blacklistcountrieswithshorewallandipset [2013/03/09 10:54] 127.0.0.1 external edit |
blacklistcountrieswithshorewallandipset [2020/02/13 22:55] (current) |
Line 7: | Line 7: | ||
I use a dynamic ipset referenced by shorewall as a blacklist because I have no reason for IPs from certain countries to contact my server. | I use a dynamic ipset referenced by shorewall as a blacklist because I have no reason for IPs from certain countries to contact my server. | ||
- | < | + | **/ |
< | < | ||
#!/bin/bash | #!/bin/bash | ||
+ | #Debug | ||
# set -x | # set -x | ||
- | /usr/ | + | exec 1> >(logger -s -t $(basename $0)) 2>& |
- | # Most files on ipdeny.com are now zero length, I grab and parse from the RIR instead | + | |
- | # for IP in $(/ | + | logger " |
- | for IP in $(/ | + | |
+ | / | ||
+ | /sbin/ipset flush geoblock | ||
+ | |||
+ | #for IP in $(/ | ||
+ | |||
+ | for IP in $(/ | ||
do | do | ||
/ | / | ||
done | done | ||
+ | |||
+ | logger "End: $0" | ||
</ | </ | ||
and I symlinked that script into / | and I symlinked that script into / | ||
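Review bot: the newly added `/sbin/ipset flush geoblock` runs before the `for IP in $(/...)` loop repopulates the set, so the blacklist is empty for the whole fetch-and-add window, and it stays empty with no error if the command substitution fails, because the loop then just runs zero times. Consider filling a fresh set and atomically replacing the live one with `ipset swap` (destroying the old set afterwards), and checking the fetch's exit status before touching `geoblock`, so a failed download leaves the previous list in force. With the new `logger` start/end lines already in place, logging the number of entries added would make an empty refresh visible in syslog.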
Line 29: | Line 38: | ||
ln -s / | ln -s / | ||
</ | </ | ||
+ | |||
+ | < | ||
+ | apt install ipset aggregate | ||
+ | chmod u+x / | ||
+ | </ | ||
+ | |||
Finally I told shorewall to use the ipset as its blacklist, and applied the blacklist to the public interface. | Finally I told shorewall to use the ipset as its blacklist, and applied the blacklist to the public interface. | ||
- | < | + | **/ |
< | < | ||
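Review bot: the prerequisite block `apt install ipset aggregate` and the `chmod u+x` are documented after the `ln -s` step that schedules the script, so a reader following the page in order has the script linked into the run directory before it is executable and before ipset is installed. Move this block ahead of the symlink step, or label it as a prerequisite.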
Line 38: | Line 53: | ||
+geoblock | +geoblock | ||
</ | </ | ||
- | < | + | **/ |
< | < | ||
Line 53: | Line 68: | ||
Here I populated an ipset called geoallow which contains only the countries I want to allow to ssh to my server. | Here I populated an ipset called geoallow which contains only the countries I want to allow to ssh to my server. | ||
- | < | + | **/ |
< | < | ||
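Review bot: the `geoallow` set introduced here is referenced by shorewall just like `geoblock`, and the page later states that shorewall will not start unless a referenced ipset exists at boot; the boot-time create snippet shown further down contains only a single line, so make sure `geoallow` gets the same create at startup, or shorewall will fail to start for the same reason.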
Line 67: | Line 82: | ||
It is important to create the ipset (even though its empty) on reboot, or shorewall won't start. | It is important to create the ipset (even though its empty) on reboot, or shorewall won't start. | ||
- | Add the create to < | + | Add the create to **/ |
< | < | ||
/ | / | ||
</ | </ | ||
- | and add the script to < | + | |
+ | and add the script to **/etc/shorewall/started** | ||
< | < | ||
- | / | + | # |
+ | |||
+ | / | ||
</ | </ | ||
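Review bot: hooking the script into `/etc/shorewall/started` means the flush and the re-fetch from the RIR run on every shorewall start and restart; if the network is not yet up at boot, the fetch fails and the set stays flushed. Run the populate step in the background or make the script tolerate a failed fetch so a network outage cannot delay the firewall start or leave `geoblock` empty, and keep the fix for the typo in the context line ("its empty" should be "it's empty") for a separate prose edit.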