Feature Request: block country by ipset nethash rule table
Posted: 22 Jun 2013, 19:43
by xcron
Hello,
I have tried to block all "US" IPs with CC_DENY = "US" but it's slowing down iptables a lot. Transfers are going down to 1-2mb/s.
Would it be possible for you to add this feature in combination with ipset tool?
It's quite simple in terms of use:
ipset -N geoblock nethash
for IP in $(wget -O - ipdeny ipblocks/data/countries/us.zone) #<-- sorry, couldn't post URLs yet
do
ipset -A geoblock $IP
done
iptables -A INPUT -m set --set geoblock src -j DROP
iptables -A OUTPUT -m set --set geoblock dst -j DROP
Requirements: ip_set kernel module, CONFIG_NETFILTER_XT_SET must be true in kernel config.
It would be really cool if CSF covered it that way since it's 10000 times faster and doesn't slow anything down.
Bye,
xcron
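The procedure in the post above, written out as an added example (not code from the thread or from CSF): it uses the current ipset 6 syntax (`create`/`hash:net`, `-m set --match-set`) rather than the older `-N`/`nethash`/`--set` forms, bulk-loads the set through `ipset restore` instead of one `ipset -A` per line, and refreshes it by building a temporary set and swapping it in, so the live DROP rule never matches against a half-filled set. Lines of the zone file that are not a plain address or CIDR are dropped before they reach `ipset restore`, so a corrupted or tampered download cannot smuggle ipset commands into the restore stream. The set names, the `hashsize`/`maxelem` values and the zone file path are assumptions; fetching the zone file itself is left to the caller since the post's URL was stripped by the forum.

```shell
#!/bin/sh
# Added example: country-block set with ipset, loaded in bulk and refreshed
# atomically. Not from the forum thread or from CSF. Assumes ipset >= 6 and
# iptables with the "set" match. Set names and file paths are assumptions.

# Read a zone file (one IPv4 address or CIDR per line) on stdin and emit
# "ipset restore" input for set $1. Anything that is not a.b.c.d or
# a.b.c.d/nn is discarded, so a corrupt download cannot inject commands.
zone_to_restore() {
  set_name="$1"
  printf 'create %s hash:net family inet hashsize 4096 maxelem 65536 -exist\n' "$set_name"
  printf 'flush %s\n' "$set_name"
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    while IFS= read -r cidr; do
      printf 'add %s %s\n' "$set_name" "$cidr"
    done
}

# Load or refresh set $1 from zone file $2 without a window where the set is
# empty or partial: fill a temporary set, then swap it with the live one.
# Needs root, the ip_set kernel module and the ipset binary.
load_zone_set() {
  set_name="$1"
  zone_file="$2"
  tmp_set="${set_name}_tmp"
  zone_to_restore "$tmp_set" < "$zone_file" | ipset restore
  ipset create "$set_name" hash:net family inet -exist
  ipset swap "$tmp_set" "$set_name"
  ipset destroy "$tmp_set"
}

# Reference the set from iptables once; later refreshes only touch the set.
# "-C" checks for an existing rule so repeated runs do not duplicate it.
install_rules() {
  set_name="$1"
  iptables -C INPUT -m set --match-set "$set_name" src -j DROP 2>/dev/null ||
    iptables -I INPUT -m set --match-set "$set_name" src -j DROP
  iptables -C OUTPUT -m set --match-set "$set_name" dst -j DROP 2>/dev/null ||
    iptables -I OUTPUT -m set --match-set "$set_name" dst -j DROP
}

# Usage (as root, after downloading the zone file to /tmp/us.zone):
#   load_zone_set geoblock /tmp/us.zone && install_rules geoblock
# Re-running load_zone_set with a fresh zone file refreshes the set in place.
```

Because the iptables rule points at the set name rather than at individual addresses, the kernel does a hash lookup per packet regardless of how many networks are loaded, which is the speed-up the post is asking for; refreshing the list is a matter of re-running `load_zone_set`, and the rules themselves never change.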
Re: Feature Request: block country by ipset nethash rule tab
Posted: 30 Jul 2014, 12:15
by marcele
+1 for ipset support in CSF. I know this is an old feature request but from reading the docs it looks like it would be great for adding any large iptables sets like country or blocklists.
The homepage:
http://ipset.netfilter.org/index.html
A good write up:
http://blog.ls20.com/securing-your-serv ... locklists/
Cheers!
Re: Feature Request: block country by ipset nethash rule tab
Posted: 09 Aug 2014, 03:35
by weetabix
+1 from me as well
I would love to be able to use huge blocklists with csf.
Re: Feature Request: block country by ipset nethash rule tab
Posted: 09 Aug 2014, 13:08
by marcele
Some additional notes:
1. Most of the major distros now have ipset in their repos. E.g. for CentOS it's just a matter of turning on the EPEL repo and doing "yum install ipset".
2. ipset isn't supported in OpenVZ but they are working on it:
https://bugzilla.openvz.org/show_bug.cgi?id=2644
Probably the best way to implement it would be to only use it if it is installed, otherwise use the current system and try to work around large country lists using CC_DROP_CIDR to limit the size of the CC_DENY/CC_ALLOW/CC_ALLOW_FILTER.
Re: Feature Request: block country by ipset nethash rule tab
Posted: 15 Aug 2014, 07:21
by Sergio
It could be nice to see this in CSF.
+1
Re: Feature Request: block country by ipset nethash rule tab
Posted: 15 Sep 2014, 04:42
by brianoz
ipset allows large sets of IPs to be blocked without performance degrading.
This sounds absolutely fantastic and it would make a lot of things like blocking countries and using all the blocklists possible.
Just wanting to add my vote. This would really set CSF apart as I don't think the others do this yet.
No idea exactly how much work is involved but I'm sure it's not a small amount!
(this is worth considering for others asking)
Re: Feature Request: block country by ipset nethash rule tab
Posted: 22 Sep 2014, 11:03
by ForumAdmin
This is coming in BETA form in the next release.
Re: Feature Request: block country by ipset nethash rule tab
Posted: 22 Sep 2014, 16:37
by Sergio
GREAT!
Re: Feature Request: block country by ipset nethash rule tab
Posted: 23 Sep 2014, 09:04
by brianoz
Leading the industry as usual!
Re: Feature Request: block country by ipset nethash rule tab
Posted: 30 Sep 2014, 15:40
by ForumAdmin
This has now been added to the new v7.50 release:
http://blog.configserver.com