arno-iptables-firewall / aif

GNU General Public License v2.0

Country blocking #68

Open Jancs-E opened 5 years ago

Jancs-E commented 5 years ago

Hi! Is it possible somehow to block a range of IPs assigned to a specific country (or countries), using your script, most preferably by supplying a list in the cfg? There are examples of such: https://www.cyberciti.biz/faq/block-entier-country-using-iptables/ , not involving dependence on GeoIP.

abelbeck commented 5 years ago

The best method using Arno's AIF (v2.0.1g or later) is to enable the use of ipset and some sort of blocklist. First look at the firewall.conf file:

# (EXPERT SETTING!) Set this (to 1) to enable the use of ipset to efficiently
# match a large block of IPv4/IPv6 addresses/nets. Much faster when enabled.
# BLOCK_NETSET_DIR, BLOCK_HOSTS and BLOCK_HOSTS_FILE utilizes this feature.
# ------------------------------------------------------------------------------
#IPTABLES_IPSET=0

and

# Uncomment & specify here the location of the directory that contains *.netset
# files containing IP addresses and/or Networks (CIDR notation) to be BLOCKED.
# Each .netset file may contain only one IP/Net entry per line, each IP/Net
# entry must start at the beginning of the line and any valid entry must be
# immediately followed by a new-line or a POSIX [[:space:]] character.
# File contents not matching an IP/Net will be ignored.
#
# File naming convention, use *v6.netset files for IPv6 entries, all other
# *.netset files default to IPv4. Filenames are limited to a maximum of
# 27 characters before the .netset suffix.
# Optional whitelist.netset, whitelistv6.netset files may contain IP/Net entries
# that will NOT be BLOCKED by other *.netset files. Automatically by default,
# all Private (RFC1918), Link-Local and Multicast IP/Nets will be whitelisted.
# See also: DEFAULT_NETSET_WHITELIST and DEFAULT_NETSET_WHITELISTV6
#
# Note: This option depends on IPTABLES_IPSET being enabled.
# ------------------------------------------------------------------------------
#BLOCK_NETSET_DIR="/etc/arno-iptables-firewall/blocklists"

Given that info, edit your firewall.conf to include:

IPTABLES_IPSET=1
BLOCK_NETSET_DIR="/etc/arno-iptables-firewall/blocklists"

and create the "/etc/arno-iptables-firewall/blocklists" directory.

The final step is to populate the BLOCK_NETSET_DIR with .netset files that ipset understands.

Take a look at: "FireHOL IP Lists" https://iplists.firehol.org/

A good general blocklist to start with there is "firehol_level1", and corresponding .netset file: https://iplists.firehol.org/files/firehol_level1.netset

So, simply download this file to your BLOCK_NETSET_DIR using curl or 'wget' ...

curl -o /etc/arno-iptables-firewall/blocklists/firehol_level1.netset  https://iplists.firehol.org/files/firehol_level1.netset

and apply the changes to AIF:

arno-iptables-firewall force-reload

Test to make sure it is working as expected.

For production you will want to update this firehol_level1.netset file once or twice a day, so use cron to do that, or use a script I created for the AstLinux project along with cron:

(remove or edit the . /etc/rc.conf line for your purposes) https://github.com/astlinux-project/astlinux/blob/master/package/arnofw/reload-blocklist-netset

Lastly, back to your original question for blocking countries, you can do that, find an ipset compatible list of addresses/subnets and follow the instructions above ... but studying the great FireHOL site you will see blocking specific countries is not that effective for blocking exploits and bad actors.
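The procedure above (enable ipset, drop a .netset file into BLOCK_NETSET_DIR, refresh it from cron, force-reload AIF) as one added shell script. This is an added example, not the AIF project's code and not the AstLinux reload-blocklist-netset script linked above. The 27-character filename limit, the *v6.netset naming rule and the "entry must start the line and be followed by newline or whitespace" rule are taken from the firewall.conf comments quoted above; the function names, the status words, the temp-file rename and the env-var overrides are this example's own assumptions.

```shell
#!/bin/sh
# reload-blocklist.sh: refresh one FireHOL-style .netset blocklist for AIF.
# Added example, not the AIF project's or the AstLinux script. Assumes
# IPTABLES_IPSET=1 and BLOCK_NETSET_DIR as set in the comment above; the
# env overrides, function names and status words are this script's own choices.
set -u

BLOCK_NETSET_DIR="${BLOCK_NETSET_DIR:-/etc/arno-iptables-firewall/blocklists}"
LIST_URL="${LIST_URL:-https://iplists.firehol.org/files/firehol_level1.netset}"

# AIF naming rules: the file must end in .netset, with at most 27 characters
# before the suffix. Paths and empty names are rejected here as well.
netset_name_ok() {
    case "$1" in */*|'') return 1 ;; *.netset) ;; *) return 1 ;; esac
    base="${1%.netset}"
    [ -n "$base" ] && [ "${#base}" -le 27 ]
}

# *v6.netset files hold IPv6 entries; every other *.netset file is IPv4.
netset_is_v6() {
    case "$1" in *v6.netset) return 0 ;; *) return 1 ;; esac
}

# Count the lines AIF would accept: an address or CIDR net at the very start of
# the line, followed by end-of-line or whitespace. Comments, blank lines and
# malformed lines are ignored. Loose syntax check only; AIF does its own parsing.
# Usage: netset_count_entries FILE [NAME]  (NAME decides the address family)
netset_count_entries() {
    file="$1"
    name="${2:-$(basename "$file")}"
    if netset_is_v6 "$name"; then
        pat='^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*(/[0-9]{1,3})?([[:space:]]|$)'
    else
        pat='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?([[:space:]]|$)'
    fi
    grep -cE "$pat" "$file" || true   # grep -c prints 0 but exits 1 on no match
}

# Install a downloaded list at DEST atomically. Prints exactly one status word:
# rejected (bad name or no usable entries), unchanged, or installed.
netset_install() {
    src="$1"; dest="$2"
    name="$(basename "$dest")"
    if ! netset_name_ok "$name" || [ "$(netset_count_entries "$src" "$name")" -eq 0 ]; then
        echo rejected; return 0
    fi
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        echo unchanged; return 0
    fi
    # Copy next to the destination and rename, so a reload never sees a
    # half-written file and a failed download never empties the blocklist.
    cp "$src" "$dest.tmp.$$" && mv -f "$dest.tmp.$$" "$dest"
    echo installed
}

# Download to a temp file, install it only if valid and changed, then reload AIF.
refresh_blocklist() {
    url="$1"
    dest="$BLOCK_NETSET_DIR/$(basename "$url")"
    tmp="$(mktemp)" || return 1
    if ! curl -fsS -o "$tmp" "$url"; then
        echo "download failed: $url" >&2; rm -f "$tmp"; return 1
    fi
    status="$(netset_install "$tmp" "$dest")"
    rm -f "$tmp"
    echo "$dest: $status"
    if [ "$status" = installed ]; then
        arno-iptables-firewall force-reload
    fi
    return 0
}

# Cron entry (twice a day): 0 */12 * * * /usr/local/sbin/reload-blocklist.sh refresh
case "${1:-}" in
    refresh) refresh_blocklist "$LIST_URL" ;;
esac
```

Reloading only when the installed file actually changed keeps the ipset rebuild off the hot path on every cron run, and rejecting a download with zero parseable entries means a broken or empty response from the list server cannot silently replace a working blocklist.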

Jancs-E commented 5 years ago

Thank you very much for the exhaustive how-to!

Janis

Quoting Lonnie Abelbeck notifications@github.com, Sat, 20 Jul 2019 06:06:28 -0700:
