Salut,
Pourquoi s'enquiquiner avec peerguardian, tu ne connais pas ipset :
http://ipset.netfilter.org/ipset.man.html
Il permet d'incorporer des listes énormes d'IP qui seront bloquées ou approuvées avec iptables, sans processus en plus, donc sans ressources supplémentaires.
Ipset incorpore les ip au format cidr, mais il est possible via pg2ipset :
https://github.com/ilikenwf/pg2ipset
d'incorporer des listes au format range comme les iblocklist utilisées par peerguardian.
Perso, j'utilise cette méthode pour un blocage GeoIP de la zone Asie ; les listes proviennent d'ipdeny.com (voir les URL dans le script ci-dessous) :
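#!/bin/bash
#
# Rebuilds the ipset sets "asie" (IPv4) and "asie6" (IPv6) from the ipdeny.com
# country zone files, saves them with ipset-persistent and re-runs the firewall.
# Launched from cron; every diagnostic goes to /var/log/ipset.log.
#
# Each set is rebuilt in a scratch set and swapped in atomically, so the live
# set is never empty while the lists download, and a failed download or a
# rejected list leaves the previous set in place.  Only these two sets are
# touched (the original flushed every set on the host).  The original also
# executed /etc/iptables/ipset directly; that file is the "ipset save" dump
# written by ipset-persistent, not a script, so that line is dropped.
#
# The zone files are fetched over plain HTTP and carry no signature: their
# content is only filtered syntactically below, so whatever the server (or
# anything on the path to it) returns ends up in the DROP set.
set -eu -o pipefail
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
exec 2>/var/log/ipset.log

# Country codes (ISO 3166-1 alpha-2) making up the blocked zone.
countries=(cn tw hk id in kh kp kr la mo my ph vn th mm ru)
# Download locations and local cache directories, v4 and v6.
base4=http://www.ipdeny.com/ipblocks/data/countries
base6=http://www.ipdeny.com/ipv6/ipaddresses/blocks
zones4=/var/log/tracker/zones
zones6=/var/log/tracker/zones6
# maxelem must exceed the total number of prefixes in the lists.
maxelem=131072
# Loose syntactic filters, one prefix per line; ipset does the real validation
# and the restore aborts (keeping the old set) on anything it rejects.
re4='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
re6='^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){2,7}(/[0-9]{1,3})?$'

die() { printf '%s\n' "$*" >&2; exit 1; }

# Scratch file holding the generated "ipset restore" script.
work=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$work"' EXIT

#######################################
# Print an "add SET PREFIX" restore line for every valid prefix in DIR/*.zone.
# Arguments: $1 - set name, $2 - directory holding the zone files, $3 - regex
# Outputs:   ipset restore commands on stdout
#######################################
emit_adds() {
  local setname=$1 dir=$2 re=$3 f net
  for f in "$dir"/*.zone; do
    [[ -e "$f" ]] || continue
    while IFS= read -r net || [[ -n "$net" ]]; do
      [[ "$net" =~ $re ]] || continue
      printf 'add %s %s\n' "$setname" "$net"
    done < "$f"
  done
}

#######################################
# Download the zone files of every country and rebuild one set from them.
# Globals:   countries, maxelem, work (read)
# Arguments: $1 - live set name, $2 - ipset family (inet|inet6),
#            $3 - cache directory, $4 - URL prefix, $5 - prefix regex
# Returns:   exits (set -e) if a download or an ipset command fails; the live
#            set is then left as it was
#######################################
refresh_set() {
  local name=$1 family=$2 dir=$3 base=$4 re=$5
  local scratch="${name}_new" cc

  # Make sure the live set exists so the iptables rules that reference it load.
  ipset -exist create "$name" hash:net family "$family" maxelem "$maxelem"

  # Drop the previous download; a leftover file would make wget write cc.zone.1.
  mkdir -p -- "$dir"
  rm -f -- "${dir:?}"/*.zone
  for cc in "${countries[@]}"; do
    wget -nv -P "$dir" "$base/$cc.zone" || die "download of $base/$cc.zone failed"
  done

  emit_adds "$scratch" "$dir" "$re" > "$work"
  [[ -s "$work" ]] || die "no prefix found in $dir, keeping the current $name set"

  # Build the new list aside (a scratch set left by an aborted run is reused
  # and emptied), then swap it in and drop the old content.
  ipset -exist create "$scratch" hash:net family "$family" maxelem "$maxelem"
  ipset flush "$scratch"
  ipset -exist restore < "$work"
  ipset swap "$scratch" "$name"
  ipset destroy "$scratch"
}

refresh_set asie inet "$zones4" "$base4" "$re4"
refresh_set asie6 inet6 "$zones6" "$base6" "$re6"
###########
service ipset-persistent save
firewall &   # the author's own firewall script, left running in the background
########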
ipset-persistent
Script inspiré de ce site :
https://github.com/BroHui/systemd-ipset-service
#!/bin/sh
### BEGIN INIT INFO
# Provides: ipset-persistent
# Required-Start: mountkernfs $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# X-Start-Before: $network iptables-persistent
# X-Stop-After: $network
# Short-Description: Set up ipset rules
# Description: Loads/saves current ipset rules from/to /etc/iptables
# to provide a persistent rule set during boot time
### END INIT INFO
. /lib/lsb/init-functions
# Path of the ipset binary; each action first checks it is executable.
IPSET=/sbin/ipset
# Exit status handed back to init; the *_rules functions set it to 1 on failure.
rc=0
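#######################################
# Restore the saved sets from /etc/iptables/ipset.
# Globals:   IPSET (read), rc (set to 1 on failure)
# Outputs:   LSB log messages
#######################################
load_rules()
{
  if [ ! -x "$IPSET" ]; then
    log_action_cont_msg " skipping ipset-persistent ($IPSET not exist)"
  else
    log_action_begin_msg "Loading ipset rules"
    if [ ! -f /etc/iptables/ipset ]; then
      log_action_cont_msg " skipping ipset-persistent (no rules to load )"
    else
      log_action_cont_msg " ipset"
      # destroy is best effort: sets already referenced by iptables rules
      # cannot be destroyed, so the restore below runs with -exist to
      # proceed over identical sets instead of failing on "set exists".
      "$IPSET" destroy 2>/dev/null
      # Restore errors are no longer hidden: rc=1 alone gave no hint why.
      if ! "$IPSET" -exist restore < /etc/iptables/ipset; then
        rc=1
      fi
    fi
  fi
  log_action_end_msg "$rc"
}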
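#######################################
# Dump the current sets to /etc/iptables/ipset.
# Globals:   IPSET (read), rc (set to 1 on failure)
# Outputs:   LSB log messages
#######################################
save_rules()
{
  if [ ! -x "$IPSET" ]; then
    log_action_cont_msg " $IPSET not exist"
  else
    log_action_begin_msg "Saving rules"
    log_action_cont_msg " ipset"
    # Dump into a temporary file and rename: "ipset save > file" truncates
    # the persistent rule set before knowing whether the dump succeeds.
    if tmp=$(mktemp /etc/iptables/ipset.XXXXXX) \
       && "$IPSET" save > "$tmp" \
       && mv -f -- "$tmp" /etc/iptables/ipset; then
      :
    else
      rc=1
      [ -n "$tmp" ] && rm -f -- "$tmp"
    fi
  fi
  log_action_end_msg "$rc"
}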
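#######################################
# Destroy every set.  Only reachable through the explicit "flush" action.
# Globals:   IPSET (read), rc (set to 1 on failure)
# Outputs:   LSB log messages
#######################################
flush_rules()
{
  if [ ! -x "$IPSET" ]; then
    log_action_cont_msg " $IPSET not exist"
  else
    log_action_begin_msg "Flushing rules"
    log_action_cont_msg " ipset"
    # destroy fails for sets still referenced by iptables rules; report it
    # instead of unconditionally claiming success.
    if ! "$IPSET" destroy; then
      rc=1
    fi
  fi
  log_action_end_msg "$rc"
}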
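# Dispatch on the init action.
case "$1" in
  start|restart|reload|force-reload)
    load_rules
    ;;
  save)
    save_rules
    ;;
  stop)
    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
    ;;
  flush)
    flush_rules
    ;;
  *)
    echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
    exit 1
    ;;
esac
# rc is set by the *_rules functions.  The original exited with "$c", a
# variable that is never defined, so the script reported success even when
# loading or saving the sets had failed.
exit "$rc"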
ipset.service:
[Unit]
Description=ipset persistent rule service
# The sets must exist before iptables rules that reference them (the
# --match-set rules below) are restored by netfilter-persistent.
Before=netfilter-persistent.service
# Nothing to restore until a save has produced this file.
ConditionFileNotEmpty=/etc/iptables/ipset
[Service]
Type=oneshot
RemainAfterExit=yes
# -exist: do not fail on sets that already exist with identical parameters.
ExecStart=/sbin/ipset -exist -file /etc/iptables/ipset restore
# NOTE(review): stop overwrites the saved file with the current kernel state,
# so a set emptied at runtime is persisted empty on shutdown — confirm wanted.
ExecStop=/sbin/ipset -file /etc/iptables/ipset save
[Install]
WantedBy=multi-user.target
Règles iptables:
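#####
# Log-and-drop chain for the geo-blocked ranges.  The v4 and v6 rule sets are
# identical apart from the binary and the names, so one helper builds both.
# Arguments: $1 - iptables binary, $2 - chain name, $3 - set name,
#            $4 - log prefix
geoip_block() {
  local ipt=$1 chain=$2 set=$3 prefix=$4
  # Append a rule only if an identical one is not already present (-C), so
  # re-running the firewall script does not stack duplicates.
  add_once() { "$ipt" -C "$@" 2>/dev/null || "$ipt" -A "$@"; }
  # Create the chain on first run, empty it on later runs.
  "$ipt" -N "$chain" 2>/dev/null || "$ipt" -F "$chain"
  # Rate-limit the LOG target: a geo-block sees a steady stream of hits and an
  # unbounded kernel log is a disk-filling / log-flooding risk.
  "$ipt" -A "$chain" -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "$prefix" --log-level info
  "$ipt" -A "$chain" -j DROP
  # Only TCP and UDP are matched, as in the original rules; other protocols
  # (ICMP, ...) from these ranges are not sent to the chain.
  add_once INPUT -p tcp -m set --match-set "$set" src -j "$chain"
  add_once INPUT -p udp -m set --match-set "$set" src -j "$chain"
}
geoip_block iptables LOG_BANNED_GEOIP asie '** BANNED GEOIP **'
####
geoip_block ip6tables LOG_BANNED_GEOIP6 asie6 '** BANNED GEOIP6 **'
#######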
Si ça peut t'inspirer...
A+++