Geoblock country bash script
Install prerequisites
apt install ipset aggregate shorewall
Setup shorewall
Shorewall standalone (single-interface) setup tutorial: https://shorewall.org/standalone.htm
Install and start the ipset script
Save the following script as /usr/local/sbin/ipset-geoblock-country.sh:
#!/bin/bash
# debug
# set -x
# send all output (stdout and stderr) to syslog, tagged with the script name
exec 1> >(logger -s -t $(basename $0)) 2>&1
logger "Start: $0"
# create the set if it does not exist yet, then empty it before reloading
/sbin/ipset create geoblock hash:net -exist
/sbin/ipset flush geoblock
# one CIDR prefix per line for the country (here FR) from the ipdeny.com zone file
for IP in $(/usr/bin/wget -O - http://www.ipdeny.com/ipblocks/data/aggregated/fr-aggregated.zone)
# alternatives: derive the prefixes from the RIPE delegated file instead
#for IP in $(/usr/bin/wget -q -O - https://ftp.ripe.net/ripe/stats/delegated-ripencc-latest | awk -F'|' 'BEGIN{OFS=""} ( $2 == "FR" ) && $3 == "ipv4" {print $4,"/",32-(log($5) /log(2))}')
#for IP in $(/usr/bin/wget -q -O - https://ftp.ripe.net/ripe/stats/delegated-ripencc-latest | grep "ripencc|FR|ipv4" | awk -F '|' '{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }')
do
    /sbin/ipset -A geoblock "$IP" -exist
done
logger "End: $0"
chmod u+x /usr/local/sbin/ipset-geoblock-country.sh
/usr/local/sbin/ipset-geoblock-country.sh
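The RIPE alternative commented out in the script derives the prefix length as 32-log2(count), which is only correct when the allocation size is a power of two. The following added example (not code from the wiki page) converts RIPE delegated records into exact CIDR prefixes and validates every entry before it is handed to ipset; the function names and the sample records are constructed for this illustration.

```shell
#!/bin/bash
# Added example, not from the original wiki page: derive exact CIDR prefixes from
# RIPE delegated-file records and validate each one before it reaches "ipset add".
# RIPE records sizes such as 3072, for which 32-log2(count) is not a prefix length.
ip2int() { local IFS=.; set -- $1; echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }
int2ip() { echo "$(( ($1>>24)&255 )).$(( ($1>>16)&255 )).$(( ($1>>8)&255 )).$(( $1&255 ))"; }
# Accept only a plain dotted quad: four decimal octets 0-255, no leading zeros.
valid_ipv4() {
    local o IFS=.
    case $1 in ''|*[!0-9.]*|*..*|.*|*.|0[0-9]*|*.0[0-9]*) return 1;; esac
    set -- $1
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
}
# Print the CIDR blocks covering COUNT addresses from START, largest block first;
# every block is aligned to its own size, as a valid prefix must be.
range_to_cidrs() {
    local start count size bits
    start=$(ip2int "$1"); count=$2
    while [ "$count" -gt 0 ]; do
        size=1; bits=32
        while [ $(( size * 2 )) -le "$count" ] && [ $(( start % (size * 2) )) -eq 0 ]; do
            size=$(( size * 2 )); bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$start")/$bits"
        start=$(( start + size )); count=$(( count - size ))
    done
}
# Read RIPE records (registry|cc|type|start|count|...) on stdin, keep the ipv4
# lines for one country code and emit its prefixes; malformed records are skipped.
ripe_to_prefixes() {
    local cc=$1 registry country type start count rest
    while IFS='|' read -r registry country type start count rest; do
        [ "$registry" = ripencc ] && [ "$country" = "$cc" ] && [ "$type" = ipv4 ] || continue
        if valid_ipv4 "$start" && [ "$count" -gt 0 ] 2>/dev/null; then
            range_to_cidrs "$start" "$count"
        else
            printf 'skipping malformed record: %s|%s|%s|%s|%s\n' "$registry" "$country" "$type" "$start" "$count" >&2
        fi
    done
}
# Constructed sample records (not real RIPE data). Each output line can be passed
# to "ipset add geoblock <prefix> -exist", as the page's script does.
SAMPLE='ripencc|FR|ipv4|10.0.0.0|3072|20100101|allocated
ripencc|DE|ipv4|10.64.0.0|1024|20100101|allocated
ripencc|FR|ipv4|10.9.0.0|256|20100101|allocated
ripencc|FR|ipv4|not.an.ip|256|20100101|allocated
ripencc|FR|ipv6|2001:db8::|32|20100101|allocated'
printf '%s\n' "$SAMPLE" | ripe_to_prefixes FR
```

Running it prints 10.0.0.0/21, 10.0.8.0/22 and 10.9.0.0/24 for FR and reports the malformed record on stderr.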
Verify loaded ipset
ipset list geoblock
Configure shorewall blacklist
touch /etc/shorewall/blrules
cat <<EOF > /etc/shorewall/blrules
#ACTION SOURCE DEST PROTO DPORT
DROP net:+geoblock all
EOF
Restart shorewall
shorewall check
shorewall restart
Make persistent via /etc/network/interfaces (the set must exist before shorewall starts)
pre-up /sbin/ipset create geoblock hash:net -exist
Load ipset after shorewall has started
touch /etc/shorewall/started
cat <<EOF >/etc/shorewall/started
#!/bin/bash
/usr/local/sbin/ipset-geoblock-country.sh &
EOF
Refresh the ipset weekly on Mondays
crontab -e
30 6 * * 1 /usr/local/sbin/ipset-geoblock-country.sh
Reboot and check.
Tested on
- Debian 9 Stretch
wiki/geoblock_country_bash_script.txt · Last modified: 2021/07/15 15:35 by antisa