Just to help document iprange ...

Below was an example where a.netset is manually created:

pbx4 ~ # iprange -v a.netset --exclude-next test.netset > block-all-except.netset

This is an alternate way to use stdin and a - (minus) as a placeholder:

pbx4 ~ # echo "0.0.0.0/0" | iprange -v - --exclude-next test.netset > block-all-except.netset
--
iprange: Loading from stdin
iprange: Loaded optimized stdin
iprange: Loading from test.netset
iprange: Loaded optimized test.netset
iprange: Removing IPs in test.netset from stdin
iprange: Printing stdin with 5 ranges, 4294967292 unique IPs
--

and you can have multiple "--exclude-next fileN.netset" to subtract additional 
netsets.

A very powerful tool.

So, when the final result is used as a block-all-except.netset blocklist, the 
subtracted IPs will not be blocked, all the rest will be blocked.

Lonnie


> On Aug 20, 2019, at 3:57 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> 
> wrote:
> 
> On Aug 20, 2019, at 2:57 PM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
>> 
>> Thanks Lonnie. I'm learning
>> 
>> I noticed in the doco that you can 'match incoming and/or outgoing' traffic 
>> but I couldn't see where you actually specify this e.g. I just want incoming 
>> for instance
>> Just wondering if I am missing something?
> 
> I don't think we have a web interface toggle for that, in your user.conf you 
> can set:
> --
> BLOCK_HOSTS_BIDIRECTIONAL=0
> --
> and the AIF block hosts (Block All Traffic by Host/CIDR:) will only block on 
> incoming.  (be sure to test)
> 
> But be careful, you then eliminate all outbound (Block All Traffic by 
> Host/CIDR:) AIF block hosts filtering.  If you can block one ransomware URL 
> in an email, that is a feature best not turned off.
> 
> And before you ask, no, there is no separate set of .netset files for 
> outgoing and incoming :-)
> 
> 
> BTW, I have been playing with the "iprange" command, it is only 40 KB ... I'm 
> thinking it is AstLinux worthy.  I know Michael Keuter has suggested looking 
> into it some time ago.  So I now have...
> 
> pbx4 ~ # cat > dns-in
> www.astlinux-project.org
> 
> ==> The input is very flexible, here DNS is used to obtain the IPs... (using 
> pthreads for parallel lookups 5x by default).
> 
> pbx4 ~ # iprange dns-in > test.netset
> pbx4 ~ # cat test.netset
> 185.199.108.153
> 185.199.109.153
> 185.199.110.153
> 185.199.111.153
> 
> ==> I manually created this file...
> 
> pbx4 ~ # cat a.netset 
> 0.0.0.0/1
> 128.0.0.0/1
> 
> ==> just checking...
> 
> pbx4 ~ # iprange a.netset 
> 0.0.0.0/0
> 
> ==> Like the original question, generate a blocklist which is test.netset 
> subtracted from a.netset
> ==> In other words, the result will be a .netset blocking all except 
> "www.astlinux-project.org"... 
> 
> pbx4 ~ # iprange -v a.netset --exclude-next test.netset > block-all-except.netset
> iprange: Loading from a.netset
> iprange: Loaded optimized a.netset
> iprange: Loading from test.netset
> iprange: Loaded optimized test.netset
> iprange: Removing IPs in test.netset from a.netset
> iprange: Printing a.netset with 5 ranges, 4294967292 unique IPs
> 
> 54 printed CIDRs, break down by prefix:
>       - prefix /1 counts 1 entries
>       - prefix /2 counts 1 entries
>       - prefix /3 counts 1 entries
>       - prefix /4 counts 1 entries
>       - prefix /5 counts 1 entries
>       - prefix /6 counts 1 entries
>       - prefix /7 counts 1 entries
>       - prefix /8 counts 1 entries
>       - prefix /9 counts 1 entries
>       - prefix /10 counts 1 entries
>       - prefix /11 counts 1 entries
>       - prefix /12 counts 1 entries
>       - prefix /13 counts 1 entries
>       - prefix /14 counts 1 entries
>       - prefix /15 counts 1 entries
>       - prefix /16 counts 1 entries
>       - prefix /17 counts 1 entries
>       - prefix /18 counts 1 entries
>       - prefix /19 counts 1 entries
>       - prefix /20 counts 1 entries
>       - prefix /21 counts 1 entries
>       - prefix /22 counts 1 entries
>       - prefix /25 counts 4 entries
>       - prefix /26 counts 4 entries
>       - prefix /27 counts 4 entries
>       - prefix /28 counts 4 entries
>       - prefix /29 counts 4 entries
>       - prefix /30 counts 4 entries
>       - prefix /31 counts 4 entries
>       - prefix /32 counts 4 entries
> 
> totals: 6 lines read, 5 distinct IP ranges found, 30 CIDR prefixes, 54 CIDRs 
> printed, 4294967292 unique IPs
> completed in 0.00189 seconds (read 0.00075 + think 0.00004 + speak 0.00111)
> 
> pbx4 ~ # cat block-all-except.netset 
> 0.0.0.0/1
> 128.0.0.0/3
> 160.0.0.0/4
> 176.0.0.0/5
> 184.0.0.0/8
> 185.0.0.0/9
> 185.128.0.0/10
> 185.192.0.0/14
> 185.196.0.0/15
> 185.198.0.0/16
> 185.199.0.0/18
> 185.199.64.0/19
> 185.199.96.0/21
> 185.199.104.0/22
> 185.199.108.0/25
> 185.199.108.128/28
> 185.199.108.144/29
> 185.199.108.152
> 185.199.108.154/31
> 185.199.108.156/30
> 185.199.108.160/27
> 185.199.108.192/26
> 185.199.109.0/25
> 185.199.109.128/28
> 185.199.109.144/29
> 185.199.109.152
> 185.199.109.154/31
> 185.199.109.156/30
> 185.199.109.160/27
> 185.199.109.192/26
> 185.199.110.0/25
> 185.199.110.128/28
> 185.199.110.144/29
> 185.199.110.152
> 185.199.110.154/31
> 185.199.110.156/30
> 185.199.110.160/27
> 185.199.110.192/26
> 185.199.111.0/25
> 185.199.111.128/28
> 185.199.111.144/29
> 185.199.111.152
> 185.199.111.154/31
> 185.199.111.156/30
> 185.199.111.160/27
> 185.199.111.192/26
> 185.199.112.0/20
> 185.199.128.0/17
> 185.200.0.0/13
> 185.208.0.0/12
> 185.224.0.0/11
> 186.0.0.0/7
> 188.0.0.0/6
> 192.0.0.0/2
> 
> ==> Try doing that by hand :-)
> 
> ==> When iptables matches ipsets, each different prefix must be matched for 
> every packet, so you can reduce the number of prefixes at the expense of more 
> entries per prefix.
> 
> pbx4 ~ # iprange -v --ipset-reduce 20 block-all-except.netset > block-all-except20.netset
> iprange: Loading from block-all-except.netset
> iprange: Loaded optimized block-all-except.netset
> 
> Counting prefixes in combined ipset
> ...
> 
> Eliminated 26 out of 30 prefixes (4 remain in the final set).
> 
> iprange: Printing combined ipset with 5 ranges, 4294967292 unique IPs
> 
> 1593 printed CIDRs, break down by prefix:
>       - prefix /8 counts 255 entries
>       - prefix /16 counts 255 entries
>       - prefix /22 counts 63 entries
>       - prefix /32 counts 1020 entries
> 
> totals: 54 lines read, 5 distinct IP ranges found, 4 CIDR prefixes, 1593 
> CIDRs printed, 4294967292 unique IPs
> completed in 0.01835 seconds (read 0.00068 + think 0.01419 + speak 0.00347)
> 
> 
> ==> Note the "4294967292 unique IPs" remains the same in both cases.
> 
> ==> For AstLinux the "--ipset-reduce 20" step may not be worth it, but is 
> optional.
> 
> 
> iprange is quite cool, a lot of cool mathematics in it.  Though currently 
> IPv4-only.
> 
> 
> Lonnie
> 
> 
>> 
>> On 21/8/19, 2:10 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>> 
>>   Michael,
>> 
>>   As your original question asked, you wanted to block all countries except 
>> one or two.
>> 
>>   I suppose you could be clever and block all by default in 
>> /mnt/kd/blocklists/blocked-hosts.netset
>>   --
>>   0.0.0.0/1
>>   128.0.0.0/1
>>   --
>>   and then use the whitelist to add your allowed countries .netsets 
>> 
>>   BTW, I have not tried this !
>> 
>>   But a more elegant method would be to generate a custom 
>> block-all-except-xx-yy.netset on an external host for your custom use.
>> 
>>   The FireHol project uses a handy script "iprange" (should be on Debian)
>>   https://github.com/firehol/iprange/wiki
>> 
>>   The "exclude" mode does a complement of the added file, so in theory (not 
>> tested) you could start with this file:
>>   --
>>   0.0.0.0/1
>>   128.0.0.0/1
>>   --
>>   and then "exclude" what countries you want to allow to generate a 
>> block-all-except-xx-yy.netset file.
>> 
>>   The iprange command has a bunch of other unique and useful features.  
>> Though I'm not sure if it applies to AstLinux enough to be included?
>> 
>>   Lonnie
> 
> 
> 
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.
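A worked version of the two iprange steps shown in this thread, the `--exclude-next` subtraction (top reply and quoted message) and the `--ipset-reduce` prefix trade-off (quoted message), as an added Python example that is not iprange's own code. It uses only the standard `ipaddress` module, takes a.netset and the four resolved IPs from the thread as constructed inputs, and assumes the kept prefixes 8/16/22/32 from iprange's reported result rather than reproducing its selection heuristic.

```python
import ipaddress
from collections import Counter

# Constructed inputs mirroring the thread: a.netset ("everything") and the
# four addresses iprange resolved for www.astlinux-project.org (test.netset).
START = ["0.0.0.0/1", "128.0.0.0/1"]
ALLOW = ["185.199.108.153", "185.199.109.153",
         "185.199.110.153", "185.199.111.153"]


def exclude(start, allow):
    """start minus allow as the minimal sorted CIDR list, i.e. what
    'iprange start --exclude-next allow' prints."""
    nets = [ipaddress.ip_network(s) for s in start]
    for a in (ipaddress.ip_network(x) for x in allow):
        kept = []
        for n in nets:
            if a.subnet_of(n):           # carve a out of n
                kept.extend(n.address_exclude(a))
            elif not n.subnet_of(a):     # keep n; drop it if a covers it
                kept.append(n)
        nets = kept
    return sorted(ipaddress.collapse_addresses(nets))


def reduce_prefixes(nets, keep):
    """Re-express nets with only the prefix lengths in keep, splitting each
    block into the shortest kept prefix it fits: fewer distinct prefixes
    (one ipset lookup each) at the cost of more entries, as --ipset-reduce
    does. keep is an assumed caller choice; iprange's heuristic is not here."""
    keep = sorted(keep)
    out = []
    for n in nets:
        target = next((p for p in keep if p >= n.prefixlen), None)
        if target is None:
            raise ValueError(f"no kept prefix can hold {n}")
        out.extend(n.subnets(new_prefix=target))
    return out


def summarize(nets):
    """The counts iprange -v reports: CIDRs, per-prefix breakdown, IPs."""
    return {"cidrs": len(nets),
            "prefixes": Counter(n.prefixlen for n in nets),
            "ips": sum(n.num_addresses for n in nets)}


if __name__ == "__main__":
    full = exclude(START, ALLOW)
    print(summarize(full))                                 # 54 CIDRs, 30 prefixes
    print(summarize(reduce_prefixes(full, [8, 16, 22, 32])))  # 1593 CIDRs, 4 prefixes
```

Both summaries report 4294967292 unique IPs, matching the thread: the reduction changes only how the set is expressed, not what it blocks.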


