Re: Switching from lokkit (iptables) to firewalld




On Tue, Feb 4, 2020 at 5:34 AM Jerry Geis <jerry.geis@xxxxxxxxx> wrote:

> Hi All,
>
> Over the last 20-some years I have a file with about 200K worth of addresses
> that have "wrongly" tried to connect to my boxes running CentOS.  So the
> file has one line per address or group of addresses like:
> 2.244.112.0/24
>
> So using the OLD iptables I would run through my file, build the
> iptables.txt file and start that with DROP for the IP address. iptables ran
> through the big list in no time.
>
> I was trying to run a script to go through each line and run:
>  firewall-cmd --zone=drop --add-source="$ipblock" --permanent
> but this takes a long time.
>
> What is a "better" way or more efficient way to keep my long list of bad
> addresses and apply them?  Thanks,
>
> Jerry
>

Hi,

If you are using CentOS 7, you can use ipset.

You can add all your IPs and IP ranges to an ipset and do operations on it.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_firewalld

The same should have worked for CentOS 8 except for this,

https://bugzilla.redhat.com/show_bug.cgi?id=1774742

---
Lee
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
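The ipset approach Lee points at, spelled out as an added example (this script is not from the thread or from the firewalld project). It turns the one-call-per-line loop into a single bulk load: the blocklist is cleaned and validated locally, then loaded into one hash:net ipset that the drop zone references. The firewall-cmd options used (--new-ipset, --type, --option, --ipset/--add-entries-from-file, --add-source=ipset:NAME) are firewalld's own; the set name "badhosts", the file path and the maxelem value are assumptions you can change. maxelem is raised because ipset's default of 65536 is below a 200K-entry list, and --new-ipset will refuse to run if a set of that name already exists.

```shell
#!/bin/sh
# Added example: bulk-load an IP blocklist into firewalld via one ipset
# instead of running --add-source once per line. Set name, file path and
# maxelem below are assumed values, not anything from the original post.
set -eu

# valid_net ENTRY
# Succeeds when ENTRY is a dotted-quad IPv4 address or IPv4/prefix with
# octets 0-255 and a prefix of 0-32. Anything else is rejected so a stray
# line in a 20-year-old file cannot abort the whole import.
valid_net() {
    addr=${1%/*}
    prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    old_ifs=$IFS
    IFS=.
    for octet in $addr; do
        case $octet in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# normalize_blocklist FILE
# Strips comments, blank lines and surrounding whitespace, writes bare
# addresses as /32 so the hash:net set holds one consistent entry form,
# reports malformed lines on stderr, and de-duplicates the result.
normalize_blocklist() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if valid_net "$line"; then
            case $line in
                */*) printf '%s\n' "$line" ;;
                *)   printf '%s/32\n' "$line" ;;
            esac
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done | LC_ALL=C sort -u
}

# apply_blocklist FILE [SETNAME]
# Creates the ipset once, loads every entry in a single firewall-cmd call,
# binds the set to the drop zone and reloads. Requires root and firewalld.
apply_blocklist() {
    file=$1
    set_name=${2:-badhosts}            # assumed set name
    tmp=$(mktemp)
    normalize_blocklist "$file" > "$tmp"
    # maxelem default is 65536; 1048576 leaves room for a 200K-entry list.
    firewall-cmd --permanent --new-ipset="$set_name" --type=hash:net \
        --option=maxelem=1048576
    firewall-cmd --permanent --ipset="$set_name" --add-entries-from-file="$tmp"
    firewall-cmd --permanent --zone=drop --add-source="ipset:$set_name"
    firewall-cmd --reload
    rm -f "$tmp"
}

# Usage: sh blocklist.sh apply /path/to/blocklist.txt [setname]
# Without the "apply" argument nothing on the host is touched, so the
# normalisation step can be tested on its own.
if [ "${1:-}" = apply ]; then
    apply_blocklist "${2:?blocklist file required}" "${3:-badhosts}"
fi
```

Run it as root with `sh blocklist.sh apply /path/to/blocklist.txt`. Afterwards `firewall-cmd --permanent --info-ipset=badhosts` shows the entry count, and later additions are one call each (`--ipset=badhosts --add-entry=...`) or another `--add-entries-from-file` run, without rebuilding the zone.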


