Simple and flexible firewall for Linux server
Benoît S. c7c5e9814a WIP: Added a way to block ASNs and IPs with ipset
This is a work in progress to ban ASNs and IP addresses in an efficient
way with `ipset`.
More things in minifirewall could be replaced with `ipset`, like the
HTTPSITE part, but for now I'm only focused on banning networks.

Please review the code (I followed the current coding style), test it,
and make comments!
2020-07-22 10:31:47 +09:00
.gitignore Add a Vagrantfile for testing 2019-06-04 17:43:26 +02:00
LICENSE Minifirewall is now under GPLv3 license 2019-06-04 16:53:34 +02:00
README.md WIP: Added a way to block ASNs and IPs with ipset 2020-07-22 10:31:47 +09:00
Vagrantfile Add a Vagrantfile for testing 2019-06-04 17:43:26 +02:00
blacklist-countries.sh Modify URL to track country ip blocks 2015-01-12 20:45:27 +01:00
cron_minifirewall Added an example of cron script to daily reload iptables 2011-04-02 12:01:58 +02:00
minifirewall WIP: Added a way to block ASNs and IPs with ipset 2020-07-22 10:31:47 +09:00
minifirewall.conf WIP: Added a way to block ASNs and IPs with ipset 2020-07-22 10:31:47 +09:00
ripe.sh Add delegated CIDR for AFRINIC and LACNIC. 2014-05-09 11:08:32 +02:00

README.md

Minifirewall

Minifirewall is a set of shell scripts for easy firewalling on a standalone server. It uses netfilter/iptables (http://netfilter.org/) and is designed for recent Linux kernels. See https://gitea.evolix.org/evolix/minifirewall

Install

install -m 0700 minifirewall /etc/init.d/minifirewall
install -m 0600 minifirewall.conf /etc/default/minifirewall

Config

Edit /etc/default/minifirewall file:

  • If your interface is not eth0, change the INT variable
  • If you don't use IPv6, set IPv6=off
  • Modify the INTLAN variable, probably with your IP/32, or with your local network if you trust it
  • Set your trusted and privileged IP addresses in the TRUSTEDIPS and PRIVILEGIEDIPS variables
  • Authorize your public services with the SERVICESTCP1 and SERVICESUDP1 variables
  • Authorize your semi-public services (only for TRUSTEDIPS and PRIVILEGIEDIPS) with the SERVICESTCP2 and SERVICESUDP2 variables
  • Authorize your private services (only for TRUSTEDIPS) with the SERVICESTCP3 and SERVICESUDP3 variables
  • Configure your authorizations for external services: DNS, HTTP, HTTPS, SMTP, SSH, NTP
  • Add your specific rules

Usage

/etc/init.d/minifirewall start/stop/restart

If you want to add minifirewall in boot sequence:

systemctl enable minifirewall

Ban a whole AS

Automatic way using an API

Set the AS numbers you want to ban in the BANNEDASNS variable; minifirewall then fetches their routes and drops them with ipset.

Manual way

The manual way is here only for reference.

First, find the AS for one IP address.

$ whois IP | grep origin:
Or, if there is no result, use a specific whois server:
$ whois -h whois.radb.net IP | grep origin:
Or, if there is still no result, use another whois server:
$ whois -h whois.cymru.com IP

Then, get the routes announced by this AS.

$ whois -i origin ASNUMBER | grep route:
Or, if there is no result, use a specific whois server:
$ whois -h whois.radb.net -i origin ASNUMBER | grep route:
Or, if there is still no result, use a specific API:
$ curl -qs https://asn.ipinfo.app/api/text/list/ASNUMBER

Finally, create a kernel set named after the AS, add its routes to it, and DROP everything whose source matches the set (the set name in the iptables rule must be the one you created).

# ipset -N ASNUMBER hash:net family inet
# ipset -A ASNUMBER 192.0.2.0/24
# ipset -A ASNUMBER 198.51.100.0/24
# iptables -A INPUT -m set --match-set ASNUMBER src -j DROP
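The manual steps above can be turned into a small pipeline: parse the `route:` lines of a whois answer, deduplicate them, and emit an `ipset restore` script plus the matching DROP rule. This is an added example, not minifirewall's own code; the whois output below is constructed sample data and the set name AS64496 is an assumption.

```shell
#!/bin/sh
# Constructed sample of `whois -i origin ASNUMBER` output (not real data):
# contains a duplicate route, an IPv6 route6 and a misleading remarks line.
SAMPLE_WHOIS='route:          192.0.2.0/24
descr:          Example net 1
origin:         AS64496
route:          198.51.100.0/24
origin:         AS64496
route:          192.0.2.0/24
route6:         2001:db8::/32
remarks:        route: this is not a route line
'

# Read whois text on stdin and print unique IPv4 prefixes, in order of first
# appearance. Only lines whose first field is exactly "route:" are used, and
# the value must look like a dotted quad with a prefix length.
routes_from_whois() {
    awk '$1 == "route:" \
         && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ \
         && !seen[$2]++ { print $2 }'
}

# Emit an `ipset restore` script for one set: create it, flush it, then add
# every prefix. Flushing first makes the script safe to re-run when the AS
# announces new routes.
ipset_restore_script() {
    setname="$1"
    printf 'create %s hash:net family inet\n' "$setname"
    printf 'flush %s\n' "$setname"
    routes_from_whois | while read -r net; do
        printf 'add %s %s\n' "$setname" "$net"
    done
}

# The iptables rule that drops packets whose source is in the set.
drop_rule() {
    printf 'iptables -A INPUT -m set --match-set %s src -j DROP\n' "$1"
}

# Example (root): load the set, then install the rule once.
#   printf '%s' "$SAMPLE_WHOIS" | ipset_restore_script AS64496 | ipset -exist restore
#   $(drop_rule AS64496)
```

`ipset -exist restore` ignores the error from `create` when the set already exists, so the same script refreshes an existing set; replace the constructed `SAMPLE_WHOIS` with the real `whois -i origin ASNUMBER` output.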

License

This is an Evolix project and is licensed under the GPLv3, see the LICENSE file for details.