Country blocking #68
The best method using Arno's AIF (v2.0.1g or later) is to enable the use of `ipset` and some sort of blocklist. First look at the `firewall.conf` file:
```
# (EXPERT SETTING!) Set this (to 1) to enable the use of ipset to efficiently
# match a large block of IPv4/IPv6 addresses/nets. Much faster when enabled.
# BLOCK_NETSET_DIR, BLOCK_HOSTS and BLOCK_HOSTS_FILE utilizes this feature.
#
# ------------------------------------------------------------------------------
#IPTABLES_IPSET=0
```
and
```
# Uncomment & specify here the location of the directory that contains *.netset
# files containing IP addresses and/or Networks (CIDR notation) to be BLOCKED.
# Each .netset file may contain only one IP/Net entry per line, each IP/Net
# entry must start at the beginning of the line and any valid entry must be
# immediately followed by a new-line or a POSIX [[:space:]] character.
# File contents not matching an IP/Net will be ignored.
#
# File naming convention, use *v6.netset files for IPv6 entries, all other
# *.netset files default to IPv4. Filenames are limited to a maximum of
# 27 characters before the .netset suffix.
# Optional whitelist.netset, whitelistv6.netset files may contain IP/Net entries
# that will NOT be BLOCKED by other *.netset files. Automatically by default,
# all Private (RFC1918), Link-Local and Multicast IP/Nets will be whitelisted.
# See also: DEFAULT_NETSET_WHITELIST and DEFAULT_NETSET_WHITELISTV6
#
# Note: This option depends on IPTABLES_IPSET being enabled.
#
# ------------------------------------------------------------------------------
#BLOCK_NETSET_DIR="/etc/arno-iptables-firewall/blocklists"
```
Given that info, edit your `firewall.conf` to include:
```
IPTABLES_IPSET=1
BLOCK_NETSET_DIR="/etc/arno-iptables-firewall/blocklists"
```
and create the "/etc/arno-iptables-firewall/blocklists" directory. The final step is to populate the `BLOCK_NETSET_DIR` with `.netset` files that ipset understands.

Take a look at: "FireHOL IP Lists" https://iplists.firehol.org/

A good general blocklist to start with there is "firehol_level1", and corresponding `.netset` file: https://iplists.firehol.org/files/firehol_level1.netset

So, simply download this file to your `BLOCK_NETSET_DIR` using `curl` or `wget` ...
```
curl -o /etc/arno-iptables-firewall/blocklists/firehol_level1.netset https://iplists.firehol.org/files/firehol_level1.netset
```
and apply the changes to AIF:
```
arno-iptables-firewall force-reload
```
Test to make sure it is working as expected.

For production you will want to update this `firehol_level1.netset` file once or twice a day, so use `cron` to do that, or use a script I created for the AstLinux project along with `cron` (remove or edit the `. /etc/rc.conf` line for your purposes): https://github.com/astlinux-project/astlinux/blob/master/package/arnofw/reload-blocklist-netset

Lastly, back to your original question for blocking countries, you can do that, find an `ipset` compatible list of addresses/subnets and follow the instructions above ... but studying the great FireHOL site you will see blocking specific countries is not that effective for blocking exploits and bad actors.
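A cron-friendly refresh script for the procedure above, added here as an example; it is not the AstLinux reload-blocklist-netset script linked in the comment. It assumes the `BLOCK_NETSET_DIR`, list URL and `force-reload` command from the comment, and `MIN_ENTRIES` is a constructed sanity threshold; the point it adds is that a failed or truncated download must never replace a working list.

```shell
#!/bin/sh
# Refresh a FireHOL blocklist for Arno's Iptables Firewall (AIF).
# Constructed example, not the AstLinux reload-blocklist-netset script.
# Assumes IPTABLES_IPSET=1 and BLOCK_NETSET_DIR as set in firewall.conf.
NETSET_DIR="${NETSET_DIR:-/etc/arno-iptables-firewall/blocklists}"
LIST_URL="https://iplists.firehol.org/files/firehol_level1.netset"
MIN_ENTRIES="${MIN_ENTRIES:-1000}"   # constructed sanity floor

# AIF reads only *.netset files, caps the basename at 27 characters
# before the suffix, and treats *v6.netset as IPv6. Returns 0 if OK.
netset_name_ok() {
  name="${1##*/}"
  case "$name" in *.netset) ;; *) return 1 ;; esac
  base="${name%.netset}"
  [ -n "$base" ] && [ "${#base}" -le 27 ]
}

# AIF accepts an IPv4 address or CIDR net at the start of a line that is
# followed by end-of-line or whitespace, and ignores everything else.
# Keep only such lines so an HTML error page never becomes a blocklist.
filter_ipv4_netset() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?([[:space:]]|$)' "$1"
}

# Validate a downloaded file and install it atomically as $dir/$name.
# Fails, leaving the old list in place, when too few entries survive.
install_netset() {
  src="$1"; dir="$2"; name="$3"
  netset_name_ok "$name" || { echo "bad list name: $name" >&2; return 1; }
  tmp="$dir/.$name.tmp"
  filter_ipv4_netset "$src" > "$tmp" || :
  n="$(wc -l < "$tmp" | tr -d ' ')"
  if [ "$n" -lt "$MIN_ENTRIES" ]; then
    echo "only $n usable entries, keeping old $name" >&2
    rm -f "$tmp"; return 1
  fi
  mv -f "$tmp" "$dir/$name"
}

# Download, install, then have AIF rebuild its ipsets; run this from cron.
refresh_blocklist() {
  dl="$(mktemp)" || return 1
  if curl -fsSL -o "$dl" "$LIST_URL" &&
     install_netset "$dl" "$NETSET_DIR" "${LIST_URL##*/}"; then
    rm -f "$dl" && arno-iptables-firewall force-reload
  else
    rm -f "$dl"; return 1
  fi
}
```

Call `refresh_blocklist` from a cron entry; because the temporary file does not end in `.netset`, AIF never picks up a half-written list.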
Thank you very much for exhaustive how-to!
Janis
Quoting Lonnie Abelbeck <[email protected]>, Sat, 20 Jul 2019 06:06:28 -0700:
The best method using Arno's AIF (v2.0.1g or later) is to enable the
use of `ipset` and some sort of blocklist. First look at the
`firewall.conf` file:
```
# (EXPERT SETTING!) Set this (to 1) to enable the use of ipset to efficiently
# match a large block of IPv4/IPv6 addresses/nets. Much faster when enabled.
# BLOCK_NETSET_DIR, BLOCK_HOSTS and BLOCK_HOSTS_FILE utilizes this feature.
#
# ------------------------------------------------------------------------------
#IPTABLES_IPSET=0
```
and
```
# Uncomment & specify here the location of the directory that contains *.netset
# files containing IP addresses and/or Networks (CIDR notation) to be BLOCKED.
# Each .netset file may contain only one IP/Net entry per line, each IP/Net
# entry must start at the beginning of the line and any valid entry must be
# immediately followed by a new-line or a POSIX [[:space:]] character.
# File contents not matching an IP/Net will be ignored.
#
# File naming convention, use *v6.netset files for IPv6 entries, all other
# *.netset files default to IPv4. Filenames are limited to a maximum of
# 27 characters before the .netset suffix.
# Optional whitelist.netset, whitelistv6.netset files may contain IP/Net entries
# that will NOT be BLOCKED by other *.netset files. Automatically by default,
# all Private (RFC1918), Link-Local and Multicast IP/Nets will be whitelisted.
# See also: DEFAULT_NETSET_WHITELIST and DEFAULT_NETSET_WHITELISTV6
#
# Note: This option depends on IPTABLES_IPSET being enabled.
#
# ------------------------------------------------------------------------------
#BLOCK_NETSET_DIR="/etc/arno-iptables-firewall/blocklists"
```
Given that info, edit your `firewall.conf` to include:
```
IPTABLES_IPSET=1
BLOCK_NETSET_DIR="/etc/arno-iptables-firewall/blocklists"
```
and create the "/etc/arno-iptables-firewall/blocklists" directory.
The final step is to populate the `BLOCK_NETSET_DIR` with `.netset`
files that ipset understands.
Take a look at: "FireHOL IP Lists"
https://iplists.firehol.org/
A good general blocklist to start with there is "firehol_level1",
and corresponding `.netset` file:
https://iplists.firehol.org/files/firehol_level1.netset
So, simply download this file to your `BLOCK_NETSET_DIR` using
`curl` or `wget` ...
```
curl -o /etc/arno-iptables-firewall/blocklists/firehol_level1.netset \
  https://iplists.firehol.org/files/firehol_level1.netset
```
and apply the changes to AIF:
```
arno-iptables-firewall force-reload
```
Test to make sure it is working as expected.
For production you will want to update this `firehol_level1.netset`
file once or twice a day, so use `cron` to do that, or use a script
I created for the AstLinux project along with `cron`:
(remove or edit the `. /etc/rc.conf` line for your purposes)
https://github.com/astlinux-project/astlinux/blob/master/package/arnofw/reload-blocklist-netset
Lastly, back to your original question for blocking countries, you
can do that, find an `ipset` compatible list of addresses/subnets
and follow the instructions above ... but studying the great
FireHOL site you will see blocking specific countries is not that
effective for blocking exploits and bad actors.
--
ph. +37129203061
http://dict.dv.lv
Hi!
Is it possible somehow to block a range of IPs assigned to a specific country (or countries) using your script, most preferably by supplying a list in the cfg? There are examples of this:
https://www.cyberciti.biz/faq/block-entier-country-using-iptables/ , not involving a dependency on GeoIP.