sunnuntai 12. huhtikuuta 2020

IPTables GeoFilter + banned_hosts using ipset

I have over the course of a couple of weeks come up with a good geofiler script that will also cycle in IP addresses that snoop your interfaces for know services and add them to an ipset drop list.

I start off in my firewall script with creating new ipset kernel lists so that when my firewall script is run the tables are created in the kernel so that rules can be set using them.

ipset -N china hash:net ipset -N india hash:net ipset -N iran hash:net ipset -N russia hash:net ipset -N korea hash:net ipset -N banned_hosts iphash 

Then I create the iptables statements to incorporate the ipset kernel lists.

iptables -A INPUT -m set --match-set china src -j DROP iptables -A INPUT -m set --match-set india src -j DROP iptables -A INPUT -m set --match-set iran src -j DROP iptables -A INPUT -m set --match-set russia src -j DROP iptables -A INPUT -m set --match-set korea src -j DROP 

Then I create a rule set to add snoopers to the banned_hosts ipset kernel list. I have offset my ssh service to an obscure port number, and It should be noted that I do NOT run an SMTP, WEB or SECURE WEB server on this host. So any IP looking for such services is considered a snooper and has no business talking to my external interface.

iptables -A INPUT -i $UNTRUSTED -p tcp --dport 22 -j SET --add-set banned_hosts src iptables -A INPUT -i $UNTRUSTED -p tcp --dport 25 -j SET --add-set banned_hosts src iptables -A INPUT -i $UNTRUSTED -p tcp --dport 80 -j SET --add-set banned_hosts src iptables -A INPUT -i $UNTRUSTED -p tcp --dport 443 -j SET --add-set banned_hosts src iptables -A INPUT -m set --match-set banned_hosts src -j DROP 

I have put together a script that refreshes the ipset kernel lists and writes out the banned_hosts for permanent inclusion to the banned_hosts kernel list. I call this script /home/fw/geofilter.sh.

# Export the banned_hosts list to a file. ipset list banned_hosts -file /home/fw/banned_hosts.exam # Strip the first 8 lines of exported banned_hosts. sed -e '1,8d' banned_hosts.exam >banned_hosts.log # Flush the ipset lists ipset -F # remove any old list that might exist from previous runs of this script rm *-aggregated.zone # Pull the latest IP set for geofilter wget https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone wget https://www.ipdeny.com/ipblocks/data/aggregated/in-aggregated.zone wget https://www.ipdeny.com/ipblocks/data/aggregated/ir-aggregated.zone wget https://www.ipdeny.com/ipblocks/data/aggregated/kp-aggregated.zone wget https://www.ipdeny.com/ipblocks/data/aggregated/kr-aggregated.zone wget https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone # Add each IP address from the downloaded list into the ipset for i in $(cat cn-aggregated.zone ); do ipset -A china $i; done for i in $(cat in-aggregated.zone ); do ipset -A india $i; done for i in $(cat ir-aggregated.zone ); do ipset -A iran $i; done for i in $(cat ru-aggregated.zone ); do ipset -A russia $i; done for i in $(cat k*-aggregated.zone ); do ipset -A korea $i; done for h in $(cat banned_hosts.log ); do ipset -A banned_hosts $h; done # Restore iptables /home/fw/firewall.sh 

Call the geofilter.sh from a crontab.

00 4 * * * cd /home/fw/ && sudo ./geofilter.sh >/dev/null 

Create a tmux session (alternative to screen) to watch the traffic counters in iptables. /home/fw/watchfirewall.sh

tmux new -d -s watch "sudo watch -d -n 2 iptables -nvL" 

run the watchfirewall.sh script.

fw@host:/home/fw# ./watchfirewall.sh 

Attach to the tmux session to watch the firewall chain incrementation.

tmux attach -t watch 
submitted by /u/morggin to r/linux
[link] [comments]