On 15/01/2019 01:29, Jobst Schmalenbach wrote:
On Mon, Jan 14, 2019 at 07:29:45AM +0000, Phil Perry (pperry@xxxxxxxxxx) wrote:On 14/01/2019 07:09, Jobst Schmalenbach wrote:HiI use ipdeny's aggregated country lists to do the same thing: http://www.ipdeny.com/ipblocks/data/aggregated/ I just feed this data directly into ipset/iptables via a script running on my firewall (not a C6 box). ipset is a really efficient way of doing this.Do you create a separate table, then feed every IP address (via ipset) into this chain? Would you mind sharing this script? thx Jobst
Below is my script for creating/updating an ipset to block my top 10 undesirable/abusive countries. It runs as a cron job up startup to initially populate it and again every X hours to update it on my EdgeRouter firewall device.
It can be relatively slow process creating very large sets, so we create a temp set and then swap the contents of the live set with the temp set and finally delete the temp set. This is a more efficient way of updating an existing set.
Once the ipset has been created, you can create rules in iptables to match against that set using -m set --match-set SETNAME.
Hope that helps -- Phil CountryList="cn ru ua kp kr br ro tr vn in" if [ -e /tmp/countries.txt ]; then rm /tmp/countries.txt fi for country in $CountryList; docurl -o /tmp/$country.txt http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone
cat /tmp/$country.txt >> /tmp/countries.txt
done
getnetblocks() {
cat <<EOF
# Generated by ipset
-N geotmp nethash --hashsize 1024 --probes 4 --resize 20
EOF
cat /tmp/countries.txt|egrep '^[0-9]'|egrep '/' |sed -e "s/^/-A geotmp /"
}
getnetblocks > /tmp/cnblock.txt
sudo ipset -! -R < /tmp/cnblock.txt
sudo ipset -W geotmp COUNTRIES-BLOCK
sudo ipset -X geotmp
rm /tmp/cnblock.txt
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
