Re: [CentOS] CentOS 6.X, iptables 1.47 and GeoLite2 Country Database
On 15/01/2019 01:29, Jobst Schmalenbach wrote:
> On Mon, Jan 14, 2019 at 07:29:45AM +, Phil Perry (ppe...@elrepo.org) wrote:
>> On 14/01/2019 07:09, Jobst Schmalenbach wrote:
>>> Hi
>>
>> I use ipdeny's aggregated country lists to do the same thing:
>>
>> http://www.ipdeny.com/ipblocks/data/aggregated/
>>
>> I just feed this data directly into ipset/iptables via a script running on
>> my firewall (not a C6 box). ipset is a really efficient way of doing this.
>
> Do you create a separate table, then feed every IP address (via ipset) into this chain?
>
> Would you mind sharing this script?
>
> thx
> Jobst

Below is my script for creating/updating an ipset to block my top 10 undesirable/abusive countries. It runs as a cron job at startup to initially populate it and again every X hours to update it on my EdgeRouter firewall device.

It can be a relatively slow process creating very large sets, so we create a temp set and then swap the contents of the live set with the temp set and finally delete the temp set. This is a more efficient way of updating an existing set.

Once the ipset has been created, you can create rules in iptables to match against that set using -m set --match-set SETNAME.

Hope that helps

--
Phil

  CountryList="cn ru ua kp kr br ro tr vn in"

  if [ -e /tmp/countries.txt ]; then
    rm /tmp/countries.txt
  fi

  # fetch each country's aggregated zone file and concatenate them into one list
  for country in $CountryList; do
    curl -o /tmp/$country.txt http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone
    cat /tmp/$country.txt >> /tmp/countries.txt
  done

  getnetblocks() {
    cat < [heredoc body and closing brace of getnetblocks() lost in extraction] > /tmp/cnblock.txt

  # -! -R: restore the temp set from the generated file, ignoring "already exists" errors
  sudo ipset -! -R < /tmp/cnblock.txt
  # -W: swap the temp set with the live set COUNTRIES-BLOCK
  sudo ipset -W geotmp COUNTRIES-BLOCK
  # -X: destroy the now stale temp set
  sudo ipset -X geotmp
  rm /tmp/cnblock.txt

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 6.X, iptables 1.47 and GeoLite2 Country Database
--On Monday, January 14, 2019 7:29 AM + Phil Perry wrote:
> I use ipdeny's aggregated country lists to do the same thing:
>
> http://www.ipdeny.com/ipblocks/data/aggregated/
>
> I just feed this data directly into ipset/iptables via a script running on my firewall (not a C6 box). ipset is a really efficient way of doing this.

CentOS 7 uses firewalld which has direct support for ipsets in XML form. Hopefully the site will soon supply the data in that format. (But it's not hard to generate the files from their format.)

Note that a zip file of all the individual country files can be downloaded here:
http://www.ipdeny.com/ipblocks/
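The procedure Phil describes above (fill a temp set, swap it with the live set, destroy the temp set, then match the set from iptables) and the firewalld ipset XML form mentioned in the reply, as one added example. This is not Phil Perry's script, nor ipdeny's or firewalld's code. The set names COUNTRIES-BLOCK and geotmp are taken from Phil's script; the chain name GEO-BLOCK, the hashsize/maxelem values, the file paths and the sample CIDRs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Phil Perry's script and not ipdeny's or firewalld's code:
# turn aggregated country zone files into (a) an `ipset restore` transcript
# that fills a temp set and swaps it with the live set, (b) the iptables
# rules that consume the set, and (c) a firewalld ipset XML file for CentOS 7.
# Set, chain and file names below are assumptions chosen for illustration.

set -u

# cidrs ZONEFILE... : one IPv4 CIDR per line, deduplicated, everything else
# dropped. ipdeny's *-aggregated.zone files are plain CIDR lists; filtering
# here means a truncated or tampered download cannot smuggle other ipset
# commands (such as a stray "destroy") into the restore transcript.
cidrs() {
    cat "$@" \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
      | awk '!seen[$0]++'
}

# build_restore LIVE TMP ZONEFILE... : emit `ipset restore` input on stdout.
build_restore() {
    live="$1"; tmp="$2"; shift 2
    # swap needs both sets to exist with the same type; -exist makes create
    # a no-op on later runs instead of an error that aborts the restore.
    printf 'create %s hash:net family inet hashsize 4096 maxelem 262144 -exist\n' "$tmp"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 262144 -exist\n' "$live"
    cidrs "$@" | awk -v s="$tmp" '{ print "add", s, $0, "-exist" }'
    # The live set is replaced in one kernel operation, so no packet is ever
    # evaluated against a half-filled or empty set.
    printf 'swap %s %s\n' "$tmp" "$live"
    printf 'destroy %s\n' "$tmp"
}

# iptables_rules LIVE CHAIN : shell commands wiring the set into INPUT.
# Only syntax present in iptables 1.4.7 (CentOS 6) is used, so a "delete,
# then insert" pair stands in for the newer -C check to keep reruns idempotent.
iptables_rules() {
    live="$1"; chain="$2"
    printf 'iptables -N %s 2>/dev/null\n' "$chain"
    printf 'iptables -F %s\n' "$chain"
    printf 'iptables -A %s -m set --match-set %s src -j DROP\n' "$chain" "$live"
    printf 'iptables -D INPUT -j %s 2>/dev/null\n' "$chain"
    printf 'iptables -I INPUT 1 -j %s\n' "$chain"
}

# firewalld_ipset_xml ZONEFILE... : the same data as a firewalld ipset, to be
# saved as /etc/firewalld/ipsets/NAME.xml (assumed name) and then used with
#   firewall-cmd --permanent --add-rich-rule='rule source ipset=NAME drop'
firewalld_ipset_xml() {
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<ipset type="hash:net">\n'
    printf '  <option name="family" value="inet"/>\n'
    printf '  <option name="maxelem" value="262144"/>\n'
    cidrs "$@" | awk '{ print "  <entry>" $0 "</entry>" }'
    printf '</ipset>\n'
}

# demo: run the generators over constructed sample zone files (not real
# ipdeny data) so the output can be read before it is fed to `ipset restore`.
demo() {
    d=$(mktemp -d)
    printf '# constructed sample\n1.0.1.0/24\n1.0.2.0/23\nnot-a-cidr\n' > "$d/cn-aggregated.zone"
    printf '1.0.2.0/23\n5.8.8.0/21\n' > "$d/ru-aggregated.zone"
    build_restore COUNTRIES-BLOCK geotmp "$d"/*.zone
    iptables_rules COUNTRIES-BLOCK GEO-BLOCK
    firewalld_ipset_xml "$d"/*.zone
    rm -rf "$d"
}

# Real use: build_restore COUNTRIES-BLOCK geotmp /path/to/*.zone | sudo ipset restore
if [ "${1-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the three outputs. Feeding the whole transcript to a single `ipset restore` is what makes the update cheap: one process, one netlink session, and the set the firewall is matching against is replaced by `swap` rather than being flushed and refilled while traffic flows.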
Re: [CentOS] CentOS 6.X, iptables 1.47 and GeoLite2 Country Database
On Mon, Jan 14, 2019 at 07:29:45AM +, Phil Perry (ppe...@elrepo.org) wrote:
> On 14/01/2019 07:09, Jobst Schmalenbach wrote:
>> Hi
>
> I use ipdeny's aggregated country lists to do the same thing:
>
> http://www.ipdeny.com/ipblocks/data/aggregated/
>
> I just feed this data directly into ipset/iptables via a script running on
> my firewall (not a C6 box). ipset is a really efficient way of doing this.

Do you create a separate table, then feed every IP address (via ipset) into this chain?

Would you mind sharing this script?

thx
Jobst

--
Computers are like air conditioners, they stop working properly if you open Windows!

  | |0| |  Jobst Schmalenbach, General Manager
  | | |0|  Barrett & Sales Essentials
  |0|0|0|  +61 3 9533 , POBox 277, Caulfield South, 3162, Australia
Re: [CentOS] @reboot only some lines of a script are working (yum install not)
Hello.

Solved. The proxy in yum.conf is working when starting yum in a crontab environment.

Ralf

Quote from Ralf Prengel:
> Quote from Mogens Kjaer:
>> On 1/10/19 11:32 AM, Ralf Prengel wrote:
>>> yum install doesn't work running the script via cron although yum remove works.
>>
>> Is the network up when the script executes?
>
> Hello,
>
> yes it is up. Result of 10 pings is fine as first line in the script.
>
> Any other ideas?
>
> Ralf
Re: [CentOS] @reboot only some lines of a script are working (yum install not)
Found this after using debug-level. It seems as if curl doesn't use the proxy configuration. We are using port 8080.

  2019-01-14 09:57:06,919 attempt 1/10: http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock
  2019-01-14 09:57:35,048 exception: [Errno 14] curl#7 - "Failed connect to mirrorlist.centos.org:80; Die Operation ist jetzt in Bearbeitung" (German for "Operation now in progress")
  2019-01-14 09:57:35,049 retrycode (14) not in list [-1, 2, 4, 5, 6, 7], re-raising

Quote from Ralf Prengel:
> OK, a good hint. I will test it Monday.
>
> Ralf
>
> Sent from my iPhone
>
>> On 10.01.2019 at 18:23, Mogens Kjaer wrote:
>>> On 1/10/19 11:32 AM, Ralf Prengel wrote:
>>>> yum install doesn't work running the script via cron although yum remove works.
>>>
>>> Is the network up when the script executes?
>>>
>>> Mogens
>>>
>>> --
>>> Mogens Kjaer, m...@lemo.dk
>>> http://www.lemo.dk
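What this thread turns on, as an added example that is not the poster's script: cron starts a job with an almost empty environment, so an http_proxy exported from a login shell's dotfiles is not there, and yum (through urlgrabber/curl) then tries to reach the mirrorlist directly and fails with the curl#7 error shown above; a proxy= line in yum.conf is read by yum itself and therefore works regardless of the environment. The yum.conf paths, the proxy URLs, the package name and the log path below are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script: show which proxy yum will actually
# use from a given process, and make it explicit for a cron job. The
# yum.conf files, proxy URLs and package below are assumptions for illustration.

set -u

# yum_conf_proxy CONF : print the proxy= value from the [main] section of a
# yum.conf, or nothing if it is unset there. Section-aware on purpose: a
# repo section may carry its own proxy= (or proxy=_none_) that must not be
# mistaken for the global one. proxy_username= and friends are not matched.
yum_conf_proxy() {
    awk '
        /^[[:space:]]*\[/ { sec = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", sec) }
        sec == "[main]" && /^[[:space:]]*proxy[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }
    ' "$1"
}

# effective_proxy CONF : the proxy yum uses from this process. yum.conf wins;
# _none_ disables proxying; otherwise the http_proxy environment variable is
# honoured; else "none". Running this from a @reboot crontab entry versus an
# interactive shell shows exactly why only one of the two works.
effective_proxy() {
    p=$(yum_conf_proxy "$1")
    if [ "$p" = "_none_" ]; then
        echo none
    elif [ -n "$p" ]; then
        echo "$p"
    elif [ -n "${http_proxy-}" ]; then
        echo "$http_proxy"
    else
        echo none
    fi
}

# cron_yum_cmd PROXY : the command line a crontab entry should run when the
# proxy is not in yum.conf. env -i reproduces cron's empty environment even
# when tested by hand; the proxy is passed explicitly so the job does not
# depend on shell dotfiles, and output is logged so a curl failure is visible.
cron_yum_cmd() {
    printf 'env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin http_proxy=%s https_proxy=%s /usr/bin/yum -y install httpd >>/var/log/reboot-install.log 2>&1\n' "$1" "$1"
}

# demo: constructed yum.conf files (not a real system's configuration).
demo() {
    d=$(mktemp -d)
    printf '[main]\ncachedir=/var/cache/yum\nproxy = http://proxy.example:8080\n\n[updates]\nproxy=_none_\n' > "$d/with-proxy.conf"
    printf '[main]\ncachedir=/var/cache/yum\nproxy_username=user\n' > "$d/no-proxy.conf"
    echo "yum.conf proxy set:     $(effective_proxy "$d/with-proxy.conf")"
    echo "yum.conf proxy unset:   $(effective_proxy "$d/no-proxy.conf")"
    echo "crontab line to use:    $(cron_yum_cmd http://proxy.example:8080)"
    rm -rf "$d"
}

if [ "${1-}" = "--demo" ]; then demo; fi
```

Run with --demo from an interactive shell with http_proxy exported, then again under `env -i`, and the second line of output changes from the exported proxy to "none", which is the state the cron job was running in.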