On Wed, Jun 10, 2020 at 01:19:01PM -0400, Brett Delmage wrote:
> ipset-blacklist is "A Bash shell script which uses ipset and iptables to ban
> a large number of IP addresses published in IP blacklists. ipset uses a
> hashtable to store/fetch IP addresses and thus the IP lookup is a lot (!)
> faster than thousands of sequentially parsed iptables ban rules."
> Clear instructions and download at
> https://github.com/trick77/ipset-blacklist

I've been using a home-grown script to do a similar thing, also using ipset.

> [Blocking whole countries] is trivial to do by just adding the desired
> country code e.g. .cn into a shell variable.

I didn't see this feature, though the ipset-blacklist.conf lets you download
country block lists using separate URLs, each with a country code.

Something I didn't see: I've found it helpful to have a white-list of
addresses that never get added to the block lists on my machines. The
white-list includes all my own servers and my current ISP DHCP internet
assignments. Since ipset-blacklist is only a 113-line bash script, adding a
white-list feature using "iprange --except" wouldn't be hard. Has anyone
already done this?

I note that there is an ugly bit in the script where various local IP
addresses are removed using "sed" with regexp patterns. This would look much
nicer using "iprange --except" as part of a generalized white-list
processing, if iprange were available.

Things in the script suggest the programmer hasn't had a lot of experience
writing scripts, e.g. using:

    $(wc -l "$IP_BLACKLIST_TMP" | cut -d' ' -f1)

instead of simply:

    $(wc -l <"$IP_BLACKLIST_TMP")

Also the script doesn't check the error codes of commands, has unnecessary
use of "command" in "command grep" everywhere, and doesn't use "sed -n" or
other things efficiently, among other things. But it's a good start.

-- 
| Ian! D. Allen, BA, MMath - idallen [ at ] idallen [ dot ] ca - Ottawa, Ontario, Canada
| Home: www.idallen.com   Contact Improvisation Dance: www.contactimprov.ca
| Former college professor (Free/Libre GNU+Linux) at: teaching.idallen.com
| Defend digital freedom: http://eff.org/ and have fun: http://fools.ca/
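The white-list processing Ian describes, as an added example that is not part of the thread or of the ipset-blacklist project. It does in Python what he proposes doing with "iprange --except": every address in the white-list (own servers, current ISP assignment) and every local/private range is carved out of the downloaded block list before the result is turned into `ipset restore` input, so the local-address "sed" step becomes ordinary white-list processing. The set name, the restore-line parameters and the sample feed contents are assumptions; the sample data uses RFC 5737 documentation ranges and is constructed, not taken from any real feed.

```python
"""White-list (allow-list) processing for an ipset-based block list.

Added example for this thread; not code from ipset-blacklist.  Stands in
for `iprange --except` using only the standard library.
"""
import sys
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network

# Ranges the original script strips with sed; here they are simply part of
# the white-list, so nothing local can ever land in the block set.
LOCAL_NETS: List[Net] = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

# Constructed sample inputs (assumption: documentation ranges, not a real feed).
BLOCKLIST_TEXT = """
# downloaded feed, one IP or CIDR per line
203.0.113.0/24
198.51.100.7
198.51.100.0/28      # overlaps the /32 above; collapsed away
192.0.2.0/24
10.0.0.5             # private, must never be blocked
172.16.5.0/24
garbage-not-an-ip
"""
ALLOWLIST_TEXT = """
198.51.100.7         # my server
203.0.113.64/26      # current ISP DHCP assignment
192.0.2.0/24
"""


def parse_networks(text: str) -> List[Net]:
    """Parse 'IP' or 'IP/len' lines; ignore comments, blanks and garbage."""
    nets: List[Net] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # feeds do contain junk; skip rather than abort
        if net.version == 4:
            nets.append(net)
    return nets


def except_networks(block: Iterable[Net], allow: Iterable[Net]) -> List[Net]:
    """Return `block` minus every address in `allow` (what iprange --except does).

    CIDR blocks that overlap are always nested, so each white-list entry either
    swallows a block entry, is carved out of it, or is unrelated to it.
    """
    allow = list(allow)
    result: List[Net] = []
    for net in ipaddress.collapse_addresses(block):
        pieces = [net]
        for w in allow:
            kept: List[Net] = []
            for p in pieces:
                if not p.overlaps(w):
                    kept.append(p)
                elif p.subnet_of(w):
                    continue            # entirely white-listed: drop it
                else:
                    kept.extend(p.address_exclude(w))  # punch w out of p
            pieces = kept
        result.extend(pieces)
    return list(ipaddress.collapse_addresses(result))


def ipset_restore_lines(nets: Iterable[Net], setname: str = "blacklist-tmp") -> List[str]:
    """Lines for `ipset restore`; the caller then swaps the set into place."""
    lines = [f"create {setname} hash:net family inet hashsize 16384 maxelem 65536 -exist",
             f"flush {setname}"]
    lines += [f"add {setname} {n} -exist" for n in nets]
    return lines


def build(block_text: str, allow_text: str) -> List[Net]:
    """Full pipeline: parse both lists, treat local ranges as white-listed, subtract."""
    block = parse_networks(block_text)
    allow = parse_networks(allow_text) + LOCAL_NETS
    return except_networks(block, allow)


if __name__ == "__main__":
    nets = build(BLOCKLIST_TEXT, ALLOWLIST_TEXT)
    print("\n".join(ipset_restore_lines(nets)))
    print(f"# {len(nets)} entries", file=sys.stderr)
```

Piping the output into `ipset restore` and then running `ipset swap blacklist-tmp blacklist` (and `ipset destroy blacklist-tmp`) mirrors the temporary-set-then-swap approach so the live set is never half-populated; the entry count comes from `len()` rather than a `wc -l | cut` pipeline.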