| Machine | Purchase Link | Description |
|---|---|---|
| Protectli FW2B | Protectli FW2B | Not very powerful, but runs great. Flashing AMI BIOS / Coreboot |
| ZOTAC ZBOX-MI549NANO-U | Amazon | I run two of these, which work great. |
## iptables-save

```sh
iptables-save
```
## Netplan pre-up, post-up, pre-down, post-down hook scripts
Netplan interfaces backed by systemd-networkd get their hooks from `networkd-dispatcher`, which runs every executable script in the state directory (`routable.d`, `off.d`, ...) for every interface that changes state, with the interface name in `$IFACE`. The pair below shapes `bond0` when it comes up and removes the shaper when it goes down; both files must be executable.

`/etc/networkd-dispatcher/routable.d/10-bond0-tc`

```sh
#!/bin/sh
# Runs when an interface becomes routable; only act for bond0, otherwise
# the "add" is repeated for every other interface and fails with "File exists".
[ "$IFACE" = "bond0" ] || exit 0
# Cap egress with a token bucket filter: 19.5 Gbit/s, 400 ms max queue
# latency, 12800 kB burst.
tc qdisc add dev bond0 root tbf rate 19500mbit latency 400ms burst 12800kb
```

`/etc/networkd-dispatcher/off.d/10-bond0-tc`

```sh
#!/bin/sh
# Runs when an interface goes down; remove the root qdisc from bond0 so the
# next "add" on the way back up does not fail.
[ "$IFACE" = "bond0" ] || exit 0
tc qdisc del dev bond0 root
```
Fetch the MaxMind GeoLite2 databases with `geoipupdate`, using the account settings in `GeoIP.conf` and writing the `.mmdb` files into the current directory:

```sh
$ geoipupdate --config-file GeoIP.conf -d ./
$ ls -1
GeoIP.conf
GeoLite2-ASN.mmdb
GeoLite2-City.mmdb
GeoLite2-Country.mmdb
```
```bash
#!/bin/bash
d=/etc/ipset
mkdir -p "$d"

declare -A countries
countries=(
  ["ru"]="russia"
  ["cn"]="china"
)

for cc in "${!countries[@]}"; do
  name="${countries[$cc]}"
  zone="${d}/${cc}.zone"

  # Create the ipset list (no-op if it already exists)
  ipset create "$name" hash:net -exist

  # Remove any old list that might exist from previous runs of this script
  rm -f "$zone"

  # Pull the latest aggregated IP list for this country.
  # Download before flushing, so a failed download leaves the existing set intact
  # instead of leaving the country unblocked until the next run.
  if ! wget -q -O "$zone" "http://www.ipdeny.com/ipblocks/data/aggregated/${cc}-aggregated.zone"; then
    echo "download failed for ${cc}, keeping existing set ${name}" >&2
    continue
  fi

  # Remove all entries from the ipset.
  # This probably shouldn't be run every time,
  # but if you only run this script monthly it's probably not a big deal.
  ipset flush "$name"

  # Add each network from the downloaded list into the ipset "$name"
  while read -r net; do
    ipset add "$name" "$net" -exist
  done < "$zone"
done
```
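The loop above feeds whatever the download contains straight into `ipset add`, and it empties the live set before the new list is loaded. The added example below (not part of the original page) validates an ipdeny-style zone file first, rejecting malformed entries, non-routable ranges and prefixes wide enough to black-hole far more than one country, and emits `ipset restore` input that fills a staging set and swaps it in atomically. The `MIN_PREFIXLEN` threshold, the `.new` staging-set suffix and the sample zone contents are assumptions.

```python
"""Validate an ipdeny-style zone file and emit an atomic 'ipset restore' update."""
import sys
import ipaddress

# Widest prefix accepted from a downloaded list (assumed threshold). A /0../7
# entry is almost certainly a corrupt or tampered file, and loading it would
# black-hole far more than one country.
MIN_PREFIXLEN = 8

def parse_zone(text, min_prefixlen=MIN_PREFIXLEN):
    """Return (accepted networks, rejected (lineno, entry, reason) tuples)."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=True)  # host bits set -> error
        except ValueError:
            rejected.append((lineno, entry, "not a valid IPv4 CIDR"))
            continue
        if net.prefixlen < min_prefixlen:
            rejected.append((lineno, entry, "prefix too broad"))
        elif not net.is_global:
            rejected.append((lineno, entry, "not globally routable"))
        else:
            nets.append(net)
    return nets, rejected

def ipset_restore_script(name, nets):
    """Build 'ipset restore' input: fill a temp set, then swap it live in one step."""
    tmp = f"{name}.new"  # assumed naming for the staging set
    lines = [f"create {name} hash:net -exist",
             f"create {tmp} hash:net -exist",
             f"flush {tmp}"]
    lines += [f"add {tmp} {net.with_prefixlen}" for net in nets]
    lines += [f"swap {tmp} {name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

# Constructed sample input, not a real ipdeny download.
SAMPLE_ZONE = "1.0.1.0/24\n1.0.2.0/23\n10.0.0.0/8\n0.0.0.0/0\nnot-a-cidr\n1.2.3.4/16\n"

if __name__ == "__main__":
    setname = sys.argv[1] if len(sys.argv) > 1 else "china"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_ZONE
    nets, rejected = parse_zone(text)
    for lineno, entry, reason in rejected:
        print(f"line {lineno}: skipped {entry!r}: {reason}", file=sys.stderr)
    sys.stdout.write(ipset_restore_script(setname, nets))
```

Save it under any name and run `python3 zone2ipset.py china /etc/ipset/cn.zone | sudo ipset restore`; because the entries land in the staging set and `swap` replaces the live set in one step, there is no window in which the country is unblocked.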
Add the following to your iptables rules (in `iptables-save` format, inside the `*filter` table) to start dropping traffic. Note that both examples carry `-p tcp`, so only TCP from the listed networks is dropped; remove `-p tcp` to match every protocol.

Example of dropping one ipset hash:

```
-A INPUT -p tcp -m set --match-set china src -j DROP
```

LOG and DROP example:

```
# China
# 890 create logging chain DROP_CN (-N accepts no match options, so this note is a comment)
-N DROP_CN
-A INPUT -p tcp -m set --match-set china src -j DROP_CN -m comment --comment "891 Matched subnets for China are moved to chain DROP_CN"
# An unthrottled LOG rule can flood syslog during a scan; add "-m limit --limit 5/min" here if that matters
-A DROP_CN -j LOG --log-prefix "[iptables][dropped][china]: " --log-level 4 -m comment --comment "892 log traffic dropped from China"
-A DROP_CN -j DROP -m comment --comment "893 actually drop traffic from China"
```