OpenWRT compatibility and misc changes #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

austin2479 wants to merge 41 commits into trick77:master from austin2479:master

README.md

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -1,30 +1,27 @@
  
    ipset-blacklist

    ===============

    A tiny Bash shell script which uses ipset and iptables to ban a large number of IP addresses published in IP blacklists. ipset uses a hashtable to store/fetch IP addresses and thus the IP lookup is a lot (!) faster than thousands of sequentially parsed iptables ban rules. However, the limit of an ipset list is 2^16 entries.

    A set of shell scripts which use ipset and iptables to ban a large number of IP addresses published in IP blacklists. `ipset` uses a hashtable to store/fetch IP addresses and thus the IP lookup is a lot (!) faster than thousands of sequentially parsed iptables ban rules. However, the limit of an ipset list is 2^16 entries.

    The ipset command doesn't work under OpenVZ. It works fine on dedicated and fully virtualized servers like KVM though.

    Note: Updating the blacklists takes a long time (8m 20s on a TPLink TL-WDR3600), and running at a low priority (with `nice` and `ionice`) is recommended to avoid impacting packet routing & firewall performance. 

    ## Quick start for Debian/Ubuntu based installations

    1. Copy update-blacklist.sh into /usr/local/bin

    2. chmod +x /usr/local/bin/update-blacklist.sh

    2. Modify update-blacklist.sh according to your needs. Per default, the blacklisted IP addresses will be saved to /etc/ip-blacklist.conf

    3. apt-get install ipset

    4. Create the ipset blacklist and insert it into your iptables input filter (see below). After proper testing, make sure to persist it in your firewall script or similar or the rules will be lost after the next reboot.

    5. Auto-update the blacklist using a cron job

    ## Quick start for OpenWRT

    1. Copy the scripts to a temporary directory on your OpenWRT router

    2. Run `sh install.sh`

    # iptables filter rule

    ```

    ipset create blacklist hash:net

    iptables -I INPUT -m set --match-set blacklist src -j DROP

    ipset create blacklist_net hash:net

    ipset create blacklist_ip hash:ip

    iptables -I INPUT -m set --match-set blacklist_net src -j DROP

    iptables -I INPUT -m set --match-set blacklist_ip src -j DROP

    ```

    Make sure to run this snippet in your firewall script. If you don't, the ipset blacklist and the iptables rule to ban the blacklisted ip addresses will be missing!

    # Cron job

    In order to auto-update the blacklist, copy the following code into /etc/cron.d/update-blacklist. Don't update the list too often or some blacklist providers will ban your IP address. Once a day should be OK though.

    ```

    MAILTO=root

    33 23 * * *      root /usr/local/bin/update-blacklist.sh

    33 23 * * *      /bin/nice /usr/local/bin/update-blacklist.sh > /tmp/update-blacklist.log 2>&1

    ```

    ## Check for dropped packets

    @@ -36,13 +33,3 @@ Chain INPUT (policy DROP 3064 packets, 177K bytes)
  
     pkts bytes target     prot opt in     out     source               destination

       43  2498 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blacklist src

    ```

    ## Modify the blacklists you want to use

    Edit the BLACKLIST array to add or remove blacklists, or use it to add your own blacklists.

    ```

    BLACKLISTS=(

    "http://www.mysite.me/files/mycustomblacklist.txt" # Your personal blacklist

    "http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs

    # I don't want this: "http://www.openbl.org/lists/base.txt"  # OpenBL.org 30 day List

    )

    ```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OpenWRT compatibility and misc changes #2

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

OpenWRT compatibility and misc changes #2

Are you sure you want to change the base?

Uh oh!

OpenWRT compatibility and misc changes #2

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!