This shows you the differences between two versions of the page.
blacklistcountrieswithshorewallandipset [2016/07/02 15:49] ian [Startup at boot]
blacklistcountrieswithshorewallandipset [2020/02/13 22:55] (current)
Line 7: | Line 7: | ||
I use a dynamic ipset referenced by shorewall as a blacklist because I have no reason for IPs from certain countries to contact my server. | I use a dynamic ipset referenced by shorewall as a blacklist because I have no reason for IPs from certain countries to contact my server. | ||
- | < | + | **/ |
< | < | ||
#!/bin/bash | #!/bin/bash | ||
+ | #Debug | ||
# set -x | # set -x | ||
- | /usr/ | + | exec 1> >(logger -s -t $(basename $0)) 2>& |
- | # Most files on ipdeny.com are now zero length, I grab and parse from the RIR instead | + | |
- | # for IP in $(/ | + | logger " |
- | for IP in $(/ | + | |
+ | / | ||
+ | /sbin/ipset flush geoblock | ||
+ | |||
+ | #for IP in $(/ | ||
+ | |||
+ | for IP in $(/ | ||
do | do | ||
/ | / | ||
done | done | ||
+ | |||
+ | logger "End: $0" | ||
</ | </ | ||
and I symlinked that script into / | and I symlinked that script into / | ||
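Review bot: the new script runs `/sbin/ipset flush geoblock` and then refills the set one entry at a time in the `for IP in ...; do ... done` loop, so from the flush until the loop finishes the blacklist set is empty and shorewall's blacklist rule matches nothing, letting the blocked countries through during every refresh. Build the new list into a scratch set of the same type as geoblock and swap it in atomically (`ipset create geoblock_new <same type>`, add entries to geoblock_new, then `ipset swap geoblock_new geoblock` and `ipset destroy geoblock_new`) so the live set is never empty. Separately, this revision drops the old comment that explained the change of data source ("Most files on ipdeny.com are now zero length, I grab and parse from the RIR instead") while keeping the commented-out ipdeny loop (`#for IP in $(/...`); either restore that one-line explanation next to the dead loop or delete the loop. Since the new `exec 1> >(logger -s -t $(basename $0)) 2>&...` line sends all script output to syslog, a note under `#Debug` that enabling `set -x` will also trace into syslog would save the next reader a surprise.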
Line 29: | Line 38: | ||
ln -s / | ln -s / | ||
</ | </ | ||
+ | |||
+ | < | ||
+ | apt install ipset aggregate | ||
+ | chmod u+x / | ||
+ | </ | ||
+ | |||
Finally I told shorewall to use the ipset as its blacklist, and applied the blacklist to the public interface. | Finally I told shorewall to use the ipset as its blacklist, and applied the blacklist to the public interface. | ||
- | < | + | **/ |
< | < | ||
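Review bot: the added `apt install ipset aggregate` and `chmod u+x /...` block comes after the `ln -s /...` symlink step, but both are prerequisites: ipset has to be installed before the script can run at all, and run-parts, which Debian cron uses for the /etc/cron.* directories, only executes files that are executable, so the install and chmod belong before the symlink in the procedure. It is also worth stating next to the `ln -s` line that run-parts skips entries whose name contains a dot (for example `script.sh`), so the symlink name must contain only letters, digits, hyphen and underscore or the job silently never runs.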
Line 38: | Line 53: | ||
+geoblock | +geoblock | ||
</ | </ | ||
- | < | + | **/ |
< | < | ||
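Review bot: the `+geoblock` blacklist entry references the ipset by name, so the set must already exist when shorewall loads its rules; if shorewall starts at boot before the cron script has created the set, the rule load fails at start. Either rely on shorewall.conf's SAVE_IPSETS option so the set contents are saved on stop and restored on start, or create the (possibly empty) set from a boot-time unit ordered before shorewall. The earlier revision had a "Startup at boot" section according to the revision header above; that is where this dependency should be spelled out.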
Line 53: | Line 68: | ||
Here I populated an ipset called geoallow which contains only the countries I want to allow to ssh to my server. | Here I populated an ipset called geoallow which contains only the countries I want to allow to ssh to my server. | ||
- | < | + | **/ |
< | < |
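Review bot: geoallow is an allow list for ssh, and the only refresh script visible on the page flushes and refills geoblock, not geoallow. RIR allocations move between countries over time, so a stale allow list can drop the address you administer from and lock you out of ssh; refresh geoallow on the same schedule (and with the same swap-in-a-scratch-set approach, since an empty allow list blocks all ssh during the refresh), and keep an explicit rule or small static set for a known management address outside the country match so the allow list can never lock the administrator out.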