Differences

fuss:iptables [2020/02/17 19:43] – [Block Attacks with FireHOL Level 1 IP Abuse List] office
fuss:iptables [2025/02/04 05:23] (current) – [Block GreenSnow Attacks] office
Line 1: Line 1:
-====== Packet Flow ====== +====== Packet Flow  ======
- +
-{{fuss_iptables_flow_through_netfilter.svg?512}} +
- +
-===== Abridged Version =====+
  
 {{fuss_iptables_flow_through_netfilter_abridged.png?512}} {{fuss_iptables_flow_through_netfilter_abridged.png?512}}
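Review bot: the replacement heading on the first `+` line of this hunk carries a doubled space before the closing markup (`====== Packet Flow  ======`); trim it so it matches the page's other headings. The same hunk drops `{{fuss_iptables_flow_through_netfilter.svg?512}}` and the `===== Abridged Version =====` subheading without replacing either, so the section is still titled as the full packet flow but now shows only the abridged PNG. If the detailed SVG is being retired on purpose, say so in the edit summary; otherwise keep it and leave the abridged figure under its own subheading.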
Line 39: Line 35:
                                                                                   Packet                                                                                   Packet
 </ditaa> </ditaa>
 +
 +===== ASCII (Simplified) =====
 +
 +From the Advanced Routing Howto.
 +
 +<ditaa>
 +       +------------+       +---------+       +-------------+
 +------>| PREROUTING +------>| FORWARD +------>| POSTROUTING +------>
 +       +------+-----+       +---------+       +-------+-----+
 +              |                                       ^
 +              |     +-------+  local  +--------+      |
 +              +---->| INPUT +-------->| OUTPUT +------+
 +                    +-------+         +--------+
 +</ditaa>
 +
 ====== Flush Tables ====== ====== Flush Tables ======
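Review bot: the attribution `From the Advanced Routing Howto.` should be a proper citation; the page otherwise uses `[[url|text]]` links for its sources (GreenSnow, BotScout), and a bare title gives the reader nothing to follow. It would also help to state, in the heading or the lead sentence, that this simplified figure shows only the five built-in chains and collapses the per-table stages (raw/mangle/nat/filter) that the fuller diagrams distinguish, so the two figures are not read as contradicting each other.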
  
Line 264: Line 275:
 all of which should be available to install via the distribution's package manager. all of which should be available to install via the distribution's package manager.
  
-<file bash emerging-threats>+<file bash create-emerging-threats-ipset>
 #!/usr/bin/env bash #!/usr/bin/env bash
 ########################################################################### ###########################################################################
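Review bot: the `<file>` rename to `create-emerging-threats-ipset` is the right shape for `/etc/cron.hourly`, because `run-parts` only executes files whose names consist of letters, digits, hyphens and underscores (a `.sh` suffix is silently skipped); state that constraint in the prose where the reader is told to copy the script into the cron directory, and check that nothing elsewhere on the page still refers to the script by its old name `emerging-threats`.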
Line 318: Line 329:
   * ''awk''   * ''awk''
  
-<file bash firehol-level1>+<file bash create-level1-ipset>
 #!/usr/bin/env bash #!/usr/bin/env bash
 ########################################################################### ###########################################################################
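Review bot: `create-level1-ipset` is ambiguous now that this same revision also adds a PeerBlock Level 1 script further down; a reader installing both into cron ends up with two unrelated "level 1" lists, one of them under a generic name. Name it after its source, e.g. `create-firehol-level1-ipset`, to match `create-emerging-threats-ipset`, `create-greensnow-ipset` and `create-botscout-ipset`.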
Line 408: Line 419:
  
 To use, simply copy the script to ''/etc/cron.hourly'' and then insert the ''iptables'' rules at the top into the existing firewall. To use, simply copy the script to ''/etc/cron.hourly'' and then insert the ''iptables'' rules at the top into the existing firewall.
 +
 +====== Block GreenSnow Attacks ======
 +
 +[[https://greensnow.co/|Greensnow]] is a service that monitors attacks on various services across the internet and updates a list of offenders in real time. The script provided generates an ipset from the IP addresses provided by GreenSnow. The script can be saved to ''/etc/cron.hourly'' in order to update the list of offending IP addresses every hour.
 +
 +<file bash create-greensnow-ipset>
 +#!/usr/bin/env bash
 +###########################################################################
 +##  Copyright (C) Wizardry and Steamworks 2024 - License: GNU GPLv3      ##
 +###########################################################################
 +# Downloads GreenSnow attack IP list and adds all the networks to ipset. ##
 +###########################################################################
 +## Possible firewall configuration:
 +## Delete all the old rules.
 +#I=`/sbin/iptables-save | grep -- "-A INPUT -j GREENSNOW"`
 +#O=`/sbin/iptables-save | grep -- "-A OUTPUT -j GREENSNOW"`
 +#if [ ! -z "$I" ] || [ ! -z "$O" ]; then
 +#    /sbin/iptables -F GREENSNOW
 +#    /sbin/iptables -X GREENSNOW
 +#fi
 +#if [ ! -z "$I" ]; then
 +#    /sbin/iptables -D INPUT -j GREENSNOW
 +#fi
 +#if [ ! -z "$O" ]; then
 +#    /sbin/iptables -D OUTPUT -j GREENSNOW
 +#fi
 +## Create the chain again and add all the new rules.
 +#/sbin/iptables -N GREENSNOW
 +#/sbin/iptables -I INPUT 1 -j GREENSNOW
 +#/sbin/iptables -I OUTPUT 1 -j GREENSNOW
 +#/sbin/iptables -A GREENSNOW -p all -m set --match-set GREENSNOW src,dst -j DROP
 +## Continue with the rest.
 +#/sbin/iptables -A GREENSNOW -j RETURN
 +###########################################################################
 +
 +`ipset list GREENSNOW 2>/dev/null >/dev/null`
 +if [ $? = 1 ]; then
 +    ipset create GREENSNOW hash:net maxelem 262144 family inet
 +fi
 +ipset flush GREENSNOW
 +
 +while read LINE; do
 +    grep -E -vq "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}$" <<< "${LINE}"
 +    if [ $? -eq 0 ]; then
 +        continue
 +    fi
 +    printf %s "add GREENSNOW ${LINE}" | ipset restore -exist
 +done <<< $(curl -s -L https://blocklist.greensnow.co/greensnow.txt)
 +
 +</file>
 +
 +====== Block BotScout Bots ======
 +
 +[[https://botscout.com/|BotScout]] is an online service that tracks bots that automatically register accounts on various websites or post spam messages. The script below can be copied to ''/etc/cron.hourly'' in order to generate an ipset of all the IP addresses reported by BotScout.
 +
 +<file bash create-botscout-ipset>
 +#!/usr/bin/env bash
 +###########################################################################
 +##  Copyright (C) Wizardry and Steamworks 2024 - License: GNU GPLv3      ##
 +###########################################################################
 +# Downloads botscout IP list and adds all the networks to ipset.         ##
 +###########################################################################
 +## Possible firewall configuration:
 +## Delete all the old rules.
 +#I=`/sbin/iptables-save | grep -- "-A INPUT -j BOTSCOUT"`
 +#O=`/sbin/iptables-save | grep -- "-A OUTPUT -j BOTSCOUT"`
 +#if [ ! -z "$I" ] || [ ! -z "$O" ]; then
 +#    /sbin/iptables -F BOTSCOUT
 +#    /sbin/iptables -X BOTSCOUT
 +#fi
 +#if [ ! -z "$I" ]; then
 +#    /sbin/iptables -D INPUT -j BOTSCOUT
 +#fi
 +#if [ ! -z "$O" ]; then
 +#    /sbin/iptables -D OUTPUT -j BOTSCOUT
 +#fi
 +## Create the chain again and add all the new rules.
 +#/sbin/iptables -N BOTSCOUT
 +#/sbin/iptables -I INPUT 1 -j BOTSCOUT
 +#/sbin/iptables -I OUTPUT 1 -j BOTSCOUT
 +#/sbin/iptables -A BOTSCOUT -p all -m set --match-set BOTSCOUT src,dst -j DROP
 +## Continue with the rest.
 +#/sbin/iptables -A BOTSCOUT -j RETURN
 +###########################################################################
 +
 +`ipset list BOTSCOUT 2>/dev/null >/dev/null`
 +if [ $? = 1 ]; then
 +    ipset create BOTSCOUT hash:net maxelem 262144 family inet
 +fi
 +ipset flush BOTSCOUT
 +
 +while read LINE; do
 +    grep -E -vq "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}$" <<< "${LINE}"
 +    if [ $? -eq 0 ]; then
 +        continue
 +    fi
 +    printf %s "add BOTSCOUT ${LINE}" | ipset restore -exist
 +done <<< $(curl -s -L https://iplists.firehol.org/files/botscout.ipset)
 +
 +</file>
  
 ====== Delete a Single Rule ====== ====== Delete a Single Rule ======
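Review bot: both scripts in this hunk run `ipset flush GREENSNOW` / `ipset flush BOTSCOUT` before the download, so when `curl -s -L` fails (DNS outage, HTTP error page, empty body) the loop adds nothing and the firewall runs with an empty set until the next cron run, with `-s` hiding the error. Fetch the list into a variable or temp file first, check that `curl -f` succeeded and the body is non-empty, and only then flush and reload; or load into a scratch set and `ipset swap` it in so the old entries stay active throughout. Second, the commented firewall recipe runs `iptables -X GREENSNOW` before `iptables -D INPUT -j GREENSNOW` and `-D OUTPUT -j GREENSNOW`; iptables refuses to delete a chain that is still referenced by a jump rule, so the `-D` lines must come before `-F`/`-X` (the BOTSCOUT copy has the same ordering). Smaller points: `` `ipset list GREENSNOW 2>/dev/null >/dev/null` `` executes the command's (empty) output as a command and only works by accident; write `if ! ipset list GREENSNOW >/dev/null 2>&1; then ... fi`. `done <<< $(curl ...)` should quote the substitution (`<<< "$(curl ...)"`) or read from `< <(curl ...)`, since bash before 4.4 word-splits an unquoted here-string and collapses the whole list onto one line, so nothing matches the regex. Spawning one `ipset restore` process per address is slow for lists of this size; pipe the filtered lines through `awk '{print "add GREENSNOW "$1}' | ipset restore -exist` once, as the PeerBlock script later on the page does. Finally, the BotScout list is fetched from `iplists.firehol.org`, not from botscout.com as the prose implies, and the header comment's "adds all the networks" is really single addresses: the regex rejects CIDR notation, which is fine for these two feeds but worth saying in a comment.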
Line 542: Line 653:
  
 The ''generate-country-ip-sets.sh'' script presented above will create 8 separate lists, 2 lists per country for both IPv4 and IPv6 using a list of countries ''COUNTRY_CODES'' adjustable in the configuration section of the script. The ''generate-country-ip-sets.sh'' script presented above will create 8 separate lists, 2 lists per country for both IPv4 and IPv6 using a list of countries ''COUNTRY_CODES'' adjustable in the configuration section of the script.
 +
 +====== PeerBlock Level 1 ======
 +
 +PeerBlock is a list of agencies dealing with copyright protection. The following script can be used to create an IP set and batch-block all of them.
 +
 +<code bash>
 +#!/usr/bin/env bash
 +###########################################################################
 +##  Copyright (C) Wizardry and Steamworks 2023 - License: GNU GPLv3      ##
 +###########################################################################
 +# Downloads peerblock level 1 and adds all the networks to ipset.        ##
 +###########################################################################
 +## Possible firewall configuration:
 +## Delete all the old rules.
 +#I=`/sbin/iptables-save | grep -- "-A INPUT -j PEERBLOCK-LEVEL1"`
 +#O=`/sbin/iptables-save | grep -- "-A OUTPUT -j PEERBLOCK-LEVEL1"`
 +#if [ ! -z "$I" ] || [ ! -z "$O" ]; then
 +#    /sbin/iptables -F PEERBLOCK-LEVEL1
 +#    /sbin/iptables -X PEERBLOCK-LEVEL1
 +#fi
 +#if [ ! -z "$I" ]; then
 +#    /sbin/iptables -D INPUT -j PEERBLOCK-LEVEL1
 +#fi
 +#if [ ! -z "$O" ]; then
 +#    /sbin/iptables -D OUTPUT -j PEERBLOCK-LEVEL1
 +#fi
 +## Create the chain again and add all the new rules.
 +#/sbin/iptables -N PEERBLOCK-LEVEL1
 +#/sbin/iptables -I INPUT 1 -j PEERBLOCK-LEVEL1
 +#/sbin/iptables -I OUTPUT 1 -j PEERBLOCK-LEVEL1
 +#/sbin/iptables -A PEERBLOCK-LEVEL1 -p all -m set --match-set PEERBLOCK-LEVEL1 src,dst -j DROP
 +## Continue with the rest.
 +#/sbin/iptables -A PEERBLOCK-LEVEL1 -j RETURN
 +###########################################################################
 +    
 +`ipset list PEERBLOCK-LEVEL1 2>/dev/null >/dev/null`
 +if [ $? = 1 ]; then
 +    ipset create PEERBLOCK-LEVEL1 hash:net maxelem 262144 family inet
 +fi
 +ipset flush PEERBLOCK-LEVEL1
 +curl -s -L "http://list.iblocklist.com/?list=bt_level1&amp;fileformat=p2p&amp;archiveformat=gz" -o - |
 +    gunzip |
 +    cut -d: -f2 |
 +    grep -E "^[-0-9.]+$" |
 +    awk '{print "add PEERBLOCK-LEVEL1 "$1}' |
 +    ipset restore -exist
 +
 +</code>
 +
 +Ideally, this script could be placed in ''/etc/cron.daily'' in order to daily refresh the set of IPs.
 +
 +====== Banning Countries on Debian ======
 +
 +On Debian, the procedure to obtain the ''geoip'' ''iptables'' module is to install the packages:
 +  * ''xtables-addons-dkms'',
 +  * ''xtables-addons-common'',
 +  * ''libtext-csv-xs-perl''
 +
 +With the packages installed, there are some tools under ''/usr/lib/exec/xtables-addons'' that can be used to both download a geoip database as well as create the necessary mappings in order to be able to block countries. The tools are the following:
 +  * ''xt_geoip_dl'',
 +  * ''xt_geoip_build''
 +
 +and:
 +  * ''xt_geoip_dl_maxmind'',
 +  * ''xt_geoip_build_maxmind''
 +
 +and can be used in pairs in order to generate a database for ''iptables''. The procedure is to first issue:
 +<code bash>
 +xt_geoip_dl
 +</code>
 +in order to download a database, followed by:
 +<code bash>
 +xt_geoip_build
 +</code>
 +in order to build the lookup table for the ''iptables'' ''geoip'' module.
 +
 +Note that ''xt_geoip_dl_maxmind'' will require a license file to be supplies as the first parameter in order to download the MaxMind database.
 +
 +The last command, ''xt_geoip_build'' will generate ''iv4'' and ''iv6'' files in the current directory and they will have to be moved into ''/usr/share/xt_geoip/'':
 +<code bash>
 +mkdir -p /usr/share/xt_geoip/
 +mv *.iv4 *.iv6 /usr/share/xt_geoip
 +</code>
 +
 +
 +
 +
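Review bot: the curl URL in the PeerBlock script contains `&amp;` where `&` is meant (`?list=bt_level1&amp;fileformat=p2p&amp;archiveformat=gz`); if that is in the wiki source rather than an artifact of the rendered diff, the server sees parameters named `amp;fileformat` and `amp;archiveformat`, the response is not gzip, `gunzip` fails, and the freshly flushed set stays empty. That exposes the same two problems as the GreenSnow/BotScout hunk: the set is flushed before the download is known to have succeeded (fetch, verify, then flush, or `ipset swap` a scratch set in), and the commented recipe calls `iptables -X PEERBLOCK-LEVEL1` before the `-D INPUT`/`-D OUTPUT` jump rules are removed, which iptables rejects for a referenced chain. `cut -d: -f2` assumes the p2p entry name contains no colon; a name with one yields a field that fails `grep -E "^[-0-9.]+$"` and is dropped silently, so take the last field instead (`sed 's/.*://'` or `awk -F: '{print $NF}'`). The block is `<code bash>` with no file name while the sibling scripts use `<file bash create-...-ipset>`; give it one (e.g. `create-peerblock-level1-ipset`) since the text tells the reader to install it in `/etc/cron.daily`, and the lead sentence should say that PeerBlock is the blocking application while the list fetched is I-Blocklist's `bt_level1`. In the Debian section, `/usr/lib/exec/xtables-addons` is not a directory the package creates; verify the path with `dpkg -L xtables-addons-common` (recent packages ship the helpers under `/usr/libexec/xtables-addons/`). "supplies" should read "supplied", `''iv4'' and ''iv6'' files` are `.iv4`/`.iv6` files, `xt_geoip_build` accepts `-D <dir>` in recent versions (which removes the `mv *.iv4 *.iv6` step, if the installed version supports it), and the section ends without showing a rule that uses the module (`-m geoip --src-cc XX`), which is the point of the whole procedure.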

fuss/iptables.1581968586.txt.gz · Last modified: 2020/02/17 19:43 by office

© 2025 Wizardry and Steamworks