Iptables

From Lolly's Wiki
Revision as of 05:30, 8 May 2025 by Lollypop (talk | contribs)
Jump to navigationJump to search

Block IPs dynamically from blocklists

I found a basic script [here] which I adapted to a set of lists and added logging. 

#!/bin/bash
#
# Based on a script from here https://www.lupovis.io/implementing-a-dynamic-blocklist-with-iptables/
#
# Enhanced by Lars Timmann <lt@timmann.de>
#
# Use at your own risk!
#

declare -A BLOCKLIST_URLS=(
Emerging_Threats   https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
TOR_exit_nodes     https://opendbl.net/lists/tor-exit.list
Bruteforce_Blocker https://opendbl.net/lists/bruteforce.list
Blocklist_de       https://opendbl.net/lists/blocklistde-all.list
Dshield            https://opendbl.net/lists/dshield.list
SSL_Abuse_IP_list  https://opendbl.net/lists/sslblock.list
IPSum_Level_3      https://opendbl.net/lists/ipsum.list
)
IPTABLES="/sbin/iptables"
IPSET="/sbin/ipset"

LIST_DIR="/etc/iptables_blocklist/lists"
MAX_ELEMENTS=$[2**16]

[ ! -d ${LIST_DIR} ] && mkdir -p ${LIST_DIR}

case $1 in
stop)
	for BLOCKLIST in ${!BLOCKLIST_URLS[@]}
	do
	 PREVIOUS_BLOCKLIST="${LIST_DIR}/${BLOCKLIST}_previous.txt"
 	 LOG="DENY Dyn ${BLOCKLIST}"
	 ${IPTABLES} -D INPUT -m set --match-set ${BLOCKLIST} src -j DROP
	 ${IPTABLES} -D INPUT -m set --match-set ${BLOCKLIST} src -j LOG --log-prefix "${LOG} " --log-tcp-options --log-ip-options
	 ${IPSET} destroy ${BLOCKLIST} -exist
	 >${PREVIOUS_BLOCKLIST}
	done
	;;
restart)
	$0 stop
	$0 start
	;;
start|update|*)
	for BLOCKLIST in ${!BLOCKLIST_URLS[@]}
	do
	 PREVIOUS_BLOCKLIST="${LIST_DIR}/${BLOCKLIST}_previous.txt"
	 CURRENT_BLOCKLIST="${LIST_DIR}/${BLOCKLIST}_current.txt"
	 LOG="DENY Dyn ${BLOCKLIST}"
	 [ -f ${CURRENT_BLOCKLIST} ] || touch ${CURRENT_BLOCKLIST}
	 [ -f ${PREVIOUS_BLOCKLIST} ] || touch ${PREVIOUS_BLOCKLIST}
	 # Download the current blocklist
	 curl -s ${BLOCKLIST_URLS[${BLOCKLIST}]} -o ${CURRENT_BLOCKLIST}
	 # Create the ipset set if it does not exist
	 ${IPSET} create ${BLOCKLIST} hash:net maxelem ${MAX_ELEMENTS} timeout 0 -exist
	 # Add new IPs to the blocklist
	 comm -13 <(sort -u <(grep -Ev "(^#|^$)" ${PREVIOUS_BLOCKLIST})) <(sort -u <(grep -Ev "(^#|^$)" ${CURRENT_BLOCKLIST})) | while read -r IP
	 do
	   ${IPSET} add -exist ${BLOCKLIST} ${IP}
	 done
	 # Remove outdated IPs from the blocklist
	 comm -23 <(sort -u <(grep -Ev "(^#|^$)" ${PREVIOUS_BLOCKLIST})) <(sort -u <(grep -Ev "(^#|^$)" ${CURRENT_BLOCKLIST})) | while read -r IP
	 do
	   ${IPSET} del -exist ${BLOCKLIST} ${IP}
	 done
	 # Ensure the IPtables rule is in place
	 ${IPTABLES} -C INPUT -m set --match-set ${BLOCKLIST} src -j DROP 2>/dev/null || ${IPTABLES} -I INPUT -m set --match-set ${BLOCKLIST} src -j DROP
	 ${IPTABLES} -C INPUT -m set --match-set ${BLOCKLIST} src -j LOG --log-prefix "${LOG} " --log-tcp-options --log-ip-options 2>/dev/null || ${IPTABLES} -I INPUT -m set --match-set ${BLOCKLIST} src -j LOG --log-prefix "${LOG} " --log-tcp-options --log-ip-options
	 # Save the current blocklist as the previous one for the next run
	 cp ${CURRENT_BLOCKLIST} ${PREVIOUS_BLOCKLIST}
	done
	;;
esac

To find the blocked IPs of the last 24hours you can try: 

# journalctl --full --dmesg --no-pager --grep "DENY Dyn \w+ " --since -24hours

or what is going on now: 

# journalctl --full --dmesg --no-pager --follow --grep "DENY Dyn \w+ "
Retrieved from "https://lars.timmann.de/wiki/index.php?title=Iptables&oldid=2818"