Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/parmaster/geoblock

Convenient way to block countries by IP with ipset, iprange and iptables. Only a couple of iptables rules are added, which are easily revertible. Services keep geoblock persistent across reboots.

block-ip-country country-blocker firewall firewall-automation firewall-configuration firewall-rules ipset-data ipset-rules ipsets iptables iptables-rules


README

        

> [!CAUTION]
> Use at your own risk. Make sure you have an alternative way to reach your server (an out-of-band console such as KVM, for example) before changing the firewall: a wrong list or rule can lock you out of SSH.

It is basically a convenient way to block countries by IP with iptables. The step-by-step instructions are combined into one Makefile that compiles and optimizes multiple IP block lists. Only three iptables rules are added as a result, which are easily revertible. Two systemd services run at system startup and load the IP lists to keep geoblock persistent.

## Prerequisites

Load country IP ranges in CIDR format into the `lists/` folder (see the `make load` instructions below). Multiple lists are automatically combined and optimized. Remember to update the lists from time to time: address allocations move between countries, so a stale list both misses newly assigned ranges and keeps blocking ranges that have since been reassigned elsewhere.

Install `iprange` and `ipset` with:

```sh
sudo apt install -y iprange ipset
```

## Installation

`make load <country> [<country> ...]` will download lists of IP ranges for the given country codes from the [herrbischoff/country-ip-blocks](https://github.com/herrbischoff/country-ip-blocks) repository and save them into the `lists` directory. For example, to load the usual suspects:

```sh
make load ru cn by
```

`make add` will copy everything to where it is supposed to be and start the services:

```sh
sudo make add
```

To check the status of the services:

```sh
sudo make status
```

The added iptables rules are easy to revert. To delete the geoblock rules from iptables:

```sh
sudo make cleanup
```

To update the lists (re-download, then rebuild and reload the set):

```sh
make load <country> [<country> ...]
sudo make update
```

To uninstall (stop and remove the services, the iptables rules and the ipset list):

```sh
sudo make uninstall
```

## How it works

Every list in the `lists` folder is combined and optimized into one `geoblock.txt` file. A new `geoblock` set is then created with `ipset`, every line from `geoblock.txt` is added to that set, and finally the set is saved to `/etc/ipset.conf`.

Then there are two systemd services:

- `ipset-persistent.service` is configured to start at the right point in the server startup sequence and loads `/etc/ipset.conf`, so the `geoblock` set exists and is ready to be referenced by iptables before the rules are installed.
- `geoblock-persistent.service` starts next and runs a script that sets up the firewall rules for incoming traffic from IP addresses in the `geoblock` set: log the blocked attempts up to a rate limit, then drop the packets.
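The following script is an added illustration of the mechanism described above; it is not the project's Makefile or service script. It builds the combined list and an `ipset restore` file of the kind that `/etc/ipset.conf` holds, and emits the iptables rules that log and drop matches. The set name `geoblock`, the `hash:net` set parameters, the `GEOBLOCK` chain name, the `5/min` log rate limit and the `conntrack --ctstate NEW` match are choices made for this example and are not taken from the project.

```sh
#!/bin/sh
# Added example, not the geoblock project's own Makefile or scripts.
# Builds the two artefacts the README describes (a combined, deduplicated
# CIDR list and an "ipset restore" file like the one loaded from
# /etc/ipset.conf) and emits the iptables rules that log and drop matches.
# Assumed here, not taken from the project: set name "geoblock" of type
# hash:net (IPv4), a chain named GEOBLOCK, the rate limit, and the
# conntrack NEW match.
set -eu

# Combine CIDR list files into one list. Comments and blank lines are
# stripped first; with iprange installed overlapping and adjacent ranges
# are merged, otherwise a plain sort -u dedupe is used (no merging).
combine_lists() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$@" |
        if command -v iprange >/dev/null 2>&1; then
            iprange --merge
        else
            sort -u
        fi
}

# Emit an ipset restore file: create the set (tolerating one that already
# exists), flush it, then add every range. Load with "ipset restore < file".
# Between the flush and the last add the set is briefly empty, so listed
# sources get through for an instant; for live updates build a second set
# and "ipset swap" it in instead.
build_ipset_restore() {
    setname=$1
    listfile=$2
    printf 'create %s hash:net family inet hashsize 4096 maxelem 262144 -exist\n' "$setname"
    printf 'flush %s\n' "$setname"
    while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        printf 'add %s %s -exist\n' "$setname" "$cidr"
    done < "$listfile"
}

# Emit the iptables commands: a dedicated chain, a jump from INPUT for new
# connections whose source is in the set, a rate-limited LOG carrying the
# "geoblock: " prefix that an rsyslog filter can key on, then DROP.
# Matching only ctstate NEW keeps replies to the server's own outbound
# connections to listed ranges from being dropped.
geoblock_rules() {
    setname=$1
    limit=${2:-5/min}
    cat <<EOF
iptables -N GEOBLOCK
iptables -I INPUT -m conntrack --ctstate NEW -m set --match-set $setname src -j GEOBLOCK
iptables -A GEOBLOCK -m limit --limit $limit --limit-burst 10 -j LOG --log-prefix "geoblock: " --log-level 4
iptables -A GEOBLOCK -j DROP
EOF
}

# Usage: sh build-geoblock.sh lists/*.cidr > ipset.conf
if [ "$#" -gt 0 ]; then
    tmp=$(mktemp)
    combine_lists "$@" > "$tmp"
    build_ipset_restore geoblock "$tmp"
    rm -f "$tmp"
fi
```

The restore file can be applied with `sudo ipset restore < ipset.conf` and the rules with `geoblock_rules geoblock | sudo sh`; the jump rule is inserted at the top of `INPUT`, so keep an out-of-band console at hand the first time, as the caution at the top of the README says.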

## Logging blocked packets

Blocked packets are logged to syslog by default, with the `geoblock: ` log prefix. To send them to a separate log file instead, use the following rsyslog configuration file `/etc/rsyslog.d/20-geoblock.conf` (the `& stop` line keeps the matched messages out of the general syslog):

```conf
# Geoblock generated log messages to file
:msg,contains,"geoblock: " /var/log/geoblock.log
& stop
```

A logrotate configuration is useful as well, since a scan from a large listed range fills the file quickly even with the rate limit; put it in `/etc/logrotate.d/geoblock`:

```conf
/var/log/geoblock.log
{
rotate 5
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
}
```
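Once the messages land in their own file it is worth looking at what is actually being dropped. The following helpers are an added example, not part of the geoblock project; they assume the standard netfilter `LOG` line format (`SRC=`, `DST=`, `PROTO=`, `DPT=` fields) behind the `geoblock: ` prefix. The sample log lines are constructed here from RFC 5737 documentation addresses so the script runs offline; on a real host pipe in `/var/log/geoblock.log` instead.

```sh
#!/bin/sh
# Added example, not part of the geoblock project: summarise blocked
# attempts from the geoblock log. Input is read from stdin and only lines
# carrying the "geoblock: " prefix are counted, so unrelated syslog lines
# mixed into the input are ignored.
set -eu

# Constructed sample, not real traffic (RFC 5737 documentation addresses).
SAMPLE_LOG='May  3 10:00:01 host kernel: geoblock: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May  3 10:00:02 host kernel: geoblock: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May  3 10:00:05 host kernel: geoblock: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
May  3 10:00:06 host kernel: geoblock: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=68 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=5000 DPT=53 LEN=48
May  3 10:00:07 host sshd[1234]: Accepted publickey for admin from 198.51.100.2 port 50000 ssh2'

# Blocked packets per source address, most frequent first: "<ip> <count>".
top_sources() {
    grep 'geoblock: ' |
        sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}

# Blocked packets per protocol and destination port: "<proto>/<dport> <count>".
# Tells you which services the listed ranges are probing for.
top_ports() {
    grep 'geoblock: ' |
        awk '{
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            if (proto != "") print proto "/" dpt
        }' |
        sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}

# Usage on a real host: top_sources < /var/log/geoblock.log
# With the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | top_sources
printf '%s\n' "$SAMPLE_LOG" | top_ports
```

Because the `LOG` rule is rate limited, these counts are a lower bound on what was dropped; they are good for spotting which ports are being hammered and whether a single source dominates, not for exact volumes.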

## Some sources that were used to make this

### Country IP blocks:

https://github.com/herrbischoff/country-ip-blocks

### iptables man:

https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules

### country ban gist:

https://gist.github.com/jasonruyle/8870296

### persistent ipset manual

https://selivan.github.io/2018/07/27/ipset-save-with-ufw-and-iptables-persistent-and.html

## Contributors

- [nisenbeck](https://github.com/nisenbeck) - added rate limited logging of blocked packets