filter-chain

module
v0.2.1
Published: Dec 26, 2022 License: Apache-2.0

README

Filter-Chain

Dynamic iptables filter chain
Use it when you need to block subnets belonging to certain countries in order to partially mitigate L7 DDoS, bots or port scans. RIPE is used as the subnet data source.
For these problems there are more powerful (and paid) services, and I recommend using them going forward.

Requirements

  • Any modern Linux distro with iptables and ipset support.

Installation

Use the Ansible role (deploy/filter-chain-role) to install iptables, ipset and filter-chain.

Configuration

Example config:

# default []
allowNetworkList:
  - "172.16.0.0/12"

# default []
countryAllowList:
  - "NL"
  - "US"

# default []
countryDenyList:
  - "CN"

# Refresh interval for updating data from RIPE
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
# default 12h
refreshInterval: 23h59m
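As an added example (not the project's own code), a small Go parser for the config above, in the YAML subset it uses, that validates each value before the chain would be built: CIDRs in allowNetworkList must parse, country codes must be two upper-case letters, refreshInterval must be a positive Go duration (the README's units are exactly those of time.ParseDuration, and the 12h default is applied), and unknown keys are rejected rather than silently ignored. The Config type and function names are assumptions, not the project's API.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

type Config struct {
	AllowNetworkList, CountryAllowList, CountryDenyList []string
	RefreshInterval                                     time.Duration
}
func isCountryCode(s string) bool { return len(s) == 2 && strings.Trim(s, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") == "" } // ISO 3166-1 alpha-2
// ParseConfig reads the YAML subset the example uses ("key:", "- item", "key: value", "#" comments) and validates as it goes.
func ParseConfig(text string) (Config, error) {
	cfg := Config{RefreshInterval: 12 * time.Hour} // documented default
	lists := map[string]*[]string{
		"allowNetworkList": &cfg.AllowNetworkList,
		"countryAllowList": &cfg.CountryAllowList,
		"countryDenyList":  &cfg.CountryDenyList,
	}
	key := "" // name of the list currently being filled
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || strings.HasPrefix(line, "#"): // blank or comment line
		case strings.HasPrefix(line, "- ") && lists[key] != nil:
			item := strings.Trim(line[2:], `" `)
			if _, _, err := net.ParseCIDR(item); key == "allowNetworkList" && err != nil {
				return cfg, fmt.Errorf("%s: %w", key, err)
			}
			if key != "allowNetworkList" && !isCountryCode(item) {
				return cfg, fmt.Errorf("%s: bad country code %q", key, item)
			}
			*lists[key] = append(*lists[key], item)
		case strings.HasPrefix(line, "refreshInterval:"):
			d, err := time.ParseDuration(strings.TrimSpace(strings.TrimPrefix(line, "refreshInterval:")))
			if err != nil || d <= 0 { // same units as the README lists: ns, us/µs, ms, s, m, h
				return cfg, fmt.Errorf("bad refreshInterval in %q", line)
			}
			cfg.RefreshInterval, key = d, ""
		default: // "name:" opens one of the lists; anything else is a typo or an unknown key
			if key = strings.TrimSuffix(line, ":"); lists[key] == nil {
				return cfg, fmt.Errorf("unknown key or stray line %q", line)
			}
		}
	}
	return cfg, nil
}
```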

You also need to add an iptables rule that jumps into the ipset-filter chain.
Minimal manual iptables configuration:

iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -N ipset-filter
iptables -I INPUT 2 -m conntrack --ctstate NEW -j ipset-filter
... # Any other rules
iptables -A INPUT -i eth0 -j DROP
# Then save rules
iptables-save > /etc/iptables/rules.v4

Note that it is recommended to save only an empty ipset-filter chain: rules that refer to ipsets which do not exist yet will not be applied at startup anyway.
filter-chain itself creates the ipsets at startup and then adds the rules to the chain.

TODO
  • Ansible role and install docs
  • Automatic creation of a jump rule

Directories

  • internal
  • pkg
  • log
