Re: [CentOS] CentOS 6.X, iptables 1.47 and GeoLite2 Country Database

2019-01-14 Thread Phil Perry

On 15/01/2019 01:29, Jobst Schmalenbach wrote:


On Mon, Jan 14, 2019 at 07:29:45AM +, Phil Perry (ppe...@elrepo.org) wrote:

On 14/01/2019 07:09, Jobst Schmalenbach wrote:

Hi

I use ipdeny's aggregated country lists to do the same thing:

http://www.ipdeny.com/ipblocks/data/aggregated/

I just feed this data directly into ipset/iptables via a script running on
my firewall (not a C6 box). ipset is a really efficient way of doing this.



Do you create a separate table, then feed every IP address (via ipset) into 
this chain?
Would you mind sharing this script?

thx
Jobst





Below is my script for creating/updating an ipset to block my top 10 
undesirable/abusive countries. It runs as a cron job at startup to 
initially populate it and again every X hours to update it on my 
EdgeRouter firewall device.


It can be a relatively slow process creating very large sets, so we create 
a temp set and then swap the contents of the live set with the temp set 
and finally delete the temp set. This is a more efficient way of 
updating an existing set.


Once the ipset has been created, you can create rules in iptables to 
match against that set using -m set --match-set SETNAME.


Hope that helps

-- Phil


CountryList="cn ru ua kp kr br ro tr vn in"
if [ -e /tmp/countries.txt ]; then
    rm /tmp/countries.txt
fi

# Fetch each aggregated zone file and concatenate them into one list.
for country in $CountryList; do
    curl -o /tmp/$country.txt http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone
    cat /tmp/$country.txt >> /tmp/countries.txt
done

# Emit the temp set in "ipset restore" format: one create line followed by
# one add line per network. (The body of this function was lost in the list
# archive; this restore-format version is a reconstruction of what the
# swap/destroy lines below require.)
getnetblocks() {
    echo "create geotmp hash:net family inet"
    while read -r net; do
        echo "add geotmp $net"
    done < /tmp/countries.txt
}
getnetblocks > /tmp/cnblock.txt

# -! (-exist) lets the restore succeed even if geotmp is left over from a
# previous run. The live set must exist with the same type for the swap
# to work, so create it if it is missing, then swap and drop the temp set.
sudo ipset -! -R < /tmp/cnblock.txt
sudo ipset -! create COUNTRIES-BLOCK hash:net family inet
sudo ipset -W geotmp COUNTRIES-BLOCK
sudo ipset -X geotmp

rm /tmp/cnblock.txt

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] CentOS 6.X, iptables 1.47 and GeoLite2 Country Database

2019-01-14 Thread Kenneth Porter
--On Monday, January 14, 2019 7:29 AM + Phil Perry wrote:



I use ipdeny's aggregated country lists to do the same thing:

http://www.ipdeny.com/ipblocks/data/aggregated/

I just feed this data directly into ipset/iptables via a script running
on my firewall (not a C6 box). ipset is a really efficient way of doing
this.


CentOS 7 uses firewalld which has direct support for ipsets in XML form. 
Hopefully the site will soon supply the data in that format. (But it's not 
hard to generate the files from their format.)


Note that a zip file of all the individual country files can be downloaded 
here:


http://www.ipdeny.com/ipblocks/

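Generating the firewalld ipset XML that Kenneth mentions from an ipdeny-style zone file, as an added example that is not part of the original thread or of either project: it assumes the one-prefix-per-line layout of the aggregated .zone files, uses a constructed sample in place of a real download, and writes the hash:net definition firewalld expects under /etc/firewalld/ipsets/NAME.xml.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the ipdeny .zone layout (one prefix per line), using
# documentation ranges plus two deliberately odd lines to exercise the parser.
SAMPLE_ZONE = """\
192.0.2.0/24
198.51.100.0/24
203.0.113.0/25
# trailing comment line
10.0.0.1
not-a-prefix
"""


def parse_zone(text):
    """Return the valid IPv4 networks in a zone file, in file order.

    Blank lines and '#' comments are skipped; a bare address becomes a /32;
    anything ipaddress cannot parse is dropped rather than aborting, so one
    bad line cannot leave the firewall with an empty set.
    """
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            continue
    return nets


def build_ipset_xml(name, nets, maxelem=65536):
    """Render a firewalld ipset definition (hash:net, IPv4) as an XML string.

    maxelem is raised to the entry count so a large country list does not
    hit the kernel's hash-full limit when the set is loaded.
    """
    root = ET.Element("ipset", type="hash:net")
    ET.SubElement(root, "short").text = name
    ET.SubElement(root, "description").text = f"ipdeny aggregated blocks: {name}"
    ET.SubElement(root, "option", name="family", value="inet")
    ET.SubElement(root, "option", name="maxelem", value=str(max(maxelem, len(nets))))
    for net in nets:
        ET.SubElement(root, "entry").text = str(net)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_ipset_xml("cn", parse_zone(SAMPLE_ZONE)))
```

After dropping the output into /etc/firewalld/ipsets/cn.xml and running firewall-cmd --reload, the set can be referenced from a rich rule such as rule family="ipv4" source ipset="cn" drop.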


Re: [CentOS] CentOS 6.X, iptables 1.47 and GeoLite2 Country Database

2019-01-14 Thread Jobst Schmalenbach


On Mon, Jan 14, 2019 at 07:29:45AM +, Phil Perry (ppe...@elrepo.org) wrote:
> On 14/01/2019 07:09, Jobst Schmalenbach wrote:
> > Hi
> I use ipdeny's aggregated country lists to do the same thing:
> 
> http://www.ipdeny.com/ipblocks/data/aggregated/
> 
> I just feed this data directly into ipset/iptables via a script running on
> my firewall (not a C6 box). ipset is a really efficient way of doing this.


Do you create a separate table, then feed every IP address (via ipset) into 
this chain?
Would you mind sharing this script?

thx
Jobst



-- 
Computers are like air conditioners, they stop working properly if you open 
Windows!

  | |0| |   Jobst Schmalenbach, General Manager
  | | |0|   Barrett & Sales Essentials
  |0|0|0|   +61 3 9533 , POBox 277, Caulfield South, 3162, Australia


Re: [CentOS] @reboot only some lines of a script are working (yum install not)

2019-01-14 Thread Ralf Prengel

Hello.
solved.
proxy in yum.conf is working when starting yum in a crontab environment.

Ralf

Quoting Ralf Prengel:


Quoting Mogens Kjaer:


On 1/10/19 11:32 AM, Ralf Prengel wrote:
yum install doesn't work running the script via cron although yum  
remove works.


Is the network up when the script executes?



Hallo,

yes it is up.
Result of 10 pings is fine as first line in the script.
Any other ideas?

Ralf







Re: [CentOS] @reboot only some lines of a script are working (yum install not)

2019-01-14 Thread Ralf Prengel

Found this after using debug-level.
Seems as if curl doesn't use the proxy configuration.
We are using port 8080.

}
  }
2019-01-14 09:57:06,919 attempt 1/10: http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock
2019-01-14 09:57:35,048 exception: [Errno 14] curl#7 - "Failed connect to mirrorlist.centos.org:80; Die Operation ist jetzt in Bearbeitung"
2019-01-14 09:57:35,049 retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising


Quoting Ralf Prengel:


ok
a good hint.
I will test it Monday.

Ralf

Sent from my iPhone


On 10.01.2019 at 18:23, Mogens Kjaer wrote:


On 1/10/19 11:32 AM, Ralf Prengel wrote:
yum install doesn't work running the script via cron although yum  
remove works.


Is the network up when the script executes?

Mogens

--
Mogens Kjaer, m...@lemo.dk
http://www.lemo.dk





