Sidebar
public:it:linuxrouter
This is an old revision of the document!
Table of Contents
Linux Router
Hardware Links
| Machine | Purchase Link | Description |
|---|---|---|
| Protecli FW2B | Not very powerful but runs great. Flashing AMI BIOS / Coreboot | |
| ZOTAC ZBOX-MI549NANO-U | Amazon | I run two of these which work great. |
Links
iptables
Basic
iptables-save
Basic + VLANs
iptables-save
QDISC Rules with Netplan
Netplan pre-up, post-up, pre-down, post-down hook scripts
/etc/networkd-dispatcher/routable.d/10-bond0-tc
#!/bin/sh tc qdisc add dev bond0 root tbf rate 19500mbit latency 400ms burst 12800kb
/etc/networkd-dispatcher/off.d/10-bond0-tc
#!/bin/sh tc qdisc del dev bond0 root
ipset
https://github.com/herrbischoff/country-ip-blocks
#!/bin/bash
d=/etc/ipset
mkdir -p $d
declare -A countries
countries=( \
["ru"]="russia" \
["cn"]="china" \
)
for cc in "${!countries[@]}"; do
name="${countries[$cc]}"
# Create the ipset list
ipset create $name hash:net -exist
# remove all entries from ipset
# This probably shouldn't be run every time.
# But if you only run this script monthly it's probably not a big deal.
ipset flush $name
# remove any old list that might exist from previous runs of this script
rm ${d}/${cc}.zone
# Pull the latest IP set for russia
wget -q -O ${d}/${cc}.zone http://www.ipdeny.com/ipblocks/data/aggregated/${cc}-aggregated.zone
# Add each IP address from the downloaded list into the ipset "$name"
for i in $(cat ${d}/${cc}.zone ); do
ipset add $name $i -exist
done
done
Add the following to your iptables rules to start dropping traffic
Example of dropping one ipset hash
-A INPUT -p tcp -m set --match-set china src -j DROP
LOG and DROP example
# China -N DROP_CN -m comment --comment "890 create logging chain DROP_CN" -A INPUT -p tcp -m set --match-set china src -j DROP_CN -m comment --comment "891 Matched subnets for China are moved to chain DROP_CN" -A DROP_CN -j LOG --log-prefix "[iptables][dropped][china]: " --log-level 4 -m comment --comment "892 log traffic dropped from China" -A DROP_CN -j DROP -m comment --comment "893 actually drop traffic from China"
nftables
public/it/linuxrouter.1629697627.txt.gz ยท Last modified: 2021/08/23 00:47 by phil
