A firewalld.conf-ban:
FirewallBackend=iptables
A link alapján: https://documentation.clearos.com/content:en_us:kb_howtos_country_block…
Ez mehetne a cron.monthly-ba:
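#!/bin/bash
# Refresh the "country-list" ipset from ip.ludost.net (meant for cron.monthly).
#
# Steps: fetch the prefix list for the countries in ISO, load it into a
# temporary set, sanity-check it, swap it atomically into "country-list",
# write a restorable dump to SAVEFILE and finally re-restore every saved set.
# On any failure the currently active "country-list" is left untouched, an
# error is logged, a mail is sent and the script exits non-zero so cron
# reports it (the original exited 0 on failure).
#
# A list of the ISO country codes can be found at http://en.wikipedia.org/wiki/ISO_3166-1
# Countries are case insensitive for this script
set -euo pipefail

ISO="at be ch cy cz de dk es fr gb gr ie it lu mt nl pt eu va sm mc je gg im"
MAXELEM=131072
#MAXELEM=524288
readonly SET=country-list
readonly TMPSET=country-list-temp
readonly SAVEFILE=/usr/src/ipset_country-list.save
readonly SOURCE_URL=https://ip.ludost.net/cgi/process
readonly MAIL_TO=somewhere@example.com

#######################################
# Report a failed update and stop without touching the live set.
# Arguments: $* - reason, appended to the log and mail text
# Outputs:   syslog entry (tag country-list), notification mail
# Returns:   does not return; exits 1
#######################################
fail() {
  logger -t country-list "Update failed: $*"
  printf 'Country List Update failed: %s\n' "$*" \
    | mail -s 'Country List Update failed' "$MAIL_TO" \
    || logger -t country-list "could not send notification mail"
  ipset destroy -q "$TMPSET" || true
  exit 1
}

# modprobe is a no-op when the module is already loaded, so there is no need
# to parse lsmod (the old "grep ip_set" also matched ip_set_hash_net & co.).
modprobe ip_set

# Destroy the temp set in case a previous run left it populated
# (destroy returns non-zero when the set is missing, so tolerate that).
ipset destroy -q "$TMPSET" || true
# Make sure both sets exist
ipset create "$SET" nethash maxelem "$MAXELEM" -exist
ipset create "$TMPSET" nethash maxelem "$MAXELEM" -exist

# Download to a temp file first so a curl failure is detected before anything
# is added. --fail turns an HTTP error status into a curl error instead of an
# HTML error page being fed line by line into the set.
tmpfile=$(mktemp)
trap 'rm -f -- "$tmpfile"' EXIT
curl -fsS -d country=1 --data-urlencode "country_list=$ISO" -d format_template=prefix \
  -o "$tmpfile" "$SOURCE_URL" || fail "download from $SOURCE_URL failed"

# Load the country list (one prefix per line; '#' lines are comments).
# The prefix is quoted: the old unquoted $line would have word-split.
while IFS= read -r prefix || [[ -n "$prefix" ]]; do
  [[ -z "$prefix" || "$prefix" == \#* ]] && continue
  ipset add -exist "$TMPSET" "$prefix" || fail "could not add '$prefix' to $TMPSET"
done < "$tmpfile"

# "ipset list" prints a 7-line header; no more than that means an empty set.
if [[ $(ipset list "$TMPSET" | wc -l) -le 7 ]]; then
  fail "fetched list is empty"
fi

# Make the temp list current
ipset swap "$SET" "$TMPSET"
# Destroy the (now old) temp list
ipset destroy -q "$TMPSET"
# add some exceptions
#ipset add -exist country-list 209.90.117.194
#ipset add -exist country-list 209.90.117.196
#ipset add -exist country-list 159.203.19.178

# Create save list for loading on boot. The substitutions are anchored to the
# command word so only the "create"/"add" keywords get -exist, never a set
# name or option value that happens to contain those strings.
ipset save "$SET" > "$SAVEFILE"
sed -i -e 's/^create /create -exist /' -e 's/^add /add -exist /' -- "$SAVEFILE"
logger -t country-list "Updated"

# Load in all previously saved ipset sets (the module is already loaded above)
for file in /usr/src/ipset_*.save; do
  [[ -e "$file" ]] || continue
  ipset restore < "$file"
done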
Ez az "ipset-block.sh" script:
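#!/bin/bash
#
# this script name: ipset-block.sh
#
# Restores every saved ipset from /usr/src/ipset_*.save and inserts one INPUT
# rule that drops NEW TCP connections whose source is in "country-list".
# It is used in two ways: sourced by a firewall hook that sets FW_PROTO
# (ipv4/ipv6 pass), and executed directly by the systemd unit, where
# FW_PROTO is unset. Both paths are handled below.
#
# NOTE(review): a rule inserted straight into INPUT lives outside firewalld's
# own rule set; with FirewallBackend=iptables a firewalld reload/restart may
# flush it, so order this after firewalld (or move the rule into firewalld) —
# confirm on the target system.

# Skip the IPv6 pass when invoked by the hook. A bare "return" is an error in
# an executed script (bash reports it and keeps going), so fall back to exit.
if [ -n "${FW_PROTO:-}" ] && [ "$FW_PROTO" != "ipv4" ]; then
  return 0 2>/dev/null || exit 0
fi

for file in /usr/src/ipset_*.save ; do
  [ -e "$file" ] || continue
  ipset restore < "$file"
done

IPTABLES=/usr/sbin/iptables
# Block country addresses (exempt permitted countries)
#
# note the > /dev/null 2>&1 is needed for some odd reason
ipset create country-list nethash -exist > /dev/null 2>&1

# Fixed "-p tcp-j DROP" (missing space), which iptables rejected as an unknown
# protocol. -C first checks for an identical rule so repeated runs (hook
# reloads, unit restarts) do not stack duplicate DROP rules at the top of INPUT.
RULE='INPUT -m conntrack --ctstate NEW -m set --match-set country-list src -p tcp -j DROP'
# shellcheck disable=SC2086 — RULE is a fixed option list and must word-split
$IPTABLES -C $RULE > /dev/null 2>&1 || $IPTABLES -I $RULE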
Systemd service unit:
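# /etc/systemd/system/ipset-block.service
# (unit file names must end in ".service" or systemd will not load them;
#  /etc/systemd/system is for local units, /usr/lib/systemd/system for packaged ones)
[Unit]
Description=Restore country ipsets and insert the country-list DROP rule
# Start after firewalld so its own start-up (iptables backend) cannot wipe the
# inserted rule; After= is a no-op when firewalld is not installed.
After=network.target firewalld.service

[Service]
# The script runs once and exits; oneshot + RemainAfterExit keep the unit
# reported as active instead of "inactive (dead)" right after start.
Type=oneshot
RemainAfterExit=yes
ExecStart=/pathto/ipset-block.sh

[Install]
WantedBy=default.target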
# -----
Ez jó lehet? Az ipset-block.sh a megadott országokat tiltja, ha jól írtam.