updated with new scripts

README.md

@@ -6,14 +6,6 @@ The different files are listed in lists and are hopefully somewhat self explanat
 
 Anything with .list end in the zone folder will be added to the block list. This was initially used to block countries, but you can use it to block anything. 
 
-Add ```update.sh``` in your cron
+This now uses systemd. Move the systemd service and do a ```systemstl daemon-reload``` then ```systemctl enable iptables --now```
 
-Load iptables and ipset rules however you please on start up
+There may be a better way to do this, but this works for me on my servers. 
-
-This is done by the following. Some of my servers have it in ```/etc/rc.local``` others have it in ```/etc/network/interface``` as post-up script
-
-```iptables-restore < /path/to/iptables.save```
-
-```ipset restore < /path/to/ipset.save```
-
-There may be a better way to do this, but this works for me on some servers. 

etc/iptables/README.md

@@ -0,0 +1,19 @@
+# iptables
+
+Here is my script that I use to update iptables with data. 
+
+The different files are listed in lists and are hopefully somewhat self explanatory
+
+Anything with .list end in the zone folder will be added to the block list. This was initially used to block countries, but you can use it to block anything. 
+
+Add ```update.sh``` in your cron
+
+Load iptables and ipset rules however you please on start up
+
+This is done by the following. Some of my servers have it in ```/etc/rc.local``` others have it in ```/etc/network/interface``` as post-up script
+
+```iptables-restore < /path/to/iptables.save```
+
+```ipset restore < /path/to/ipset.save```
+
+There may be a better way to do this, but this works for me on some servers. 

etc/iptables/ipset.save

@@ -37735,169 +37735,3 @@ add drop 121.101.64.0/18
 add drop 94.125.186.0/24
 add drop 212.40.192.0/19
 add drop 195.128.96.0/22
-create allowHTTPS hash:net family inet hashsize 1024 maxelem 65536
-add allowHTTPS 173.245.48.0/20
-add allowHTTPS 103.31.4.0/22
-add allowHTTPS 172.64.0.0/13
-add allowHTTPS 197.234.240.0/22
-add allowHTTPS 198.41.128.0/17
-add allowHTTPS 188.114.96.0/20
-add allowHTTPS 141.101.64.0/18
-add allowHTTPS 108.162.192.0/18
-add allowHTTPS 190.93.240.0/20
-add allowHTTPS 131.0.72.0/22
-add allowHTTPS 104.16.0.0/12
-add allowHTTPS 162.158.0.0/15
-add allowHTTPS 103.22.200.0/22
-add allowHTTPS 103.21.244.0/22
-create allowSSH hash:net family inet hashsize 1024 maxelem 65536
-add allowSSH 97.255.128.0/18
-add allowSSH 174.255.255.254
-add allowSSH 70.223.240.0/21
-add allowSSH 70.223.254.0/24
-add allowSSH 70.223.255.254
-add allowSSH 70.223.255.248/30
-add allowSSH 174.255.240.0/21
-add allowSSH 70.208.0.0/13
-add allowSSH 70.223.255.252/31
-add allowSSH 66.174.255.240/29
-add allowSSH 69.103.255.255
-add allowSSH 97.255.255.0/25
-add allowSSH 174.255.255.240/29
-add allowSSH 69.82.0.0/16
-add allowSSH 66.174.255.254
-add allowSSH 66.174.192.0/19
-add allowSSH 172.32.0.0/11
-add allowSSH 192.182.251.66
-add allowSSH 97.254.0.0/16
-add allowSSH 174.255.255.192/27
-add allowSSH 69.103.254.0/24
-add allowSSH 206.29.160.0/19
-add allowSSH 70.223.248.0/22
-add allowSSH 69.103.192.0/19
-add allowSSH 174.248.0.0/14
-add allowSSH 97.255.255.252/31
-add allowSSH 69.83.254.0/24
-add allowSSH 70.223.255.128/26
-add allowSSH 72.250.0.0/17
-add allowSSH 69.83.255.224/28
-add allowSSH 69.83.128.0/18
-add allowSSH 97.248.0.0/14
-add allowSSH 174.255.255.248/30
-add allowSSH 69.103.255.192/27
-add allowSSH 45.76.15.216/31
-add allowSSH 97.255.240.0/21
-add allowSSH 66.174.255.248/30
-add allowSSH 69.103.240.0/21
-add allowSSH 97.255.255.224/28
-add allowSSH 97.255.255.255
-add allowSSH 69.102.0.0/16
-add allowSSH 69.83.255.248/30
-add allowSSH 66.174.252.0/23
-add allowSSH 70.223.0.0/17
-add allowSSH 69.103.224.0/20
-add allowSSH 66.174.255.192/27
-add allowSSH 66.174.254.0/24
-add allowSSH 70.223.255.192/27
-add allowSSH 69.103.128.0/18
-add allowSSH 208.54.0.0/17
-add allowSSH 69.83.255.0/25
-add allowSSH 72.240.0.0/15
-add allowSSH 174.255.255.128/26
-add allowSSH 69.83.255.252/31
-add allowSSH 208.54.128.0/19
-add allowSSH 70.223.252.0/23
-add allowSSH 50.28.192.0/18
-add allowSSH 157.230.229.117
-add allowSSH 174.254.0.0/16
-add allowSSH 162.160.0.0/11
-add allowSSH 97.255.0.0/17
-add allowSSH 174.255.224.0/20
-add allowSSH 69.103.255.224/28
-add allowSSH 70.223.255.224/28
-add allowSSH 66.174.255.0/25
-add allowSSH 69.103.255.128/26
-add allowSSH 70.192.0.0/12
-add allowSSH 97.240.0.0/13
-add allowSSH 97.255.254.0/24
-add allowSSH 174.224.0.0/12
-add allowSSH 69.103.248.0/22
-add allowSSH 70.220.0.0/15
-add allowSSH 174.255.252.0/23
-add allowSSH 70.223.128.0/18
-add allowSSH 69.103.255.254
-add allowSSH 174.255.254.0/24
-add allowSSH 69.83.252.0/23
-add allowSSH 97.252.0.0/15
-add allowSSH 69.83.240.0/21
-add allowSSH 174.141.208.0/20
-add allowSSH 174.240.0.0/13
-add allowSSH 66.174.128.0/18
-add allowSSH 45.76.28.244
-add allowSSH 69.83.255.255
-add allowSSH 69.103.255.248/30
-add allowSSH 97.255.192.0/19
-add allowSSH 216.155.160.0/20
-add allowSSH 97.224.0.0/12
-add allowSSH 69.83.248.0/22
-add allowSSH 174.255.255.255
-add allowSSH 66.174.255.252/31
-add allowSSH 45.76.15.216
-add allowSSH 174.255.248.0/22
-add allowSSH 69.103.0.0/17
-add allowSSH 70.223.255.0/25
-add allowSSH 174.255.128.0/18
-add allowSSH 69.83.255.254
-add allowSSH 70.216.0.0/14
-add allowSSH 174.252.0.0/15
-add allowSSH 174.255.192.0/19
-add allowSSH 69.103.255.252/31
-add allowSSH 66.174.255.128/26
-add allowSSH 66.174.0.0/17
-add allowSSH 66.174.248.0/22
-add allowSSH 172.98.199.107
-add allowSSH 69.103.252.0/23
-add allowSSH 69.83.255.128/26
-add allowSSH 149.28.123.155
-add allowSSH 69.83.255.192/27
-add allowSSH 69.83.255.240/29
-add allowSSH 70.222.0.0/16
-add allowSSH 70.223.255.240/29
-add allowSSH 66.94.0.0/19
-add allowSSH 66.174.240.0/21
-add allowSSH 69.103.255.0/25
-add allowSSH 174.255.255.252/31
-add allowSSH 69.96.0.0/14
-add allowSSH 97.255.255.240/29
-add allowSSH 100.128.0.0/9
-add allowSSH 70.223.224.0/20
-add allowSSH 69.83.0.0/17
-add allowSSH 69.103.255.240/29
-add allowSSH 70.223.255.255
-add allowSSH 149.28.42.0/23
-add allowSSH 97.255.255.192/27
-add allowSSH 97.255.252.0/23
-add allowSSH 67.211.160.0/24
-add allowSSH 69.100.0.0/15
-add allowSSH 174.255.0.0/17
-add allowSSH 69.83.224.0/20
-add allowSSH 97.255.255.254
-add allowSSH 97.192.0.0/11
-add allowSSH 97.128.0.0/10
-add allowSSH 69.83.192.0/19
-add allowSSH 97.255.255.248/30
-add allowSSH 66.174.255.224/28
-add allowSSH 66.174.224.0/20
-add allowSSH 174.192.0.0/11
-add allowSSH 174.255.255.0/25
-add allowSSH 97.255.255.128/26
-add allowSSH 70.223.192.0/19
-add allowSSH 66.174.255.255
-add allowSSH 174.255.255.224/28
-add allowSSH 162.248.242.96/29
-add allowSSH 97.255.248.0/22
-add allowSSH 97.255.224.0/20
-create directHTTPS hash:net family inet hashsize 1024 maxelem 65536
-add directHTTPS 67.211.160.100
-add directHTTPS 72.241.86.95
-add directHTTPS 72.240.75.15

etc/iptables/rules.v4

@@ -0,0 +1,11 @@
+# Generated by iptables-save v1.4.21 on Sat May 13 10:34:33 2017
+*filter
+:INPUT ACCEPT [59:5736]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [45:49826]
+
+-A INPUT -m set --match-set drop src -j DROP
+-A OUTPUT -m set --match-set drop dst -j DROP
+
+COMMIT
+# Completed on Sat May 13 10:34:33 2017

etc/iptables/service.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# Configure iptables firewall
+
+# Limit PATH
+PATH="/sbin:/usr/sbin:/bin:/usr/bin"
+
+# Download
+ip_update() {
+	wget -q 'https://www.cloudflare.com/ips-v4' -O /etc/iptables/list/CF.list
+	wget -q 'http://ipdeny.com/ipblocks/data/countries/ru.zone' -O /etc/iptables/zone/ru.zone
+	wget -q 'http://ipdeny.com/ipblocks/data/countries/cn.zone' -O /etc/iptables/zone/cn.zone
+	wget -q 'http://ipdeny.com/ipblocks/data/countries/in.zone' -O /etc/iptables/zone/in.zone
+	wget -q 'http://ipdeny.com/ipblocks/data/countries/iq.zone' -O /etc/iptables/zone/iq.zone
+	wget -q 'http://ipdeny.com/ipblocks/data/countries/jp.zone' -O /etc/iptables/zone/jp.zone
+	wget -q 'http://ipdeny.com/ipblocks/data/countries/kp.zone' -O /etc/iptables/zone/kp.zone
+	wget -q 'http://ipdeny.com/ipblocks/data/countries/kr.zone' -O /etc/iptables/zone/kr.zone
+	wget -q 'http://ipdeny.com/ipblocks/data/countries/id.zone' -O /etc/iptables/zone/id.zone
+	wget -q 'http://ipdeny.com/ipblocks/data/countries/cf.zone' -O /etc/iptables/zone/cf.zone
+	wget -q 'http://ipdeny.com/ipblocks/data/countries/za.zone' -O /etc/iptables/zone/za.zone
+	wget -q 'http://ipdeny.com/ipblocks/data/countries/co.zone' -O /etc/iptables/zone/co.zone
+}
+# ipset update
+firewall_update() {
+	ip_update
+	for i in $(cat /etc/iptables/zone/*.zone ); do ipset -exist -A drop $i; done
+}
+
+# iptables configuration
+firewall_start() {
+	ipset create drop hash:net family inet hashsize 16384 maxelem 65536
+	ip_update
+	for i in $(cat /etc/iptables/zone/*.zone ); do ipset -exist -A drop $i; done
+	iptables -A INPUT -m set --match-set drop src -j DROP
+	iptables -A OUTPUT -m set --match-set drop dst -j DROP
+}
+
+# clear iptables configuration
+firewall_stop() {
+	iptables -F
+	iptables -X
+	iptables -P INPUT   ACCEPT
+	iptables -P FORWARD ACCEPT
+	iptables -P OUTPUT  ACCEPT
+	ipset destroy drop
+}
+
+# execute action
+case "$1" in
+	start|restart)
+		echo "Starting firewall"
+		firewall_stop
+		firewall_start
+		echo "Firewall started"
+	;;
+	stop)
+		echo "Stopping firewall"
+		firewall_stop
+		echo "Firewall stopped"
+	;;
+	update)
+		echo "Update ipset IPs"
+		firewall_update
+		echo "updated ipset IPs"
+	;;
+esac

etc/systemd/system/iptables.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=iptables firewall service
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/etc/iptables/service.sh start
+RemainAfterExit=true
+ExecStop=/etc/iptables/service.sh stop
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target

list/allowHTTPS.list

@@ -1,14 +0,0 @@
-103.21.244.0/22
-103.22.200.0/22
-103.31.4.0/22
-104.16.0.0/12
-108.162.192.0/18
-131.0.72.0/22
-141.101.64.0/18
-162.158.0.0/15
-172.64.0.0/13
-173.245.48.0/20
-188.114.96.0/20
-190.93.240.0/20
-197.234.240.0/22
-198.41.128.0/17

list/allowSSH.list

@@ -1,129 +0,0 @@
-72.240.0.0/15
-67.211.160.0/24
-66.174.0.0/17
-66.174.128.0/18
-66.174.192.0/19
-66.174.224.0/20
-66.174.240.0/21
-66.174.248.0/22
-66.174.252.0/23
-66.174.254.0/24
-66.174.255.0/25
-66.174.255.128/26
-66.174.255.192/27
-66.174.255.224/28
-66.174.255.240/29
-66.174.255.248/30
-66.174.255.252/31
-66.174.255.254/32
-66.174.255.255/32
-69.82.0.0/16
-69.83.0.0/17
-69.83.128.0/18
-69.83.192.0/19
-69.83.224.0/20
-69.83.240.0/21
-69.83.248.0/22
-69.83.252.0/23
-69.83.254.0/24
-69.83.255.0/25
-69.83.255.128/26
-69.83.255.192/27
-69.83.255.224/28
-69.83.255.240/29
-69.83.255.248/30
-69.83.255.252/31
-69.83.255.254/32
-69.83.255.255/32
-69.96.0.0/14
-69.100.0.0/15
-69.102.0.0/16
-69.103.0.0/17
-69.103.128.0/18
-69.103.192.0/19
-69.103.224.0/20
-69.103.240.0/21
-69.103.248.0/22
-69.103.252.0/23
-69.103.254.0/24
-69.103.255.0/25
-69.103.255.128/26
-69.103.255.192/27
-69.103.255.224/28
-69.103.255.240/29
-69.103.255.248/30
-69.103.255.252/31
-69.103.255.254/32
-69.103.255.255/32
-70.192.0.0/12
-70.208.0.0/13
-70.216.0.0/14
-70.220.0.0/15
-70.222.0.0/16
-70.223.0.0/17
-70.223.128.0/18
-70.223.192.0/19
-70.223.224.0/20
-70.223.240.0/21
-70.223.248.0/22
-70.223.252.0/23
-70.223.254.0/24
-70.223.255.0/25
-70.223.255.128/26
-70.223.255.192/27
-70.223.255.224/28
-70.223.255.240/29
-70.223.255.248/30
-70.223.255.252/31
-70.223.255.254/32
-70.223.255.255/32
-97.128.0.0/10
-97.192.0.0/11
-97.224.0.0/12
-97.240.0.0/13
-97.248.0.0/14
-97.252.0.0/15
-97.254.0.0/16
-97.255.0.0/17
-97.255.128.0/18
-97.255.192.0/19
-97.255.224.0/20
-97.255.240.0/21
-97.255.248.0/22
-97.255.252.0/23
-97.255.254.0/24
-97.255.255.0/25
-97.255.255.128/26
-97.255.255.192/27
-97.255.255.224/28
-97.255.255.240/29
-97.255.255.248/30
-97.255.255.252/31
-97.255.255.254/32
-97.255.255.255/32
-174.192.0.0/11
-174.224.0.0/12
-174.240.0.0/13
-174.248.0.0/14
-174.252.0.0/15
-174.254.0.0/16
-174.255.0.0/17
-174.255.128.0/18
-174.255.192.0/19
-174.255.224.0/20
-174.255.240.0/21
-174.255.248.0/22
-174.255.252.0/23
-174.255.254.0/24
-174.255.255.0/25
-174.255.255.128/26
-174.255.255.192/27
-174.255.255.224/28
-174.255.255.240/29
-174.255.255.248/30
-174.255.255.252/31
-174.255.255.254/32
-174.255.255.255/32
-149.28.43.193/23
-45.76.15.216/32
-162.248.242.98/29

list/directHTTPS.list

@@ -1,2 +0,0 @@
-72.241.86.95
-67.211.160.100

rules.v4

@@ -1,53 +0,0 @@
-# Generated by iptables-save v1.4.21 on Sat May 13 10:34:33 2017
-*filter
-:INPUT DROP [59:5736]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [45:49826]
-
--A INPUT -m set --match-set drop src -j DROP
--A OUTPUT -m set --match-set drop dst -j DROP
-
--A INPUT -p ICMP --icmp-type 8 -j ACCEPT
-
--A INPUT -m state --state INVALID -j DROP
--A FORWARD -m state --state INVALID -j DROP
-##-A OUTPUT -m state --state INVALID -j DROP
-
--A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
-
--A INPUT -m recent --name portscan --rcheck --second 86400 -j DROP
--A FORWARD -m recent --name portscan --rcheck --second 86400 -j DROP
-
--A INPUT -m recent --name portscan --remove
--A FORWARD -m recent --name portscan --remove
-
--A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
--A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
-
--A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
--A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
-#### END DROP INVALID DATA 20180408 ####
-
--A INPUT -i lo -j ACCEPT
-
-#-A INPUT -p tcp --dport 22333 -i ztwfuerpaw -j ACCEPT
-
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-#-A INPUT -m set --match-set allowHTTPS src -p tcp -m tcp --dport 443 -j ACCEPT
-#-A INPUT -m set --match-set directHTTPS src -p tcp -m tcp --dport 443 -j ACCEPT
-
--A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-
-#-A OUTPUT -j ACCEPT
-#-A FORWARD -j DROP
-##-A INPUT -i eth0 -j DROP
-#-A INPUT -j DROP
-COMMIT
-# Completed on Sat May 13 10:34:33 2017

update.sh

@@ -1,22 +0,0 @@
-#!/bin/bash
-
-wget -q 'http://ipdeny.com/ipblocks/data/countries/ru.zone' -O /etc/iptables/zone/ru.zone
-wget -q 'http://ipdeny.com/ipblocks/data/countries/cn.zone' -O /etc/iptables/zone/cn.zone
-wget -q 'http://ipdeny.com/ipblocks/data/countries/in.zone' -O /etc/iptables/zone/in.zone
-wget -q 'http://ipdeny.com/ipblocks/data/countries/iq.zone' -O /etc/iptables/zone/iq.zone
-wget -q 'http://ipdeny.com/ipblocks/data/countries/jp.zone' -O /etc/iptables/zone/jp.zone
-wget -q 'http://ipdeny.com/ipblocks/data/countries/kp.zone' -O /etc/iptables/zone/kp.zone
-wget -q 'http://ipdeny.com/ipblocks/data/countries/kr.zone' -O /etc/iptables/zone/kr.zone
-wget -q 'http://ipdeny.com/ipblocks/data/countries/id.zone' -O /etc/iptables/zone/id.zone
-wget -q 'http://ipdeny.com/ipblocks/data/countries/cf.zone' -O /etc/iptables/zone/cf.zone
-wget -q 'http://ipdeny.com/ipblocks/data/countries/za.zone' -O /etc/iptables/zone/za.zone
-wget -q 'http://ipdeny.com/ipblocks/data/countries/co.zone' -O /etc/iptables/zone/co.zone
-wget -q 'https://www.cloudflare.com/ips-v4' -O /etc/iptables/list/CF.list
-
-
-for i in $(cat /etc/iptables/zone/*.zone ); do ipset -exist -A drop $i; done
-for i in $(cat /etc/iptables/list/CF.list ); do ipset -exist -A allowHTTPS $i; done
-for i in $(cat /etc/iptables/list/allowSSH.list ); do ipset -exist -A allowSSH $i; done
-for i in $(cat /etc/iptables/list/directHTTPS.list ); do ipset -exist -A directHTTPS $i; done
-
-ipset save > /etc/iptables/ipset.save

zone/block.zone

@@ -1 +0,0 @@
-blockedIPhere/32