Mr Zesty's BrainDump

User Tools

Site Tools

Trace:
blacklistcountrieswithshorewallandipset

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
blacklistcountrieswithshorewallandipset [2016/07/02 15:49]
ian [Startup at boot] 		blacklistcountrieswithshorewallandipset [2020/02/13 22:55] (current)
Line 7: Line 7:
 I use a dynamic ipset referenced by shorewall as a blacklist because I have no reason for IPs from certain countries to contact my server. I use a dynamic ipset referenced by shorewall as a blacklist because I have no reason for IPs from certain countries to contact my server.
  
-<strong>/usr/local/sbin/ipset-geoblock-country.sh</strong>:+**/usr/local/sbin/ipset-geoblock-country.sh**:
  
 <code> <code>
 #!/bin/bash #!/bin/bash
  
 +#Debug
 # set -x # set -x
  
-/usr/sbin/ipset -N geoblock nethash -exist +exec 1> >(logger -s -t $(basename $0)) 2>&
-# Most files on ipdeny.com are now zero length, I grab and parse from the RIR instead + 
-# for IP in $(/usr/bin/wget -O - http://www.ipdeny.com/ipblocks/data/countries/{cn,vn}.zone) +logger "Start: $0" 
-for IP in $(/usr/bin/wget -q -O - ftp://ftp.arin.net/pub/stats/apnic/delegated-apnic-latest | awk -F'|' 'BEGIN{OFS=&quot;&quot;} ( $2 == &quot;CN&quot; || $2 == &quot;VN&quot; ) &amp;&amp; $3 == &quot;ipv4&quot; {print $4,&quot;/&quot;,32-(log($5)/log(2))}' | aggregate)+ 
 +/sbin/ipset create geoblock hash:net -exist 
 +/sbin/ipset flush geoblock 
 + 
 +#for IP in $(/usr/bin/wget -O - http://www.ipdeny.com/ipblocks/data/countries/{ca,us}.zone) 
 + 
 +for IP in $(/usr/bin/wget -q -O - ftp://ftp.arin.net/pub/stats/apnic/delegated-apnic-latest | awk -F'|' 'BEGIN{OFS=""} ( $2 == "CN|| $2 == "VN) && $3 == "ipv4{print $4,"/",32-(log($5)/log(2))}' | aggregate)
  
 do do
 /usr/sbin/ipset -A geoblock $IP -exist /usr/sbin/ipset -A geoblock $IP -exist
 done done
 +
 +logger "End: $0"
 </code> </code>
 and I symlinked that script into /etc/cron.weekly to add IPs to this ipset (fast lookup) list and I symlinked that script into /etc/cron.weekly to add IPs to this ipset (fast lookup) list
Line 29: Line 38:
 ln -s /usr/local/sbin/ipset-geoblock-country.sh . ln -s /usr/local/sbin/ipset-geoblock-country.sh .
 </code> </code>
 +
 +<code>
 +apt install ipset aggregate
 +chmod u+x /usr/local/sbin/ipset-geoblock-country.sh
 +</code>
 +
 Finally I told shorewall to use the ipset as its blacklist, and applied the blacklist to the public interface. Finally I told shorewall to use the ipset as its blacklist, and applied the blacklist to the public interface.
  
-<strong>/etc/shorewall/blacklist</strong>:+**/etc/shorewall/blacklist**:
  
 <code> <code>
Line 38: Line 53:
 +geoblock +geoblock
 </code> </code>
-<strong>/etc/shorewall/interfaces</strong>:+**/etc/shorewall/interfaces**:
  
 <code> <code>
Line 53: Line 68:
 Here I populated an ipset called geoallow which contains only the countries I want to allow to ssh to my server. Here I populated an ipset called geoallow which contains only the countries I want to allow to ssh to my server.
  
-<strong>/etc/shorewall/rules</strong>:+**/etc/shorewall/rules**:
  
 <code> <code>
blacklistcountrieswithshorewallandipset.1467488959.txt.gz · Last modified: 2020/02/13 22:55 (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
CC Attribution-Noncommercial-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki
free spam filter