initialize a manual-blacklist set

2014-12-23 12:20:16 +00:00 · 2014-12-23 12:20:16 +00:00 · 2b119b9b22
commit 2b119b9b22
parent 751c0dc403
1 changed files with 12 additions and 2 deletions
--- a/blacklist.sh
+++ b/blacklist.sh
@ -38,8 +38,18 @@ if ! iptables -L FORWARD|grep -q ${blocklist_chain_name}; then
  iptables -I FORWARD 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
 fi                                                                 

+# flush the chain referencing blacklists, they will be restored in a second
 iptables -F ${blocklist_chain_name}

+# create the "manual" blacklist set
+set_name="manual-blacklist"
+if ! ipset list | grep -q "Name: ${set_name}"; then
+    ipset create "${set_name}" hash:net
+fi
+iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
+iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -j DROP
+                                                                      
+# now process the dynamic blacklists
 for url in $urls; do
    # initialize temp files
    unsorted_blocklist=$(mktemp)