Ipset - Block an IP Range

Sometimes you may find the need to block a range of IP addresses. I will use archive.org, the Wayback Machine, as an example. Archive.org ignores robots.txt and makes copies of your website even when you ask it not to, so it becomes necessary to block it. Here's how you do it.

You will need to install the following packages if you do not already have them.

sudo apt install ipset iptables netfilter-persistent ipset-persistent iptables-persistent

Click the 'Yes' button in response to the system questions.

Now let's enable netfilter-persistent so that it can save our new rules. Without it, all our new rules would be wiped out at the next reboot.

sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent
sudo systemctl start netfilter-persistent

Now let's create a blacklist group and add archive.org's IP address range to the group.

sudo ipset create blacklist hash:net hashsize 4096
sudo ipset add blacklist 207.241.224.0/24

The add blacklist command above covers all IP addresses from 207.241.224.0 to 207.241.224.255. However, the Wayback Machine's IP address range is much larger: 207.241.224.0 - 207.241.239.255. To capture all of those addresses, the add blacklist command can be written with a /20 instead:

sudo ipset add blacklist 207.241.224.0/20

A CIDR address calculator such as https://www.ipaddressguide.com/cidr is helpful.
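Instead of an online calculator, the CIDR blocks for a range can be computed locally. The following script is an added example, not part of the original post: it turns a first/last address pair into the smallest set of CIDR blocks, emits the matching ipset commands for a set named blacklist (the name used above), and lets you confirm whether a given address would be caught before you apply anything. It only prints commands; it does not call ipset itself.

```python
#!/usr/bin/env python3
"""Compute CIDR blocks covering an IP range and emit ipset commands.

Added example for the ipset post. It relies only on the standard
library's ipaddress module and never touches the live firewall.
"""
import ipaddress
from typing import List, Tuple

SET_NAME = "blacklist"  # same set name the post uses


def cidrs_for_range(first: str, last: str) -> List[str]:
    """Smallest list of CIDR blocks that exactly covers first..last.

    A range that does not sit on a power-of-two boundary needs more
    than one block; summarize_address_range handles that for us.
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def cidr_bounds(cidr: str) -> Tuple[str, str]:
    """First and last address of a block, e.g. x.y.z.0/24 -> (.0, .255)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def ipset_commands(first: str, last: str, set_name: str = SET_NAME) -> List[str]:
    """Commands to create the set, add every block and save the result.

    -exist makes both create and add idempotent, so re-running the
    printed commands after a reboot or a second pass is harmless.
    """
    cmds = [f"ipset create -exist {set_name} hash:net hashsize 4096"]
    cmds += [f"ipset add -exist {set_name} {c}" for c in cidrs_for_range(first, last)]
    cmds.append("netfilter-persistent save")
    return cmds


def would_block(first: str, last: str, ip: str) -> bool:
    """True if ip falls inside any block computed for the range.

    Check an address you rely on (your own, your monitoring host) here
    before loading the blocks, to make sure the range is not too wide.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs_for_range(first, last))


if __name__ == "__main__":
    # Wayback Machine range quoted in the post
    for cmd in ipset_commands("207.241.224.0", "207.241.239.255"):
        print("sudo " + cmd)
```

Running it prints the three sudo commands for the /20 shown above; a misaligned range such as 207.241.224.0 - 207.241.240.0 produces two add commands instead of one.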

Now, let's create a rule to add the blacklist group to iptables.

sudo iptables -I INPUT -m set --match-set blacklist src -j DROP

Note: You will need to re-run the save command. In fact, every time you add new IP addresses to the blacklist group, you will need to re-run it:

sudo netfilter-persistent save

Running the save command will update the file located at:

/etc/iptables/ipsets

If you want to review the IP addresses in your blacklist (replace blacklist with any other name that you might have chosen for the group):

sudo ipset list blacklist

You will also want to check the iptables rules to make sure that your blacklist is included:

sudo iptables -L --line-numbers

Note: If you are already using Fail2Ban like I am, you will run into the following issue. At reboot, Fail2Ban loads its rules, and netfilter-persistent loads the copies it saved, so the Fail2Ban rules end up loaded twice. This can be prevented by editing the rules.v4 file:

sudo nano /etc/iptables/rules.v4

My two Fail2Ban jails are sshd and hacker. The netfilter-persistent commands are the lines beginning with -A. These lines load the jails' IP addresses in addition to Fail2Ban loading them itself, so the related -A lines will need to be deleted.

-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-hacker
-A f2b-hacker -s ...
-A f2b-sshd -s ...

The quickest way to perform the edits is to copy the rules.v4 file to your home directory, change the ownership from root to yourself, make the edits with your FTP editor such as WinSCP, and then copy the file back to /etc/iptables as follows.

sudo cp /etc/iptables/rules.v4 /home/robert/rules.v4
sudo chown robert /home/robert/rules.v4
sudo cp /home/robert/rules.v4 /etc/iptables/rules.v4

You can always add more IP addresses to your blacklist. Here I am adding the domain range for domaintools.com since I consider them to be a nuisance.

sudo ipset add blacklist 141.193.213.0/24

After adding more IP addresses to the blacklist, you will again need to re-run the save command to make them persistent (i.e. carry over after the next reboot):

sudo netfilter-persistent save

Again, if you have Fail2Ban, you will need to re-upload your edited rules.v4 file after each save to prevent your Fail2Ban jails from being loaded twice.

sudo cp /home/robert/rules.v4 /etc/iptables/rules.v4

posted by Robert on Thu, Aug 04, 2022
