Differences

This shows you the differences between two versions of the page.

--- blacklistcountrieswithshorewallandipset [2013/03/09 10:54]
127.0.0.1 external edit
+++ blacklistcountrieswithshorewallandipset [2020/02/13 22:55] (current)
@@ Line 7: / Line 7: @@
 I use a dynamic ipset referenced by shorewall as a blacklist because I have no reason for IPs from certain countries to contact my server.
-<strong>/usr/local/sbin/ipset-geoblock-country.sh</strong>:
+**/usr/local/sbin/ipset-geoblock-country.sh**:
 <code>
 #!/bin/bash
+#Debug
 # set -x
-/usr/sbin/ipset -N geoblock nethash -exist
+exec 1> >(logger -s -t $(basename $0)) 2>&1
-# Most files on ipdeny.com are now zero length, I grab and parse from the RIR instead
-# for IP in $(/usr/bin/wget -O - http://www.ipdeny.com/ipblocks/data/countries/{cn,vn}.zone)
+logger "Start: $0"
-for IP in $(/usr/bin/wget -q -O - ftp://ftp.arin.net/pub/stats/apnic/delegated-apnic-latest | awk -F'|' 'BEGIN{OFS=&quot;&quot;} ( $2 == &quot;CN&quot; || $2 == &quot;VN&quot; ) &amp;&amp; $3 == &quot;ipv4&quot; {print $4,&quot;/&quot;,32-(log($5)/log(2))}' | aggregate)
+/sbin/ipset create geoblock hash:net -exist
+/sbin/ipset flush geoblock
+#for IP in $(/usr/bin/wget -O - http://www.ipdeny.com/ipblocks/data/countries/{ca,us}.zone)
+for IP in $(/usr/bin/wget -q -O - ftp://ftp.arin.net/pub/stats/apnic/delegated-apnic-latest | awk -F'|' 'BEGIN{OFS=""} ( $2 == "CN" || $2 == "VN" ) && $3 == "ipv4" {print $4,"/",32-(log($5)/log(2))}' | aggregate)
 do
 /usr/sbin/ipset -A geoblock $IP -exist
 done
+logger "End: $0"
 </code>
 and I symlinked that script into /etc/cron.weekly to add IPs to this ipset (fast lookup) list
@@ Line 29: / Line 38: @@
 ln -s /usr/local/sbin/ipset-geoblock-country.sh .
 </code>
+<code>
+apt install ipset aggregate
+chmod u+x /usr/local/sbin/ipset-geoblock-country.sh
+</code>
 Finally I told shorewall to use the ipset as its blacklist, and applied the blacklist to the public interface.
-<strong>/etc/shorewall/blacklist</strong>:
+**/etc/shorewall/blacklist**:
 <code>
@@ Line 38: / Line 53: @@
 +geoblock
 </code>
-<strong>/etc/shorewall/interfaces</strong>:
+**/etc/shorewall/interfaces**:
 <code>
@@ Line 53: / Line 68: @@
 Here I populated an ipset called geoallow which contains only the countries I want to allow to ssh to my server.
-<strong>/etc/shorewall/rules</strong>:
+**/etc/shorewall/rules**:
 <code>
@@ Line 67: / Line 82: @@
 It is important to create the ipset (even though its empty) on reboot, or shorewall won't start.
-Add the create to <strong>/etc/defaults/shorewall</strong> or anything that starts before shorewall:
+Add the create to **/etc/defaults/shorewall** or anything that starts before shorewall:
 <code>
 /usr/sbin/ipset -N geoblock nethash
 </code>
-and add the script to <strong>/etc/rc.local</strong> or anything that runs after the network is up:
+and add the script to **/etc/shorewall/started** or anything that runs after the network is up:
 <code>
-/usr/local/sbin/ipset-geoblock-country.sh
+#!/bin/bash
+/usr/local/sbin/ipset-geoblock-country.sh &
 </code>

Mr Zesty's BrainDump

User Tools

Site Tools

Differences

Page Tools