BlackBlockGoogle

951 bytes added, 16:48, 23 February 2020
add ipsets script
echo "iptables -t mangle -X $2_ip" >> del_$2.sh
echo "iptables -t mangle -X $2_do" >> del_$2.sh
 
</pre>
 
 
== Use ipsets instead of iptables ==
 
If you block an AS that announces a large number of prefixes, you will notice a performance hit when each prefix is a separate iptables rule.

ipset is much more efficient: all prefixes go into one set and a single iptables rule matches against it. Here is a similar script for setting up corporate monster blocking using ipset on OpenWRT.
 
<pre>
#!/bin/sh
# Usage: ./block.sh HOSTNAME NAME
#   HOSTNAME - a host inside the network you want to block (e.g. www.google.com)
#   NAME     - short label used for the ipset and the generated add_/del_ scripts

if [ $# -ne 2 ]; then
  echo "Usage: $0 HOSTNAME NAME" >&2
  exit 1
fi

# Resolve the host, then ask ipinfo.io which AS announces that address
IP=`nslookup $1 | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | tail -n1 | cut -d' ' -f3`
AS=`wget -q -O - http://ipinfo.io/$IP/org | cut -f1 -d' ' | sed -e 's/AS//'`

echo '#!/bin/sh' > add_$2.sh
chmod 750 add_$2.sh
echo '#!/bin/sh' > del_$2.sh
chmod 750 del_$2.sh

# All IPv4 prefixes the AS currently announces (IPv6 prefixes, containing "::",
# are skipped because a plain hash:net set only accepts IPv4 members)
NETWORKS=`wget -q -O - "http://stat.ripe.net/data/announced-prefixes/data.yaml?resource=$AS" | grep prefix\: | grep -v \:\: | awk '{print $3}'`

# One set holds every prefix; a single rule in the OpenWRT forwarding_rule chain matches it
echo "ipset create $2_ip hash:net" >> add_$2.sh
echo "iptables -A forwarding_rule -m set --match-set $2_ip dst -j REJECT" >> add_$2.sh

for i in $NETWORKS; do echo "ipset add $2_ip $i" >> add_$2.sh; done

# Remove the rule first: ipset refuses to destroy a set that is still referenced by iptables
echo "iptables -D forwarding_rule -m set --match-set $2_ip dst -j REJECT" >> del_$2.sh
echo "ipset destroy $2_ip" >> del_$2.sh
</pre>
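An added example (not from the wiki page) that goes one step beyond the script above: instead of throwing away the IPv6 prefixes, it turns the RIPEstat announced-prefixes output into ipset commands for two sets, a family inet set and a family inet6 set, since a plain hash:net set rejects IPv6 members. The YAML sample is constructed to mimic the RIPEstat data.yaml format the script above parses; the set names and the forwarding_rule chain follow that script, and gen_ipset_rules is a name chosen here.

```shell
#!/bin/sh
# Added example: generate ipset/iptables commands from RIPEstat "announced-prefixes"
# YAML, keeping IPv4 and IPv6 in separate sets. In real use the data comes from
#   wget -q -O - "http://stat.ripe.net/data/announced-prefixes/data.yaml?resource=$AS"
# piped into gen_ipset_rules; here a constructed sample is embedded instead.

# Constructed sample in the shape of the RIPEstat YAML (only the fields we use)
SAMPLE_YAML='data:
  prefixes:
  - prefix: 8.8.8.0/24
    timelines: []
  - prefix: 2001:4860::/32
    timelines: []
  - prefix: 8.8.4.0/24
    timelines: []
  - prefix: 2404:6800:4000::/36
    timelines: []'

# gen_ipset_rules NAME  (YAML on stdin) -> prints the body of an add_NAME.sh script
gen_ipset_rules() {
  name="$1"
  # -exist makes create/add idempotent so the generated script can be re-run safely
  echo "ipset -exist create ${name}_ip hash:net family inet"
  echo "ipset -exist create ${name}_ip6 hash:net family inet6"
  echo "iptables -A forwarding_rule -m set --match-set ${name}_ip dst -j REJECT"
  echo "ip6tables -A forwarding_rule -m set --match-set ${name}_ip6 dst -j REJECT"
  # Lines look like "  - prefix: 8.8.8.0/24": field 3 is the CIDR.
  # The address family decides which set the prefix goes into; anything that
  # is not a well-formed CIDR is skipped rather than passed to ipset.
  awk -v n="$name" '
    $1 == "-" && $2 == "prefix:" {
      p = $3
      if (p ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) set = n "_ip"
      else if (p ~ /^[0-9a-fA-F:]+\/[0-9]+$/) set = n "_ip6"
      else next
      print "ipset -exist add " set " " p
    }'
}

# Demo: print the generated commands for the sample
printf '%s\n' "$SAMPLE_YAML" | gen_ipset_rules google
```

The generated commands are meant to be written to add_NAME.sh exactly as the script above does; the matching del_NAME.sh needs the two -D rules before the two ipset destroy calls.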