
Add ipset support #9

Open
mrash opened this issue Oct 20, 2013 · 5 comments
@mrash
Owner

mrash commented Oct 20, 2013

All auto-blocking operations in psad should support ipset on Linux systems.

@ghost ghost assigned mrash Oct 20, 2013
@doctaweeks

I've found on embedded platforms that a long chain in iptables can become a severe bottleneck (ksoftirqd will peg CPU). Using a hash ipset instead eliminates this bottleneck.

@nyov

nyov commented Sep 23, 2018

I suppose this does not exist yet?

@MPC-GH

MPC-GH commented Nov 4, 2021

You can achieve this with a bit of a rough hack, by using the EXTERNAL_BLOCK_SCRIPT in psad.conf:

EXTERNAL_BLOCK_SCRIPT /path/to/script/block_ip SRCIP;

And the block_ip script:

#!/bin/bash
#
# Called by PSAD when blocking an address
#
# Use to put a filter in place into an ipset

IP="$1"

# IPv6 addresses contain a colon; anything else is treated as IPv4
if [[ "$IP" =~ : ]]
then
    # -exist: do not fail if the address is already in the set
    /usr/sbin/ipset add PSAD_AUTO_BL6 "$IP" -exist
else
    /usr/sbin/ipset add PSAD_AUTO_BL4 "$IP" -exist
fi

And by creating the ipset rule in the usual way:

# ipset create PSAD_AUTO_BL4 hash:ip
# ipset create PSAD_AUTO_BL6 hash:ip family inet6

And inserting them into iptables/ip6tables:

iptables -A INPUT -m set --match-set PSAD_AUTO_BL4 src -j DROP
ip6tables -A INPUT -m set --match-set PSAD_AUTO_BL6 src -j DROP

Final note - PSAD doesn't call the ipt_block script for IP6 addresses yet, but if and when, the steps above should give some basic support.

Note that I also disabled PSAD inserting its normal chains with the following in psad.conf to avoid double-filtering by the ipset and the normal individual block rules.

IPTABLES_PREREQ_CHECK N;

Cheers,

Mark

@gnif

gnif commented Jun 11, 2023

It should be noted that an issue with this solution is that it won't remove IPs that should be auto unblocked after the timeout expires.

@MPC-GH

MPC-GH commented Jun 18, 2023

Hi Gnif,

Yes - that's correct. It was just a quick hack to migrate block rules into ipsets. There didn't appear to be an existing script hook for unblocking so I didn't do anything relating to that.

It was enough for my use case back in 2021 which was to mitigate CPU load on an ARM-based SBC which was starting to struggle with individual rules. I'd certainly recommend anyone using my script considers using a periodic clear-down of the accumulated ipset rules and some whitelisting of any critical address ranges.

Cheers,

Mark
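An added example (not MPC-GH's script and not part of psad) of the same EXTERNAL_BLOCK_SCRIPT hook reworked to cover the two gaps discussed above: entries are added with an ipset per-entry timeout so they expire without an unblock hook, and addresses in an allow-list set are skipped. The set names, the 3600-second default and the allow-list sets are assumptions; the blocklist sets must be created with `timeout` for the per-entry timeout to be accepted.

```shell
#!/bin/sh
# Block hook for psad's EXTERNAL_BLOCK_SCRIPT (psad passes the source IP as $1).
# Assumed one-time setup, run as root (set names are constructed for this example):
#   ipset create PSAD_AUTO_BL4 hash:ip timeout 3600
#   ipset create PSAD_AUTO_BL6 hash:ip family inet6 timeout 3600
#   ipset create PSAD_ALLOW4 hash:net
#   ipset create PSAD_ALLOW6 hash:net family inet6
#   iptables  -I INPUT -m set --match-set PSAD_AUTO_BL4 src -j DROP
#   ip6tables -I INPUT -m set --match-set PSAD_AUTO_BL6 src -j DROP

IPSET="${IPSET:-/usr/sbin/ipset}"        # overridable so the logic can be exercised without root
BLOCK_TIMEOUT="${BLOCK_TIMEOUT:-3600}"   # seconds an entry stays in the set; re-adding resets it

# Print 4 or 6 for a plausible address; fail for empty or odd input.
ip_family() {
    case "$1" in
        "" | *[!0-9a-fA-F:.]*) return 1 ;;   # reject anything outside address characters
        *:*) echo 6 ;;
        *.*.*.*) echo 4 ;;
        *) return 1 ;;
    esac
}

# Add $1 to the matching blocklist with a timeout unless it is allow-listed.
# Returns 0 when blocked, 2 when skipped because allow-listed, 1 on a bad address.
block_ip() {
    ip="$1"
    fam=$(ip_family "$ip") || return 1
    # Never block addresses covered by the allow-list set (e.g. management networks).
    if "$IPSET" test "PSAD_ALLOW$fam" "$ip" 2>/dev/null; then
        return 2
    fi
    # -exist: re-adding an address is not an error, it just refreshes its timeout.
    "$IPSET" add "PSAD_AUTO_BL$fam" "$ip" timeout "$BLOCK_TIMEOUT" -exist
}

if [ $# -gt 0 ]; then
    block_ip "$1"
fi
```

Entries also age out of the set by themselves, so a periodic clear-down is no longer needed for the common case; `ipset list PSAD_AUTO_BL4` shows each entry's remaining timeout.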
