Differences

This shows you the differences between two versions of the page.

--- fuss:iptables [2020/02/17 19:43] – [Block Attacks with FireHOL Level 1 IP Abuse List] office
+++ fuss:iptables [2025/10/21 23:26] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
-====== Packet Flow ======
+====== Packet Flow  ======
-{{fuss_iptables_flow_through_netfilter.svg?512}}
-===== Abridged Version =====
 {{fuss_iptables_flow_through_netfilter_abridged.png?512}}
@@ Line 39: / Line 35: @@
                                                                                   Packet
 </ditaa>
+===== ASCII (Simplified) =====
+From the Advanced Routing Howto.
+<ditaa>
+       +------------+       +---------+       +-------------+
+------>| PREROUTING +------>| FORWARD +------>| POSTROUTING +------>
+       +------+-----+       +---------+       +-------+-----+
+              |                                       ^
+              |     +-------+  local  +--------+      |
+              +---->| INPUT +-------->| OUTPUT +------+
+                    +-------+         +--------+
+</ditaa>
 ====== Flush Tables ======
@@ Line 264: / Line 275: @@
 all of which should be available to install via the distribution's package manager.
-<file bash emerging-threats>
+<file bash create-emerging-threats-ipset>
 #!/usr/bin/env bash
 ###########################################################################
@@ Line 318: / Line 329: @@
   * ''awk''
-<file bash firehol-level1>
+<file bash create-level1-ipset>
 #!/usr/bin/env bash
 ###########################################################################
@@ Line 408: / Line 419: @@
 To use, simply copy the script to ''/etc/cron.hourly'' and then insert the ''iptables'' rules at the top into the existing firewall.
+====== Block GreenSnow Attacks ======
+[[https://greensnow.co/|Greensnow]] is a service that monitors attacks on various services across the internet and updates a list of offenders in real time. The script provided generates an ipset from the IP addresses provided by GreenSnow. The script can be saved to ''/etc/cron.hourly'' in order to update the list of offending IP addresses every hour.
+<file bash create-greensnow-ipset>
+#!/usr/bin/env bash
+###########################################################################
+##  Copyright (C) Wizardry and Steamworks 2024 - License: GNU GPLv3      ##
+###########################################################################
+# Downloads GreenSnow attack IP list and adds all the networks to ipset. ##
+###########################################################################
+## Possible firewall configuration:
+## Delete all the old rules.
+#I=`/sbin/iptables-save | grep -- "-A INPUT -j GREENSNOW"`
+#O=`/sbin/iptables-save | grep -- "-A OUTPUT -j GREENSNOW"`
+#if [ ! -z "$I" ] || [ ! -z "$O" ]; then
+#    /sbin/iptables -F GREENSNOW
+#    /sbin/iptables -X GREENSNOW
+#fi
+#if [ ! -z "$I" ]; then
+#    /sbin/iptables -D INPUT -j GREENSNOW
+#fi
+#if [ ! -z "$O" ]; then
+#    /sbin/iptables -D OUTPUT -j GREENSNOW
+#fi
+## Create the chain again and add all the new rules.
+#/sbin/iptables -N GREENSNOW
+#/sbin/iptables -I INPUT 1 -j GREENSNOW
+#/sbin/iptables -I OUTPUT 1 -j GREENSNOW
+#/sbin/iptables -A GREENSNOW -p all -m set --match-set GREENSNOW src,dst -j DROP
+## Continue with the rest.
+#/sbin/iptables -A GREENSNOW -j RETURN
+###########################################################################
+`ipset list GREENSNOW 2>/dev/null >/dev/null`
+if [ $? = 1 ]; then
+    ipset create GREENSNOW hash:net maxelem 262144 family inet
+fi
+ipset flush GREENSNOW
+while read LINE; do
+    grep -E -vq "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}$" <<< "${LINE}"
+    if [ $? -eq 0 ]; then
+        continue
+    fi
+    printf %s "add GREENSNOW ${LINE}" | ipset restore -exist
+done <<< $(curl -s -L https://blocklist.greensnow.co/greensnow.txt)
+</file>
+====== Block BotScout Bots ======
+[[https://botscout.com/|BotScout]] is an online service that tracks bots that automatically register accounts on various websites or post spam messages. The script below can be copied to ''/etc/cron.hourly'' in order to generate an ipset of all the IP addresses reported by BotScout.
+<file bash create-botscout-ipset>
+#!/usr/bin/env bash
+###########################################################################
+##  Copyright (C) Wizardry and Steamworks 2024 - License: GNU GPLv3      ##
+###########################################################################
+# Downloads botscout IP list and adds all the networks to ipset.         ##
+###########################################################################
+## Possible firewall configuration:
+## Delete all the old rules.
+#I=`/sbin/iptables-save | grep -- "-A INPUT -j BOTSCOUT"`
+#O=`/sbin/iptables-save | grep -- "-A OUTPUT -j BOTSCOUT"`
+#if [ ! -z "$I" ] || [ ! -z "$O" ]; then
+#    /sbin/iptables -F BOTSCOUT
+#    /sbin/iptables -X BOTSCOUT
+#fi
+#if [ ! -z "$I" ]; then
+#    /sbin/iptables -D INPUT -j BOTSCOUT
+#fi
+#if [ ! -z "$O" ]; then
+#    /sbin/iptables -D OUTPUT -j BOTSCOUT
+#fi
+## Create the chain again and add all the new rules.
+#/sbin/iptables -N BOTSCOUT
+#/sbin/iptables -I INPUT 1 -j BOTSCOUT
+#/sbin/iptables -I OUTPUT 1 -j BOTSCOUT
+#/sbin/iptables -A BOTSCOUT -p all -m set --match-set BOTSCOUT src,dst -j DROP
+## Continue with the rest.
+#/sbin/iptables -A BOTSCOUT -j RETURN
+###########################################################################
+`ipset list BOTSCOUT 2>/dev/null >/dev/null`
+if [ $? = 1 ]; then
+    ipset create BOTSCOUT hash:net maxelem 262144 family inet
+fi
+ipset flush BOTSCOUT
+while read LINE; do
+    grep -E -vq "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}$" <<< "${LINE}"
+    if [ $? -eq 0 ]; then
+        continue
+    fi
+    printf %s "add BOTSCOUT ${LINE}" | ipset restore -exist
+done <<< $(curl -s -L https://iplists.firehol.org/files/botscout.ipset)
+</file>
 ====== Delete a Single Rule ======
@@ Line 542: / Line 653: @@
 The ''generate-country-ip-sets.sh'' script presented above will create 8 separate lists, 2 lists per country for both IPv4 and IPv6 using a list of countries ''COUNTRY_CODES'' adjustable in the configuration section of the script.
+====== PeerBlock Level 1 ======
+PeerBlock is a list of agencies dealing with copyright protection. The following script can be used to create an IP set and batch-block all of them.
+<code bash>
+#!/usr/bin/env bash
+###########################################################################
+##  Copyright (C) Wizardry and Steamworks 2023 - License: GNU GPLv3      ##
+###########################################################################
+# Downloads peerblock level 1 and adds all the networks to ipset.        ##
+###########################################################################
+## Possible firewall configuration:
+## Delete all the old rules.
+#I=`/sbin/iptables-save | grep -- "-A INPUT -j PEERBLOCK-LEVEL1"`
+#O=`/sbin/iptables-save | grep -- "-A OUTPUT -j PEERBLOCK-LEVEL1"`
+#if [ ! -z "$I" ] || [ ! -z "$O" ]; then
+#    /sbin/iptables -F PEERBLOCK-LEVEL1
+#    /sbin/iptables -X PEERBLOCK-LEVEL1
+#fi
+#if [ ! -z "$I" ]; then
+#    /sbin/iptables -D INPUT -j PEERBLOCK-LEVEL1
+#fi
+#if [ ! -z "$O" ]; then
+#    /sbin/iptables -D OUTPUT -j PEERBLOCK-LEVEL1
+#fi
+## Create the chain again and add all the new rules.
+#/sbin/iptables -N PEERBLOCK-LEVEL1
+#/sbin/iptables -I INPUT 1 -j PEERBLOCK-LEVEL1
+#/sbin/iptables -I OUTPUT 1 -j PEERBLOCK-LEVEL1
+#/sbin/iptables -A PEERBLOCK-LEVEL1 -p all -m set --match-set PEERBLOCK-LEVEL1 src,dst -j DROP
+## Continue with the rest.
+#/sbin/iptables -A PEERBLOCK-LEVEL1 -j RETURN
+###########################################################################
+`ipset list PEERBLOCK-LEVEL1 2>/dev/null >/dev/null`
+if [ $? = 1 ]; then
+    ipset create PEERBLOCK-LEVEL1 hash:net maxelem 262144 family inet
+fi
+ipset flush PEERBLOCK-LEVEL1
+curl -s -L "http://list.iblocklist.com/?list=bt_level1&amp;fileformat=p2p&amp;archiveformat=gz" -o - |
+    gunzip |
+    cut -d: -f2 |
+    grep -E "^[-0-9.]+$" |
+    awk '{print "add PEERBLOCK-LEVEL1 "$1}' |
+    ipset restore -exist
+</code>
+Ideally, this script could be placed in ''/etc/cron.daily'' in order to daily refresh the set of IPs.
+====== Banning Countries on Debian ======
+On Debian, the procedure to obtain the ''geoip'' ''iptables'' module is to install the packages:
+  * ''xtables-addons-dkms'',
+  * ''xtables-addons-common'',
+  * ''libtext-csv-xs-perl''
+With the packages installed, there are some tools under ''/usr/lib/exec/xtables-addons'' that can be used to both download a geoip database as well as create the necessary mappings in order to be able to block countries. The tools are the following:
+  * ''xt_geoip_dl'',
+  * ''xt_geoip_build''
+and:
+  * ''xt_geoip_dl_maxmind'',
+  * ''xt_geoip_build_maxmind''
+and can be used in pairs in order to generate a database for ''iptables''. The procedure is to first issue:
+<code bash>
+xt_geoip_dl
+</code>
+in order to download a database, followed by:
+<code bash>
+xt_geoip_build
+</code>
+in order to build the lookup table for the ''iptables'' ''geoip'' module.
+Note that ''xt_geoip_dl_maxmind'' will require a license file to be supplies as the first parameter in order to download the MaxMind database.
+The last command, ''xt_geoip_build'' will generate ''iv4'' and ''iv6'' files in the current directory and they will have to be moved into ''/usr/share/xt_geoip/'':
+<code bash>
+mkdir -p /usr/share/xt_geoip/
+mv *.iv4 *.iv6 /usr/share/xt_geoip
+</code>