From 6e93756cae11ba357f46bae6eed9da44cd0f7fc3 Mon Sep 17 00:00:00 2001
From: Richard Shaw
Date: Jun 16 2020 14:36:14 +0000
Subject: Initial commit.
---
diff --git a/blacklist-by-country b/blacklist-by-country
new file mode 100644
index 0000000..bb94e6e
--- /dev/null
+++ b/blacklist-by-country
@@ -0,0 +1,3 @@
+# Which countries should be blocked?
+# Use the two letter designation separated by a space.
+countries=""
diff --git a/blacklist-by-ip b/blacklist-by-ip
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/blacklist-by-ip
diff --git a/firewalld-blacklist b/firewalld-blacklist
new file mode 100755
index 0000000..9f2e3b7
--- /dev/null
+++ b/firewalld-blacklist
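Review bot: `countries=""` is consumed by `. /etc/blacklist-by-country` in the companion script, so this file is executed as shell by whoever runs the job (root, via the oneshot unit) rather than parsed as data, and the header comment does not say so. Whoever edits it should know that anything beyond a plain assignment runs with those privileges, and packaging should keep the file root-owned and not group- or world-writable. A comment such as `# NOTE: this file is sourced as a shell script by firewalld-blacklist; keep it to the single assignment below.` would make that explicit. The "separated by a space" format also matters because the script iterates the value unquoted, so a comma-separated list would be treated as one country code and match no zone file.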
@@ -0,0 +1,52 @@
+#!/bin/bash
+# Based on the below article
+# https://www.linode.com/community/questions/11143/top-tip-firewalld-and-ipset-country-blacklist
+
+# Source the blacklisted countries from the configuration file
+. /etc/blacklist-by-country
+
+# Create a temporary working directory
+ipdeny_tmp_dir=$(mktemp -d -t blacklist-XXXXXXXXXX)
+pushd $ipdeny_tmp_dir
+
+# Download the latest network adresses by country file
+curl -LO http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
+tar xf all-zones.tar.gz
+
+# For updates, remove the ipset blacklist and recreate
+if firewall-cmd -q --zone=drop --query-source=ipset:blacklist; then
+ firewall-cmd -q --permanent --delete-ipset=blacklist
+fi
+
+# Create the ipset blacklist which accepts both IP addresses and networks
+firewall-cmd -q --permanent --new-ipset=blacklist --type=hash:net \
+ --option=family=inet --option=hashsize=4096 --option=maxelem=200000 \
+ --set-description="An ipset list of networks or ips to be dropped."
+
+# Add the address ranges by country per ipdeny.com to the blacklist
+for country in $countries; do
+ firewall-cmd -q --permanent --ipset=blacklist \
+ --add-entries-from-file=./$country.zone && \
+ echo "Added $country to blacklist ipset."
+done
+
+# Block individual IPs if the configuration file exists and is not empty
+if [ -s "/etc/blacklist-by-ip" ]; then
+ echo "Adding IPs blacklists."
+ firewall-cmd -q --permanent --ipset=blacklist \
+ --add-entries-from-file=/etc/blacklist-by-ip && \
+ echo "Added IPs to blacklist ipset."
+fi
+
+# Add the blacklist ipset to the drop zone if not already setup
+if firewall-cmd -q --zone=drop --query-source=ipset:blacklist; then
+ echo "Blacklist already in firewalld drop zone."
+else
+ echo "Adding ipset blacklist to firewalld drop zone."
+ firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
+fi
+
+firewall-cmd -q --reload
+
+popd
+rm -rf $ipdeny_tmp_dir
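Review bot: The result of `curl -LO http://www.ipdeny.com/...` and of `tar xf all-zones.tar.gz` is never checked, yet the script goes on to `--delete-ipset=blacklist`, recreate it and `--reload`; when the fetch fails or the archive is incomplete, every `--add-entries-from-file=./$country.zone` fails silently under `-q` and firewalld ends up reloaded with an empty or partial blacklist, so the job fails open instead of keeping the last good set. The feed also arrives over plain HTTP with no integrity check, so its contents are untrusted input that goes straight into the firewall; an HTTPS URL, if the provider offers one, and a pre-flight check that each expected zone file exists before anything is deleted would bound that. Separately, `pushd $ipdeny_tmp_dir` and `rm -rf $ipdeny_tmp_dir` are unquoted and the temp directory is left behind on any early exit; an EXIT trap with `rm -rf -- "${ipdeny_tmp_dir:?}"` covers both, after which the trailing `popd`/`rm -rf` pair can go. The rewritten head of the script is below; ipset creation, entry loading, zone attachment and reload are unchanged.
```shell
set -eu
. /etc/blacklist-by-country

ipdeny_tmp_dir=$(mktemp -d -t blacklist-XXXXXXXXXX)
cleanup() { popd >/dev/null 2>&1 || true; rm -rf -- "${ipdeny_tmp_dir:?}"; }
trap cleanup EXIT
pushd "$ipdeny_tmp_dir"

# Fetch and unpack first; abort (leaving the existing ipset intact) on any failure
curl -fsSL -o all-zones.tar.gz http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
tar xf all-zones.tar.gz
for country in $countries; do
  [ -s "./$country.zone" ] || { echo "Missing zone file for $country; aborting." >&2; exit 1; }
done

# … unchanged: delete/recreate ipset, add country and IP entries, attach to drop zone, reload …
```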
diff --git a/firewalld-blacklist.service b/firewalld-blacklist.service
new file mode 100644
index 0000000..91b92e0
--- /dev/null
+++ b/firewalld-blacklist.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Oneshot service to update country blacklists
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/sbin/firewalld-blacklist
diff --git a/firewalld-blacklist.timer b/firewalld-blacklist.timer
new file mode 100644
index 0000000..71f6eb8
--- /dev/null
+++ b/firewalld-blacklist.timer
@@ -0,0 +1,17 @@
+[Unit]
+Description=Timer for Country Blacklist Updates
+After=firewalld.service
+Requires=firewalld.service
+
+[Timer]
+# See http://www.freedesktop.org/software/systemd/man/systemd.time.html for
+# methods of specifying the frequency, some examples below are:
+# daily → *-*-* 00:00:00
+# monthly → *-*-01 00:00:00
+# weekly → Mon *-*-* 00:00:00
+# By default, run about midnight:
+OnCalendar=monthly
+Persistent=yes
+
+[Install]
+WantedBy=timers.target
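Review bot: The service unit orders itself `After=network-online.target` but does not pull that target in, and it declares no dependency on `firewalld.service` even though everything `ExecStart=/usr/local/sbin/firewalld-blacklist` does is a `firewall-cmd` call; `After=` alone only orders units that are already queued, so a boot-time run (`Persistent=yes` on the timer makes a missed run fire at boot) can start before the network is up or before firewalld is active and then fail. The `Requires=firewalld.service`/`After=firewalld.service` pair placed on the timer unit in the next hunk applies to the timer, not to the service it activates. In the service's `[Unit]` section add `Wants=network-online.target`, `Requires=firewalld.service` and `After=firewalld.service network-online.target`; the timer's own copies can then likely be dropped, since as written they also stop the timer whenever firewalld is restarted.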