In order for your firewall to access our servers, you must make our DNS server your Primary, or at least authoritative for the zone threatstop.local. To make our nameserver your primary, add the following line as the first one in your /etc/resolv.conf file:

nameserver 24.249.204.58
Make sure that you allow TCP DNS queries outbound.
Then you need to create rules on your firewall to block requests coming to and from the ThreatSTOP Basic lists. To add this to your iptables firewall, you can use the following as an example:
# Create the ThreatSTOP chain that the rules below append to
iptables -N threatstop

# Add the inbound rules
iptables -A threatstop -s basic.threatstop.local -j LOG --log-prefix "ThreatSTOP Block "
iptables -A threatstop -s basic.threatstop.local -j DROP
iptables -A threatstop -s basic1.threatstop.local -j LOG --log-prefix "ThreatSTOP Block "
iptables -A threatstop -s basic1.threatstop.local -j DROP
iptables -A threatstop -s basic2.threatstop.local -j LOG --log-prefix "ThreatSTOP Block "
iptables -A threatstop -s basic2.threatstop.local -j DROP
iptables -A threatstop -s basic3.threatstop.local -j LOG --log-prefix "ThreatSTOP Block "
iptables -A threatstop -s basic3.threatstop.local -j DROP
iptables -A threatstop -s basic4.threatstop.local -j LOG --log-prefix "ThreatSTOP Block "
iptables -A threatstop -s basic4.threatstop.local -j DROP

# Add the outbound rules
iptables -A threatstop -d basic.threatstop.local -j LOG --log-prefix "ThreatSTOP Block "
iptables -A threatstop -d basic.threatstop.local -j DROP
iptables -A threatstop -d basic1.threatstop.local -j LOG --log-prefix "ThreatSTOP Block "
iptables -A threatstop -d basic1.threatstop.local -j DROP
iptables -A threatstop -d basic2.threatstop.local -j LOG --log-prefix "ThreatSTOP Block "
iptables -A threatstop -d basic2.threatstop.local -j DROP
iptables -A threatstop -d basic3.threatstop.local -j LOG --log-prefix "ThreatSTOP Block "
iptables -A threatstop -d basic3.threatstop.local -j DROP
iptables -A threatstop -d basic4.threatstop.local -j LOG --log-prefix "ThreatSTOP Block "
iptables -A threatstop -d basic4.threatstop.local -j DROP

# Add the ThreatSTOP chain to the INPUT, OUTPUT and FORWARD chains.
iptables -I INPUT -j threatstop
iptables -I OUTPUT -j threatstop
iptables -I FORWARD -j threatstop
The -I option inserts the jump rule at the beginning of each chain so it is evaluated first. iptables resolves the list hostnames to IP addresses only when a rule is added, so it will not pick up changes in the lists unless you flush and reload the rules. We have a sample script that registered users can download to accomplish this.
We update the lists every 2 hours. Here is an example cron job that you can use:

# Update the ThreatSTOP lists. Every 2 hours, 15 minutes after the hour (00:15, 02:15, 04:15, etc.)
15 */2 * * * /usr/local/sbin/ts-iptables.sh 2>&1
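The flush-and-reload step the cron job depends on, as an added example that is not the ThreatSTOP download script: the chain and list names are those from the rules above, while the function names and the resolver check before flushing are assumptions.

```shell
#!/bin/sh
# Added example (not the ThreatSTOP sample script): rebuild the threatstop
# chain from the current DNS answers. Function names and the resolver check
# are assumptions; list and chain names are those used in the rules above.
set -eu

CHAIN=threatstop
ZONE=threatstop.local
LISTS="basic basic1 basic2 basic3 basic4"

# Print the LOG + DROP pair for every list in one direction:
# "-s" matches inbound sources, "-d" matches outbound destinations.
ts_rules_for() {
  dir="$1"
  for l in $LISTS; do
    printf 'iptables -A %s %s %s.%s -j LOG --log-prefix "ThreatSTOP Block "\n' \
      "$CHAIN" "$dir" "$l" "$ZONE"
    printf 'iptables -A %s %s %s.%s -j DROP\n' "$CHAIN" "$dir" "$l" "$ZONE"
  done
}

# Full rule set, inbound first, then outbound (20 commands for 5 lists).
ts_rules() {
  ts_rules_for -s
  ts_rules_for -d
}

# iptables resolves each hostname once, at insert time. If the zone cannot be
# resolved, refuse to flush: an empty chain would silently stop blocking.
ts_resolves() {
  for l in $LISTS; do
    getent hosts "$l.$ZONE" >/dev/null || return 1
  done
}

ts_reload() {
  ts_resolves || { echo "$ZONE did not resolve; keeping current rules" >&2; return 1; }
  iptables -N "$CHAIN" 2>/dev/null || true   # first run only; exists afterwards
  iptables -F "$CHAIN"                        # drop the stale addresses
  ts_rules | sh -e                            # re-add with fresh DNS answers
  for c in INPUT OUTPUT FORWARD; do           # hook the chain in once, at the top
    iptables -C "$c" -j "$CHAIN" 2>/dev/null || iptables -I "$c" -j "$CHAIN"
  done
}

# Apply only when executed as the cron script; sourcing it just defines the functions.
case "${0##*/}" in ts-iptables.sh) ts_reload ;; esac
```

Run `ts_rules` on its own first to review the exact commands that will be applied; only the cron invocation as ts-iptables.sh touches the firewall.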