Iptables

From Lolly's Wiki
Revision as of 09:33, 7 May 2025 by Lollypop (Created page)

Block IPs dynamically from blocklists

I found a basic script here (https://www.lupovis.io/implementing-a-dynamic-blocklist-with-iptables/) which I adapted to a set of lists and added logging.

<SyntaxHighlight lang=bash>
#!/bin/bash
# Blocklist name -> download URL. The [key]=value form works on every bash with
# associative arrays (4.0+); the bare "key value" list form needs bash 5.1 or newer.
declare -A BLOCKLIST_URLS=(
  [Emerging_Threats]="https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
  [TOR_exit_nodes]="https://opendbl.net/lists/tor-exit.list"
  [Bruteforce_Blocker]="https://opendbl.net/lists/bruteforce.list"
  [Blocklist_de]="https://opendbl.net/lists/blocklistde-all.list"
  [Dshield]="https://opendbl.net/lists/dshield.list"
  [SSL_Abuse_IP_list]="https://opendbl.net/lists/sslblock.list"
  [IPSum_Level_3]="https://opendbl.net/lists/ipsum.list"
)
IPTABLES="/sbin/iptables"
IPSET="/sbin/ipset"

LIST_DIR="/etc/iptables_blocklist/lists"

[ ! -d "${LIST_DIR}" ] && mkdir -p "${LIST_DIR}"

# Strip comments and blank lines and sort, so two snapshots can be diffed with comm
clean_list() {
  grep -Ev "(^#|^$)" "$1" | sort -u
}

for BLOCKLIST in "${!BLOCKLIST_URLS[@]}"
do
  PREVIOUS_BLOCKLIST="${LIST_DIR}/previous_${BLOCKLIST}.txt"
  CURRENT_BLOCKLIST="${LIST_DIR}/current_${BLOCKLIST}.txt"
  LOG="DENY Dyn ${BLOCKLIST}"
  [ -f "${CURRENT_BLOCKLIST}" ] || touch "${CURRENT_BLOCKLIST}"
  [ -f "${PREVIOUS_BLOCKLIST}" ] || touch "${PREVIOUS_BLOCKLIST}"
  # Download the current blocklist into a temporary file first: -f makes curl fail on
  # HTTP errors, and a failed or empty download must not replace the current snapshot,
  # otherwise the diff below would remove every address of this list from the set
  if ! curl -sf "${BLOCKLIST_URLS[${BLOCKLIST}]}" -o "${CURRENT_BLOCKLIST}.tmp" || [ ! -s "${CURRENT_BLOCKLIST}.tmp" ]
  then
    echo "Download of ${BLOCKLIST} failed, keeping the previous set" >&2
    rm -f "${CURRENT_BLOCKLIST}.tmp"
    continue
  fi
  mv "${CURRENT_BLOCKLIST}.tmp" "${CURRENT_BLOCKLIST}"
  # Create the ipset set if it does not exist (hash:ip expands CIDR entries into single addresses)
  ${IPSET} list -n "${BLOCKLIST}" >/dev/null 2>&1 || ${IPSET} create "${BLOCKLIST}" hash:ip maxelem 256000 timeout 0
  # Add new IPs to the blocklist (entries only present in the current snapshot)
  comm -13 <(clean_list "${PREVIOUS_BLOCKLIST}") <(clean_list "${CURRENT_BLOCKLIST}") | while read -r IP
  do
    ${IPSET} -exist add "${BLOCKLIST}" "${IP}"
  done
  # Remove outdated IPs from the blocklist (entries only present in the previous snapshot)
  comm -23 <(clean_list "${PREVIOUS_BLOCKLIST}") <(clean_list "${CURRENT_BLOCKLIST}") | while read -r IP
  do
    ${IPSET} -exist del "${BLOCKLIST}" "${IP}"
  done
  # Ensure the iptables rules are in place: the DROP rule is inserted first and the LOG
  # rule is then inserted above it, so a matching packet is logged before it is dropped
  ${IPTABLES} -C INPUT -m set --match-set "${BLOCKLIST}" src -j DROP 2>/dev/null || ${IPTABLES} -I INPUT -m set --match-set "${BLOCKLIST}" src -j DROP
  ${IPTABLES} -C INPUT -m set --match-set "${BLOCKLIST}" src -j LOG --log-prefix "${LOG} " --log-tcp-options --log-ip-options 2>/dev/null || ${IPTABLES} -I INPUT -m set --match-set "${BLOCKLIST}" src -j LOG --log-prefix "${LOG} " --log-tcp-options --log-ip-options
  # Save the current blocklist as the previous one for the next run
  cp "${CURRENT_BLOCKLIST}" "${PREVIOUS_BLOCKLIST}"
done
</SyntaxHighlight>

To list the IPs blocked during the last 24 hours, you can try:

# journalctl --full --dmesg --no-pager --grep "DENY Dyn \w+ " --since -24hours

or, to follow what is being blocked right now:

# journalctl --full --dmesg --no-pager --follow --grep "DENY Dyn \w+ "
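The journalctl commands above print the raw kernel LOG lines. The following is an added example of my own (not from the wiki page or the lupovis script) that summarises those lines per blocklist and per source address; it assumes the "DENY Dyn <list> " log prefix set by the script above, and the journal lines it runs on are constructed samples using documentation addresses.

```shell
#!/bin/bash
# Added example, not part of the wiki page: summarise the "DENY Dyn <list>" LOG
# entries the blocklist script produces, e.g. as the last stage of
#   journalctl --dmesg --no-pager --grep "DENY Dyn \w+ " --since -24hours | summarise_denies
# Prints one "list <name> <hits>" line per blocklist, then one
# "src <ip> <hits> <proto/dport,...>" line per blocked source, busiest first.

summarise_denies() {
  awk '
    /DENY Dyn [A-Za-z0-9_]+ / {
      # the blocklist name is the word between "DENY Dyn " and the next space
      match($0, /DENY Dyn [A-Za-z0-9_]+ /)
      list = substr($0, RSTART + 9, RLENGTH - 10)
      src = ""; dpt = "-"; proto = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
      }
      if (src == "") next          # malformed line without a source address
      per_list[list]++
      per_src[src]++
      if (ports[src] == "") ports[src] = proto "/" dpt
      else                  ports[src] = ports[src] "," proto "/" dpt
    }
    END {
      for (l in per_list) printf "list %s %d\n", l, per_list[l]
      for (s in per_src)  printf "src %s %d %s\n", s, per_src[s], ports[s]
    }' | sort -k1,1 -k3,3nr -k2,2   # awk hash order is undefined, so sort here
}

# Constructed sample journal lines (RFC 5737 addresses) in the format the LOG
# target emits; the last line is unrelated kernel output and must be ignored.
SAMPLE_LOG='May 07 09:33:01 host kernel: DENY Dyn Emerging_Threats IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
May 07 09:33:05 host kernel: DENY Dyn Emerging_Threats IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=44322 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
May 07 09:34:10 host kernel: DENY Dyn TOR_exit_nodes IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=48 ID=777 PROTO=UDP SPT=5353 DPT=53 LEN=28
May 07 09:35:00 host kernel: eth0: link up, SRC=10.0.0.1 is not a firewall log line'

printf '%s\n' "$SAMPLE_LOG" | summarise_denies
```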