Open Jancs-E opened 5 years ago
The best method using Arno's AIF (v2.0.1g or later) is to enable the use of ipset and some sort of blocklist. First look at the firewall.conf file:

```
# (EXPERT SETTING!) Set this (to 1) to enable the use of ipset to efficiently
# match a large block of IPv4/IPv6 addresses/nets. Much faster when enabled.
# BLOCK_NETSET_DIR, BLOCK_HOSTS and BLOCK_HOSTS_FILE utilizes this feature.
# ------------------------------------------------------------------------------
#IPTABLES_IPSET=0
```

and

```
# Uncomment & specify here the location of the directory that contains *.netset
# files containing IP addresses and/or Networks (CIDR notation) to be BLOCKED.
# Each .netset file may contain only one IP/Net entry per line, each IP/Net
# entry must start at the beginning of the line and any valid entry must be
# immediately followed by a new-line or a POSIX [[:space:]] character.
# File contents not matching an IP/Net will be ignored.
#
# File naming convention, use *v6.netset files for IPv6 entries, all other
# *.netset files default to IPv4. Filenames are limited to a maximum of
# 27 characters before the .netset suffix.
# Optional whitelist.netset, whitelistv6.netset files may contain IP/Net entries
# that will NOT be BLOCKED by other *.netset files. Automatically by default,
# all Private (RFC1918), Link-Local and Multicast IP/Nets will be whitelisted.
# See also: DEFAULT_NETSET_WHITELIST and DEFAULT_NETSET_WHITELISTV6
#
# Note: This option depends on IPTABLES_IPSET being enabled.
# ------------------------------------------------------------------------------
#BLOCK_NETSET_DIR="/etc/arno-iptables-firewall/blocklists"
```

Given that info, edit your firewall.conf to include:

```
IPTABLES_IPSET=1
BLOCK_NETSET_DIR="/etc/arno-iptables-firewall/blocklists"
```

and create the "/etc/arno-iptables-firewall/blocklists" directory.

The final step is to populate the BLOCK_NETSET_DIR with .netset files that ipset understands.

Take a look at: "FireHOL IP Lists" https://iplists.firehol.org/

A good general blocklist to start with there is "firehol_level1", and the corresponding .netset file: https://iplists.firehol.org/files/firehol_level1.netset

So, simply download this file to your BLOCK_NETSET_DIR using curl or wget ...

```
curl -o /etc/arno-iptables-firewall/blocklists/firehol_level1.netset https://iplists.firehol.org/files/firehol_level1.netset
```

and apply the changes to AIF:

```
arno-iptables-firewall force-reload
```

Test to make sure it is working as expected.

For production you will want to update this firehol_level1.netset file once or twice a day, so use cron to do that, or use a script I created for the AstLinux project along with cron (remove or edit the `. /etc/rc.conf` line for your purposes): https://github.com/astlinux-project/astlinux/blob/master/package/arnofw/reload-blocklist-netset

Lastly, back to your original question for blocking countries, you can do that: find an ipset compatible list of addresses/subnets and follow the instructions above ... but studying the great FireHOL site you will see blocking specific countries is not that effective for blocking exploits and bad actors.
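As an added example (not code from the AIF project and not the AstLinux reload-blocklist-netset script linked above), here is a small POSIX sh updater for the cron job described in the comment. It downloads firehol_level1.netset to a temporary file, checks that the result is actually a netset AIF can load (counting only lines that match the one-IP/Net-per-line rule from the firewall.conf comments, so a 404 page or a truncated download is rejected and the previous list is kept), checks the 27-character filename limit, installs the file atomically and then runs `arno-iptables-firewall force-reload`. The directory, filename and URL are the ones from the thread; the MIN_ENTRIES floor of 100 is an assumed sanity threshold, not an AIF setting.

```shell
#!/bin/sh
# Added example: refresh firehol_level1.netset for Arno's AIF safely.
# Not from the AIF project; MIN_ENTRIES is an assumed sanity floor.

NETSET_DIR="/etc/arno-iptables-firewall/blocklists"
NETSET_NAME="firehol_level1"
NETSET_URL="https://iplists.firehol.org/files/${NETSET_NAME}.netset"
MIN_ENTRIES=100   # assumed: a real firehol_level1 list has far more entries

# AIF limits the name to 27 characters before the .netset suffix.
netset_name_ok() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 27 ]
}

# Count the lines AIF will actually load from an IPv4 netset: an address or
# CIDR net at the start of the line, followed by whitespace or end of line.
# Comments, IPv6 entries and junk are ignored by AIF, so not counted here.
# "|| true" keeps a zero count from being reported as a failure.
count_ipv4_entries() {
  grep -Ec '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?([[:space:]]|$)' "$1" || true
}

# A usable download is readable and has at least MIN_ENTRIES valid entries.
netset_valid() {
  [ -r "$1" ] || return 1
  n=$(count_ipv4_entries "$1")
  [ "$n" -ge "$MIN_ENTRIES" ]
}

# Download, validate, install atomically, reload AIF. Leaves the previous
# netset untouched if anything goes wrong.
update_netset() {
  netset_name_ok "$NETSET_NAME" || { echo "netset name too long" >&2; return 1; }
  tmp=$(mktemp "${NETSET_DIR}/.${NETSET_NAME}.XXXXXX") || return 1
  if curl -fsSL -o "$tmp" "$NETSET_URL" && netset_valid "$tmp"; then
    mv -f "$tmp" "${NETSET_DIR}/${NETSET_NAME}.netset"
    arno-iptables-firewall force-reload
  else
    echo "download failed or failed sanity check; keeping previous list" >&2
    rm -f "$tmp"
    return 1
  fi
}

# Only act when explicitly asked, so the functions can be sourced/tested.
if [ "${1:-}" = "run" ]; then
  update_netset
fi
```

Save it as, for instance, /usr/local/sbin/update-netset.sh and call it from cron with the `run` argument once or twice a day (e.g. `0 */12 * * * /usr/local/sbin/update-netset.sh run`). Because the file is written to a temporary name in the same directory and moved into place, AIF never sees a half-written list, and the `-f` on curl makes an HTTP error exit non-zero instead of saving an error page as the blocklist.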
Thank you very much for the exhaustive how-to!
Janis

Quoting Lonnie Abelbeck notifications@github.com Sat, 20 Jul 2019 06:06:28 -0700:
Hi! Is it possible somehow to block a range of IPs assigned to a specific country(ies), using your script, most preferably by supplying a list in cfg? There are examples of such: https://www.cyberciti.biz/faq/block-entier-country-using-iptables/ , not involving dependence on GeoIP.