blacklistcountrieswithshorewallandipset [2016/07/02 15:54] ian
blacklistcountrieswithshorewallandipset [2020/02/13 22:55] (current)
Line 7: | Line 7: | ||
I use a dynamic ipset referenced by shorewall as a blacklist because I have no reason for IPs from certain countries to contact my server. | I use a dynamic ipset referenced by shorewall as a blacklist because I have no reason for IPs from certain countries to contact my server. | ||
- | < | + | **/ |
< | < | ||
Line 14: | Line 14: | ||
#Debug | #Debug | ||
# set -x | # set -x | ||
+ | |||
+ | exec 1> >(logger -s -t $(basename $0)) 2>&1 | ||
logger " | logger " | ||
- | /usr/ | + | / |
- | # Most files on ipdeny.com are now zero length, I grab and parse from the RIR instead | + | /sbin/ipset flush geoblock |
- | # for IP in $(/ | + | |
- | for IP in $(/ | + | #for IP in $(/ |
+ | |||
+ | for IP in $(/ | ||
do | do | ||
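Review bot: `/sbin/ipset flush geoblock` empties the live blacklist before the `for IP in ...` loop has fetched anything, so every run opens a window in which nothing is blocked, and an empty download (the removed comment says the ipdeny.com files were coming back zero length, which is why the script moved to the RIR data) leaves the set empty until the next cron run. Populate a scratch set first and `ipset swap` it over `geoblock` only after the fetch has succeeded and produced entries. Two smaller points: `exec 1> >(logger -s -t $(basename $0)) 2>&1` is bash process substitution, so the script needs a bash shebang rather than /bin/sh, and `$(basename $0)` should be quoted as `"$(basename "$0")"`.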
Line 34: | Line 38: | ||
ln -s / | ln -s / | ||
</ | </ | ||
+ | |||
+ | < | ||
+ | apt install ipset aggregate | ||
+ | chmod u+x / | ||
+ | </ | ||
+ | |||
Finally I told shorewall to use the ipset as its blacklist, and applied the blacklist to the public interface. | Finally I told shorewall to use the ipset as its blacklist, and applied the blacklist to the public interface. | ||
- | < | + | **/ |
< | < | ||
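Review bot: the new prerequisites block (`apt install ipset aggregate`, `chmod u+x ...`) sits after the script and after the `ln -s` that wires it into cron, so a reader following the page top to bottom runs the script before installing the tools it depends on; move the block above the script and say in a sentence that these are the packages the script needs.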
Line 43: | Line 53: | ||
+geoblock | +geoblock | ||
</ | </ | ||
- | < | + | **/ |
< | < | ||
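Review bot: `+geoblock` makes the generated iptables rule match on the set by name, and iptables refuses to load a `--match-set` rule for a set that does not exist, so after a reboot Shorewall fails to start until the cron script has created the set. Either have the script run `ipset create geoblock hash:net -exist` before the flush/populate step and start it from the boot sequence ahead of Shorewall, or set SAVE_IPSETS=Yes in shorewall.conf so Shorewall saves the set at stop and restores it at start.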
Line 58: | Line 68: | ||
Here I populated an ipset called geoallow which contains only the countries I want to allow to ssh to my server. | Here I populated an ipset called geoallow which contains only the countries I want to allow to ssh to my server. | ||
- | < | + | **/ |
< | < |