{ # deny/log fragment to match ipsets maintained by emerging-threats: # https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt # # create ipsets # add ULOG and DROP entries # } # create et-* lists (-! suppressing errors) /usr/sbin/ipset -! create et-blacklist iphash --hashsize 26244 /usr/sbin/ipset -! create et-blacklistnet nethash --hashsize 3456 /usr/sbin/ipset -! create et-whitelist hash:net -exist # populate et-whitelist # this should use db variables and localnets... /usr/sbin/ipset add et-whitelist 192.168.200.0/24 -exist /usr/sbin/ipset add et-whitelist 0.0.0.0 -exist /usr/sbin/ipset add et-whitelist 127.0.0.1 -exist /usr/sbin/ipset add et-whitelist 127.0.0.2 -exist /usr/sbin/ipset add et-whitelist 69.46.36.28 -exist /usr/sbin/ipset add et-whitelist 204.178.115.101 -exist # delete all existing rules relating to et-blacklist and et-whitelist entries for r in $(iptables --line-numbers --list INPUT |grep "match-set.*et-" |cut -d\ -f1 |sort -r) do iptables -D INPUT $r done # create new chain /sbin/iptables --new-chain emerging-threats-blocklist # create new rules # et-whitelist /sbin/iptables --append emerging-threats-blocklist -m set --set et-whitelist src --jump RETURN # et-blacklists /sbin/iptables --append emerging-threats-blocklist -m set --match-set et-blacklistnet src,dst -j ULOG --ulog-nlgroup 1 --ulog-prefix "et-blacklistnet: " /sbin/iptables --append emerging-threats-blocklist -m set --match-set et-blacklistnet src,dst -j DROP /sbin/iptables --append emerging-threats-blocklist -m set --match-set et-blacklist src,dst -j ULOG --ulog-nlgroup 1 --ulog-prefix "et-blacklist: " /sbin/iptables --append emerging-threats-blocklist -m set --match-set et-blacklist src,dst -j DROP /sbin/iptables --append emerging-threats-blocklist -j RETURN # activate new rules /sbin/iptables --insert INPUT 1 -j emerging-threats-blocklist