Hello all.
Leaving nftables aside (I don't know about it), I think the best way to filter IPs by country is using iptables with ipset.
Quote:
ipset is used to set up, maintain and inspect so called IP sets in the Linux kernel. Depending on the type of the set, an IP set may store IP(v4/v6) addresses, (TCP/UDP) port numbers, IP and MAC address pairs, IP address and port number pairs, etc.
Iptables matches and targets referring to sets create references, which protect the given sets in the kernel. A set cannot be destroyed while there is a single reference pointing to it.
(man ipset, I recommend reading it).
I read a bit about filtering sets of IPs, and I understood that filtering a lot of IPs with iptables alone is not efficient, and it is better to do it with sets of them. Now I am blocking several countries on my little home server using this method, and I do it this way. Note that the sets of country IPs can change, so it is recommended to implement it as a cron job.
I'm not a computer security specialist, nor a sysadmin. I am only a luser… But I coded this little script by myself (in fact, DuckDuckGo and I did it together) and it works on my server with GNU/Linux Slackware!! So, I'm proud to share it with you. For other distros you must perhaps modify it. I'm sure it is improvable; I accept suggestions.
Code:
#!/bin/bash
# Script to filter IP addresses by country: it builds hash:net IP blocks
# with ipset and filters them with iptables rules.
# Requires administrator privileges.
# On GNU/Linux Slackware copy it to /etc/cron.daily with execute permission (chmod +x).
# For other distros check the cron configuration.
# Source URL of the IP address blocks: http://www.ipdeny.com
# Full list at http://www.ipdeny.com/ipblocks/data/countries
# Filtered countries:
# Afghanistan (af)
# China (cn)
#
for Pais in af cn;
do
    # Download the block list first; if the download fails, keep the current
    # set instead of leaving the country unfiltered.
    Zona=$(mktemp) || exit 1
    if ! wget -q -O "$Zona" "http://www.ipdeny.com/ipblocks/data/countries/$Pais.zone"; then
        echo "Download of $Pais.zone failed, set Bloque-Pais-$Pais not updated" >&2
        rm -f "$Zona"
        continue
    fi
    # Create the hash:net block if it does not exist yet and empty it.
    # A set referenced by an iptables rule cannot be destroyed (see man ipset),
    # so the set is reused and flushed rather than destroyed and recreated.
    ipset -exist create Bloque-Pais-$Pais hash:net
    ipset flush Bloque-Pais-$Pais
    # Add the IP networks to the block
    for IP in $(cat "$Zona")
    do
        ipset add Bloque-Pais-$Pais $IP
    done
    rm -f "$Zona"
done
# Save all the sets to a file, just in case.
mkdir -p /etc/iptables/ipset/
ipset save > /etc/iptables/ipset/bloques.ipset.save
# Write to the log
Date=$(date +%Y%m%d_%H%M%S)
echo "$Date Updated IP addresses of the country filter." >> /var/log/cron
# A rule is added at the end of the file /etc/iptables/iptables.sh
# in the following way to activate the filter:
# Create a filtering rule for each country block
# created by the cron job /etc/cron.daily/blacklist.paises.sh
# (the sets must exist before these rules are loaded at boot, e.g. with
# ipset restore < /etc/iptables/ipset/bloques.ipset.save)
# for Pais in af cn;
# do
#     iptables -I INPUT -m set --match-set Bloque-Pais-$Pais src -p TCP -j DROP
#     echo "Created DROP rules for country $Pais"
# done
exit 0
I commented the script in my own language: today it is too late, so I'll try to translate it to English soon (especially the last lines, because it is important to add a rule to your iptables script).
You can list the created sets of IPs by name:
Code:
alfonso@Sherwood:~$ sudo /usr/sbin/ipset list --name
Password:
Bloque-Pais-af
Bloque-Pais-cn
ips.maliciosas ## ← This set is created with another script
Each set of rules contains a lot of IPs. Remember I created sets of them with the type hash:net (see man ipset):
Code:
alfonso@Sherwood:~$ sudo /usr/sbin/ipset list Bloque-Pais-af | nl | tail -n 3
114 103.144.237.0/24
115 180.94.64.0/19
116 103.96.233.0/24
116 lines of IP addresses in CIDR notation: that is a lot of IPs.
Finally, if the rule is properly created in your iptables script (if you don't have one, you must), the rules can be listed easily:
Quote:
alfonso@Sherwood:~$ sudo /usr/sbin/iptables -nvL | grep set
294 16716 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set ips.maliciosas src
49 2568 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set Bloque-Pais-cn src
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set Bloque-Pais-af src
Happy slacking.
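As an added example (not the post's script), one way to refresh a country set with a single bulk `ipset restore` and an atomic `ipset swap`, so the live set is never empty during the update and never has to be destroyed while the iptables rule references it; the function names and the sample zone lines are constructed for this example:

```shell
#!/bin/sh
# Added example, not the post's script: update one country set with
# "ipset restore" plus an atomic swap instead of destroy/create/add.
# Set names follow the post (Bloque-Pais-XX); the sample zone data is constructed.

# Print "ipset restore" input that fills a temporary set from a zone file.
# Returns 1 when no usable prefix was found (e.g. the download returned an
# error page), so a bad download never replaces the live set with an empty one.
zone_to_restore() {
    live="$1"; zone="$2"; n=0
    echo "create $live-tmp hash:net"
    while IFS= read -r net; do
        # coarse sanity check: ipdeny lines are IPv4 prefixes such as 1.2.3.0/24
        case "$net" in
            ""|*[!0-9./]*) continue ;;
        esac
        echo "add $live-tmp $net"
        n=$((n + 1))
    done < "$zone"
    [ "$n" -gt 0 ]
}

# Load the generated set and swap it into place for country code $1 from
# zone file $2. The live set is never empty and never destroyed, so the
# iptables rule that references it (see the post) keeps working throughout.
load_country() {
    live="Bloque-Pais-$1"
    script=$(zone_to_restore "$live" "$2") || return 1
    ipset -exist create "$live" hash:net              # first run: create the live set
    ipset destroy "$live-tmp" 2>/dev/null || true     # drop a stale temp set, if any
    printf '%s\n' "$script" | ipset restore || return 1   # one bulk load, not one exec per prefix
    ipset swap "$live-tmp" "$live" && ipset destroy "$live-tmp"
}

# Constructed sample zone: three prefixes plus a corrupted line to be skipped.
SAMPLE_ZONE=$(mktemp)
printf '103.144.237.0/24\n180.94.64.0/19\n<html>error</html>\n103.96.233.0/24\n' > "$SAMPLE_ZONE"

# Show what would be fed to "ipset restore"; only load it for real as root.
zone_to_restore Bloque-Pais-af "$SAMPLE_ZONE"
if [ "$(id -u)" -eq 0 ] && command -v ipset >/dev/null 2>&1; then
    load_country af "$SAMPLE_ZONE"
fi
```

Run it from cron in place of the per-address `ipset add` loop; the saved `ipset save` file from the post can still be restored at boot before the iptables rules are loaded.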