Friday, March 29, 2019

Block countries in CentOS 6 with ipset blacklist and iptables using ipdeny.com

If your CentOS version doesn't come with ipset, install it with "yum install ipset". IPSET allows you to load a TON of IP addresses into a list using far less resources than it would be to load them into iptables. You only need one iptables rule then.  Below is how I set mine up.

1. Create an ipset that uses hash:net so we can block huge netblocks with CIDR notation.
ipset create blacklist hash:net

2. Then add the ip blocks you want to block to the blacklist ipset like below.  More on this in step 4 but I believe you've got to have at least one net block in there to add the iptables rule.
ipset add blacklist 1.0.1.0/24
You can get country IP blocks here: http://www.ipdeny.com/ipblocks/data/aggregated/ http://www.ipdeny.com/ipblocks/

3. Then add a rule in iptables to DROP the blacklist in the position of line 1. I put it first in line so it gets executed before all other rules.
iptables -I INPUT 1 -m set --match-set blacklist src -j DROP


As a test, I rebooted the server to see if the commands persisted, they did not. "iptables -L -n" showed my DROP rule in position 1 is gone, also "ipset list" showed no ipset's defined. This will mean that we need to execute a script at boot to load the /etc/sysconfig/ipset.blacklist into the ipset, and add the iptables rule last. I believe iptables will error out if you try to add the iptables rule first with no ipset called "blacklist" defined.

4. Fine tune/create your blacklist ipset and save it as a local file. This script will automatically add countries IP blocks to the "blacklist" ipset in memory. You still need to "ipset save blacklist > /etc/sysconfig/ipset.blacklist" after you get your ipset the way you want so you can load it at startup. I would recommend loading it from a local file instead of running the population script at boot time in case the ipdeny.com website is not available.
cd /root
nano RunIPSet


------------------Copy---------Credit for script is coming as soon as I find it again online-------------
#!/bin/bash
for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/aggregated/{cn-aggregated,ru-aggregated,kr-aggregated,pk-aggregated,tw-aggregated,sg-aggregated,hn-aggregated,hk-aggregated,ir-aggregated,ua-aggregated,vn-aggregated,it-aggregated,de-aggregated,my-aggregated,nl-aggregated,ng-aggregated,cf-aggregated,gt-aggregated,id-aggregated,ie-aggregated,il-aggregated,iq-aggregated,td-aggregated,za-aggregated,br-aggregated,ca-aggregated,dk-aggregated,fr-aggregated,in-aggregated,jp-aggregated,mx-aggregated,ph-aggregated}.zone)
do
sudo ipset add blacklist $IP
done
-------------------Save-------------------------------
This will take a long time to finish.  It will look like it's not doing anything. Just wait for 10 minutes or so.
Make it executable: chmod u+x RunIPSet
Run it:  ./RunIPSet  (This could take a long time, 10-20 min)
Verify your blacklist populated: ipset list blacklist | more
Save the ipset blacklist to the local file: ipset save blacklist > /etc/sysconfig/ipset.blacklist

5. Running the whole thing at startup. 
Save the iptables in memory to a file:  iptables-save > /etc/sysconfig/iptables.cdc
Run the commands below in order to 1.Restore the blacklist from file. 2.Restore the iptables rules from file.  I do this in CentOS6 by adding them to the end of /etc/rc.local
"nano /etc/rc.local" and add these commands to the bottom of the file.
ipset restore < /etc/sysconfig/ipset.blacklist
iptables-restore /etc/sysconfig/iptables.cdc

I'm noticing that the temporary fail2ban iptables entries that happen to be in "iptables -L -n" are saved when you run the iptables-save and thus restored when you run the iptables-restore command.  After waiting out the ban time, fail2ban will not remove these rules, I suppose because it didn't add them.  
Just "nano /etc/sysconfig/iptables.cdc" and delete the lines containing those IPs so it starts clean.

Notes and other useful commands:
If you have to modify the ipset in memory or the /etc/sysconfig/ipset.blacklist file, remove the iptables rule, destroy the ipset blacklist, create ipset blacklist again, and run the population script, save ipset memory to file, set the iptables rule again:
sudo iptables -L --line-numbers
sudo iptables -D INPUT 1
ipset destroy blacklist
ipset create blacklist hash:net
./RunIPSet  (This could take a long time)
ipset save blacklist > /etc/sysconfig/ipset.blacklist
iptables -I INPUT 1 -m set --match-set blacklist src -j DROP

Remove line from ipset blacklist: ipset del blacklist <ipaddress/xx>





No comments: