antisaWiki

User Tools

Site Tools

Trace: use_konsole_profile_python_virtual_environment confluence_aws_deploy create_wordpress_user_directly_database geoblock_country_bash_script
wiki:geoblock_country_bash_script

Table of Contents

, , ,

Geoblock country bash script

Install prerequisites

apt install ipset aggregate shorewall

Setup shorewall

Simple interface tutorial https://shorewall.org/standalone.htm

Install and start ipset script

ipset-geoblock-country.sh
#!/bin/bash
# debug
# set -x
exec 1> >(logger -s -t $(basename $0)) 2>&1
logger "Start: $0"
/sbin/ipset create geoblock hash:net -exist
/sbin/ipset flush geoblock
for IP in $(/usr/bin/wget -O - http://www.ipdeny.com/ipblocks/data/aggregated/fr-aggregated.zone)
# alternatives
#for IP in $(/usr/bin/wget -q -O - https://ftp.ripe.net/ripe/stats/delegated-ripencc-latest | awk -F'|' 'BEGIN{OFS=""} ( $2 == "FR" ) && $3 == "ipv4" {print $4,"/",32-(log($5)  /log(2))}')
#for IP in $(/usr/bin/wget -q -O - https://ftp.ripe.net/ripe/stats/delegated-ripencc-latest | grep "ripencc|FR|ipv4" | awk -F '|' '{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }')
do
  /sbin/ipset -A geoblock $IP -exist
done
logger "End: $0"
chmod u+x /usr/local/sbin/ipset-geoblock-country.sh
/usr/local/sbin/ipset-geoblock-country.sh

Verify loaded ipset

ipset list geoblock

Configure shorewall blacklist

touch /etc/shorewall/blrules
/etc/shorewall/blrules
cat <<EOF >
#ACTION      SOURCE           DEST     PROTO    DPORT
DROP         net:+geoblock    all
EOF

Restart shorewall

shorewall check
shorewall restart

Make persistent via interfaces (before shorewall starts)

pre-up /sbin/ipset create geoblock hash:net -exist

Load ipset after shorewall has started

touch /etc/shorewall/started
cat <<EOF >/etc/shorewall/started
#!/bin/bash

/usr/local/sbin/ipset-geoblock-country.sh &
EOF

Refresh ipset weekly on mondays

crontab -e
30 6 * * 1 /usr/local/sbin/ipset-geoblock-country.sh

Reboot and check.

Tested on

  • Debian 9 Stretch

See also

References

wiki/geoblock_country_bash_script.txt · Last modified: 2021/07/15 15:35 by antisa
Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal
CC0 1.0 Universal Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki