This shows you the differences between two versions of the page.
fuss:iptables [2020/02/17 19:43] – [Block Attacks with FireHOL Level 1 IP Abuse List] office | fuss:iptables [2025/02/04 05:23] (current) – [Block GreenSnow Attacks] office | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Packet Flow ====== | + | ====== Packet Flow ====== |
- | + | ||
- | {{fuss_iptables_flow_through_netfilter.svg? | + | |
- | + | ||
- | ===== Abridged Version | + | |
{{fuss_iptables_flow_through_netfilter_abridged.png? | {{fuss_iptables_flow_through_netfilter_abridged.png? | ||
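Review bot: dropping the `===== Abridged Version =====` heading while keeping `{{fuss_iptables_flow_through_netfilter_abridged.png?...}}` leaves the abridged diagram sitting directly under `====== Packet Flow ======` with nothing that tells the reader it is the abridged view, which matters now that a separate `===== ASCII (Simplified) =====` subsection is being added below it. Either keep the heading, or add a one-line caption such as `Abridged view of the netfilter packet flow:` above the image. If the full `fuss_iptables_flow_through_netfilter.svg` is being removed on purpose (broken upload, licensing), the edit summary should say so, since the SVG was the only complete diagram on the page.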
Line 39: | Line 35: | ||
Packet | Packet | ||
</ | </ | ||
+ | |||
+ | ===== ASCII (Simplified) ===== | ||
+ | |||
+ | From the Advanced Routing Howto. | ||
+ | |||
+ | < | ||
+ | | ||
+ | ------>| PREROUTING +------> | ||
+ | | ||
+ | | ^ | ||
+ | | | ||
+ | +---->| INPUT +--------> | ||
+ | +-------+ | ||
+ | </ | ||
+ | |||
====== Flush Tables ====== | ====== Flush Tables ====== | ||
Line 264: | Line 275: | ||
all of which should be available to install via the distribution' | all of which should be available to install via the distribution' | ||
- | <file bash emerging-threats> | + | <file bash create-emerging-threats-ipset> |
# | # | ||
########################################################################### | ########################################################################### | ||
Line 318: | Line 329: | ||
* '' | * '' | ||
- | <file bash firehol-level1> | + | <file bash create-level1-ipset> |
# | # | ||
########################################################################### | ########################################################################### | ||
Line 408: | Line 419: | ||
To use, simply copy the script to ''/ | To use, simply copy the script to ''/ | ||
+ | |||
+ | ====== Block GreenSnow Attacks ====== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | <file bash create-greensnow-ipset> | ||
+ | # | ||
+ | ########################################################################### | ||
+ | ## Copyright (C) Wizardry and Steamworks 2024 - License: GNU GPLv3 ## | ||
+ | ########################################################################### | ||
+ | # Downloads GreenSnow attack IP list and adds all the networks to ipset. ## | ||
+ | ########################################################################### | ||
+ | ## Possible firewall configuration: | ||
+ | ## Delete all the old rules. | ||
+ | # | ||
+ | # | ||
+ | #if [ ! -z " | ||
+ | # / | ||
+ | # / | ||
+ | #fi | ||
+ | #if [ ! -z " | ||
+ | # / | ||
+ | #fi | ||
+ | #if [ ! -z " | ||
+ | # / | ||
+ | #fi | ||
+ | ## Create the chain again and add all the new rules. | ||
+ | #/ | ||
+ | #/ | ||
+ | #/ | ||
+ | #/ | ||
+ | ## Continue with the rest. | ||
+ | #/ | ||
+ | ########################################################################### | ||
+ | |||
+ | `ipset list GREENSNOW 2>/ | ||
+ | if [ $? = 1 ]; then | ||
+ | ipset create GREENSNOW hash:net maxelem 262144 family inet | ||
+ | fi | ||
+ | ipset flush GREENSNOW | ||
+ | |||
+ | while read LINE; do | ||
+ | grep -E -vq " | ||
+ | if [ $? -eq 0 ]; then | ||
+ | continue | ||
+ | fi | ||
+ | printf %s "add GREENSNOW ${LINE}" | ||
+ | done <<< | ||
+ | |||
+ | </ | ||
+ | |||
+ | ====== Block BotScout Bots ====== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | <file bash create-botscout-ipset> | ||
+ | # | ||
+ | ########################################################################### | ||
+ | ## Copyright (C) Wizardry and Steamworks 2024 - License: GNU GPLv3 ## | ||
+ | ########################################################################### | ||
+ | # Downloads botscout IP list and adds all the networks to ipset. | ||
+ | ########################################################################### | ||
+ | ## Possible firewall configuration: | ||
+ | ## Delete all the old rules. | ||
+ | # | ||
+ | # | ||
+ | #if [ ! -z " | ||
+ | # / | ||
+ | # / | ||
+ | #fi | ||
+ | #if [ ! -z " | ||
+ | # / | ||
+ | #fi | ||
+ | #if [ ! -z " | ||
+ | # / | ||
+ | #fi | ||
+ | ## Create the chain again and add all the new rules. | ||
+ | #/ | ||
+ | #/ | ||
+ | #/ | ||
+ | #/ | ||
+ | ## Continue with the rest. | ||
+ | #/ | ||
+ | ########################################################################### | ||
+ | |||
+ | `ipset list BOTSCOUT 2>/ | ||
+ | if [ $? = 1 ]; then | ||
+ | ipset create BOTSCOUT hash:net maxelem 262144 family inet | ||
+ | fi | ||
+ | ipset flush BOTSCOUT | ||
+ | |||
+ | while read LINE; do | ||
+ | grep -E -vq " | ||
+ | if [ $? -eq 0 ]; then | ||
+ | continue | ||
+ | fi | ||
+ | printf %s "add BOTSCOUT ${LINE}" | ||
+ | done <<< | ||
+ | |||
+ | </ | ||
====== Delete a Single Rule ====== | ====== Delete a Single Rule ====== | ||
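Review bot: the set-existence check in both new scripts, the backtick `ipset list GREENSNOW 2>/...` followed by `if [ $? = 1 ]; then`, only creates the set when the exit status is exactly 1; any other failure (for example `ipset` not found in PATH, which the shell reports as 127) skips `ipset create`, after which `ipset flush GREENSNOW` and every `add GREENSNOW ${LINE}` that follows fail as well. Test for any non-zero status instead, e.g. `if ! ipset list GREENSNOW >/dev/null 2>&1; then`. Second, `ipset flush GREENSNOW` runs before the list fed to the `while read LINE; do ... done <<<` loop has yielded a single entry, so a failed or empty fetch leaves the set empty and the firewall chain referencing it silently stops blocking; populating a scratch set and `ipset swap`-ing it into GREENSNOW only after a successful fetch keeps the previous list active on failure. Third, the filter `grep -E -vq "..."` followed by `if [ $? -eq 0 ]; then continue` is a double negative (skip the line when it does not match); `grep -Eq "..." <<< "${LINE}" || continue` reads the same and is easier to audit. All three points apply verbatim to the BOTSCOUT script, which is otherwise a copy of the GREENSNOW one; a single parameterised script taking the set name and source URL would avoid fixing every bug twice.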
Line 542: | Line 653: | ||
The '' | The '' | ||
+ | |||
+ | ====== PeerBlock Level 1 ====== | ||
+ | |||
+ | PeerBlock is a list of agencies dealing with copyright protection. The following script can be used to create an IP set and batch-block all of them. | ||
+ | |||
+ | <code bash> | ||
+ | # | ||
+ | ########################################################################### | ||
+ | ## Copyright (C) Wizardry and Steamworks 2023 - License: GNU GPLv3 ## | ||
+ | ########################################################################### | ||
+ | # Downloads peerblock level 1 and adds all the networks to ipset. | ||
+ | ########################################################################### | ||
+ | ## Possible firewall configuration: | ||
+ | ## Delete all the old rules. | ||
+ | # | ||
+ | # | ||
+ | #if [ ! -z " | ||
+ | # / | ||
+ | # / | ||
+ | #fi | ||
+ | #if [ ! -z " | ||
+ | # / | ||
+ | #fi | ||
+ | #if [ ! -z " | ||
+ | # / | ||
+ | #fi | ||
+ | ## Create the chain again and add all the new rules. | ||
+ | #/ | ||
+ | #/ | ||
+ | #/ | ||
+ | #/ | ||
+ | ## Continue with the rest. | ||
+ | #/ | ||
+ | ########################################################################### | ||
+ | | ||
+ | `ipset list PEERBLOCK-LEVEL1 2>/ | ||
+ | if [ $? = 1 ]; then | ||
+ | ipset create PEERBLOCK-LEVEL1 hash:net maxelem 262144 family inet | ||
+ | fi | ||
+ | ipset flush PEERBLOCK-LEVEL1 | ||
+ | curl -s -L " | ||
+ | gunzip | | ||
+ | cut -d: -f2 | | ||
+ | grep -E " | ||
+ | awk ' | ||
+ | ipset restore -exist | ||
+ | |||
+ | </ | ||
+ | |||
+ | Ideally, this script could be placed in ''/ | ||
+ | |||
+ | ====== Banning Countries on Debian ====== | ||
+ | |||
+ | On Debian, the procedure to obtain the '' | ||
+ | * '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | With the packages installed, there are some tools under ''/ | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | and: | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | and can be used in pairs in order to generate a database for '' | ||
+ | <code bash> | ||
+ | xt_geoip_dl | ||
+ | </ | ||
+ | in order to download a database, followed by: | ||
+ | <code bash> | ||
+ | xt_geoip_build | ||
+ | </ | ||
+ | in order to build the lookup table for the '' | ||
+ | |||
+ | Note that '' | ||
+ | |||
+ | The last command, '' | ||
+ | <code bash> | ||
+ | mkdir -p / | ||
+ | mv *.iv4 *.iv6 / | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ |
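Review bot: in the PeerBlock script, `ipset flush PEERBLOCK-LEVEL1` is executed before the `curl -s -L "..." | gunzip | cut -d: -f2 | grep -E "..." | awk '...' | ipset restore -exist` pipeline has produced anything, and `curl -s` without `-f`/`--fail` will hand an HTTP error page to `gunzip` rather than aborting, so a failed download ends with `ipset restore` reading an empty stream and the set left empty while the firewall rule still references it. Use `curl -fsSL`, add `set -o pipefail` at the top so a failing stage is visible, and restore into a temporary set that is `ipset swap`-ed into PEERBLOCK-LEVEL1 only once the pipeline succeeds, so the previous list stays in force on failure. The same `ipset list ... 2>/...; if [ $? = 1 ]` existence test as in the GreenSnow and BotScout scripts has the same problem here: only exit status 1 triggers `ipset create`, so `if ! ipset list PEERBLOCK-LEVEL1 >/dev/null 2>&1; then` is the safer form. Minor: the stray `|` on the otherwise blank line after the comment banner looks like a paste artefact and should be removed. In the "Banning Countries on Debian" section, the `mkdir -p /...` and `mv *.iv4 *.iv6 /...` commands run in whatever directory `xt_geoip_build` wrote to; stating that directory, or using `cd` into it first, would make the sequence reproducible.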