Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
public:it:linuxrouter [2021/08/24 05:39] – [ipset] phil
public:it:linuxrouter [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-====== Linux Router ====== 
  
-===== Hardware Links ===== 
-^Machine^Purchase Link^Description^ 
-|[[https://protectli.com/product/fw2b/| Protecli FW2B ]]| | Not very powerful but runs great. [[https://protectli.com/kb/how-to-use-flashli/|Flashing AMI BIOS / Coreboot]] | 
-|[[public:it:zotac|ZOTAC ZBOX-MI549NANO-U ]]| [[https://www.amazon.com/gp/product/B076H6X88K/|Amazon]] | I run two of these which work great.| 
- 
-===== Links ===== 
- 
-  * https://router7.org/installation/ 
-  * [[https://gist.github.com/vrypan/4341878|DynDNS53:  Python script to add/update an A record at amazon area53 DNS service, using current IP. (ie, dyndns replacement) ]] 
-  * [[https://python-route53.readthedocs.io/en/latest/quickstart.html#changing-a-record-set|Python Route53]] 
-  * [[https://askubuntu.com/questions/868334/block-china-with-iptables#931153|block list of IPs with ipset and iptables]] 
- 
-===== iptables ===== 
- 
-==== Basic ==== 
-<code> 
-iptables-save 
-</code> 
- 
-==== Basic + VLANs ==== 
-<code> 
-iptables-save 
-</code> 
- 
-==== QDISC Rules with Netplan ==== 
- 
-[[ https://netplan.io/faq/#use-pre-up%2C-post-up%2C-etc.-hook-scripts | Netplan pre-up, post-up, pre-down, post-down hook scripts]] 
- 
-/etc/networkd-dispatcher/routable.d/10-bond0-tc 
-<code> 
-#!/bin/sh 
-tc qdisc add dev bond0 root tbf rate 19500mbit latency 400ms burst 12800kb 
-</code> 
- 
- 
-/etc/networkd-dispatcher/off.d/10-bond0-tc 
-<code> 
-#!/bin/sh 
-tc qdisc del dev bond0 root 
-</code> 
- 
- 
-===== IP Blocking ===== 
-=== block list links === 
- 
-  * https://github.com/notracking/hosts-blocklists 
-  * https://github.com/blocklistproject/Lists 
-  * https://firebog.net/ 
- 
-=== Country Subnet block lists === 
- 
-  * http://www.ipdeny.com/ipblocks/data/aggregated/ 
-  * https://github.com/herrbischoff/country-ip-blocks 
- 
-==== ipset ==== 
- 
- 
-<code> 
-#!/bin/bash 
- 
-d=/etc/ipset 
-mkdir -p $d 
- 
-declare -A countries 
-countries=( \ 
-  ["ru"]="russia" \ 
-  ["cn"]="china" \ 
-) 
- 
-for cc in "${!countries[@]}"; do 
-  name="${countries[$cc]}" 
- 
-  # Create the ipset list 
-  ipset create $name hash:net -exist 
- 
-  # remove all entries from ipset 
-  # This probably shouldn't be run every time. 
-  # But if you only run this script monthly it's probably not a big deal. 
-  ipset flush $name 
- 
-  # remove any old list that might exist from previous runs of this script 
-  rm ${d}/${cc}.zone 
- 
-  # Pull the latest IP set for russia 
-  wget -q -O ${d}/${cc}.zone http://www.ipdeny.com/ipblocks/data/aggregated/${cc}-aggregated.zone 
- 
- 
-  # Add each IP address from the downloaded list into the ipset "$name" 
-  for i in $(cat ${d}/${cc}.zone ); do 
-    ipset add $name $i -exist 
-  done 
- 
-done 
-</code> 
- 
-Add the following to your iptables rules to start dropping traffic  
- 
- 
-Example of dropping one ipset hash 
-<code> 
--A INPUT -p tcp -m set --match-set china src -j DROP 
-</code> 
- 
-LOG and DROP example 
-<code> 
-# China 
--N DROP_CN -m comment --comment "890 create logging chain DROP_CN" 
--A INPUT -p tcp -m set --match-set china src -j DROP_CN -m comment --comment "891 Matched subnets for China are moved to chain DROP_CN" 
--A DROP_CN -j LOG --log-prefix "[iptables][dropped][china]: " --log-level 4 -m comment --comment "892 log traffic dropped from China" 
--A DROP_CN -j DROP -m comment --comment "893 actually drop traffic from China" 
-</code> 
-===== nftables ===== 
- 
-  * [[ https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables | Moving from iptables to nftables ]] 
-  * [[ https://cryptsus.com/blog/setting-up-nftables-firewall.html | Setting up nftables firewall ]] 
-  * [[ https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching | GeoIP ]] 
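Review bot: in the ipset script under "==== ipset ====", `ipset flush $name` runs before the download, and `wget -q -O ${d}/${cc}.zone ...` is never checked, so a failed fetch leaves the set empty and the country block silently disappears until the next (monthly) run. Download to a temporary file first, test wget's exit status, and only flush and repopulate the set on success, e.g. `wget -q -O "$tmp" "$url" || { echo "download failed for $cc" >&2; continue; }`; the `rm ${d}/${cc}.zone` line also needs `-f` to stay quiet on the first run, and the comment "Pull the latest IP set for russia" is stale inside a loop over several countries. Since the list is fetched over plain `http://` and fed straight into a DROP rule, an altered download would change what the firewall blocks, so fetching over TLS or checking the file against a known-good copy before loading is worth a line. Separately, both iptables examples match with `-p tcp` (`-A INPUT -p tcp -m set --match-set china src -j DROP` and the DROP_CN variant), so UDP and ICMP from the listed subnets still pass; drop `-p tcp` if the intent is to block all traffic from those ranges, and note that in the LOG-and-DROP chain the LOG rule is unrated and can flood syslog under a scan (`-m limit` before `LOG` is the usual fix).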
public/it/linuxrouter.1629801561.txt.gz · Last modified: 2021/08/24 05:39 by phil