Ah sorry I missed that. Regarding geoblocking, it's not something I would want to manually do each time and I would build a script initially and maybe a new tab eventually. The individual country netset files would either be blacklisted or whitelisted and they could be consolidated with iprange.

My initial thoughts anyway. No time to do it currently. I may just add the included netset files for now incoming.

Regards
Michael Knill

On 21/8/19, 6:57 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

On Aug 20, 2019, at 2:57 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Thanks Lonnie. I'm learning
>
> I noticed in the doco that you can 'match incoming and/or outgoing' traffic but I couldn't see where you actually specify this e.g. I just want incoming for instance
> Just wondering if I am missing something?

I don't think we have a web interface toggle for that, in your user.conf you can set:
--
BLOCK_HOSTS_BIDIRECTIONAL=0
--
and the AIF block hosts (Block All Traffic by Host/CIDR:) will only block on incoming. (be sure to test)

But be careful, you then eliminate all outbound (Block All Traffic by Host/CIDR:) AIF block hosts filtering. If you can block one ransomware URL in an email, that is a feature best not turned off.

And before you ask, no, there is no separate set of .netset files for outgoing and incoming :-)

BTW, I have been playing with the "iprange" command, it is only 40 KB ... I'm thinking it is AstLinux worthy. I know Michael Keuter has suggested looking into it some time ago.

So I now have...

pbx4 ~ # cat > dns-in
www.astlinux-project.org

==> The input is very flexible, here DNS is used to obtain the IPs... (using pthreads for parallel lookups 5x by default).

pbx4 ~ # iprange dns-in > test.netset

pbx4 ~ # cat test.netset
185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

==> I manually created this file...

pbx4 ~ # cat a.netset
0.0.0.0/1
128.0.0.0/1

==> just checking...

pbx4 ~ # iprange a.netset
0.0.0.0/0

==> Like the original question, generate a blocklist which is test.netset subtracted from a.netset
==> In other words, the result will be a .netset blocking all except "www.astlinux-project.org"...

pbx4 ~ # iprange -v a.netset --exclude-next test.netset > block-all-except.netset
iprange: Loading from a.netset
iprange: Loaded optimized a.netset
iprange: Loading from test.netset
iprange: Loaded optimized test.netset
iprange: Removing IPs in test.netset from a.netset
iprange: Printing a.netset with 5 ranges, 4294967292 unique IPs
54 printed CIDRs, break down by prefix:
  - prefix /1 counts 1 entries
  - prefix /2 counts 1 entries
  - prefix /3 counts 1 entries
  - prefix /4 counts 1 entries
  - prefix /5 counts 1 entries
  - prefix /6 counts 1 entries
  - prefix /7 counts 1 entries
  - prefix /8 counts 1 entries
  - prefix /9 counts 1 entries
  - prefix /10 counts 1 entries
  - prefix /11 counts 1 entries
  - prefix /12 counts 1 entries
  - prefix /13 counts 1 entries
  - prefix /14 counts 1 entries
  - prefix /15 counts 1 entries
  - prefix /16 counts 1 entries
  - prefix /17 counts 1 entries
  - prefix /18 counts 1 entries
  - prefix /19 counts 1 entries
  - prefix /20 counts 1 entries
  - prefix /21 counts 1 entries
  - prefix /22 counts 1 entries
  - prefix /25 counts 4 entries
  - prefix /26 counts 4 entries
  - prefix /27 counts 4 entries
  - prefix /28 counts 4 entries
  - prefix /29 counts 4 entries
  - prefix /30 counts 4 entries
  - prefix /31 counts 4 entries
  - prefix /32 counts 4 entries
totals: 6 lines read, 5 distinct IP ranges found, 30 CIDR prefixes, 54 CIDRs printed, 4294967292 unique IPs
completed in 0.00189 seconds (read 0.00075 + think 0.00004 + speak 0.00111)

pbx4 ~ # cat block-all-except.netset
0.0.0.0/1
128.0.0.0/3
160.0.0.0/4
176.0.0.0/5
184.0.0.0/8
185.0.0.0/9
185.128.0.0/10
185.192.0.0/14
185.196.0.0/15
185.198.0.0/16
185.199.0.0/18
185.199.64.0/19
185.199.96.0/21
185.199.104.0/22
185.199.108.0/25
185.199.108.128/28
185.199.108.144/29
185.199.108.152
185.199.108.154/31
185.199.108.156/30
185.199.108.160/27
185.199.108.192/26
185.199.109.0/25
185.199.109.128/28
185.199.109.144/29
185.199.109.152
185.199.109.154/31
185.199.109.156/30
185.199.109.160/27
185.199.109.192/26
185.199.110.0/25
185.199.110.128/28
185.199.110.144/29
185.199.110.152
185.199.110.154/31
185.199.110.156/30
185.199.110.160/27
185.199.110.192/26
185.199.111.0/25
185.199.111.128/28
185.199.111.144/29
185.199.111.152
185.199.111.154/31
185.199.111.156/30
185.199.111.160/27
185.199.111.192/26
185.199.112.0/20
185.199.128.0/17
185.200.0.0/13
185.208.0.0/12
185.224.0.0/11
186.0.0.0/7
188.0.0.0/6
192.0.0.0/2

==> Try doing that by hand :-)

==> When iptables matches ipsets, each different prefix must be matched for every packet, so you can reduce the number of prefixes at the expense of more entries per prefix.

pbx4 ~ # iprange -v --ipset-reduce 20 block-all-except.netset >block-all-except20.netset
iprange: Loading from block-all-except.netset
iprange: Loaded optimized block-all-except.netset
Counting prefixes in combined ipset ...
Eliminated 26 out of 30 prefixes (4 remain in the final set).
iprange: Printing combined ipset with 5 ranges, 4294967292 unique IPs
1593 printed CIDRs, break down by prefix:
  - prefix /8 counts 255 entries
  - prefix /16 counts 255 entries
  - prefix /22 counts 63 entries
  - prefix /32 counts 1020 entries
totals: 54 lines read, 5 distinct IP ranges found, 4 CIDR prefixes, 1593 CIDRs printed, 4294967292 unique IPs
completed in 0.01835 seconds (read 0.00068 + think 0.01419 + speak 0.00347)

==> Note the "4294967292 unique IPs" remains the same in both cases.

==> For AstLinux the "--ipset-reduce 20" step may not be worth it, but is optional.

iprange is quite cool, a lot of cool mathematics in it. Though currently IPv4-only.

Lonnie

>
> On 21/8/19, 2:10 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
> Michael,
>
> As your original question asked, you wanted to block all countries except one or two.
>
> I suppose you could be clever and block all by default in /mnt/kd/blocklists/blocked-hosts.netset
> --
> 0.0.0.0/1
> 128.0.0.0/1
> --
> and then use the whitelist to add your allowed countries .netset's
>
> BTW, I have not tried this !
>
> But a more elegant method would be to generate a custom block-all-except-xx-yy.netset on an external host for your custom use.
>
> The FireHol project uses a handy script "iprange" (should be on Debian)
> https://github.com/firehol/iprange/wiki
>
> The "exclude" mode does a complement of the added file, so in theory (not tested) you could start with this file:
> --
> 0.0.0.0/1
> 128.0.0.0/1
> --
> and then "exclude" what countries you want to allow to generate a block-all-except-xx-yy.netset file.
>
> The iprange command has a bunch of other unique and useful features. Though I'm not sure if it applies to AstLinux enough to be included ?
>
> Lonnie

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
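The two iprange steps in the thread (subtracting the allowed addresses from a "block everything" set, then trading distinct prefix lengths for more entries) are plain set arithmetic on CIDRs, and it helps to see them spelled out. The following is an added example written for this page, not code from the thread, from AstLinux or from the iprange project: it reimplements both steps with Python's standard ipaddress module, using inputs constructed to match Lonnie's a.netset and test.netset so the results can be compared against his output (54 CIDRs, 4294967292 unique IPs, 1593 CIDRs after reduction). The `reduce_prefixes` function is a simplification of `--ipset-reduce`: iprange picks which prefix lengths survive on its own, while here the caller passes them in (the /8, /16, /22, /32 set from the output above). The netset parser assumes one IP or CIDR per line with `#` comments, which is the format the thread shows.

```python
import ipaddress
from collections import Counter

# Constructed inputs mirroring the thread: a.netset (everything) and the four
# resolved addresses in test.netset. Assumption: one IP or CIDR per line.
A_NETSET = ["0.0.0.0/1", "128.0.0.0/1"]
TEST_NETSET = [
    "185.199.108.153", "185.199.109.153",
    "185.199.110.153", "185.199.111.153",
]


def parse_netset(lines):
    """Parse .netset lines (IP or CIDR per line, '#' comments ignored) into a
    collapsed, sorted list of IPv4 networks."""
    nets = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def exclude(base, remove):
    """Return base minus remove as a minimal list of CIDRs.
    This is the set operation `iprange base --exclude-next remove` performs."""
    result = list(base)
    for r in ipaddress.collapse_addresses(remove):
        kept = []
        for n in result:
            if n.subnet_of(r):          # n lies entirely inside r: drop it
                continue
            if r.subnet_of(n):          # r is strictly inside n: carve it out
                kept.extend(n.address_exclude(r))
            else:                       # disjoint: keep as is
                kept.append(n)
        result = kept
    return list(ipaddress.collapse_addresses(result))


def unique_ips(nets):
    """Number of distinct addresses covered (iprange's 'unique IPs')."""
    return sum(n.num_addresses for n in nets)


def prefix_breakdown(nets):
    """CIDR count per prefix length, like iprange -v's 'break down by prefix'."""
    return dict(sorted(Counter(n.prefixlen for n in nets).items()))


def reduce_prefixes(nets, keep):
    """Re-express nets using only the prefix lengths in `keep`, splitting each
    CIDR into the next allowed length >= its own. Fewer distinct prefixes
    means fewer hash:net lookups per packet, at the cost of more entries.
    Simplified stand-in for `iprange --ipset-reduce`, which chooses `keep`
    itself; here the caller supplies it."""
    keep = sorted(keep)
    out = []
    for n in nets:
        target = next((k for k in keep if k >= n.prefixlen), None)
        if target is None:
            raise ValueError(f"no allowed prefix length >= /{n.prefixlen} for {n}")
        out.extend(n.subnets(new_prefix=target))
    return out


def block_all_except(allow_lines, base_lines=A_NETSET):
    """Build the 'block everything except these' netset from the two inputs."""
    return exclude(parse_netset(base_lines), parse_netset(allow_lines))


def is_blocked(addr, nets):
    """Membership test a firewall would do: is addr covered by any CIDR?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    blocked = block_all_except(TEST_NETSET)
    print(f"{len(blocked)} CIDRs, {unique_ips(blocked)} unique IPs")
    print("prefixes:", prefix_breakdown(blocked))
    reduced = reduce_prefixes(blocked, [8, 16, 22, 32])
    print(f"reduced: {len(reduced)} CIDRs, prefixes {prefix_breakdown(reduced)}")
    for cidr in blocked:
        print(cidr)
```

Both the minimal list and the reduced list cover exactly 2^32 minus 4 addresses, which is the check Lonnie points at with "4294967292 unique IPs remains the same". The same functions apply to the country-netset case from the thread: feed the allowed countries' .netset files to `block_all_except` instead of the four resolved addresses.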