Christophe Casalegno

OVH : How to block an ip address on your server if you are behind a Load Balancing IP (LBIP / IPLB)

>Hello World 😉 If you use or manage OVH dedicated servers, you probably know this excellent and cheap service : Load Balancing (LBIP or IPLB in French). This is an IP address carried directly by the OVH network which spreads traffic load across the IPs of your OVH dedicated servers / public cloud / private cloud or VPS. It improves performance during traffic spikes, tolerance in the event of failures and optimizes response times. Today you can connect 16 backends (http, https, tcp or udp) to your OVH LBIP and you can’t use it (for the moment) in a VRACK.

For more information on LBIP (in french) you can watch this video simple and realy usefull to understand how it works.

The problem : when you use this product, like other market load balancer, you can’t see “directly” hosts connected to your server but a private IP address used by the Load Balancer but you can configure this service with the OVH API to proxypass the ip address to your server.

But if you try to blacklist an ip address on your server with : iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP -v , but that can’t work fine because attackers aren’t directly connected to your server.

If you need to block an attack against your website you can also directly match content with iptables to block the attacker like : iptables -I INPUT 1 -p tcp --dport 80 -m string --algo bm --string "X-Forwarded-For: xxx.xxx.xxx.xxx" -j LOG_DROP

You can also create a simple script to use a more friendly syntax, just enter this in to your .sh file :
 
#!/bin/sh
iptables -I INPUT 1 -p tcp --dport 80 -m string --algo bm --string "X-Forwarded-For: $1" -j DROP

 
Now you can use ./yourscript.sh xxx.xxx.xxx.xxx to blacklist an adress or |xargs -l ./yourscript to do this for a list.
 
Warning : there is a limit to this method : you can’t use it in https. For doing this the solution can be to use OVH API to active firewall on IPBL : i’ll test it next time. Other possibility is to assign an IPFO (IP FailOver) on the LBIP for use the classic OVH firewall method over the manager or over API.
 
Need to managed your dedicated linux server / vps / cloud ? Email : sales@digital-netcom.com

Christophe Casalegno
You can follow me on : Twitter | Facebook | Linkedin | Telegram

Leave a Comment