ipset-blacklist

Whitelisting IP address

Open drzraf opened this issue 6 years ago • 9 comments

In the hope to finally close #16, #38 and #69

drzraf avatar Mar 22 '18 17:03 drzraf

When e.g. blocklist.de has blacklisted an IP, it is not a good idea to disregard that locally. If it is falsely blacklisted, that blacklisting should be corrected at blocklist.

PaulGuijt avatar Apr 01 '18 11:04 PaulGuijt

Use-case: Some of the servers expect incoming SQL connections from OVH, others do a file_get_contents(), ... Non-dedicated OVH machines may very well be used by spammers and get blacklisted. Still I want my service to work.

My whitelist is already set in ufw/iptables. But since ipset-blacklist/ipset usually comes BEFORE in the rule set, I need these IPs to be whitelisted in ipset-blacklist too (as are 127.0.0.1, ...)

OVH has already been blacklisted by several blacklists many times, I sometimes even requested the unban myself with CC: to OVH. But each time my service may stop running for many hours and the only solution is either a manual unban or disabling ipset, which is worse than whitelisting.

IMHO, whitelisting is a must-have and only affects users who chose to use it.

drzraf avatar Apr 02 '18 01:04 drzraf

@drzraf I get the need for whitelisting but your proposal won't work in most cases. For example if the public IP address you want to whitelist is 1.2.3.4 and a blacklist submits 1.2.2.0/23, your IP address will still be blacklisted. This can't be regex matched. We would have to calculate CIDR ranges or deaggregate every IP range in order to make this work - which is a rather long and CPU-intensive operation.

trick77 avatar Apr 02 '18 08:04 trick77

Right, CIDRs make things complex but:

  1. whitelisting for simple cases could already work and be useful right now
  2. For IP ranges software exists (eg: https://github.com/firehol/iprange), Python modules too. But none of them fit a bash script intended to stay simple.

Thus we are restricted to either: doing it in an imperfect way OR using a suitable language (python-whatever-...) providing modules for IP-calc tasks OR increasing bash script complexity OR not implementing it (the worst solution)

drzraf avatar Apr 02 '18 14:04 drzraf

Since iprange has been merged, I think whitelisting can now be reconsidered.

drzraf avatar Feb 12 '19 12:02 drzraf

Hi @drzraf & @trick77 . First of all, thanks guys for this script, very handy and it makes a sysadmin's life a bit easier.

I'm using it and I needed to implement a white-list and I patched the master branch using the commits of @drzraf and it works pretty well.

Unfortunately from time to time I bump into some cases that @trick77 has figured out, when I have an IP that I need to whitelist but it's a part of a blacklisted CIDR.

Did you guys figure out a way to deaggregate the IP and then rebuild the larger CIDR into small ones without the IP that we want to whitelist?

nenominal avatar Jan 29 '20 14:01 nenominal
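The two problems raised above, trick77's point that text matching cannot whitelist a host that is covered by a larger blacklisted CIDR, and nenominal's question about deaggregating that CIDR into smaller blocks that leave the host out, can be shown side by side. The following is an added example, not code from ipset-blacklist or from anyone in this thread. It uses only Python's standard `ipaddress` module (whose `address_exclude` does exactly the split being asked about), and the blacklist and whitelist entries in it are constructed sample values, not addresses from any real feed.

```python
import ipaddress

# Constructed sample input (not from the issue or any real blocklist feed):
# a fetched blacklist and a local whitelist, one entry per line as the
# script would have them after normalisation.
BLACKLIST = [
    "1.2.2.0/23",      # covering range that contains the whitelisted host 1.2.3.4
    "1.2.3.4",         # the same host listed on its own as well
    "10.0.0.0/8",      # contains the whitelisted 10.1.0.0/16
    "203.0.113.0/24",  # unrelated range, must survive untouched
]
WHITELIST = ["1.2.3.4", "10.1.0.0/16"]


def parse(entries):
    """Turn strings into ip_network objects; a bare address becomes a /32 (or /128).
    strict=False accepts entries with host bits set, as ipset itself does."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blocked(entries, ip):
    """Mimic an ipset hash:net lookup: blocked if any entry contains the address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse(entries))


def naive_text_whitelist(blacklist, whitelist):
    """The textual matching trick77 warns about: it removes only entries whose
    network address is literally a whitelisted address, so a covering CIDR
    such as 1.2.2.0/23 is kept and still blocks 1.2.3.4."""
    white_addrs = {w.split("/")[0] for w in whitelist}
    return [e for e in blacklist if e.split("/")[0] not in white_addrs]


def deaggregate(blacklist, whitelist):
    """Punch every whitelisted network out of every blacklisted one.

    IPv4Network.address_exclude yields the minimal set of CIDR blocks covering
    `piece` minus `wl` (one block per prefix length between the two, so a /32
    removed from a /23 leaves 9 blocks). Pieces lying entirely inside a
    whitelist entry are dropped; disjoint pieces are kept as they are.
    """
    white = parse(whitelist)
    result = []
    for net in parse(blacklist):
        pieces = [net]
        for wl in white:
            nxt = []
            for piece in pieces:
                if wl.version != piece.version or not wl.overlaps(piece):
                    nxt.append(piece)                      # disjoint: keep
                elif wl.subnet_of(piece):
                    nxt.extend(piece.address_exclude(wl))  # hole inside: split around it
                # else: piece lies entirely inside wl -> drop it
            pieces = nxt
        result.extend(pieces)
    # Merge adjacent blocks back together, one pass per address family,
    # because collapse_addresses refuses mixed IPv4/IPv6 input.
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in result if n.version == version))
    return [str(n) for n in out]


if __name__ == "__main__":
    print("raw blacklist blocks 1.2.3.4:", is_blocked(BLACKLIST, "1.2.3.4"))
    print("after text whitelist, still blocked:",
          is_blocked(naive_text_whitelist(BLACKLIST, WHITELIST), "1.2.3.4"))
    rebuilt = deaggregate(BLACKLIST, WHITELIST)
    print("after deaggregation, blocked:", is_blocked(rebuilt, "1.2.3.4"))
    print("%d entries to feed into `ipset add`:" % len(rebuilt))
    for entry in rebuilt:
        print("  ", entry)
```

Removing a single /32 from a /23 produces 9 replacement blocks and removing a /16 from a /8 produces 8, so the rebuilt set grows by a few entries per whitelisted address rather than exploding; the cost trick77 mentions is mostly in the per-entry comparison against every whitelist entry, which is why a tool like iprange rather than shell text processing is needed for this. Separately from the thread's approach, ipset's hash:net type also supports `nomatch` exception entries (an address added with `nomatch` is reported as not in the set even when a covering network is), which sidesteps the rewrite entirely if the set type allows it.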

The issue of expanding/collapsing CIDRs is a Pandora's box. There are some ways to deal with it, but I think none seem compatible with ipset-blacklist characteristics (simple, small footprint, one-file, bash-based script with few external dependencies)

drzraf avatar Jan 30 '20 17:01 drzraf

Hello. I use your script and I have the following two problems. First of all, how can I add ipv6 besides ipv4? When I go to crontab to do this process it sends me this error:

line 35: ipset: command not found
line 41: ipset: command not found
Error: while creating the initial ipset

And the process is not complete. But if I go to the folder and run it manually it works fine. Thanks very much

giannisantoua avatar Jan 28 '22 17:01 giannisantoua