
Re: ipset-blacklist: A bash script to ban large numbers of IP addresses published in blacklists

  • Subject: Re: ipset-blacklist: A bash script to ban large numbers of IP addresses published in blacklists
  • From: "Ian! D. Allen" <idallen [ at ] idallen [ dot ] ca>
  • Date: Wed, 10 Jun 2020 16:59:52 -0400
On Wed, Jun 10, 2020 at 01:19:01PM -0400, Brett Delmage wrote:
> ipset-blacklist is "A Bash shell script which uses ipset and iptables to ban
> a large number of IP addresses published in IP blacklists. ipset uses a
> hashtable to store/fetch IP addresses and thus the IP lookup is a lot (!)
> faster than thousands of sequentially parsed iptables ban rules."
> Clear instructions and download at
> https://github.com/trick77/ipset-blacklist

I've been using a home-grown script to do a similar thing, also using ipset.

> [Blocking whole countries] is trivial to do by just adding the desired
> country code e.g. .cn into a shell variable.

I didn't see this feature, though the ipset-blacklist.conf lets you
download country block lists using separate URLs each with a country code.

Something I didn't see:

I've found it helpful to have a white-list of addresses that never get
added to the block lists on my machines.  The white-list includes all
my own servers and my current ISP DHCP internet assignments.

Since ipset-blacklist is only a 113-line bash script, adding a white-list
feature using "iprange --except" wouldn't be hard.  Has anyone already
done this?

I note that there is an ugly bit in the script where various local IP
addresses are removed using "sed" with regexp patterns - this would look
much nicer using "iprange --except" as part of a generalized white-list
processing, if iprange were available.

Things in the script suggest the programmer hasn't had a lot of experience
writing scripts, e.g. using:

    $(wc -l "$IP_BLACKLIST_TMP" | cut -d' ' -f1)

instead of simply:

    $(wc -l <"$IP_BLACKLIST_TMP")

Also the script doesn't check the error codes of commands, has unnecessary
use of "command" in "command grep" everywhere, and doesn't use "sed -n"
or other things efficiently, among other things.  But it's a good start.

-- 
| Ian! D. Allen, BA, MMath  -  idallen [ at ] idallen [ dot ] ca - Ottawa, Ontario, Canada
| Home: www.idallen.com   Contact Improvisation Dance: www.contactimprov.ca
| Former college professor (Free/Libre GNU+Linux) at:  teaching.idallen.com
| Defend digital freedom:  http://eff.org/  and have fun:  http://fools.ca/
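The white-list and exit-code points above, worked through in a small bash pipeline. This is an added example, not code from the ipset-blacklist project or from anyone in this thread. The feed lines and the white-list entry are constructed from RFC 5737 documentation ranges, the set name `blacklist` is a placeholder, and the white-list step uses exact-line exclusion with `grep -vxFf` as a stand-in for `iprange --except`, which would additionally drop addresses that fall inside a white-listed CIDR block (the grep form does not).

```bash
#!/usr/bin/env bash
# Added example: build a block list with a white-list applied, checking
# command exit codes along the way. Not the ipset-blacklist script.
set -euo pipefail

# Constructed sample feed (RFC 5737 documentation addresses), including a
# comment line and a duplicate, as real feeds often contain.
make_sample_blacklist() {
    cat <<'EOF'
# comment line from a feed
192.0.2.10
198.51.100.7
203.0.113.200
192.0.2.10
198.51.100.0/24
EOF
}

# Constructed white-list: addresses that must never be blocked (own servers, ISP assignment).
make_sample_whitelist() {
    cat <<'EOF'
203.0.113.200
EOF
}

# Download one feed, failing loudly instead of silently producing an empty file.
# Not exercised by the offline demo below; shown for the exit-code handling.
fetch_feed() {
    local url=$1 out=$2
    if ! curl -fsS --max-time 60 -o "$out" "$url"; then
        echo "fetch failed: $url" >&2
        return 1
    fi
}

# Normalize a raw feed: keep only lines that begin with an IPv4 address or
# IPv4/CIDR token, print just that token (sed -n ... p), then dedupe.
normalize_feed() {
    sed -n -E 's/^[[:space:]]*([0-9]{1,3}(\.[0-9]{1,3}){3}(\/[0-9]{1,2})?).*$/\1/p' "$1" | sort -u
}

# Remove white-listed entries. Exact-line exclusion only; with the firehol
# iprange tool installed, the CIDR-aware form would be:
#   iprange "$blacklist" --except "$whitelist"
apply_whitelist() {
    local blacklist=$1 whitelist=$2
    # grep exits 1 when every line is excluded; that is not an error here.
    grep -vxFf "$whitelist" "$blacklist" || true
}

# Normalize, apply the white-list, write the result, and return the entry count
# using the wc -l <file idiom (no field cutting needed).
build_blocklist() {
    local raw=$1 whitelist=$2 out=$3
    local tmp
    tmp=$(mktemp)
    normalize_feed "$raw" >"$tmp"
    apply_whitelist "$tmp" "$whitelist" >"$out"
    rm -f "$tmp"
    echo $(( $(wc -l <"$out") ))
}

# Emit an "ipset restore" script for the finished list. Set name is a placeholder.
to_ipset_restore() {
    local list=$1 setname=${2:-blacklist}
    echo "create $setname hash:net family inet -exist"
    while IFS= read -r entry; do
        [ -n "$entry" ] && echo "add $setname $entry -exist"
    done <"$list"
}

# Stand-alone demo on the constructed sample data (no network, no root).
work=$(mktemp -d)
make_sample_blacklist >"$work/raw.txt"
make_sample_whitelist >"$work/white.txt"
echo "entries to load: $(build_blocklist "$work/raw.txt" "$work/white.txt" "$work/blocklist.txt")"
to_ipset_restore "$work/blocklist.txt"
rm -rf "$work"
```

The output of `to_ipset_restore` is what you would pipe into `ipset restore` as root; keeping it as a separate generated file makes the whole pipeline reviewable before anything touches the kernel, and a fetch failure aborts the run under `set -e` rather than feeding an empty list to ipset.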

To unsubscribe send a blank message to linux+unsubscribe [ at ] linux-ottawa [ dot ] org
To get help send a blank message to linux+help [ at ] linux-ottawa [ dot ] org
To visit the archives: https://lists.linux-ottawa.org