firehol / blocklist-ipsets

ipsets dynamically updated with firehol's update-ipsets.sh script
https://iplists.firehol.org

Cannot create ipsets in kernel, tried iprange and update-ipsets #37

Open sanyo-ok opened 7 years ago

sanyo-ok commented 7 years ago

Hello,

I have used your excellent Firehol script for over 10 years already; it is very good, exceptionally convenient.

Recently I began looking into how I can block some unwanted connections.

Phil kindly pointed me to ipset and iprange.

I have installed the latest versions of your scripts from github on my Debian v8 system, upgraded all distro packages too before building Firehol.

Unfortunately I cannot add any IPs to kernel ipset. I tried iprange and update-ipsets.

Can you please point me to several examples of how to generate ipsets by iprange and update-ipsets?

I tried:

ipset destroy
update-ipsets enable iblocklist_org_microsoft
update-ipsets

ipset list displays nothing.

Got the following in the syslog:

May 8 21:05:35 atom update-ipsets.sh[18989]: INFO: iblocklist_org_microsoft: 9126545/727 mins passed, downloading...
May 8 21:05:37 atom update-ipsets.sh[18989]: INFO: iblocklist_org_microsoft: HTTP/200 OK
May 8 21:05:37 atom update-ipsets.sh[18989]: SAVED: iblocklist_org_microsoft: no need to load ipset in kernel

Then:

ipset create iblocklist_org_microsoft hash:net
update-ipsets

ipset list still displays nothing.

Please suggest, what am I doing wrong?

sanyo-ok commented 7 years ago

Tried to enable the list once again, and got an error once again:

May 8 22:11:16 atom update-ipsets.sh[16824]: iblocklist_org_microsoft: Enabling iblocklist_org_microsoft...
May 8 22:11:37 atom update-ipsets.sh[17039]: Getting list of active ipsets...
May 8 22:11:37 atom update-ipsets.sh[17039]: INFO: iblocklist_org_microsoft: 9126611/727 mins passed, downloading...
May 8 22:11:38 atom update-ipsets.sh[17039]: INFO: iblocklist_org_microsoft: HTTP/200 OK
May 8 22:11:38 atom update-ipsets.sh[17039]: INFO: iblocklist_org_microsoft: loading to kernel (to temporary ipset)...
May 8 22:11:38 atom update-ipsets.sh[17039]: INFO: iblocklist_org_microsoft: swapping temporary ipset to production
May 8 22:11:38 atom update-ipsets.sh[17039]: ERROR: iblocklist_org_microsoft: failed to swap temporary ipset tmp-17039-12676-1
May 8 22:11:38 atom update-ipsets.sh[17039]: ERROR: iblocklist_org_microsoft: failed to update ipset (error file left as '/etc/firehol/ipsets/errors/iblocklist_org_microsoft.netset').

sanyo-ok commented 7 years ago

Well, the following solved the issue:

Manually deleted the files in /etc/firehol/ipsets

Then executed the following commands:

ipset destroy
ipset create iblocklist_org_microsoft hash:net
ipset add iblocklist_org_microsoft 1.1.1.1
update-ipsets enable iblocklist_org_microsoft
update-ipsets

ipset list now displays many subnets, as expected.

Please suggest what the correct method is to populate ipsets after a reboot?

ktsaou commented 7 years ago

Hi,

you can use ipset directly from firehol.conf. Check this: https://github.com/firehol/firehol/wiki/Working-with-IPSETs

If you don't use firehol, you can use ipset-apply.sh from the contrib directory of firehol: https://github.com/firehol/firehol/blob/master/contrib/ipset-apply.sh This script takes an iprange/update-ipsets compatible input file (.ipset or .netset) and loads it into the kernel.

Once an ipset is loaded into the kernel update-ipsets will update it automatically.
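
The load-then-swap sequence that the ERROR lines above failed on, as an added example that is not code from firehol, ipset-apply.sh or this thread: the script below builds an "ipset restore" input from a .netset/.ipset file the way update-ipsets loads one (fill a temporary set, then "swap" it into the production set). "swap" only succeeds when the production set already exists with the same type, so the caller states whether the target exists and a "create" is emitted first when it does not. The names netset_to_restore, is_ipv4_net, load_netset and the tmp-<name> prefix are illustrative assumptions; if your ipset build rejects "swap" or "destroy" inside a restore file, run those two lines as separate ipset commands.

```shell
#!/bin/sh
# Added example (not from firehol or this thread): build an "ipset restore"
# script from a .netset/.ipset file, update-ipsets style: fill a temporary
# set, then "swap" it into production so there is never an empty set in use.
# netset_to_restore, is_ipv4_net, load_netset and tmp-<name> are illustrative.

# is_ipv4_net ENTRY -> 0 if ENTRY is a.b.c.d or a.b.c.d/n with 0<=n<=32
is_ipv4_net() {
        ip=${1%%/*}
        pfx=${1#*/}
        [ "$pfx" = "$1" ] && pfx=32              # no "/" given: a single address
        case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
        case $pfx in ''|*[!0-9]*) return 1 ;; esac
        [ "$pfx" -le 32 ] || return 1
        n=0
        oldifs=$IFS
        IFS=.
        for o in $ip; do
                n=$((n + 1))
                if [ "$o" -gt 255 ]; then IFS=$oldifs; return 1; fi
        done
        IFS=$oldifs
        [ "$n" -eq 4 ]
}

# netset_to_restore NAME FILE TARGET_EXISTS(yes|no) -> restore script on stdout
# Blank and "#" lines are skipped (firehol .netset files carry a comment
# header). Any other line that is not an IPv4 address or CIDR aborts with
# status 2, so a corrupt download never half-replaces a good set.
netset_to_restore() {
        name=$1
        file=$2
        exists=$3
        tmp="tmp-$name"
        opts="hash:net family inet hashsize 1024 maxelem 262144"
        printf 'create %s %s\n' "$tmp" "$opts"
        while IFS= read -r line || [ -n "$line" ]; do
                case $line in ''|'#'*) continue ;; esac
                is_ipv4_net "$line" || { echo "bad entry in $file: $line" >&2; return 2; }
                printf 'add %s %s\n' "$tmp" "$line"
        done < "$file"
        # swap needs an existing, same-typed target; create it on first load
        [ "$exists" = yes ] || printf 'create %s %s\n' "$name" "$opts"
        printf 'swap %s %s\n' "$tmp" "$name"
        printf 'destroy %s\n' "$tmp"
}

# load_netset NAME FILE -- needs root and the ipset tool, so it is not run
# offline. "ipset -n list NAME" exits non-zero when the set does not exist.
load_netset() {
        if ipset -n list "$1" >/dev/null 2>&1; then exists=yes; else exists=no; fi
        netset_to_restore "$1" "$2" "$exists" | ipset restore
}

# usage: load_netset iblocklist_org_microsoft /etc/firehol/ipsets/iblocklist_org_microsoft.netset
```

Because the production set keeps its name and type across the swap, iptables rules that reference it stay valid, and a later update-ipsets run finds the set in the kernel and keeps it current, which is the behaviour described above.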

sanyo-ok commented 7 years ago

Hi Costa Tsaousis,

Maybe someone will be interested in the following functions for Firehol to block some unwanted traffic to spynet networks:

# Helpers for firehol.conf (bash). $Profile and ExcludeFromBlock are defined
# elsewhere in this configuration and are not shown here.

add_ipset_prefix()
{
        # turn "a b c" into "ipset:a ipset:b ipset:c" for use in src/dst
        local List=$1 Result="" I
        for I in $List; do
                Result="$Result ipset:$I"
        done
        echo $Result    # unquoted on purpose: drops the leading space
}

block_ipsets()
{
        local Place=$1          # interface|router
        local LANHosts=$2       # hosts on the LAN side
        local IPSetNames=$3     # space-separated ipset names
        local IPSet

        if [ "$Profile" = "short" ]; then
                return
        fi

        case $Place in
        ( interface )
                ExcludeFromBlock
        ;;
        esac
        IPSet=$(add_ipset_prefix "$IPSetNames")

        # drop traffic between the LAN hosts and the listed ipsets in both directions
        case $Place in
                ( interface )
                        client all drop src "$LANHosts"         dst "$IPSet"
                        server all drop src "$IPSet"            dst "$LANHosts"
                ;;
                ( router )
                        client all drop src "$IPSet"            dst "$LANHosts"
                        server all drop src "$LANHosts"         dst "$IPSet"
                ;;
        esac
}

router home2tun inface eth0 outface $TunName
        masquerade
        route "dns" drop
        block_ipsets router "w10 xp" "spynet akamai other iblocklist_org_microsoft"
        route all accept        # route outside

sanyo-ok commented 7 years ago

And the following scripts for restarting Firehol:

restart.sh:

#!/bin/bash
# restart.sh [ipset] -- restart firehol; with "ipset", rebuild every ipset first
Action=$1

firehol stop
case $Action in
( ipset )
        ipset destroy           # destroys ALL sets; safe only while the firewall is stopped
        /etc/firehol/load_ipsets.sh
;;
esac
firehol nofast start
echo "ipset entries: "; ipset list | wc -l
echo "iptables entries: "; iptables -L -n | wc -l

load_ipsets.sh:

#!/bin/bash
# load_ipsets.sh -- (re)create the ipsets that firehol.conf refers to

# a list maintained by hand under /etc/firehol/lists
load_my_list()
{
        local Name=$1
        /etc/firehol/ipset-apply.sh "/etc/firehol/lists/$Name"
}

# a list managed by update-ipsets: enable it, run one update, then load the
# result so that later update-ipsets runs find the set in the kernel and keep it current
load_public_list()
{
        local Name=$1

        update-ipsets enable "$Name"
        update-ipsets >/dev/null 2>&1

        /etc/firehol/ipset-apply.sh "$Name"
}

load_my_list akamai.netset
load_my_list spynet.ipset
load_my_list other.ipset
load_public_list iblocklist_org_microsoft
sanyo-ok commented 7 years ago

Please let me know where I can download an up-to-date full list of the subnets of an organization like Akamai. I would like to block their addresses only for one of my hosts, which does not browse any sites, so connections to the Akamai network are unwanted on that host. I can google for each single subnet and find something like: http://bgp.he.net/net/2.16.4.0/23

Where can I download a text file with the complete list of Akamai subnets?

ktsaou commented 7 years ago

I am not sure they disclose their IP address space. It would be a security flaw for them to do this (since, they would be exposed to DDoS). Anyway, you will have to check their site.

sanyo-ok commented 7 years ago

Some googling reveals the following list: https://pastebin.com/raw/iGTvZrCz

sanyo-ok commented 7 years ago

Complete list for any organization is available at: http://bgp.he.net/AS20940#_prefixes

sanyo-ok commented 7 years ago

http://bgp.he.net/AS34164#_prefixes
http://bgp.he.net/AS8075#_prefixes
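
Turning an AS number into a .netset file, as an added example that is not code from this thread or from firehol and that goes beyond the bgp.he.net pages linked above: instead of copying prefixes from a web page by hand, it parses the "route:" objects that the RADB whois server returns for an origin AS (the query form `whois -h whois.radb.net -- '-i origin AS20940'` is RADB's inverse lookup by origin) into a file that ipset-apply.sh or the loader above can consume. IRR route objects are registered by the operators themselves, so they can be stale or broader than what the AS really announces; treat the result as a starting point to review, not ground truth. The function names and the output header are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from this thread or firehol): build a .netset from the
# RADB route objects registered with a given origin AS. Function names and
# the header comment are illustrative.

# radb_routes_to_netset AS [inet|inet6]   (whois text on stdin, netset on stdout)
# A prefix is kept only when the "origin:" of its own object is the requested
# AS, so an unrelated object in the same reply is not picked up. hash:net sets
# are per address family, so IPv4 and IPv6 go to separate files.
radb_routes_to_netset() {
        as=$1
        fam=${2:-inet}
        case $fam in
                inet)  key="route:" ;;
                inet6) key="route6:" ;;
                *) echo "family must be inet or inet6" >&2; return 2 ;;
        esac
        printf '# route objects with origin %s (RADB, family %s)\n' "$as" "$fam"
        awk -v k="$key" -v asn="$as" '
                $1 == k                                   { pfx = $2 }
                $1 == "origin:" && $2 == asn && pfx != "" { print pfx; pfx = "" }
                /^$/                                      { pfx = "" }   # objects are blank-line separated
        ' | LC_ALL=C sort -u
}

# fetch_as_netset AS OUTFILE [inet|inet6] -- needs the whois client and network
# access, so it is not exercised offline.
fetch_as_netset() {
        whois -h whois.radb.net -- "-i origin $1" | radb_routes_to_netset "$1" "${3:-inet}" > "$2"
}

# usage: fetch_as_netset AS20940 /etc/firehol/lists/akamai.netset
```

If iprange is installed, piping the resulting file through `iprange` merges overlapping and adjacent route objects into the minimal CIDR list before it is loaded, which keeps the kernel set small.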