I got tired of people from other countries trying to make an anonymous
SIP call through my SIP box and other senseless attacks on Shorewall, so
I wrote a script that added entire countries to the blacklist.  I don't
know anybody in these countries, so I wasn't worried about blocking
access to anything from my home.  I can initiate connections out and
complete them; it just drops connections originating from these ranges.
The script condenses IP scopes to limit the blacklist somewhat.  It's
running very well right now on a box with 256M of memory.

-----------This is in /etc/cron.weekly-------------------------
#!/bin/sh
#
# cron.d/shorewall -- update blacklist and restart
#

IP=/usr/local/bin/ip_blacklist.sh
SHOREWALL=/sbin/shorewall

test -x $IP        || exit 1
test -x $SHOREWALL || exit 1

$IP && $SHOREWALL refresh


----------This is /usr/local/bin/ip_blacklist.sh----------------
#!/bin/sh

# More country IP blocks available at
# http://www.countryipblocks.net/country-blocks/cidr/
# Make sure the next line is 1 line
URL="http://www.countryipblocks.net/e_country_data/RO_cidr.txt http://www.countryipblocks.net/e_country_data/RU_cidr.txt http://www.countryipblocks.net/e_country_data/KR_cidr.txt http://www.countryipblocks.net/e_country_data/CN_cidr.txt"

FILE=/tmp/blacklist.txt
WGET=$(which wget)
SED=$(which sed)
GREP=$(which grep)
SORT=$(which sort)
AGGREGATE=$(which aggregate)
BLACKLIST="/etc/shorewall/blacklist"
DATE=$(date)
# The messages must be quoted: an unquoted "(apt-get install aggregate)"
# is a shell syntax error, and the original line was wrapped in transit.
test x$WGET = x      && echo "$0 requires wget" && exit 1
test x$SED = x       && echo "$0 requires sed" && exit 1
test x$GREP = x      && echo "$0 requires grep" && exit 1
test x$AGGREGATE = x && echo "$0 requires aggregate (apt-get install aggregate)" && exit 1
test x$SORT = x      && echo "$0 requires sort" && exit 1

BEGINNING="#ADDRESS/SUBNET              PROTOCOL        PORT"
ENDING="#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE"

cd /tmp
test -f $FILE && rm $FILE
# Run wget directly (not inside $(...), which would try to execute its output).
# Bail out on a failed download so an empty list is never installed; the
# cron wrapper then skips the "shorewall refresh".
$WGET -q $URL -O $FILE || exit 1

# Quote the header/footer so the column spacing survives echo.
echo "$BEGINNING" > $BLACKLIST
echo "#Downloaded: " $DATE >> $BLACKLIST
$GREP "^#" $FILE >> $BLACKLIST
# Drop comments, sort numerically by octet, then merge adjacent/overlapping
# prefixes with aggregate to keep the blacklist short.
$GREP -v '^#' $FILE | $SORT -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n \
    | $AGGREGATE -t -q >> $BLACKLIST
echo "$ENDING" >> $BLACKLIST
----------------------------------------------------------------------

Any feedback or comments are greatly appreciated.

Sean
-- 
If all printers were determined not to print anything
till they were sure it would offend nobody, there would
be very little printed. - Benjamin Franklin
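An added example, not Sean's script: the same aggregation step done in Python with `ipaddress.collapse_addresses` standing in for the `aggregate` tool, plus two checks worth running before the file is handed to Shorewall: malformed lines from a bad download are rejected instead of landing in the blacklist, and the merged ranges are tested against addresses you still need to reach you. The sample CIDR list, the trusted addresses and the `render_blacklist` output format (mirroring the post's header and footer lines) are constructed for this example.

```python
import ipaddress

# Constructed sample in the shape of a downloaded *_cidr.txt file:
# two adjacent /25s, an overlap, a duplicate and one corrupt line.
SAMPLE_CIDR_LIST = """\
# constructed sample, not real country data
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.0/26
198.51.100.0/24
not-an-address
"""

BEGINNING = "#ADDRESS/SUBNET              PROTOCOL        PORT"
ENDING = "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE"


def parse_cidrs(text):
    """Return (networks, rejected_lines); '#' comments and blanks are skipped."""
    nets, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)   # keep corrupt input out of the firewall
    return nets, rejected


def aggregate(nets):
    """Merge adjacent and overlapping prefixes, as 'aggregate -t' does."""
    merged = ipaddress.collapse_addresses(nets)
    return sorted(merged, key=lambda n: (int(n.network_address), n.prefixlen))


def covered_trusted(nets, trusted_hosts):
    """Return the trusted hosts that the blacklist would also drop."""
    return [h for h in trusted_hosts
            if any(ipaddress.ip_address(h) in n for n in nets)]


def render_blacklist(nets, downloaded="constructed"):
    """Produce the blacklist file body in the layout used by the post."""
    lines = [BEGINNING, "#Downloaded: " + downloaded]
    lines += [str(n) for n in nets]
    lines.append(ENDING)
    return "\n".join(lines) + "\n"
```

Running `render_blacklist(aggregate(parse_cidrs(SAMPLE_CIDR_LIST)[0]))` yields two merged /24s between the header and footer lines; `covered_trusted` is the place to feed your own remote addresses so a bad list cannot lock you out.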

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users