Feature Request: block country by ipset nethash rule table

xcron
Junior Member
Posts: 1
Joined: 22 Jun 2013, 19:35

Feature Request: block country by ipset nethash rule table

Post by xcron »

Hello,

I have tried to block all "US" IPs with CC_DENY = "US", but it slows down iptables a lot. Transfers go down to 1-2mb/s.
Would it be possible for you to add this feature in combination with the ipset tool?

It's quite simple in terms of use:

ipset -N geoblock nethash
for IP in $(wget -O - ipdeny ipblocks/data/countries/us.zone) # <-- sorry, couldn't post URLs yet
do
ipset -A geoblock $IP
done
iptables -A INPUT -m set --set geoblock src -j DROP
iptables -A OUTPUT -m set --set geoblock dst -j DROP

Requirements: ip_set kernel module, CONFIG_NETFILTER_XT_SET must be true in kernel config.

Would be really cool if CSF would cover it that way, since it's 10000 times faster and doesn't slow down anything.

Bye,

xcron
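The recipe above adds entries one `ipset -A` call at a time. As an added example (not code from the thread or from CSF), this script turns a zone file into an `ipset restore` script instead, builds the set under a temporary name and swaps it in, so the live set never goes empty during a reload. It assumes ipset 6 syntax (`hash:net`, `--match-set`), a set named `geoblock`, and the one-CIDR-per-line format ipdeny publishes; the zone data below is constructed.

```shell
#!/bin/sh
# Added example: convert a country zone file into an "ipset restore" script.
# Assumptions: ipset 6.x syntax, set name "geoblock", one CIDR per line.

# Constructed sample zone file (not real ipdeny data); includes junk lines
# to show they are filtered out rather than fed to ipset.
SAMPLE_ZONE='198.51.100.0/24
203.0.113.0/24
# comment line
not-a-cidr
192.0.2.0/24
'

# Print a restore script for the given set name; reads CIDRs from stdin.
# The set is rebuilt in "<name>_tmp" and atomically swapped into place.
# Lines that are not a dotted quad with an optional /prefix are skipped.
zone_to_restore() {
    set_name=$1
    tmp_set="${set_name}_tmp"
    printf 'create %s hash:net\n' "$set_name"
    printf 'create %s hash:net\n' "$tmp_set"
    printf 'flush %s\n' "$tmp_set"
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
        | sed "s|^|add $tmp_set |"
    printf 'swap %s %s\n' "$tmp_set" "$set_name"
    printf 'destroy %s\n' "$tmp_set"
}

# Number of CIDRs from the sample that survive filtering (used as a check).
count_adds() {
    printf '%s' "$SAMPLE_ZONE" | zone_to_restore geoblock | grep -c '^add '
}

# Usage on a real host (root, xt_set module loaded); -exist lets the
# "create" lines succeed when the sets already exist from a previous run:
#   curl -s "$ZONE_URL" | zone_to_restore geoblock | ipset -exist restore
#   iptables -I INPUT -m set --match-set geoblock src -j DROP
```

Because the rules reference the set by name, the iptables rules stay in place across reloads and only the set contents change.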
marcele
Junior Member
Posts: 214
Joined: 17 Sep 2007, 17:02

Re: Feature Request: block country by ipset nethash rule tab

Post by marcele »

+1 for ipset support in CSF. I know this is an old feature request but from reading the docs it looks like it would be great for adding any large iptables sets like country or blocklists.

The homepage:
http://ipset.netfilter.org/index.html

A good write up:
http://blog.ls20.com/securing-your-serv ... locklists/

Cheers!
weetabix
Junior Member
Posts: 3
Joined: 09 Aug 2014, 03:32

Re: Feature Request: block country by ipset nethash rule tab

Post by weetabix »

+1 from me as well

I would love to be able to use huge blocklists with csf.
marcele
Junior Member
Posts: 214
Joined: 17 Sep 2007, 17:02

Re: Feature Request: block country by ipset nethash rule tab

Post by marcele »

Some additional notes:

1. Most of the major distros now have ipset in their repos. E.g. for CentOS it's just a matter of turning on the EPEL repo and doing "yum install ipset".

2. ipset isn't supported in OpenVZ, but they are working on it:
https://bugzilla.openvz.org/show_bug.cgi?id=2644

Probably the best way to implement it would be to only use it if it is installed; otherwise use the current system and try to work around large country lists using CC_DROP_CIDR to limit the size of CC_DENY/CC_ALLOW/CC_ALLOW_FILTER.
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: Feature Request: block country by ipset nethash rule tab

Post by Sergio »

It could be nice to see this in CSF.

+1
brianoz
Junior Member
Posts: 34
Joined: 10 Dec 2006, 21:15

Re: Feature Request: block country by ipset nethash rule tab

Post by brianoz »

ipset allows large sets of IPs to be blocked without performance degrading.

This sounds absolutely fantastic and it would make a lot of things like blocking countries and using all the blocklists possible.

Just wanting to add my vote. This would really set CSF apart, as I don't think the others do this yet.

No idea exactly how much work is involved but I'm sure it's not a small amount!

(this is worth considering for others asking)
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: Feature Request: block country by ipset nethash rule tab

Post by ForumAdmin »

This is coming in BETA form in the next release.
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: Feature Request: block country by ipset nethash rule tab

Post by Sergio »

GREAT!
brianoz
Junior Member
Posts: 34
Joined: 10 Dec 2006, 21:15

Re: Feature Request: block country by ipset nethash rule tab

Post by brianoz »

Leading the industry as usual! :)
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: Feature Request: block country by ipset nethash rule tab

Post by ForumAdmin »

This has now been added to the new v7.50 release:
http://blog.configserver.com