I have read some answers here about blocking IP address ranges, and have already used iptables for this purpose before. It is suggested to use ipset in combination with iptables.
I have only installed ipset but have not configured it yet.
I found this site ip2location.com to generate a list of IPs to ban by country. I selected the 5 countries that target our sites regularly, but the list is huge, 256000 rows.
- Would this massive list slow down my server when using ipset? (Before attempting this using only iptables, I questioned whether such a large file might slow performance.)
- If that is the case, what is the way to do this? At the moment I use fail2ban, but I do not think the configuration for nginx is correctly set up (I assume regex). In any case, I need a more robust way.
- Finally, I do not claim to understand CIDR enough to make this list smaller (aggregate similar IP ranges if possible).
For instance, there are several /21 entries:
185.179.152.0/22
An online tool shows this resolves to: 185.179.152.0 to 185.179.155.255
I do not think there is any easy way to reduce the number of entries, so any advice regarding implementation and performance issues would be appreciated.
Best Answer
There is a command line utility named aggregate. It takes a list of CIDR netblocks and aggregates consecutive blocks into the corresponding larger block. It also removes redundant netblocks. For example:
Feed it a text file containing only your CIDR blocks and it will attempt to aggregate them, reducing the size of the list.
From the man page:
aggregate is packaged in most major Linux distributions, including Ubuntu. (Note that I pulled a list from that web site and tried to aggregate them and nothing happened, so they may already be aggregated. You can certainly use more than one ipset, which is probably the best thing to do here.)