2. You come across a site www…com
  3. Lo and behold, that site contains viruses, because it is hosted on the very server that was banned, x.x.x.x.
  4. Imagine what could happen to your PC.

This scenario cannot happen, if you keep the hostile IP x.x.x.x blocked.

Do you understand the problem?

You may be able to change the firewall settings:
https://www.ipfire.org/blog/introducing-elementary-network-protection-dropping-all-traffic-from-and-to-hostile-networks-by-default


Okay, I think I understand. Spamhaus built into IPFire sounds like a great system to me. I apologize for the post I removed :blush: :blush: :blush:.

I understand this, that's why I'm not disabling this DROP feature completely. It's extremely useful in most cases, but the service that is being blocked is a giant online marketplace (that's also the reason why I can't use alternatives; this service is necessary for the company I work for). It's being used across the whole country, and it's very unlikely for it to be compromised or blacklisted.

Also, neither the domain name nor its IP addresses are listed at Spamhaus:


Or any other blacklists:

That's why it's weird that it's even getting blocked in the first place.


I understand. In cases like this you come to a compromise. I, too, have decided to open for now.

The case that the IPs are not in the spamlist is strange. It should not block in this case :thinking: :thinking: :thinking:. For this I am waiting for suggestions from other users.


However, I remember there was another link where there were spamlists. It seems to me that something had changed. Did you look here?
https://www.spamhaus.org/drop/asndrop.json

Oh, it’s actually listed here.
ozon
That explains why the connection is blocked…

But why is it even in the blacklist? It’s just an online shop…
I guess we’ll never know.


Correct. We would never know. Maybe because the servers that host bad actors cost less? Who knows. :rage:


Thank you for the help :heart:
I'll try to contact Ozon's support and notify them about this; maybe they will do something about it.


You can only do that. That is what I did with my service as well, but I received no response. Hopefully, a big store will be more willing to explain :wink: :+1:
