blocklist-ipsets
iptables & ipsets
Hi,
Sorry if it's a stupid question, but I just can't figure this out.
I'm running iptables manually. Well, it's more through fail2ban really, with bits of ufw just to open the ports I need... The point is I'm not using any specialized solution.
Well, so I've installed update-ipsets. I've run:
update-ipsets --enable-all
update-ipsets
cd firehol.git/contrib
find /etc/firehol/ipsets -name '*.ipset' -exec basename {} .ipset \; | while read -r ipset; do ./ipset-apply.sh "$ipset"; done
find /etc/firehol/ipsets -name '*.netset' -exec basename {} .netset \; | while read -r ipset; do ./ipset-apply.sh "$ipset"; done
So far so good. I've got some complaints that some ipset names were too long (more than 31 characters), but I guess that's OK for now.
My understanding is that now the ipsets are declared in the kernel and updated every time the cron job runs update-ipsets.
What I can't figure out is how I actually block all those IPs, and make sure those rules are still there after a reboot. I'm sorry if this is a basic question.
Or maybe I should just forget about ipset-apply and do all this with firehol. I've no clue, however, how I would do that without breaking my fail2ban setup; I would need help.
Thanks for the great work. It is much appreciated!
OK, figured out how to block the IPs in the set. Needed to change my find+while loop:
find /etc/firehol/ipsets -name '*.ipset' -exec basename {} .ipset \; | while read -r ipset; do ./ipset-apply.sh "$ipset"; if [ $? -eq 0 ]; then iptables -I INPUT -m set --match-set "$ipset" src -j DROP; fi; done
find /etc/firehol/ipsets -name '*.netset' -exec basename {} .netset \; | while read -r ipset; do ./ipset-apply.sh "$ipset"; if [ $? -eq 0 ]; then iptables -I INPUT -m set --match-set "$ipset" src -j DROP; fi; done
Then I've made an ipset save > /etc/ipset.conf to prepare for persistency. Could not find a way to use this at boot though. And I guess I should change my crontab so that every time I run update-ipsets I also run ipset save?
Hmm... blocking all the sets ends up blocking Android ActiveSync setup 😢
@DuredhelFinceleb thank you. I stumbled upon your issue while finding a way to create ipsets from sources.
I just modified your one-liner a bit to execute ipset-apply for all sources in the /etc/firehol/ipsets
folder. This helps me to build ipsets and then create iptables rules.
#!/bin/sh
# ipset find and apply script
#
# The ipset-apply.sh script lives in the firehol repository:
# https://github.com/firehol/firehol/blob/master/contrib/ipset-apply.sh
# It is expected to be on PATH (or run this from firehol.git/contrib as ./ipset-apply.sh).
#
# find all source files in the firehol ipset list, strip the directory and the
# .ipset/.netset extension, then call ipset-apply.sh on each set name
find /etc/firehol/ipsets -type f \( -name "*.ipset" -o -name "*.netset" \) \
    | xargs -L 1 basename -s .ipset \
    | xargs -L 1 basename -s .netset \
    | while read -r ipset; do
    echo "Processing $ipset..."
    ipset-apply.sh "$ipset"
    echo
done
# list the sets now loaded in the kernel (headers only, not the members)
ipset list -t
echo "Completed."
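Added example, not code from either poster or from the FireHOL project: a POSIX sh version of the loops above that refuses set names over the kernel's 31-character limit (the "too long" complaints earlier in the thread), inserts each DROP rule only once so the cron job can re-run it safely, and snapshots the sets for restore at boot. It assumes ipset-apply.sh from firehol.git/contrib is on PATH and that /etc/ipset.conf is the file restored at boot.

```shell
#!/bin/sh
# Added example; assumes ipset-apply.sh (firehol.git/contrib) is on PATH and
# that /etc/ipset.conf is restored with `ipset restore` at boot, before the
# iptables rules that reference the sets are restored.

# Derive a kernel-legal set name from a file path: strip the directory and the
# .ipset/.netset suffix, and refuse anything longer than the 31-character limit.
set_name_for() {
    name=$(basename "$1")
    name=${name%.ipset}
    name=${name%.netset}
    if [ "${#name}" -gt 31 ]; then
        return 1
    fi
    printf '%s\n' "$name"
}

# Rule arguments for one set. Kept in one place so the -C (check) and -I
# (insert) calls use exactly the same spec; that is what makes re-runs safe.
rule_spec() {
    printf 'INPUT -m set --match-set %s src -j DROP\n' "$1"
}

# Insert the DROP rule only if it is not already present (idempotent).
ensure_drop_rule() {
    spec=$(rule_spec "$1")
    # $spec is intentionally unquoted so it word-splits into arguments.
    iptables -C $spec 2>/dev/null || iptables -I $spec
}

# Load every set, add its rule, then snapshot the sets so that
# `ipset restore < /etc/ipset.conf` brings them back after a reboot.
apply_all() {
    dir=${1:-/etc/firehol/ipsets}
    find "$dir" -type f \( -name '*.ipset' -o -name '*.netset' \) |
    while read -r file; do
        if sname=$(set_name_for "$file"); then
            ipset-apply.sh "$sname" && ensure_drop_rule "$sname"
        else
            echo "skipping $file: set name longer than 31 characters" >&2
        fi
    done
    ipset save > /etc/ipset.conf
}
```

Run `apply_all` from the same cron job that runs update-ipsets; because the rule insert is guarded by `iptables -C`, repeated runs do not pile up duplicate DROP rules.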