public:it:linuxrouter [2021/08/23 00:47] – [ipset] phil | public:it:linuxrouter [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1 | ||
Line 1: | Line 1: | ||
- | ====== Linux Router ====== | ||
- | ===== Hardware Links ===== | ||
- | ^Machine^Purchase Link^Description^ | ||
- | |[[https:// | ||
- | |[[public: | ||
- | |||
- | ===== Links ===== | ||
- | |||
- | * https:// | ||
- | * [[https:// | ||
- | * [[https:// | ||
- | * [[https:// | ||
- | |||
- | ===== iptables ===== | ||
- | |||
- | ==== Basic ==== | ||
- | < | ||
- | iptables-save | ||
- | </ | ||
- | |||
- | ==== Basic + VLANs ==== | ||
- | < | ||
- | iptables-save | ||
- | </ | ||
- | |||
- | ==== QDISC Rules with Netplan ==== | ||
- | |||
- | [[ https:// | ||
- | |||
- | / | ||
- | < | ||
- | #!/bin/sh | ||
- | tc qdisc add dev bond0 root tbf rate 19500mbit latency 400ms burst 12800kb | ||
- | </ | ||
- | |||
- | |||
- | / | ||
- | < | ||
- | #!/bin/sh | ||
- | tc qdisc del dev bond0 root | ||
- | </ | ||
- | |||
- | |||
- | ===== ipset ===== | ||
- | |||
- | https:// | ||
- | |||
- | < | ||
- | #!/bin/bash | ||
- | |||
- | d=/ | ||
- | mkdir -p $d | ||
- | |||
- | declare -A countries | ||
- | countries=( \ | ||
- | [" | ||
- | [" | ||
- | ) | ||
- | |||
- | for cc in " | ||
- | name=" | ||
- | |||
- | # Create the ipset list | ||
- | ipset create $name hash:net -exist | ||
- | |||
- | # remove all entries from ipset | ||
- | # This probably shouldn' | ||
- | # But if you only run this script monthly it's probably not a big deal. | ||
- | ipset flush $name | ||
- | |||
- | # remove any old list that might exist from previous runs of this script | ||
- | rm ${d}/ | ||
- | |||
- | # Pull the latest IP set for russia | ||
- | wget -q -O ${d}/ | ||
- | |||
- | |||
- | # Add each IP address from the downloaded list into the ipset " | ||
- | for i in $(cat ${d}/ | ||
- | ipset add $name $i -exist | ||
- | done | ||
- | |||
- | done | ||
- | </ | ||
- | |||
- | Add the following to your iptables rules to start dropping traffic | ||
- | |||
- | |||
- | Example of dropping one ipset hash | ||
- | < | ||
- | -A INPUT -p tcp -m set --match-set china src -j DROP | ||
- | </ | ||
- | |||
- | LOG and DROP example | ||
- | < | ||
- | # China | ||
- | -N DROP_CN -m comment --comment "890 create logging chain DROP_CN" | ||
- | -A INPUT -p tcp -m set --match-set china src -j DROP_CN -m comment --comment "891 Matched subnets for China are moved to chain DROP_CN" | ||
- | -A DROP_CN -j LOG --log-prefix " | ||
- | -A DROP_CN -j DROP -m comment --comment "893 actually drop traffic from China" | ||
- | </ | ||
- | ===== nftables ===== | ||
- | |||
- | * [[ https:// | ||
- | * [[ https:// | ||
- | * [[ https:// |