Add blocklists from blocklist.de to iptables


UPDATE: http://blog.schaal-24.de/?p=2683&lang=en

I use some blocklists from blocklist.de to minimize potential attacks.

Every list contains one IP per line, so the lists can easily be added to the firewall using xt_recent. I use a simple Bash script which runs daily via cron to compare my firewall with the lists.

Some definitions for the script:

BLOCKLIST defines the individual lists from blocklist.de.

OPT_RECENT contains the options for the recent match. --update means

I don’t want to see you for n seconds, but if I see you again during this time, I’ll block you again.

While --rcheck only means

I’ll block you for the n seconds.

OPT_CHAIN_PREFIX is just the prefix for the jails.

MAX_IP defines the maximum number of IP addresses stored by xt_recent. By default xt_recent stores only 100 IP addresses.

If one or more of the rules is not already present, the script adds the rule to your firewall.

To avoid blocking every IP for all services, you can adjust the ports (--dports) per list.

See the script below, or simply download it.


#!/bin/bash

# Script to add banlists to the firewall
#
# Created: 02/17/2013
# Version: 1.0
# Author: Florian Schaal (info@schaal-24.de)
#
# Copyright (c) 2012 Florian Schaal (info@schaal-24.de.)
# All rights reserved.
#
# This script is free software
# you can redistribute it and/or modify it under
# the terms of the GNU General Public License.
# See http://www.fsf.org/licensing/licenses/gpl.html
#
# This script is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY;
# without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

# binaries
IPTABLES=`which iptables`
WGET=`which wget`

# CONFIG
# lists from http://www.blocklist.de/en/export.html
BLOCKLIST="all ssh mail apache imap ftp sip bots strongips ircbot"
BLOCKLIST_URL="http://lists.blocklist.de/lists/"

# options for recent
OPT_RECENT="--update --seconds 86400 --hitcount 1"
OPT_CHAIN_PREFIX="block"
OPT_ACTION=" -j REJECT"
MAX_IP=10000

# insert the given rule at the top of INPUT unless it is already there
# (-C only checks for the rule and needs iptables 1.4.11 or newer)
check_chain () {
  $IPTABLES -C INPUT $1 2>/dev/null
  if [ $? -ne 0 ]; then
    echo "insert rule for chain in INPUT"
    $IPTABLES -I INPUT $1
  fi
}

# create the chain block-<list> if it is missing, then make sure the
# recent rule for this list is present in INPUT
check_chain_exists () {
  if ! $IPTABLES -n -L $OPT_CHAIN_PREFIX-$1 >/dev/null 2>&1; then
    echo "create new chain: $OPT_CHAIN_PREFIX-$1"
    $IPTABLES -N $OPT_CHAIN_PREFIX-$1
  fi
  case "$1" in
    all)
      check_chain "-m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-all $OPT_ACTION"
    ;;
    ssh)
      check_chain "-m tcp -p tcp --dport 22 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
    ;;
    mail)
      check_chain "-m multiport -p tcp --dports 25,143,993,110,995 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
    ;;
    apache)
      check_chain "-m multiport -p tcp --dports 80,443 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
    ;;
    imap)
      check_chain "-m multiport -p tcp --dports 143,993,110,995 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
    ;;
    ftp)
      check_chain "-m tcp -p tcp --dport 21 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
    ;;
    sip)
      check_chain "-m tcp -p tcp --dport 5060 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
    ;;
    bots)
      check_chain "-m multiport -p tcp --dports 194,994,529,5060 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
    ;;
    strongips)
      check_chain "-m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
    ;;
    ircbot)
      check_chain "-m multiport -p tcp --dports 194,994,529 -m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
    ;;
    *)
      check_chain "-m recent $OPT_RECENT --name $OPT_CHAIN_PREFIX-$1 $OPT_ACTION"
    ;;
  esac
}

# flush the recent table for this list and reload it from blocklist.de
# (the table file only exists once a rule with this --name has been added,
# which check_chain_exists does beforehand)
get_blocklist () {
  echo / > /proc/net/xt_recent/$OPT_CHAIN_PREFIX-$1
  $WGET -q -O - ${BLOCKLIST_URL}$1.txt | while read -r ip; do
    # skip empty lines: writing a bare "+" to the table is rejected by the kernel
    [ -n "$ip" ] && echo +$ip > /proc/net/xt_recent/$OPT_CHAIN_PREFIX-$1
  done
}

# raise the per-table limit of xt_recent (default: 100 addresses);
# the parameter is read-only by default, so make it writable first
chmod 600 /sys/module/xt_recent/parameters/ip_list_tot
echo $MAX_IP > /sys/module/xt_recent/parameters/ip_list_tot
chmod 400 /sys/module/xt_recent/parameters/ip_list_tot

for blocklist in $BLOCKLIST; do
  echo "processing $blocklist"
  check_chain_exists $blocklist
  get_blocklist $blocklist
done
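The script above writes whatever the download returns straight into the kernel table. As an added example (not part of the author's script), the Bash functions below cover the checks a practitioner would want around that step: filtering a list down to well-formed IPv4 addresses before loading it, warning when a list is larger than the table limit (MAX_IP / ip_list_tot, beyond which xt_recent evicts its oldest entries), and looking an address up in a /proc/net/xt_recent dump. The sample list and the dump line are constructed, and the table name block-ssh is assumed from the script's naming scheme; only load_table needs root and a live rule naming the table.

```shell
#!/bin/bash
# Added example: sanity checks around loading a blocklist into xt_recent.
# filter_ipv4, fits_table and in_table are pure text processing and run
# anywhere; load_table needs root and an existing rule with that --name.

# Keep only lines that are a dotted-quad IPv4 address with octets <= 255.
# Blank lines, comments, CRLF or trailing whitespace, IPv6 and hostnames
# are dropped, so nothing unexpected is written to the kernel table.
filter_ipv4 () {
  awk '{ gsub(/[ \t\r]/, "") }
       /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
         split($0, o, ".")
         if (o[1] <= 255 && o[2] <= 255 && o[3] <= 255 && o[4] <= 255) print
       }'
}

# Return 0 if COUNT entries fit into a table of MAX entries, 1 otherwise.
# xt_recent replaces the oldest entry once a table is full, so a list
# larger than ip_list_tot silently loses part of itself.
fits_table () {
  count=$1
  max=$2
  if [ "$count" -gt "$max" ]; then
    echo "warning: $count entries but ip_list_tot is $max; oldest entries will be evicted" >&2
    return 1
  fi
  return 0
}

# Check whether IP is present in a table dump read from stdin
# (e.g. cat /proc/net/xt_recent/block-ssh). Dump lines look like:
#   src=192.0.2.1 ttl: 64 last_seen: 4295123 oldest_pkt: 1 4295123
in_table () {
  awk -v ip="$1" '$1 == ("src=" ip) { found = 1 } END { exit !found }'
}

# Flush the named table and load the addresses from stdin into it.
load_table () {
  table="/proc/net/xt_recent/$1"
  if [ ! -w "$table" ]; then
    echo "no writable table $table (needs root and a rule with --name $1)" >&2
    return 1
  fi
  echo / > "$table"
  while read -r ip; do
    echo "+$ip" > "$table"
  done
}

# Constructed sample standing in for "wget -q -O - $BLOCKLIST_URL/ssh.txt":
# a comment and an out-of-range octet are included on purpose.
SAMPLE_LIST='192.0.2.1
# a comment line that a naive loop would write as "+# a comment line"
198.51.100.7
256.1.1.1
'
count=$(printf '%s\n' "$SAMPLE_LIST" | filter_ipv4 | wc -l | tr -d ' ')
echo "valid addresses in sample list: $count"
fits_table "$count" 10000 && echo "the sample fits into a table of 10000 entries"
# On a host where the block-ssh rule exists, as root:
#   printf '%s\n' "$SAMPLE_LIST" | filter_ipv4 | load_table block-ssh
```

In the script above, the filter would sit between wget and the while loop, and fits_table would compare the filtered line count with MAX_IP before the table is flushed, so that a list that no longer fits is noticed instead of being truncated silently.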



2 thoughts on “Add blocklists from blocklist.de to iptables”

  • Sebastian

    Hello,
    many thanks, a simple and very useful script and lists.
    Just a brief note: could it be that the last two rules are missing the -m recent?
    Regards,
    Sebastian