The following script will create an ipset list of selected countries' IP addresses. Create a file, /etc/cron.monthly/country_list, and in it put:

```bash
#!/bin/bash
# A list of the ISO country codes can be found at <URL not preserved in this copy>
# Countries are case insensitive for this script
ISO="at be ch cy cz de dk es fr gb gr ie it lu mt nl pt eu va sm mc je gg im"
MAXELEM="<value not preserved in this copy>"
LIST_URL="<download URL not preserved in this copy>"

# Destroy country-list-temp in case it exists and is populated
ipset destroy -q country-list-temp
ipset create country-list nethash maxelem $MAXELEM -exist
ipset create country-list-temp nethash maxelem $MAXELEM -exist

# Fetch the prefix list for the chosen countries and load it into the temporary set
curl -s -d country=1 --data-urlencode "country_list=$ISO" -d format_template=prefix "$LIST_URL" | grep -v '^#' | while read -r line
do
    ipset add country-list-temp "$line"
done

# The success test that guards the swap is not preserved in this copy; an empty
# temporary set is treated as a failed update here so the live set is left untouched.
if ! ipset list country-list-temp | grep -q '^[0-9]'; then
    echo 'Country List Update failed' | mail -s 'Country List Update failed' "<recipient not preserved in this copy>"
    exit 1
fi

# Swap the freshly built set into place, then save it so it can be restored at boot
ipset swap country-list country-list-temp
ipset save country-list > /usr/src/ipset_country-list.save
sed -i 's/create/create -exist/g' /usr/src/ipset_country-list.save
sed -i 's/add/add -exist/g' /usr/src/ipset_country-list.save
```

Note the firewall rules need to be personalised to your environment. Add them to a file /etc/clearos/firewall.d/20-ipset-blocks:

```bash
# Block country addresses (exempt permitted countries)
# note the > /dev/null 2>&1 is needed for some odd reason
ipset create country-list nethash -exist > /dev/null 2>&1
$IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p tcp -m multiport --dports 587,993 -j DROP
$IPTABLES -I INPUT -m conntrack --ctstate NEW -m set ! --match-set country-list src -p udp -m multiport --dports 1194 -j DROP
```

This example would restrict you to only be able to pick up e-mails and connect to OpenVPN from your chosen countries, as these ports are open further down the INPUT chain.

Installing ipset allows you to interact with ipsets in a kernel that supports ipsets. There are no kernels or modules installable via apt that support ipsets. If you download patch-o-matic-ng from the netfilter website, you can patch iptables, kernel and ipset. I have managed to build a kernel that supports ipsets. With this kernel it is possible to use the 'ipset' binary provided with the 'ipset' package to add/remove/alter ipsets. A patched iptables does not build the 'set' module, and I can't figure out how to make it do that. Without iptables supporting matching on sets, it is actually not possible to use an ipset:

    Iptables v1.3.6: Couldn't load match `set':/lib/iptables/libipt_set.so: cannot open shared object file: No such file or directory

It requires rebuilding iptables with sets support. As a result, it is basically impossible to make this 'ipset' package useful in ubuntu. I recommend adding a package that provides the kernel modules (ip_set_*) to universe, and altering iptables to support sets.

    In file included from /usr/src/modules/xtables-addons/compat_xtables.
    /usr/src/modules/xtables-addons/compat_xtnu.h:87: warning: 'struct xt_match_param' declared inside parameter list
    /usr/src/modules/xtables-addons/compat_xtnu.h:87: warning: its scope is only this definition or declaration, which is probably not what you want
    /usr/src/modules/xtables-addons/compat_xtnu.h:103: warning: 'struct xt_target_param' declared inside parameter list
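The monthly script above feeds whatever the download returns straight into `ipset add`, and because the firewall rules use `! --match-set`, an empty or garbage list would turn into a block on every source for those ports. The following is an added example, not code from the original how-to or from ClearOS, showing the two checks a practitioner would want before the swap: each line is validated as an IPv4 CIDR prefix, and a list with too few valid entries is rejected so the existing set stays in service. It writes an `ipset restore` file with `create -exist` / `add -exist` lines, which is what the `ipset save` plus `sed` steps of the original produce. The set name, the minimum-entry threshold, the sample feed and the use of `hash:net` (the current name for the page's `nethash` type) are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original page): build an "ipset restore" file from
# a downloaded prefix feed, keeping only well-formed IPv4 CIDRs and refusing to
# emit anything when the feed looks broken (e.g. an HTML error page came back).
# SET_NAME, MIN_ENTRIES and SAMPLE_FEED are assumptions for this example.

SET_NAME="country-list"
MIN_ENTRIES=2   # assumed threshold: reject feeds with fewer valid prefixes

# Constructed sample feed: a comment line, valid prefixes, an HTML fragment such
# as a failed download might return, and two malformed prefixes.
SAMPLE_FEED='# generated list
10.0.0.0/8
192.0.2.0/24
<html>Service unavailable</html>
198.51.100.0/25
999.1.1.1/24
203.0.113.0/33'

# Print only the input lines that are syntactically valid IPv4 CIDR prefixes:
# four octets in 0..255, a slash, and a prefix length in 0..32.
valid_prefixes() {
    grep -v '^#' | awk -F'[./]' '
        NF == 5 && $5 ~ /^[0-9]+$/ && $5 <= 32 {
            ok = 1
            for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (ok) print
        }'
}

# Write a restore file for the feed in $1 to the path in $2.
# Returns 1 (and writes nothing) if fewer than MIN_ENTRIES prefixes survive
# validation, so a broken download never replaces the live set.
build_restore_file() {
    feed="$1"
    out="$2"
    prefixes=$(printf '%s\n' "$feed" | valid_prefixes)
    count=$(printf '%s\n' "$prefixes" | grep -c '/' || true)
    if [ "$count" -lt "$MIN_ENTRIES" ]; then
        echo "feed has only $count valid prefixes, keeping the existing set" >&2
        return 1
    fi
    {
        echo "create $SET_NAME hash:net -exist"
        printf '%s\n' "$prefixes" | sed "s/^/add $SET_NAME /; s/$/ -exist/"
    } > "$out"
}

# Demonstration on the constructed feed. In production the first argument would
# be the curl output and the file would be applied with: ipset restore < "$out"
demo=$(mktemp)
build_restore_file "$SAMPLE_FEED" "$demo" && cat "$demo"
rm -f "$demo"
```

Because every line carries `-exist`, the same file can be replayed from a boot-time script without "set already exists" or "element already exists" errors, and the validation step means a feed that suddenly shrinks or returns an error page is noticed rather than silently applied.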