#!/bin/bash
# ip-to-ipset-script.sh
# Convert a list of IP addresses into a script that blocks them all through ipset and iptables.
# Version 20260201
#
# Copyright (C) 2025-2026 Michael McMahon
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# This script depends on these projects:
# ipset, iptables, bash, sed, echo, pwd, cd, mktemp, grep, sleep, date
# How do I use this script?
# 1. Place a list of IP addresses into the `ip-to-ipset-script.txt` file in
# the same directory as this script with one IP address on each line.
# 2. Run this command from the command line of a system that meets the
# dependencies.
# bash ip-to-ipset-script.sh
# 3. If successful, you will have a new file. Copy the file to the server that
# you want to block those addresses on. Replace
# `[email protected]:/root/ipset/` with the username, address, and
# directory that you want to place the files in.
# scp *-$(date +%Y%m%d).sh [email protected]:/root/ipset/
# 4. Login to the server.
# ssh [email protected]
# 5. Change to the directory where you store the files.
# cd ipset
# 6. Run the individual scripts like so.
# bash ddos-ipset-20260201.sh
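# Entries are validated before they are written into the generated script:
# blank lines and "#" comments are skipped, and anything that is not a plain
# IPv4 or IPv6 address is reported on stderr and dropped, so a stray line in
# the list file cannot place arbitrary shell syntax into the script that is
# later executed on the target server.
set -euo pipefail
#set -euxo pipefail # DEBUG

# Where is the file with the IP list?
readonly iplistfile="ip-to-ipset-script.txt"
# What is today?
today=$(date +%Y%m%d)
readonly today
# What should the names of the ipsets start with?
readonly name="ddos"
# Where does the generated script go? (same name the usage notes refer to)
readonly outfile="$name-ipset-$today.sh"

#######################################
# Print a message on stderr and exit with status 1.
# Arguments: $* - message text
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Succeed when the argument is a dotted-quad IPv4 address with every octet
# in 0-255. Nothing else (CIDR suffixes, ports, hostnames) is accepted.
# Arguments: $1 - candidate address
# Returns:   0 when valid, 1 otherwise
#######################################
is_ipv4() {
  local addr=$1 octet
  local -r re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'
  [[ "$addr" =~ $re ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    # 10# forces base 10 so octets with leading zeros are not read as octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Succeed when the argument looks like an IPv6 literal: only hex digits,
# ':' and '.' (for embedded IPv4), at least one ':', sane length. This is a
# character-class check that keeps shell metacharacters out of the generated
# script; ipset itself performs the strict parse when the script is run.
# Arguments: $1 - candidate address
# Returns:   0 when acceptable, 1 otherwise
#######################################
is_ipv6() {
  local addr=$1
  local -r re='^[0-9A-Fa-f:.]{2,45}$'
  [[ "$addr" =~ $re && "$addr" == *:* ]]
}

#######################################
# Turn the address list on stdin into "ipset -A" commands on stdout.
# Blank lines and lines starting with '#' are ignored. Lines that are not a
# plain IPv4 or IPv6 address are reported on stderr and not emitted.
# Arguments: $1 - name of the IPv4 set, $2 - name of the IPv6 set
# Outputs:   one "ipset -A <set> <addr>" line per accepted address
# Returns:   0 (rejected entries are only warned about, never fatal)
#######################################
emit_entries() {
  local set4=$1 set6=$2 line addr rejected=0
  # '|| [[ -n "$line" ]]' keeps a final line without a trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    # Tolerate CRLF files and surrounding whitespace.
    addr=${line%$'\r'}
    addr=${addr#"${addr%%[![:space:]]*}"}
    addr=${addr%"${addr##*[![:space:]]}"}
    if [[ -z "$addr" || "$addr" == \#* ]]; then
      continue
    fi
    if is_ipv4 "$addr"; then
      printf 'ipset -A %s %s\n' "$set4" "$addr"
    elif is_ipv6 "$addr"; then
      printf 'ipset -A %s %s\n' "$set6" "$addr"
    else
      printf 'Skipping invalid entry: %s\n' "$addr" >&2
      rejected=$((rejected + 1))
    fi
  done
  if (( rejected > 0 )); then
    printf '%d invalid entries were skipped\n' "$rejected" >&2
  fi
  return 0
}

#######################################
# Write the ipset/iptables script for today's list into $outfile.
# Globals:  iplistfile, name, today, outfile (read)
# Outputs:  progress messages on stdout; the generated script to $outfile
# Returns:  exits 1 when the list file cannot be read
#######################################
main() {
  [[ -r "$iplistfile" ]] || die "Cannot read IP list file: $iplistfile"
  printf '%s\n\n' "Building ipset script..."
  printf 'Building %s ipset script in %s/%s file...\n' "$name" "$PWD" "$outfile"
  {
    # Destroy ipsets.
    # Note: This does not work for existing ipsets in use. You would need to make
    # different ipsets and swap them in.
    #echo "ipset -X $name-4"
    #echo "ipset -X $name-6"
    # Create ipsets to block individual addresses.
    # The default around 60,000 entries is probably enough, but if you need more
    # use this syntax with maxelem:
    # ipset -N $name-4 hash:ip family inet maxelem 300000
    echo "ipset -N $name-4 hash:ip family inet"
    echo "ipset -N $name-6 hash:ip family inet6"
    # Create ipsets to block a CIDR range.
    #echo "ipset -N $name-4 hash:net family inet"
    #echo "ipset -N $name-6 hash:net family inet6"
    # Add IPs to ipset script (validated; see emit_entries).
    emit_entries "$name-4" "$name-6" < "$iplistfile"
    # Add the ipset to iptables
    echo "iptables -I INPUT 1 -m set --match-set $name-4 src -j DROP"
    echo "iptables -I FORWARD 1 -m set --match-set $name-4 src -j DROP"
    echo "ip6tables -I INPUT 1 -m set --match-set $name-6 src -j DROP"
    echo "ip6tables -I FORWARD 1 -m set --match-set $name-6 src -j DROP"
  } > "$outfile"
  # '>' rather than '>>': re-running on the same day would otherwise append a
  # second copy, and the duplicated "ipset -N" lines would make it fail.
}

main "$@"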