Python's iptables blocklist importer program allows the parsing and importing of IP range block lists, with a P2P-style, into an iptables chain.
The iptables blocklist importer is a powerful and efficient Python program designed to quickly parse and import P2P-style IP range block lists into an iptables chain. To use this program, simply create an empty chain in your iptables firewall named BadRanges (or edit the code to use another name if you prefer) and add an appropriate reference in your INPUT and/or FORWARD chains.
Assuming you're using this on a single host that doesn't act as a router, you won't need an entry in FORWARD. Here's a basic example of what you can use: "iptables -N BadRanges iptables -I INPUT -i eth0 -m state --state NEW,RELATED -j BadRanges iptables -I FORWARD -i eth0 -m state --state NEW,RELATED -j BadRanges". This assumes your external network adapter is called eth0.
Once you've added the required entries, all new incoming connections or packets related to existing connections will be checked against the BadRanges list. It's important to note that this will not filter outbound packets, so you'll still be able to use a website hosted by an IP range that you don't want connecting back to you.
To get started, save your iptables (which is iptables-save > /etc/sysconfig/iptables on Fedora at least) so it loads by default. Then copy iptables-blocklist.py to /usr/local/libexec, which will parse the list into iptables-restore format. Finally, install zzz-badrangeupdate in your /etc/cron.daily or /etc/cron.weekly to regularly update and install the list.
The cron script downloads a zipped list of IP ranges to be blocked if it has changed since the last execution using wget. The list is then unzipped and a diff between the previous and current list is created simply for reference. The unzipped text list of IP ranges is then parsed by the iptables-blocklist.py program into a list of approximated subnets. This list is sorted into network prefix length order, shortest first, on the assumption that it will make for faster or easier matching.
Once the subnets are sorted, the list is output in iptables-restore format and piped through iptables-restore with the -n flag. This effectively replaces the one BadRanges chain with a new one atomically. The efficient process of this program makes it an excellent option for anyone looking to efficiently manage their firewall and keep their system secure.
Assuming you're using this on a single host that doesn't act as a router, you won't need an entry in FORWARD. Here's a basic example of what you can use: "iptables -N BadRanges iptables -I INPUT -i eth0 -m state --state NEW,RELATED -j BadRanges iptables -I FORWARD -i eth0 -m state --state NEW,RELATED -j BadRanges". This assumes your external network adapter is called eth0.
Once you've added the required entries, all new incoming connections or packets related to existing connections will be checked against the BadRanges list. It's important to note that this will not filter outbound packets, so you'll still be able to use a website hosted by an IP range that you don't want connecting back to you.
To get started, save your iptables (which is iptables-save > /etc/sysconfig/iptables on Fedora at least) so it loads by default. Then copy iptables-blocklist.py to /usr/local/libexec, which will parse the list into iptables-restore format. Finally, install zzz-badrangeupdate in your /etc/cron.daily or /etc/cron.weekly to regularly update and install the list.
The cron script downloads a zipped list of IP ranges to be blocked if it has changed since the last execution using wget. The list is then unzipped and a diff between the previous and current list is created simply for reference. The unzipped text list of IP ranges is then parsed by the iptables-blocklist.py program into a list of approximated subnets. This list is sorted into network prefix length order, shortest first, on the assumption that it will make for faster or easier matching.
Once the subnets are sorted, the list is output in iptables-restore format and piped through iptables-restore with the -n flag. This effectively replaces the one BadRanges chain with a new one atomically. The efficient process of this program makes it an excellent option for anyone looking to efficiently manage their firewall and keep their system secure.
What's New
Version 0.9: N/A