[TOP TIP] firewalld and ipset (country blacklist)
Create the blacklist:
firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet --option=hashsize=4096 --option=maxelem=200000
* –permanent = use to make changes to the permanent configuration
–new-ipset = name of the new IP/net blacklist
–type = storage hash type, "net" is for subnets, while "ip" for individual ip addresses
–option=family = IPv4 or IPv6 network, inet is for IPv4
–option=hashsize = the initial hash size of the list
–option=maxelem = max number of elements
Download net blocks:
wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz tar -vxzf all-zones.tar.gz
Choose which countries you would like to block,
After block the above countries, SPAM and hacking attempts dropped to nearly zero. Pretty much anything else comes via a European or American proxy, but that is easy to mitigate, once I file an abuse report to their network provider, the proxy is usually shut down rather quickly. While orchestrated and methodical hacks won't be mitigated by a simple country block list, everything else will be blocked, especially spam.
Populate the blacklist:
firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=./cn.zone
The above command will load a country zone file to our blacklist. Make sure to change the path and filename to your chosen country zone file. You may also add individual IP addresses or net blocks by yourself, from the shell or by using a tool like fail2ban, with the following simple shell script (for example, save it as ~/bin/ban):
firewall-cmd --permanent --ipset=blacklist --add-entry=$1 firewall-cmd --ipset=blacklist --add-entry=$1
Run it like this:
Redirect the blacklist to the drop zone
firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist firewall-cmd --reload
So far, we have created a blacklist and populated it with IP addresses and net blocks, but it is not blocking anything. In order to use our blacklist, we set it as a firewall "source", this means that anything that matches our blacklist will be redirected to a specific zone. Thus, by redirecting the blacklist to the "drop" zone, we effectively block all connections that match our blacklist. Simple and effective. The reload command at the end is needed to bring our permanent changes to the live/running firewall.
You may expand the above into a monthly script, run as a cron job, which clears the blacklist and re-downloads the list with the latest zones.
This guild is excellent and I have used it a few times. I am wondering if there is a way to whitelist 1 IP from a block that might be in the drop zone?
Since iptables rules are read from top to bottom, it might be possible to accomplish this by inserting (with
ACCEPT rule for the IP you want to whitelist, to the top of your ruleset. For example:
sudo iptables -I INPUT -s 188.8.131.52 -j ACCEPT
@thebtm I found some instructions for you! The two below forum posts can walk you through the steps of how to accomplish whitelisting IP addresses with
While your solution might be a good one for newbies, it doesn't address IPv6 at all. The
allzones.tar.gz file from ipdeny.com only contains IPv4 addresses. If you have IPv6 turned on in your Linode (the default, btw), you've left open an Abrams tank sized hole in your strategy for stuff like this:
Also, suppose you wanted to block (IPv4) traffic from a specific entity's addresses…say from QuadraNet -- a Los Angeles, CA server company that has the worst reputation in the industry and run by an Israeli fugitive who can't return home…full of spammers, scammers, phishers and 'bots. To mitigate this situation using your solution you would have to block all the IP (v4) addresses in the USA. Call me crazy but, IMHO, your Linode wouldn't be very useful after that.
Similarly, what if your system is attacked using a bogon (see: https://ipgeolocation.io/resources/bogon.html )? Bogons have no geolocation. Again, you're wide open…unless you want to blacklist every country on the internet…and, even then, the attack using the bogon address/network wouldn't be stopped.
All that being said, you need to be more nuanced in how you form your blacklists…and you absolutely need to handle IPv6.