add starter ipset+iptables firewall
Very, very basic. Sourced entirely from manual pages, others' "word of mouth" advice, and successful hackery on others' systems (none of whom implied individuals or groups should be blamed for errors, etc.). Thanks in advance for comments and suggestions. Erm.. issues and patches welcome?
init-bot-bl-ipset-and-iptable-rule.sh
Normal file
@ -0,0 +1,23 @@
#!/usr/bin/sh

INET_DEV=eth0

# default block list is small, consider maxlen i have used
# maxelem 4194304 out of necessitity of the moment
# ideally, plan to add, grow, rotate your ipsets before running
# something like this

# a "starter" blocklist, nomninally for super-agressive spam-bots
# which I tend to notice and add by hand

ipset -exist create bot-bl hash:ip timeout 0

# install to prerouting rules of iptables "mangle" table
# here we want to drop all packets sourced fromv a member of the set

iptables -t mangle -A PREROUTING -i ${INET_DEV} -m set --match-set bot-bl src -j DROP

# Ignoring fail2ban and such, I have to remember/alias/bind a
# command like this to use it:

# ipset add bot-bl 20.171.207.172
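Review bot: the `iptables -t mangle -A PREROUTING ...` line appends unconditionally, so every rerun of the script (the `ipset -exist create` above makes rerunning look safe) stacks another identical DROP rule in the mangle table; guard it with a check first, e.g. `iptables -t mangle -C PREROUTING -i ${INET_DEV} -m set --match-set bot-bl src -j DROP 2>/dev/null || iptables -t mangle -A PREROUTING -i ${INET_DEV} -m set --match-set bot-bl src -j DROP`. The header comment also says a `maxelem 4194304` was used, but the `ipset -exist create bot-bl hash:ip timeout 0` line sets no `maxelem`, so the set gets ipset's default of 65536 entries; either add `maxelem` to the create command or drop that sentence from the comment, and note that with `-exist` a set that already exists keeps its old parameters, so changing `maxelem` later needs a destroy/recreate (or `ipset swap`). Minor: `#!/usr/bin/sh` is not present on every system, `#!/bin/sh` or `#!/usr/bin/env sh` is more portable; typos in comments: "necessitity", "nomninally", "agressive", "fromv".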