Great that should make it very easy then to create both blacklists and whitelists. Just need a way to get access to all the country lists.
Thanks

Regards
Michael Knill

On 21/8/19, 11:40 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

Just to help document iprange ...

Below was an example where a.netset is manually created:

pbx4 ~ # iprange -v a.netset --exclude-next test.netset > block-all-except.netset

This is an alternate way to use stdin and a - (minus) as a placeholder

pbx4 ~ # echo "0.0.0.0/0" | iprange -v - --exclude-next test.netset > block-all-except.netset
--
iprange: Loading from stdin
iprange: Loaded optimized stdin
iprange: Loading from test.netset
iprange: Loaded optimized test.netset
iprange: Removing IPs in test.netset from stdin
iprange: Printing stdin with 5 ranges, 4294967292 unique IPs
--

and you can have multiple "--exclude-next fileN.netset" to subtract additional netsets. A very powerful tool.

So, when the final result is used as a block-all-except.netset blocklist, the subtracted IPs will not be blocked, all the rest will be blocked.

Lonnie

> On Aug 20, 2019, at 3:57 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>
> On Aug 20, 2019, at 2:57 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>> Thanks Lonnie. I'm learning
>>
>> I noticed in the doco that you can 'match incoming and/or outgoing' traffic but I couldn't see where you actually specify this, e.g. I just want incoming for instance.
>> Just wondering if I am missing something?
>
> I don't think we have a web interface toggle for that, in your user.conf you can set:
> --
> BLOCK_HOSTS_BIDIRECTIONAL=0
> --
> and the AIF block hosts (Block All Traffic by Host/CIDR:) will only block on incoming. (be sure to test)
>
> But be careful, you then eliminate all outbound (Block All Traffic by Host/CIDR:) AIF block hosts filtering. If you can block one ransomware URL in an email, that is a feature best not turned off.
>
> And before you ask, no, there is no separate set of .netset files for outgoing and incoming :-)
>
>
> BTW, I have been playing with the "iprange" command, it is only 40 KB ... I'm thinking it is AstLinux worthy. I know Michael Keuter has suggested looking into it some time ago. So I now have...
>
> pbx4 ~ # cat > dns-in
> www.astlinux-project.org
>
> ==> The input is very flexible, here DNS is used to obtain the IPs... (using pthreads for parallel lookups, 5x by default).
>
> pbx4 ~ # iprange dns-in > test.netset
> pbx4 ~ # cat test.netset
> 185.199.108.153
> 185.199.109.153
> 185.199.110.153
> 185.199.111.153
>
> ==> I manually created this file...
>
> pbx4 ~ # cat a.netset
> 0.0.0.0/1
> 128.0.0.0/1
>
> ==> just checking...
>
> pbx4 ~ # iprange a.netset
> 0.0.0.0/0
>
> ==> Like the original question, generate a blocklist which is test.netset subtracted from a.netset
> ==> In other words, the result will be a .netset blocking all except "www.astlinux-project.org"...
>
> pbx4 ~ # iprange -v a.netset --exclude-next test.netset > block-all-except.netset
> iprange: Loading from a.netset
> iprange: Loaded optimized a.netset
> iprange: Loading from test.netset
> iprange: Loaded optimized test.netset
> iprange: Removing IPs in test.netset from a.netset
> iprange: Printing a.netset with 5 ranges, 4294967292 unique IPs
>
> 54 printed CIDRs, break down by prefix:
> - prefix /1 counts 1 entries
> - prefix /2 counts 1 entries
> - prefix /3 counts 1 entries
> - prefix /4 counts 1 entries
> - prefix /5 counts 1 entries
> - prefix /6 counts 1 entries
> - prefix /7 counts 1 entries
> - prefix /8 counts 1 entries
> - prefix /9 counts 1 entries
> - prefix /10 counts 1 entries
> - prefix /11 counts 1 entries
> - prefix /12 counts 1 entries
> - prefix /13 counts 1 entries
> - prefix /14 counts 1 entries
> - prefix /15 counts 1 entries
> - prefix /16 counts 1 entries
> - prefix /17 counts 1 entries
> - prefix /18 counts 1 entries
> - prefix /19 counts 1 entries
> - prefix /20 counts 1 entries
> - prefix /21 counts 1 entries
> - prefix /22 counts 1 entries
> - prefix /25 counts 4 entries
> - prefix /26 counts 4 entries
> - prefix /27 counts 4 entries
> - prefix /28 counts 4 entries
> - prefix /29 counts 4 entries
> - prefix /30 counts 4 entries
> - prefix /31 counts 4 entries
> - prefix /32 counts 4 entries
>
> totals: 6 lines read, 5 distinct IP ranges found, 30 CIDR prefixes, 54 CIDRs printed, 4294967292 unique IPs
> completed in 0.00189 seconds (read 0.00075 + think 0.00004 + speak 0.00111)
>
> pbx4 ~ # cat block-all-except.netset
> 0.0.0.0/1
> 128.0.0.0/3
> 160.0.0.0/4
> 176.0.0.0/5
> 184.0.0.0/8
> 185.0.0.0/9
> 185.128.0.0/10
> 185.192.0.0/14
> 185.196.0.0/15
> 185.198.0.0/16
> 185.199.0.0/18
> 185.199.64.0/19
> 185.199.96.0/21
> 185.199.104.0/22
> 185.199.108.0/25
> 185.199.108.128/28
> 185.199.108.144/29
> 185.199.108.152
> 185.199.108.154/31
> 185.199.108.156/30
> 185.199.108.160/27
> 185.199.108.192/26
> 185.199.109.0/25
> 185.199.109.128/28
> 185.199.109.144/29
> 185.199.109.152
> 185.199.109.154/31
> 185.199.109.156/30
> 185.199.109.160/27
> 185.199.109.192/26
> 185.199.110.0/25
> 185.199.110.128/28
> 185.199.110.144/29
> 185.199.110.152
> 185.199.110.154/31
> 185.199.110.156/30
> 185.199.110.160/27
> 185.199.110.192/26
> 185.199.111.0/25
> 185.199.111.128/28
> 185.199.111.144/29
> 185.199.111.152
> 185.199.111.154/31
> 185.199.111.156/30
> 185.199.111.160/27
> 185.199.111.192/26
> 185.199.112.0/20
> 185.199.128.0/17
> 185.200.0.0/13
> 185.208.0.0/12
> 185.224.0.0/11
> 186.0.0.0/7
> 188.0.0.0/6
> 192.0.0.0/2
>
> ==> Try doing that by hand :-)
>
> ==> When iptables matches ipsets, each different prefix must be matched for every packet, so you can reduce the number of prefixes at the expense of more entries per prefix.
>
> pbx4 ~ # iprange -v --ipset-reduce 20 block-all-except.netset > block-all-except20.netset
> iprange: Loading from block-all-except.netset
> iprange: Loaded optimized block-all-except.netset
>
> Counting prefixes in combined ipset
> ...
>
> Eliminated 26 out of 30 prefixes (4 remain in the final set).
>
> iprange: Printing combined ipset with 5 ranges, 4294967292 unique IPs
>
> 1593 printed CIDRs, break down by prefix:
> - prefix /8 counts 255 entries
> - prefix /16 counts 255 entries
> - prefix /22 counts 63 entries
> - prefix /32 counts 1020 entries
>
> totals: 54 lines read, 5 distinct IP ranges found, 4 CIDR prefixes, 1593 CIDRs printed, 4294967292 unique IPs
> completed in 0.01835 seconds (read 0.00068 + think 0.01419 + speak 0.00347)
>
>
> ==> Note the "4294967292 unique IPs" remains the same in both cases.
>
> ==> For AstLinux the "--ipset-reduce 20" step may not be worth it, but is optional.
>
>
> iprange is quite cool, a lot of cool mathematics in it. Though currently IPv4-only.
>
>
> Lonnie
>
>
>>
>> On 21/8/19, 2:10 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>>
>> Michael,
>>
>> As your original question asked, you wanted to block all countries except one or two.
>>
>> I suppose you could be clever and block all by default in /mnt/kd/blocklists/blocked-hosts.netset
>> --
>> 0.0.0.0/1
>> 128.0.0.0/1
>> --
>> and then use the whitelist to add your allowed countries' .netsets
>>
>> BTW, I have not tried this!
>>
>> But a more elegant method would be to generate a custom block-all-except-xx-yy.netset on an external host for your custom use.
>>
>> The FireHol project uses a handy script "iprange" (should be on Debian)
>> https://github.com/firehol/iprange/wiki
>>
>> The "exclude" mode does a complement of the added file, so in theory (not tested) you could start with this file:
>> --
>> 0.0.0.0/1
>> 128.0.0.0/1
>> --
>> and then "exclude" what countries you want to allow to generate a block-all-except-xx-yy.netset file.
>>
>> The iprange command has a bunch of other unique and useful features. Though I'm not sure if it applies to AstLinux enough to be included?
>>
>> Lonnie
>
>
>
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
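The "block all except" subtraction the thread does with iprange --exclude-next, reproduced here in Python's standard ipaddress module so the 54-CIDR result can be checked without iprange installed. This is an added example, not iprange's or AstLinux's code; it assumes the .netset format the thread shows (one IP or CIDR per line, bare IP meaning /32) and uses the four resolved addresses from the thread as a constructed sample allowlist. The functions parse_netset, exclude, block_all_except, to_netset, prefix_breakdown and is_blocked are names chosen for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample: test.netset exactly as the thread shows it (four /32s).
TEST_NETSET = """185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153
"""

def parse_netset(text):
    """One IP or CIDR per line, '#' comments; a bare IP is a /32 (iprange style)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.IPv4Network(line, strict=False))
    return sorted(ipaddress.collapse_addresses(nets))

def exclude(base, subtract):
    """base minus subtract as minimal CIDRs, i.e. what --exclude-next does.
    Two IPv4 networks are either nested or disjoint, so two checks suffice."""
    result = list(base)
    for s in subtract:
        nxt = []
        for b in result:
            if s.subnet_of(b):
                nxt.extend(b.address_exclude(s))  # carve s out of b
            elif not b.subnet_of(s):
                nxt.append(b)                     # disjoint, keep b
            # else b lies wholly inside s and is dropped
        result = nxt
    return sorted(ipaddress.collapse_addresses(result))

def block_all_except(allow_text):
    """Complement of the allowlist over all of IPv4, using 0.0.0.0/0 as the
    base like the thread's: echo "0.0.0.0/0" | iprange - --exclude-next ..."""
    return exclude([ipaddress.IPv4Network("0.0.0.0/0")], parse_netset(allow_text))

def to_netset(nets):
    """Render like iprange: host routes as bare IPs, everything else as CIDR."""
    return "\n".join(str(n.network_address) if n.prefixlen == 32 else str(n)
                     for n in nets) + "\n"

def prefix_breakdown(nets):
    """Entries per prefix length, the 'break down by prefix' of iprange -v."""
    return Counter(n.prefixlen for n in nets)

def is_blocked(nets, ip):
    """True if ip falls inside any CIDR of the blocklist."""
    return any(ipaddress.IPv4Address(ip) in n for n in nets)
```

block_all_except(TEST_NETSET) yields the same 54 CIDRs (22 single entries for /1 through /22, then 4 each for /25 through /32) and 4294967292 addresses that the thread's iprange -v run reports; the ipset-reduce step is not reproduced.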