How to Create a Blacklist for Shorewall


Most spam filters and modern firewalls use blacklists, lists of IP addresses and networks belonging to spammers and known-malicious hosts, to protect users from threats that have already been identified. On Linux, the Shorewall firewall is no exception: it provides a simpler front end to iptables (the Linux packet filter) for setting up and maintaining your own blacklist. The hard part is not the mechanics but deciding which addresses to block.

Manual Blacklist Creation

  • Open "/etc/shorewall/blacklist" and scroll down. It should look something like this (the two lines beginning with "#" are comments that Shorewall ignores; leave them in place):

    #ADDRESS/SUBNET PROTOCOL PORT
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
  • Input any addresses that you want blocked, one entry per line between the header and the last-line marker. (Public feeds such as the Spamhaus DROP list publish networks that are currently a threat.) The first column can be a host or network address (a single IP, a CIDR block or a range), a MAC address (prefixed with "~") or an ipset (prefixed with "+"); the PROTOCOL and PORT columns restrict the entry further, with "-" meaning "any". Ports only make sense for a protocol that has them, such as "tcp" or "udp". Two caveats: entries in this file are only checked on interfaces that carry the "blacklist" option in "/etc/shorewall/interfaces", and the BLACKLISTNEWONLY setting in "/etc/shorewall/shorewall.conf" decides whether only new connections or every packet is tested against the list. (Newer Shorewall releases replace this file with "/etc/shorewall/blrules", which uses a rules-style format.)

    For example, to block all incoming tcp traffic to ports 1 to 31 from any source, the entry would look like this ("-" in the address column means any address):

    #ADDRESS/SUBNET PROTOCOL PORT
    -              tcp      1:31
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

    A MAC address entry to block all traffic from that host, whatever the protocol or port:

    #ADDRESS/SUBNET     PROTOCOL PORT
    ~00-9A-8C-FF-03-AA  -        -
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

    MAC matching only works for hosts on a directly connected network segment: a packet that was routed to the firewall carries the MAC address of the last router, not of the original sender, so a MAC entry cannot block a remote attacker.
  • Write and close the file, then run "shorewall refresh" (or "shorewall restart") so the new entries are loaded. Editing this file is static blacklisting; Shorewall's dynamic blacklisting ("shorewall drop <address>" and "shorewall allow <address>") is a separate mechanism that takes effect immediately but does not read this file.

Automatic Blacklist Creation

  • Open a new file, such as "/etc/scripts/blacklistupdate.sh."

  • Put a script like the following (adapted from Mudy's Blog) in it:

    #!/bin/bash
    # Rebuild /etc/shorewall/blacklist from two public feeds. "set -e -o pipefail"
    # makes a failed download abort the script before it touches the live blacklist.
    set -e -o pipefail
    TMP=$(mktemp /tmp/blacklist.XXXXXX)
    trap 'rm -f "$TMP"' EXIT

    echo "#ADDRESS/SUBNET PROTOCOL PORT" > "$TMP"

    # DShield block list: tab-separated, the first field is the start of a /24 (x.y.z.0).
    wget -q -O - http://feeds.dshield.org/block.txt | awk '/^[0-9]+\.[0-9]+\.[0-9]+\.0\t/ { print $1 "/24" }' >> "$TMP"

    # Spamhaus DROP list: the first field is a CIDR netblock.
    wget -q -O - http://www.spamhaus.org/drop/drop.lasso | awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\// { print $1 }' >> "$TMP"

    echo "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE" >> "$TMP"

    mv "$TMP" /etc/shorewall/blacklist
    shorewall refresh >/dev/null 2>&1

    Note that this script replaces the whole blacklist on every run, so any entries you added by hand are lost the next time it runs; keep those somewhere else. Note also that both feeds are fetched over plain HTTP with no integrity check, so anyone who can tamper with the download decides which addresses your firewall drops (including addresses you rely on); use the feeds' HTTPS URLs where they are offered, and sanity-check the result before it goes live.

  • Write and close the new script, and make it executable and readable only by root ("chmod 700 /etc/scripts/blacklistupdate.sh"), since it rewrites firewall configuration.

  • Add the script to your cron jobs in "/etc/crontab." Entries there have five time fields (minute, hour, day of month, month, day of week), then the user, then the command, so to run the script at 3 a.m. every Sunday the line is "00 3 * * 0 root /etc/scripts/blacklistupdate.sh".

    Since the script ends with "shorewall refresh", no separate job is needed to reload the firewall.
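The following is an added example, not code from the article or from Mudy's Blog, and it serves both sections above: it keeps hand-written entries like those from the manual section in a separate file so the automatic rebuild does not wipe them, treats the feeds as untrusted input and validates every entry before it can reach the firewall configuration, refuses to install a list that is suspiciously short (a feed outage or a blocked download would otherwise silently empty the blacklist), and rolls back if "shorewall check" rejects the result. The file name /etc/shorewall/blacklist.local, the "--update" flag, the MIN_ENTRIES threshold and the sample feed lines are assumptions made for illustration; the feed URLs are the providers' HTTPS addresses.

```bash
#!/bin/bash
# Added example, not code from the article or from Mudy's Blog: rebuild the Shorewall
# blacklist from the same two feeds, but validate every feed entry, keep hand-written
# entries in a separate file, refuse a suspiciously short list, and roll back if Shorewall
# rejects the result. Assumed: the local file name, the feed URLs, the sample lines below.
set -u

BLACKLIST=/etc/shorewall/blacklist
LOCAL_ENTRIES=/etc/shorewall/blacklist.local   # assumed name: entries you maintain by hand
DSHIELD_URL=https://feeds.dshield.org/block.txt
SPAMHAUS_URL=https://www.spamhaus.org/drop/drop.txt
MIN_ENTRIES=50                                 # a shorter list usually means a feed outage

# Strict IPv4 CIDR check: exactly four octets 0-255 and a prefix 0-32, nothing else.
is_ipv4_cidr() {
  local ip prefix oldifs octet
  case $1 in *[!0-9./]*|'') return 1 ;; esac
  ip=${1%/*}; prefix=${1#*/}
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# DShield block.txt is tab-separated: column 1 starts a /24 (x.y.z.0), column 3 is 24.
dshield_to_cidr() {
  awk -F'\t' '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.0$/ && $3 == 24 { print $1 "/24" }'
}

# Spamhaus DROP lines look like "netblock ; SBLnnn"; comment lines start with ";".
spamhaus_to_cidr() {
  awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { print $1 }'
}

# Assemble the file: header, hand-written entries verbatim, validated and deduplicated
# feed entries read from stdin, then the footer Shorewall expects.
build_blacklist() {
  local localfile=$1 cidr
  echo "#ADDRESS/SUBNET PROTOCOL PORT"
  if [ -f "$localfile" ]; then grep -v -e '^#' -e '^$' "$localfile" || true; fi
  while IFS= read -r cidr; do
    is_ipv4_cidr "$cidr" && echo "$cidr"
  done | sort -u
  echo "#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE"
}

# Number of real entries (non-comment, non-blank lines) on stdin.
entry_count() { grep -c -v -e '^#' -e '^$'; }

# Swap the new list in only if Shorewall accepts it; otherwise restore the old one, so a
# broken or empty feed can never leave the firewall running without its blacklist.
install_blacklist() {
  local candidate=$1 n
  n=$(entry_count < "$candidate") || n=0
  if [ "$n" -lt "$MIN_ENTRIES" ]; then
    echo "refusing to install: only $n entries (feed outage?)" >&2
    return 1
  fi
  cp -p "$BLACKLIST" "$BLACKLIST.bak"
  cp "$candidate" "$BLACKLIST"
  if shorewall check >/dev/null 2>&1 && shorewall refresh >/dev/null 2>&1; then
    rm -f "$BLACKLIST.bak"; return 0
  fi
  mv "$BLACKLIST.bak" "$BLACKLIST"
  echo "shorewall rejected the new blacklist; previous list restored" >&2
  return 1
}

update_blacklist() {
  local tmp rc=1
  tmp=$(mktemp) || return 1
  { wget -q -O - "$DSHIELD_URL" | dshield_to_cidr
    wget -q -O - "$SPAMHAUS_URL" | spamhaus_to_cidr; } | build_blacklist "$LOCAL_ENTRIES" > "$tmp"
  if install_blacklist "$tmp"; then rc=0; fi
  rm -f "$tmp"; return "$rc"
}

# Constructed sample feeds in each provider's layout (not live data) for offline testing.
sample_dshield() {
  printf '# Start\tEnd\tNetblock\tAttacks\tName\tCountry\temail\n'
  printf '1.2.3.0\t1.2.3.255\t24\t1000\tExample Net\tXX\tabuse@example.net\n'
  printf '5.6.7.0\t5.6.7.255\t24\t900\tExample Two\tXX\tabuse@example.org\n'
  printf '999.1.1.0\t999.1.1.255\t24\t1\tBogus octet\tXX\tbogus@example.net\n'
}
sample_spamhaus() {
  printf '; Spamhaus DROP sample, constructed for this example\n'
  printf '1.10.16.0/20 ; SBL-EXAMPLE-1\n'
  printf '5.6.7.0/24 ; SBL-EXAMPLE-2 (also in the DShield sample, so deduplicated)\n'
  printf '300.1.2.0/16 ; SBL-EXAMPLE-3 (bad octet)\n'
  printf '10.0.0.0/40 ; SBL-EXAMPLE-4 (bad prefix)\n'
}
# Run the real update only when asked (from cron: blacklistupdate.sh --update).
case ${1-} in --update) update_blacklist ;; esac
```

Run it as "/etc/scripts/blacklistupdate.sh --update" from cron; without the flag it only defines the functions, so you can source it in a shell and run "sample_dshield | dshield_to_cidr" to see what each parser produces. The fixed entry threshold is a blunt tool; comparing the new count with the previous one and alerting on a large drop catches a partial feed failure as well.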
