@Jclendineng Apologies for taking so long to ping you the following details, been rather busy lately with school holidays and work.
I have a file call /etc/shorewall/ipsets which contains the following:
create blockipsnets hash:net family inet hashsize 16384 maxelem 65536
create blockips hash:net family inet hashsize 262144 maxelem 524288
create whitelistips hash:ip family inet hashsize 1024 maxelem 65536
Once you have created that file with those entries, run the following command to create the IPSets:
ipset restore -! < /etc/shorewall/ipsets
In Shorewall, I enabled blacklists so the line effectively now reads:
$OUT.=“net\t”.$i->key.“\tdhcp,nosmurfs,optional,blacklist”;
In the /etc/shorewall/blrules file, I added the following rules:
WHITELIST net:+whitelistips fw
DROP net:+blockipsnets fw
DROP net:+blockips fw
WHITELIST net:+whitelistips loc
DROP net:+blockipsnets loc
DROP net:+blockips loc
Note that the names in the blrules need to match up with the names of the IPSets you created earlier.
If you want to drop traffic from an entire country, you can add a line like the following:
DROP net:[1] loc
I have the following details in the rc.local script so ensure that the IPSets are created and loaded with the relevant information before Shorewall starts. Shorewall will fail to start if the IPSets are not created:
if [ “
lsmod | grep ip_set” = “” ]; then
modprobe ip_set
fiCounter=
cat /etc/shorewall/ipsets | wc -l
if [ $Counter -eq 0 ]
then
if [-f /etc/shorewall/ipsets.bak ]
then
Counter=cat /etc/shorewall/ipsets.bak | wc -l
if [ $Counter -gt 0 ]
then
cp /etc/shorewall/ipsets.bak /etc/shorewall/ipsets
fi
fi
fiipset restore -! < /etc/shorewall/ipsets
I have 2 additional text files, 1 for a list of public IP addresses which I whitelist as they are trusted IP addresses which I use, the other is a specific list of IP Addresses which I wish to blacklist which may not appear in any of the logs.
I have a cron script which runs through the logs, grabs the relevant information and then updates the IPSets. the script looks pretty much like the following:
strHome=“/root/blacklist”
strTmpBL=“$strHome/blacklist”
strTmp1=“$strHome/blacklisttmp1”
rm-rf $strTmpBL
touch $strTmpBL
- Grab a copy of all of the IPs which you wish to blacklist from the logs or any other location which you desire and write them to the
strTmpBLfile.
- check amount of lines before sorting and cleanup and basic ip syntax checking
cat $strTmpBL | grep -E -o “([0-9]{1,3}[.]){3}[0-9]{1,3}” | sort | uniq > $strTmp1
rm -rf $strTmpBL
mv $strTmp1 $strTmpBL
if [ -f $strHome/safe_ips.txt ]
then
cat $strHome/safe_ips.txt | sort | uniq > $strSafeTmp
rm -rf $strHome/safe_ips.txt
mv $strSafeTmp /root/blacklist/safe_ips.txt
grep -v -f $strHome/safe_ips.txt $strTmpBL > $strTmp1
rm -rf $strTmpBL
mv $strTmp1 $strTmpBL
fi
while read line; do
ipset -A -exist blockips $line &
done < $strTmpBL
- This is where I save the IPsets to a file. I also make a backup copy of it as I found that sometimes when Shorewall is stopped or restarted or when the server is restarted, the entries in the
/etc/shorewall/ipsetsfile are thrown away and I am left with an empty file which causes Shorewall not to start.
ipset -S > /etc/shorewall/ipsets
Counter=
cat /etc/shorewall/ipsets | wc -l
if [ $Counter -gt 0 ]
then
cp /etc/shorewall/ipsets /root/blacklist/ipsets.bak
fi
Sorry about the lack of indentation, the indentation was lost when posting the snippets in here and I don’t know how to fix that.
Hope this is of some use.
CN ↩︎