Jobst Schmalenbach
2019-Jan-15 01:29 UTC
[CentOS] CentOS 6.X, iptables 1.47 and GeoLite2 Country Database
On Mon, Jan 14, 2019 at 07:29:45AM +0000, Phil Perry (pperry at elrepo.org) wrote:
> On 14/01/2019 07:09, Jobst Schmalenbach wrote:
> > Hi
>
> I use ipdeny's aggregated country lists to do the same thing:
>
> http://www.ipdeny.com/ipblocks/data/aggregated/
>
> I just feed this data directly into ipset/iptables via a script running on
> my firewall (not a C6 box). ipset is a really efficient way of doing this.

Do you create a separate table, then feed every IP address (via ipset) into this chain?
Would you mind sharing this script?

thx
Jobst

--
Computers are like air conditioners, they stop working properly if you open Windows!
| |0| | Jobst Schmalenbach, General Manager
| | |0| Barrett & Sales Essentials
|0|0|0| +61 3 9533 0000, POBox 277, Caulfield South, 3162, Australia
Phil Perry
2019-Jan-15 07:43 UTC
[CentOS] CentOS 6.X, iptables 1.47 and GeoLite2 Country Database
On 15/01/2019 01:29, Jobst Schmalenbach wrote:
> On Mon, Jan 14, 2019 at 07:29:45AM +0000, Phil Perry (pperry at elrepo.org) wrote:
>> On 14/01/2019 07:09, Jobst Schmalenbach wrote:
>>> Hi
>> I use ipdeny's aggregated country lists to do the same thing:
>>
>> http://www.ipdeny.com/ipblocks/data/aggregated/
>>
>> I just feed this data directly into ipset/iptables via a script running on
>> my firewall (not a C6 box). ipset is a really efficient way of doing this.
>
> Do you create a separate table, then feed every IP address (via ipset) into this chain?
> Would you mind sharing this script?
>
> thx
> Jobst

Below is my script for creating/updating an ipset to block my top 10 undesirable/abusive countries. It runs as a cron job on startup to initially populate it and again every X hours to update it on my EdgeRouter firewall device.

It can be a relatively slow process creating very large sets, so we create a temp set and then swap the contents of the live set with the temp set and finally delete the temp set. This is a more efficient way of updating an existing set.

Once the ipset has been created, you can create rules in iptables to match against that set using -m set --match-set SETNAME.

Hope that helps

--
Phil

#!/bin/sh
# Countries to block (two-letter codes as used in ipdeny's zone file names)
CountryList="cn ru ua kp kr br ro tr vn in"

# Start from an empty combined list
if [ -e /tmp/countries.txt ]; then
  rm /tmp/countries.txt
fi

# Fetch each country's aggregated zone file and append it to the combined list
for country in $CountryList; do
  curl -o /tmp/$country.txt http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone
  cat /tmp/$country.txt >> /tmp/countries.txt
done

# Emit an "ipset -R" (restore) file: create the temporary nethash set, then
# one -A line per network prefix (lines starting with a digit and containing a /)
getnetblocks() {
cat <<EOF
# Generated by ipset
-N geotmp nethash --hashsize 1024 --probes 4 --resize 20
EOF
cat /tmp/countries.txt|egrep '^[0-9]'|egrep '/' |sed -e "s/^/-A geotmp /"
}

getnetblocks > /tmp/cnblock.txt

# Load the temp set (-! tells ipset to ignore errors, e.g. an already existing
# set), swap it with the live set COUNTRIES-BLOCK, then destroy the old temp set
sudo ipset -! -R < /tmp/cnblock.txt
sudo ipset -W geotmp COUNTRIES-BLOCK
sudo ipset -X geotmp

rm /tmp/cnblock.txt
Jobst Schmalenbach
2019-Jan-16 02:04 UTC
[CentOS] CentOS 6.X, iptables 1.47 and GeoLite2 Country Database
On Tue, Jan 15, 2019 at 07:43:02AM +0000, Phil Perry (pperry at elrepo.org) wrote:
> On 15/01/2019 01:29, Jobst Schmalenbach wrote:
> > On Mon, Jan 14, 2019 at 07:29:45AM +0000, Phil Perry (pperry at elrepo.org) wrote:
> > > On 14/01/2019 07:09, Jobst Schmalenbach wrote:
> Below is my script for creating/updating an ipset to block my top 10
> Hope that helps

Thanks, it did, cleared up conflicting info I found on the Internet.

I also wanted to go the "other way": disallow everything but 2 countries (AU,NZ). There are even more conflicting ideas about how to do this, but I figured it out.

Also I cannot see a difference in speed between using (maxmind)

  -A filter_countries -m geoip --src-cc AU,NZ -j ACCEPT

and (ipdeny)

  -A filter_countries -m set --set au.geoblock src -j ACCEPT

which is really good!

Jobst

--
The future isn't what it used to be (it never was).
| |0| | Jobst Schmalenbach, General Manager
| | |0| Barrett & Sales Essentials
|0|0|0| +61 3 9533 0000, POBox 277, Caulfield South, 3162, Australia
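The temp-set-then-swap refresh from Phil's script, rewritten in the current ipset command syntax, plus the allow-only-AU/NZ chain Jobst describes. This is an added example, not code from either poster or from ipdeny; the sample zone data, the set names (geo-live, geo-tmp, au, nz) and the chain name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): build an "ipset restore" file in the
# current ipset syntax from ipdeny-style zone data, refresh a live set via a
# temp set + swap, and emit the allow-list chain (accept AU/NZ, drop the rest).
set -eu

# Constructed sample standing in for an ipdeny aggregated zone file: one CIDR
# per line. The comment, the junk line and the bare IP must all be dropped.
SAMPLE_ZONE='# constructed sample, not real ipdeny data
1.0.0.0/24
203.0.113.0/24
not-a-prefix
192.0.2.1
'

# Read zone lines on stdin; print restore commands that fill $2 (temp set) and
# swap it into $1 (live set). Lookups never see an empty set during a refresh.
# Load with:  ... | ipset restore -exist   (-exist tolerates an existing set)
build_restore() {
    live=$1; tmp=$2
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$live"
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    # keep only a.b.c.d/len with len 0..32; comments and bare IPs are rejected
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/([0-9]|[12][0-9]|3[0-2])$' \
        | sed "s/^/add $tmp /"
    printf 'swap %s %s\n' "$tmp" "$live"
    printf 'destroy %s\n' "$tmp"
}

# Number of "add" lines build_restore produces for the given zone text.
count_adds() {
    printf '%s' "$1" | build_restore geo-live geo-tmp | grep -c '^add '
}

# iptables-restore style rules for the "other way" from the thread: accept only
# sources in the named per-country sets (e.g. au, nz), drop everything else.
allowlist_rules() {
    printf '%s\n' '-N filter_countries'
    for name in "$@"; do
        printf '%s\n' "-A filter_countries -m set --match-set $name src -j ACCEPT"
    done
    printf '%s\n' '-A filter_countries -j DROP'
}

# Demo on the constructed data (nothing is applied to the kernel here).
printf '%s' "$SAMPLE_ZONE" | build_restore geo-live geo-tmp
allowlist_rules au nz
```

On a real host, feed the per-country zone files through build_restore into `ipset restore -exist`, and attach filter_countries to INPUT with a jump rule; the swap keeps the live set populated while the new data loads.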