On Aug 20, 2019, at 2:57 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Thanks Lonnie. I'm learning __
>
> I noticed in the doco that you can 'match incoming and/or outgoing' traffic
> but I couldn't see where you actually specify this e.g. I just want incoming
> for instance
> Just wondering if I am missing something?
I don't think we have a web interface toggle for that, in your user.conf you can set:
--
BLOCK_HOSTS_BIDIRECTIONAL=0
--
and the AIF block hosts (Block All Traffic by Host/CIDR:) will only block on incoming. (be sure to test)

But be careful, you then eliminate all outbound (Block All Traffic by Host/CIDR:) AIF block hosts filtering. If you can block one ransomware URL in an email, that is a feature best not turned off.

And before you ask, no, there is no separate set of .netset files for outgoing and incoming :-)

BTW, I have been playing with the "iprange" command, it is only 40 KB ... I'm thinking it is AstLinux worthy. I know Michael Keuter has suggested looking into it some time ago.

So I now have...

pbx4 ~ # cat > dns-in
www.astlinux-project.org

==> The input is very flexible, here DNS is used to obtain the IPs... (using pthreads for parallel lookups 5x by default).

pbx4 ~ # iprange dns-in > test.netset
pbx4 ~ # cat test.netset
185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

==> I manually created this file...

pbx4 ~ # cat a.netset
0.0.0.0/1
128.0.0.0/1

==> just checking...

pbx4 ~ # iprange a.netset
0.0.0.0/0

==> Like the original question, generate a blocklist which is test.netset subtracted from a.netset
==> In other words, the result will be a .netset blocking all except "www.astlinux-project.org"...

pbx4 ~ # iprange -v a.netset --exclude-next test.netset > block-all-except.netset
iprange: Loading from a.netset
iprange: Loaded optimized a.netset
iprange: Loading from test.netset
iprange: Loaded optimized test.netset
iprange: Removing IPs in test.netset from a.netset
iprange: Printing a.netset with 5 ranges, 4294967292 unique IPs
54 printed CIDRs, break down by prefix:
- prefix /1 counts 1 entries
- prefix /2 counts 1 entries
- prefix /3 counts 1 entries
- prefix /4 counts 1 entries
- prefix /5 counts 1 entries
- prefix /6 counts 1 entries
- prefix /7 counts 1 entries
- prefix /8 counts 1 entries
- prefix /9 counts 1 entries
- prefix /10 counts 1 entries
- prefix /11 counts 1 entries
- prefix /12 counts 1 entries
- prefix /13 counts 1 entries
- prefix /14 counts 1 entries
- prefix /15 counts 1 entries
- prefix /16 counts 1 entries
- prefix /17 counts 1 entries
- prefix /18 counts 1 entries
- prefix /19 counts 1 entries
- prefix /20 counts 1 entries
- prefix /21 counts 1 entries
- prefix /22 counts 1 entries
- prefix /25 counts 4 entries
- prefix /26 counts 4 entries
- prefix /27 counts 4 entries
- prefix /28 counts 4 entries
- prefix /29 counts 4 entries
- prefix /30 counts 4 entries
- prefix /31 counts 4 entries
- prefix /32 counts 4 entries
totals: 6 lines read, 5 distinct IP ranges found, 30 CIDR prefixes, 54 CIDRs printed, 4294967292 unique IPs
completed in 0.00189 seconds (read 0.00075 + think 0.00004 + speak 0.00111)

pbx4 ~ # cat block-all-except.netset
0.0.0.0/1
128.0.0.0/3
160.0.0.0/4
176.0.0.0/5
184.0.0.0/8
185.0.0.0/9
185.128.0.0/10
185.192.0.0/14
185.196.0.0/15
185.198.0.0/16
185.199.0.0/18
185.199.64.0/19
185.199.96.0/21
185.199.104.0/22
185.199.108.0/25
185.199.108.128/28
185.199.108.144/29
185.199.108.152
185.199.108.154/31
185.199.108.156/30
185.199.108.160/27
185.199.108.192/26
185.199.109.0/25
185.199.109.128/28
185.199.109.144/29
185.199.109.152
185.199.109.154/31
185.199.109.156/30
185.199.109.160/27
185.199.109.192/26
185.199.110.0/25
185.199.110.128/28
185.199.110.144/29
185.199.110.152
185.199.110.154/31
185.199.110.156/30
185.199.110.160/27
185.199.110.192/26
185.199.111.0/25
185.199.111.128/28
185.199.111.144/29
185.199.111.152
185.199.111.154/31
185.199.111.156/30
185.199.111.160/27
185.199.111.192/26
185.199.112.0/20
185.199.128.0/17
185.200.0.0/13
185.208.0.0/12
185.224.0.0/11
186.0.0.0/7
188.0.0.0/6
192.0.0.0/2

==> Try doing that by hand :-)

==> When iptables matches ipsets, each different prefix must be matched for every packet, so you can reduce the number of prefixes at the expense of more entries per prefix.

pbx4 ~ # iprange -v --ipset-reduce 20 block-all-except.netset >block-all-except20.netset
iprange: Loading from block-all-except.netset
iprange: Loaded optimized block-all-except.netset
Counting prefixes in combined ipset ...
Eliminated 26 out of 30 prefixes (4 remain in the final set).
iprange: Printing combined ipset with 5 ranges, 4294967292 unique IPs
1593 printed CIDRs, break down by prefix:
- prefix /8 counts 255 entries
- prefix /16 counts 255 entries
- prefix /22 counts 63 entries
- prefix /32 counts 1020 entries
totals: 54 lines read, 5 distinct IP ranges found, 4 CIDR prefixes, 1593 CIDRs printed, 4294967292 unique IPs
completed in 0.01835 seconds (read 0.00068 + think 0.01419 + speak 0.00347)

==> Note the "4294967292 unique IPs" remains the same in both cases.
==> For AstLinux the "--ipset-reduce 20" step may not be worth it, but is optional.

iprange is quite cool, a lot of cool mathematics in it. Though currently IPv4-only.

Lonnie

>
> On 21/8/19, 2:10 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
> Michael,
>
> As your original question asked, you wanted to block all countries except
> one or two.
>
> I suppose you could be clever and block all by default in
> /mnt/kd/blocklists/blocked-hosts.netset
> --
> 0.0.0.0/1
> 128.0.0.0/1
> --
> and then use the whitelist to add your allowed countries .netset's
>
> BTW, I have not tried this !
>
> But a more elegant method would be to generate a custom
> block-all-except-xx-yy.netset on an external host for your custom use.
>
> The FireHol project uses a handy script "iprange" (should be on Debian)
> https://github.com/firehol/iprange/wiki
>
> The "exclude" mode does a complement of the added file, so in theory (not
> tested) you could start with this file:
> --
> 0.0.0.0/1
> 128.0.0.0/1
> --
> and then "exclude" what countries you want to allow to generate a
> block-all-except-xx-yy.netset file.
>
> The iprange command has a bunch of other unique and useful features.
> Though I'm not sure if it applies to AstLinux enough to be included ?
>
> Lonnie

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
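The two iprange steps in Lonnie's transcript above (subtract test.netset from a.netset, then re-express the result with fewer distinct prefix lengths) redone with Python's standard-library ipaddress module, as an added example that is not code from the thread or from the iprange project. The function names, the constructed inputs and the simplified reduce rule (split every block to the next allowed prefix length, rather than iprange's own optimiser) are this example's own assumptions; the four addresses are the ones the transcript resolved for www.astlinux-project.org, and the result reproduces the 54 CIDRs, the 4294967292 addresses and the 255/255/63/1020 prefix breakdown shown there.

```python
import ipaddress
from collections import Counter

def load_netset(lines):
    # .netset format: one IP or CIDR per line, '#' starts a comment
    fields = (l.split("#", 1)[0].strip() for l in lines)
    nets = [ipaddress.ip_network(f, strict=False) for f in fields if f]
    return list(ipaddress.collapse_addresses(nets))  # merged, sorted, minimal

def exclude(base, excluded):
    # Minimal CIDR list for base minus excluded, i.e. what
    # `iprange a.netset --exclude-next test.netset` prints.
    remaining = list(ipaddress.collapse_addresses(base))
    for ex in excluded:
        kept = []
        for net in remaining:
            if net.subnet_of(ex):       # net lies inside the hole: drop it
                continue
            if ex.subnet_of(net):       # hole lies inside net: carve it out
                kept.extend(net.address_exclude(ex))
            else:                       # disjoint: keep unchanged
                kept.append(net)
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))

def split_to_prefixes(nets, allowed):
    # The idea behind --ipset-reduce: use only the prefix lengths in `allowed`,
    # so ipset tests fewer prefixes per packet at the cost of more entries. Each
    # net becomes the shortest allowed prefix at least as long as its own.
    allowed = sorted(allowed)
    out = []
    for net in nets:
        target = next(p for p in allowed if p >= net.prefixlen)
        out.extend(net.subnets(new_prefix=target))
    return out

def count_ips(nets):
    return sum(n.num_addresses for n in nets)
def prefix_histogram(nets):
    return dict(Counter(n.prefixlen for n in nets))
def contains(nets, ip):
    return any(ipaddress.ip_address(ip) in n for n in nets)

# Constructed input mirroring the thread: all of IPv4 minus the four
# addresses www.astlinux-project.org resolved to in the transcript.
ALL_IPV4 = load_netset(["0.0.0.0/1", "128.0.0.0/1"])
ALLOWED = load_netset(["185.199.108.153", "185.199.109.153",
                       "185.199.110.153", "185.199.111.153"])
BLOCK_ALL_EXCEPT = exclude(ALL_IPV4, ALLOWED)                   # 54 CIDRs
REDUCED = split_to_prefixes(BLOCK_ALL_EXCEPT, (8, 16, 22, 32))  # 1593 CIDRs
```

Needs Python 3.7 or later for IPv4Network.subnet_of; like iprange, it is IPv4-only as written.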