blacklistcountrieswithshorewallandipset

Differences

This shows you the differences between two versions of the page.

blacklistcountrieswithshorewallandipset [2017/10/29 16:02]
ian
blacklistcountrieswithshorewallandipset [2020/02/13 22:55] (current)
Line 8: Line 8:
  
 **/usr/local/sbin/ipset-geoblock-country.sh**: **/usr/local/sbin/ipset-geoblock-country.sh**:
- 
-<code> 
-apt install ipset aggregate 
-</code> 
  
 <code> <code>
Line 18: Line 14:
 #Debug #Debug
 # set -x # set -x
 +
 +exec 1> >(logger -s -t $(basename $0)) 2>&1
  
 logger "Start: $0" logger "Start: $0"
  
-/usr/sbin/ipset -N geoblock nethash -exist +/sbin/ipset create geoblock hash:net -exist 
-# Most files on ipdeny.com are now zero length, I grab and parse from the RIR instead +/sbin/ipset flush geoblock 
-# for IP in $(/usr/bin/wget -O - http://www.ipdeny.com/ipblocks/data/countries/{cn,vn}.zone) + 
-for IP in $(/usr/bin/wget -q -O - ftp://ftp.arin.net/pub/stats/apnic/delegated-apnic-latest | awk -F'|' 'BEGIN{OFS=''} ( $2 == 'CN|| $2 == 'VN) && $3 == 'ipv4{print $4,'/',32-(log($5)/log(2))}' | aggregate)+#for IP in $(/usr/bin/wget -O - http://www.ipdeny.com/ipblocks/data/countries/{ca,us}.zone) 
 + 
 +for IP in $(/usr/bin/wget -q -O - ftp://ftp.arin.net/pub/stats/apnic/delegated-apnic-latest | awk -F'|' 'BEGIN{OFS=""} ( $2 == "CN|| $2 == "VN) && $3 == "ipv4{print $4,"/",32-(log($5)/log(2))}' | aggregate)
  
 do do
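Review bot: the added `for IP` line still has unterminated awk string literals: as shown, `"CN||`, `"VN)` and `"ipv4{` each open a double quote that is never closed, so awk will reject the program; the intended test is presumably `$2 == "CN" || $2 == "VN"` and `$3 == "ipv4"` (the removed line had the same defect with single quotes, which additionally terminated the single-quoted awk program early). Two more points in this hunk. `/sbin/ipset flush geoblock` runs before the fetch inside the loop is known to have succeeded, and wget is called with `-q` and no exit-status check, so a failed or empty download leaves the live blacklist empty until the next cron run; build into a scratch set and `ipset swap` it in, or at least verify the fetch before flushing. Also, `32-(log($5)/log(2))` only yields an integer prefix length when the address count in field 5 is a power of two; RIR delegated files also carry non-power-of-two counts, which give a fractional prefix that is not a valid CIDR block for `aggregate`, so such records need splitting first. Finally, `exec 1> >(logger ...)` is a bash process substitution, so the script must run under bash rather than sh.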
Line 38: Line 38:
 ln -s /usr/local/sbin/ipset-geoblock-country.sh . ln -s /usr/local/sbin/ipset-geoblock-country.sh .
 </code> </code>
 +
 +<code>
 +apt install ipset aggregate
 +chmod u+x /usr/local/sbin/ipset-geoblock-country.sh
 +</code>
 +
 Finally I told shorewall to use the ipset as its blacklist, and applied the blacklist to the public interface. Finally I told shorewall to use the ipset as its blacklist, and applied the blacklist to the public interface.
  
-<strong>/etc/shorewall/blacklist</strong>:+**/etc/shorewall/blacklist**:
  
 <code> <code>
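Review bot: the new `apt install ipset aggregate` / `chmod u+x` block now sits after the `ln -s` that links the script into the cron directory, so a reader following the page top to bottom schedules the script before `ipset` and `aggregate` are installed and before the script is executable; move this block ahead of the cron symlink step (the previous revision had the install block above the script listing), or state that the first cron run fails until it has been done.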
Line 47: Line 53:
 +geoblock +geoblock
 </code> </code>
-<strong>/etc/shorewall/interfaces</strong>:+**/etc/shorewall/interfaces**:
  
 <code> <code>
Line 62: Line 68:
 Here I populated an ipset called geoallow which contains only the countries I want to allow to ssh to my server. Here I populated an ipset called geoallow which contains only the countries I want to allow to ssh to my server.
  
-<strong>/etc/shorewall/rules</strong>:+**/etc/shorewall/rules**:
  
 <code> <code>
blacklistcountrieswithshorewallandipset.1509307366.txt.gz · Last modified: 2020/02/13 22:55 (external edit)
