Thanks.

Indeed - but is it possible to block IP addresses on a per mountpoint level? For example, my user with /mountpointA.ogg does not mind being hammered by connections from 93.184.216.34 [example.com] but my user with /mountpointB.ogg wants to block that IP address.

Using iptables I've blocked connections, at a server level, from example.com for my User B but my User A doesn't mind their connection being probed once per minute 24/7/365 by a badly-configured player from that IP address.

Thank you

Chip Scooter

On Thu, 26 Mar 2020 at 11:30, Marius Flage <marius at flage.org> wrote:

> I believe the easiest is just to do this using iptables ('iptables -A INPUT -s 93.184.216.34 -j DROP'). There's also a geoip module available for iptables.
>
> --
> Marius
>
> On 26.03.2020 12:16, Chip wrote:
>
> > Hi
> >
> > Several questions below:
> >
> > a) is it possible to block IP addresses on a per mountpoint level e.g. my user with /mountpointA.ogg does not mind being hammered by connections from 93.184.216.34 [example.com] but my user with /mountpointB.ogg wants to block that IP address.
> >
> > b) is it possible to geoblock ranges of IP addresses and whole countries on a per mountpoint basis?
> >
> > c) what options do people use for geoblocking? I'm on a VPS so ipset is currently not an option.
> >
> > Many thanks in advance
> >
> > Chip Scooter
Marius Flage
2020-Mar-26 13:00 UTC
[Icecast] Blocking IP addresses on a per mountpoint level
Ah,

I must have overlooked that requirement in my first reply. I don't think you can do it natively in Icecast, and doing this in the kernel will be too low level and too wide a block, so I guess a web application firewall or a reverse proxy is the way to go. Maybe setting up HAproxy or similar could solve this?

--
Marius

On 26.03.2020 13:49, Chip wrote:

> Thanks.
>
> Indeed - but is it possible to block IP addresses on a per mountpoint level? For example, my user with /mountpointA.ogg does not mind being hammered by connections from 93.184.216.34 [example.com] but my user with /mountpointB.ogg wants to block that IP address.
>
> Using iptables I've blocked connections, at a server level, from example.com for my User B but my User A doesn't mind their connection being probed once per minute 24/7/365 by a badly-configured player from that IP address.
>
> Thank you
>
> Chip Scooter
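The reverse-proxy approach suggested in the reply above, sketched as an HAProxy configuration. This is an added example, not part of the original thread; the ports, the backend address 127.0.0.1:8001 and the blocklist file path are assumptions.

```haproxy
# Added example: listener-facing proxy in front of Icecast.
# Assumptions: Icecast is bound to 127.0.0.1:8001, listeners connect to
# the proxy on port 8000, and source clients (encoders) connect to
# Icecast directly rather than through this frontend.
defaults
    mode http
    timeout connect 5s
    timeout client  1h      # inactivity timeouts, generous for streaming
    timeout server  1h

frontend icecast_listeners
    bind :8000
    # Icecast otherwise sees every listener as coming from the proxy;
    # this passes the real client address on in X-Forwarded-For.
    option forwardfor

    # Which mountpoint is being requested (exact path match).
    acl mount_b path /mountpointB.ogg

    # Who is asking: the single address from the thread, plus ranges
    # loaded from a file with one address or CIDR block per line
    # (hypothetical path; the file must exist when HAProxy starts).
    acl blocked_b src 93.184.216.34
    acl blocked_b src -f /etc/haproxy/mountpointB.blocklist

    # Deny only when both conditions hold, so the same client can
    # still reach /mountpointA.ogg.
    http-request deny deny_status 403 if mount_b blocked_b

    default_backend icecast

backend icecast
    server icecast1 127.0.0.1:8001
```

Country-level blocking for one mountpoint follows the same pattern: put that country's published CIDR ranges in the file referenced by the second `blocked_b` line.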
Jeroen van Oosten
2020-Mar-26 13:07 UTC
[Icecast] Blocking IP addresses on a per mountpoint level
On 26/03/2020 13:49, Chip wrote:

> Thanks.
>
> Indeed - but is it possible to block IP addresses on a per mountpoint level? For example, my user with /mountpointA.ogg does not mind being hammered by connections from 93.184.216.34 [example.com] but my user with /mountpointB.ogg wants to block that IP address.

If the mountpoints are at different ports you can specify that in iptables as well:

    # --dport is only accepted together with a protocol match, hence -p tcp
    iptables -A INPUT -p tcp -s 93.185.216.34 --dport xxx -j DROP

That will only block connections from that IP address to the given destination port.

Regards,

- Jeroen

--
Bankai Software bv
Jeroen van Oosten
Telefoon: 088-2344999
E-mail: jvoosten at bankai.nl
KvK inschrijving: 67066267
PGP key: B2308F8E

"If you think it's expensive to hire a professional to do the job, wait until you hire an amateur." --Red Adair
Thanks.

Maybe something like this might do it:

- https://mediarealm.com.au/articles/icecast-stream-geoblocking/

I should have searched more before asking the question(s) :o)

Cheers

Chip Scooter

On Thu, 26 Mar 2020 at 13:00, Marius Flage <marius at flage.org> wrote:

> Ah,
>
> I must have overlooked that requirement in my first reply. I don't think you can do it natively in Icecast, and doing this in the kernel will be too low level and too wide a block, so I guess a web application firewall or a reverse proxy is the way to go. Maybe setting up HAproxy or similar could solve this?
>
> --
> Marius
Thanks - very cool. They might indeed be on different ports. I'll need to investigate.

Cheers

Chip Scooter

On Thu, 26 Mar 2020 at 13:16, Jeroen van Oosten <jvoosten at bankai.nl> wrote:

> If the mountpoints are at different ports you can specify that in iptables as well:
>
>     iptables -A INPUT -p tcp -s 93.185.216.34 --dport xxx -j DROP
>
> That will only block connections from that IP address to the given destination port.
>
> Regards,
>
> - Jeroen