Blokování IP adresy v iptables

Blokování IP adresy v iptables

Instalace a vytvoření složky

# Install the ipset userspace tool and create the working directory that holds
# the downloaded lists and the update script.
apt-get install -y ipset
mkdir -p -- /etc/ipblock

Skript zajišťující aktualizaci seznamu IP adres

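#!/bin/bash
# Synchronise the firewall ipsets with the FireHOL blocklist checkout in
# /etc/ipblock/firehol: addresses missing from an ipset are added, addresses
# that disappeared from the list file are removed, then the iptables rules are
# reloaded.  Intended to run daily from cron as root.
#
# The list content comes from a third-party repository and goes straight into
# sets that iptables DROPs, so the "alwaysallow" set (matched before the block
# sets in /etc/iptables.rules) is the safeguard against being locked out by a
# bad or poisoned list entry.
set -uo pipefail

readonly firehol_dir=/etc/ipblock/firehol
readonly rules_file=/etc/iptables.rules
# One ipset per list file "$firehol_dir/<name>.ipset".
readonly -a lists=("blocklist_de" "turris_greylist" "tor_exits")

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print the members of an ipset, one per line, without the "ipset list" header.
# Arguments: $1 - set name
# Outputs:   member entries on stdout (nothing if the set does not exist)
#######################################
set_members() {
  # Everything up to and including the "Members:" line is the header; keying on
  # that line instead of a fixed line count survives header-size differences
  # between ipset versions.
  ipset list "$1" | awk '/^Members:/ { found = 1; next } found'
}

#######################################
# Print the entries of a FireHOL list file, skipping blank and comment lines.
# Arguments: $1 - path to the .ipset file
#######################################
list_entries() {
  grep -Ev '^[[:space:]]*(#|$)' -- "$1"
}

#######################################
# Bring one ipset in line with its list file: add what is new, delete what
# disappeared.  Per-entry add/del failures are reported by ipset itself but do
# not abort the run.
# Arguments: $1 - set name, $2 - path to the list file
# Returns:   0, or exits via die when the list file is unreadable
#######################################
sync_set() {
  local setname=$1 setsrc=$2
  local wanted current ip

  ipset -! create "$setname" hash:ip
  [[ -r "$setsrc" ]] || die "cannot read $setsrc"

  # Both sides are sorted under the same collation so comm(1) compares them
  # correctly.  The current membership is read once: the removal pass only
  # needs entries that are NOT in the list file, and everything added in the
  # first pass is in the list file by construction.
  wanted=$(list_entries "$setsrc" | LC_ALL=C sort -u)
  current=$(set_members "$setname" | LC_ALL=C sort -u)

  echo "Adding IPs to list $setname from $setsrc"
  while IFS= read -r ip; do
    [[ -n "$ip" ]] || continue
    ipset -q -A "$setname" "$ip"
    echo "Added IP $ip"
  done < <(LC_ALL=C comm -13 <(printf '%s\n' "$current") <(printf '%s\n' "$wanted"))

  echo "Removing old IPs from ipset"
  while IFS= read -r ip; do
    [[ -n "$ip" ]] || continue
    ipset del "$setname" "$ip"
    echo "Removed IP $ip"
  done < <(LC_ALL=C comm -23 <(printf '%s\n' "$current") <(printf '%s\n' "$wanted"))
}

main() {
  local setname

  echo "Updating firehol IP lists.."
  cd "$firehol_dir" || die "cannot cd to $firehol_dir"
  # A failed pull is not fatal: the previously fetched lists are applied again.
  git pull origin master \
    || printf 'warning: git pull failed, using the existing checkout\n' >&2

  ipset -! create alwaysallow hash:ip
  # blockedips is filled by hand (ipset -A blockedips ...); it is created here
  # so the iptables rule that references it can be loaded.
  ipset -! create blockedips hash:net

  echo "Adding allowed IPs.."
  # Replace the placeholders with the management addresses that must never be
  # blocked; the ACCEPT rule for this set precedes every block rule.
  ipset -q -A alwaysallow XXX.XXX.XXX.XXX
  ipset -q -A alwaysallow YYY.YYY.YYY.YYY

  for setname in "${lists[@]}"; do
    sync_set "$setname" "$firehol_dir/$setname.ipset"
  done

  echo "Restoring iptables.."
  /sbin/iptables-restore < "$rules_file" || die "iptables-restore failed"
  echo "All done"
}

main "$@"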

Starý skript zajišťující aktualizaci seznamu IP adres

vi /etc/ipblock/script.sh

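#!/bin/bash
# Older version of the update script: downloads per-country address lists
# from ipdeny.com and loads them into one ipset per country, then reloads the
# iptables rules.  Entries are only ever added; nothing is removed, and a
# failed download leaves the corresponding ipset as it was.
#
# The zone files are fetched over plain HTTP, so their content is not
# integrity-protected in transit; prefer an HTTPS URL if the provider offers
# one, and treat the lists as untrusted input (they only ever feed DROP sets).
set -uo pipefail

readonly ipblock_dir=/etc/ipblock
readonly zone_url=http://www.ipdeny.com/ipblocks/data/countries
readonly rules_file=/etc/iptables.rules

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Load every non-empty line of a zone file into an ipset (hash:net).
# Duplicates are silently ignored (-q), existing entries are kept.
# Arguments: $1 - set name, $2 - path to the zone file
# Returns:   0, or 1 when the zone file is missing/empty (set left unchanged)
#######################################
load_zone() {
  local setname=$1 zonefile=$2 net

  ipset -! create "$setname" hash:net
  if [[ ! -s "$zonefile" ]]; then
    printf 'warning: %s missing or empty, %s left unchanged\n' \
      "$zonefile" "$setname" >&2
    return 1
  fi
  # "|| [[ -n ... ]]" keeps a last line without a trailing newline.
  while IFS= read -r net || [[ -n "$net" ]]; do
    [[ -n "$net" ]] || continue
    ipset -q -A "$setname" "$net"
  done < "$zonefile"
}

main() {
  local cc

  # Drop the previous downloads so a stale file is never mistaken for a fresh one.
  rm -f -- "$ipblock_dir"/*.zone
  for cc in cn ru ar; do
    wget -P "$ipblock_dir" "$zone_url/$cc.zone" \
      || printf 'warning: download of %s.zone failed\n' "$cc" >&2
  done

  # Filled by hand (ipset -A blockedips ...); created so the rule loads.
  ipset -! create blockedips hash:net

  echo "Adding China IPs.."
  load_zone china "$ipblock_dir/cn.zone"
  echo "Adding Russia IPs.."
  load_zone russia "$ipblock_dir/ru.zone"
  echo "Adding Argentina IPs.."
  load_zone argentina "$ipblock_dir/ar.zone"

  echo "Restoring iptables.."
  /sbin/iptables-restore < "$rules_file" || die "iptables-restore failed"
  echo "All done"
}

main "$@"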

Nastavení práv skriptu

chmod +x /etc/ipblock/script.sh

Aplikace ipsetu v iptables

vi /etc/iptables.rules

přidat:

# Drop inbound TCP from any address in the country sets and in the manually
# managed "blockedips" set.  Only "-p tcp" is matched, so UDP and ICMP traffic
# from the same sources still passes; remove "-p tcp" (or add matching rules
# for the other protocols) if the block is meant to cover everything.  The
# named sets must already exist when iptables-restore runs, which is why
# script.sh creates them before restoring the rules.
-A INPUT -p tcp -m set --match-set china src -j DROP
-A INPUT -p tcp -m set --match-set russia src -j DROP
-A INPUT -p tcp -m set --match-set argentina src -j DROP
-A INPUT -p tcp -m set --match-set blockedips src -j DROP

Spuštění skriptu

/etc/ipblock/script.sh

Přidat do CRONu - aktualizace jednou denně

vi /etc/crontab
# IP block
# Runs daily at 05:00 as root.  Both stdout and stderr are discarded, so a
# failing git pull, wget or iptables-restore goes unnoticed and the sets
# silently stop being refreshed; redirect to a log file instead, or drop
# "2>&1" so cron mails the errors.
0 5 * * * root /etc/ipblock/script.sh >/dev/null 2>&1
service cron restart

Kontrola funkčnosti:

# Sanity check: every set referenced from the rules should appear in the first
# listing, and the "match-set" rules in the second.
ipset -L
iptables --list

Vypsání všech setů (bez IP adres)

ipset list -t

Smazání všech setů

ipset destroy

Ruční přidání IP adresy:

ipset -A blockedips 182.100.67.0/24

Jiné seznamy IP adres

https://github.com/firehol/blocklist-ipsets/blob/master/README.md

git clone https://github.com/firehol/blocklist-ipsets --branch master --single-branch /etc/ipblock/firehol

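#!/bin/bash
# Loads three FireHOL lists into timed ipsets and reloads the iptables rules.
# Nothing is ever deleted explicitly: each set is created with a timeout a few
# minutes short of the daily cron interval (86400 s), so entries expire shortly
# before the next run re-adds them and stale addresses drop out on their own.
# Consequence: the sets are empty for those few minutes, and if the cron job
# stops running the blocks silently disappear within a day.
#
# List content is third-party data fed straight into DROP sets; the
# "alwaysallow" set, accepted before any block rule, is the lock-out safeguard.
set -uo pipefail

readonly firehol_dir=/etc/ipblock/firehol
readonly rules_file=/etc/iptables.rules

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Add every non-blank, non-comment line of a FireHOL list file to an ipset.
# Arguments: $1 - set name, $2 - path to the .ipset file
# Returns:   0, or 1 when the list file is unreadable (set left unchanged)
#######################################
load_list() {
  local setname=$1 listfile=$2 entry

  if [[ ! -r "$listfile" ]]; then
    printf 'warning: cannot read %s, %s left unchanged\n' "$listfile" "$setname" >&2
    return 1
  fi
  # -q only silences the "already added" error; it does not refresh the
  # timeout of an existing entry, which this design relies on having expired.
  while IFS= read -r entry || [[ -n "$entry" ]]; do
    [[ -n "$entry" ]] || continue
    ipset -q -A "$setname" "$entry"
  done < <(grep -Ev '^[[:space:]]*(#|$)' -- "$listfile")
}

main() {
  echo "Updating firehol IP lists.."
  cd "$firehol_dir" || die "cannot cd to $firehol_dir"
  # A failed pull is not fatal: the previously fetched lists are applied again.
  git pull origin master \
    || printf 'warning: git pull failed, using the existing checkout\n' >&2

  ipset -! create alwaysallow hash:ip
  # Timeouts (seconds) are staggered just under 24 h; see the header comment.
  ipset -! create firehol-blocklistde hash:ip timeout 86180
  ipset -! create firehol-turris hash:ip timeout 86150
  ipset -! create firehol-tor hash:ip timeout 86130
  # Filled by hand (ipset -A blockedips ...); created so the rule loads.
  ipset -! create blockedips hash:net

  echo "Adding allowed IPs.."
  # Replace the placeholders with the management addresses that must never be
  # blocked.
  ipset -q -A alwaysallow XXX.XXX.XXX.XXX
  ipset -q -A alwaysallow XXX.XXX.XXX.XXX

  echo "Adding Firehol Blocklist.de IPs.."
  load_list firehol-blocklistde "$firehol_dir/blocklist_de.ipset"
  echo "Adding Firehol Turris IPs.."
  load_list firehol-turris "$firehol_dir/turris_greylist.ipset"
  echo "Adding TOR exit nodes IPs.."
  load_list firehol-tor "$firehol_dir/tor_exits.ipset"

  echo "Restoring iptables.."
  /sbin/iptables-restore < "$rules_file" || die "iptables-restore failed"
  echo "All done"
}

main "$@"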

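# Create chain: rate-limited log (at most 5 lines/min) followed by DROP.
# --log-level 7 is "debug"; check that the syslog configuration keeps
# debug-level kernel messages, otherwise the drops are never recorded.
-N LOG_AND_DROP
-A LOG_AND_DROP -m limit --limit 5/min -j LOG --log-prefix "iptables dropped: " --log-level 7
-A LOG_AND_DROP -j DROP
# Allow all: hosts in "alwaysallow" are accepted before every block rule, so
# a bad list entry cannot lock the administrator out.  In OUTPUT the source
# address is the local host itself, so the set has to be matched against the
# destination (dst) for the rule to have any effect.
-A INPUT -p tcp -m set --match-set alwaysallow src -j ACCEPT
-A OUTPUT -p tcp -m set --match-set alwaysallow dst -j ACCEPT
# Block: inbound TCP only ("-p tcp"); UDP and ICMP from the same sources are
# not matched by these rules.
-A INPUT -p tcp -m set --match-set firehol-blocklistde src -j LOG_AND_DROP
-A INPUT -p tcp -m set --match-set firehol-turris src -j LOG_AND_DROP
-A INPUT -p tcp -m set --match-set firehol-tor src -j LOG_AND_DROP
-A INPUT -p tcp -m set --match-set blockedips src -j LOG_AND_DROP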

apt-get -y install ipset git && mkdir -p /etc/ipblock/ && rm -rf /etc/ipblock/firehol/ && git clone https://github.com/firehol/blocklist-ipsets --branch master --single-branch /etc/ipblock/firehol && vi /etc/ipblock/script.sh && chmod +x /etc/ipblock/script.sh && vi /etc/iptables.rules && /etc/ipblock/script.sh