Jun 25 20:06:33 madeleine kernel: EXT4-fs (md3): mounted filesystem with ordered data mode. Jun 25 20:06:33 madeleine kernel: EXT4-fs (md4): mounted filesystem with ordered data mode. Jun 25 20:06:33 madeleine kernel: EXT4-fs (md0): mounted filesystem with ordered data mode. Jun 25 20:06:33 madeleine kernel: ip_set: protocol 6 Jun 25 20:06:33 madeleine kernel: Netfilter messages via NETLINK v0.30. This will be loaded by /etc/rc.d/rc.sysinit before iptables starts, as shown by this snippet from /var/log/messages It works so why bother with something else, but I am a bit of a purist and also like to increase my knowledge.įound a much more 'elegant' method to fix this that will survive rpm updates.Ĭreate a file as shown here and make ~]# cat /etc/sysconfig/modules/ipset.modules You can test for it having loaded before trying to load it with a: if thenīut it seems wrong having to do this. This suggest to me that you have to modprobe it from /etc/rc.local but then there is no guarantee of it loading before the firewall, or loading it from /etc/clearos/firewall.d/local so it loads when the firewall loads, but this seems wrong as it will try to load it every time the firewall restarts. If you remove the file you can modprobe it successfully. You can reproduce this by removing the module then using "modprobe ip_set -v" while the file etc/modprobe.d/ip_set.conf with a line "install ip_set" in it exists. If you try loading it from there you get a: WARNING: /etc/modprobe.d/ip_set.conf line 1: ignoring bad line starting with 'install' Ages ago I thought I'd be clever and load it from /etc/modprobe.d from a file I called ip_set.conf but it does not work (as I found when I rebooted the machine yesterday). I've added individual chains for each list for more verbose logging that will log which blocklist the dropped ip is coming from should you have multiples.I use ipset for various bits of firewall blocking and have a script which modprobes it if it is not loaded. I'm not wildly familiar with ipsets but this makes for a much faster method of downloading, parsing and adding blocks. Iptables -A INPUT -m set -match-set $key src -j $key Iptables -A $key -j DROP # Drop after logging Iptables -A $key -p icmp -m limit -limit 5/min -j LOG -log-prefix "Denied $key ICMP: " -log-level 7 Iptables -A $key -p udp -m limit -limit 5/min -j LOG -log-prefix "Denied $key UDP: " -log-level 7 Iptables -A $key -p tcp -m limit -limit 5/min -j LOG -log-prefix "Denied $key TCP: " -log-level 7 Iptables -X $key # Delete list chain if existed Iptables -F $key # Flush list chain if existed Iptables -D INPUT -m set -match-set $key src -j $key # Delete link to list chain from INPUT # TODO method for determining appropriate maxelemĭone < <(zcat /tmp/blacklist_$key.gz | sed '1,2d' | sed s/.*://) Ipset create $key hash:net maxelem 400000 Wget -output-document=/tmp/blacklist_$key.gz -w 3 $ I had originally used as an example and tidied up / changed parts of the script to pretty close to what's below: #!/bin/bash I am trying to use blocklists to add regional blocks (China, Russia.) to my firewall rules and am struggling with the length it takes my script to complete and understanding why a different script fails to work. I am using Ubuntu Server 14.04 32bit for the following.
0 Comments
Leave a Reply. |