[nos-bbs] Blocking intruders (ipset exercise) latest JNOS dev

Maiko Langelaar (Personal) maiko at pcsinternet.ca
Wed May 3 13:22:07 EDT 2023

On my test system, I have recently switched to 'ipset' to manage
my 'database of intruders, unwanted probes, dos attacks, etc'.

1) Setup ip6tables - just the forwarding portion between linux and jnos :

      sysctl -w net.ipv6.conf.all.forwarding=1

      ip6tables --flush

     # allow the only remote system I currently test with
     ip6tables -A FORWARD -s 2001:x:x::y::/64 -j ACCEPT

     # block systems contained in my 'ipset' database
     ip6tables -A FORWARD -m set --match-set myipv6set src -j DROP

     # allow forwarding between JNOS and the Linux host
     ip6tables -A FORWARD -i eth0 -o tun8 -j ACCEPT
     ip6tables -A FORWARD -i tun8 -o eth0 -j ACCEPT

    Note : eth0 is to the internet, tun8 is the tap0 for my IPV6 jnos

2) Create the ipset as follows :

      ipset create myipv6set hash:net family inet6

3) Enable the nolistener feature on JNOS 2.0odev :

      ip nolisten 1

4) Keep an eye on the logs, and from time to time you might see :

      17:49:20 network: 2x2x:96:xxxx:b0cc:e:2:2:9:49838 - no TCP (443) 
      17:49:21 network: 2x2x:96:xxxx:b0cc:e:2:2:9:49838 - no TCP (443) 

It's like a video game :]

5) Do a whois on the ip address to try and get a block size :

       whois 2x2x:96:xxxx:b0cc:e:2:2:9

    This particular one gave me the following, perfect :

       CIDR: 2x2x:96:xxxx::/48

6) Then simply use the command below to add to the 'ipset' database,
     and you will no longer see them attempting to access your JNOS :

    bash-5.1# ipset add myipv6set 2x2x:96:xxxx::/48

Note : I have masked the true IP address .. just cause ...

This works for IPV4 as well, similar commands. It's instant !

Hope this is helpful (not everyone will want to do it this way of 
course) ...

Maiko / VE4KLM

More information about the nos-bbs mailing list