[arm-allstar] Selective IP Blocking

David McGough kb4fxc at inttek.net
Sat Feb 17 01:13:12 EST 2024


Danny,

Geo-blocking is easy to implement using ipsets combined with iptables. I do
this now, dynamically blocking somewhere around 17 million IP addresses, on
a router running 10GbE, wire speed.

I've even got blocklists that I use on RPi devices, very effectively, for 
systems where I can't simply hide the ports being used.

As I said, this is overkill for most installations.

73, David K4FXC



On Fri, 16 Feb 2024, Danny K5CG via ARM-allstar wrote:

> >I wish geo IP blocking was a lot easier
> 
> Not so easy with iptables alone, but there is no reason you can't put a firewall on the front door that does. OPNsense, for example, is easy to set up.
> 
> 73 
> Danny, K5CG 
> HH 550-000-0609 
> SKCC 14257
> 
> ----- Original Message -----
> From: "ARM Allstar" <arm-allstar at hamvoip.org>
> To: "ARM Allstar" <arm-allstar at hamvoip.org>
> Cc: "Benjamin Naber" <silver at julesenigma.com>
> Sent: Friday, February 16, 2024 4:25:39 PM
> Subject: Re: [arm-allstar] Selective IP Blocking
> 
> Steve, the IP tables, while daunting at first, are actually the most effective
> and the most powerful way to protect your system at the network level.
> 
> Scammers, hackers and other nefarious actors who are trying to get into systems
> will find how your firewall works, and especially if there are software systems
> in place, and attempt to load it down.
> 
> IP tables that are set to drop all packets that are not on specific ports are
> the most effective. Not to mention it utilizes the least amount of
> resources.
> 
> For some high profile systems we lock down IP access to certain networks,
> such as home, office and cellular.
> 
> I wish geo IP blocking was a lot easier on iptables because a lot of
> scamming and hacking does come from China, Indonesia, Russia and other
> nefarious countries where allstarlink doesn't exist.
> 
> 
> On Wed, Feb 14, 2024, 06:09 Steve Piotrowski via ARM-allstar <
> arm-allstar at hamvoip.org> wrote:
> 
> > I'm following this as well, as we're having a similar issue with constant
> > bogus login attempts. I did try to enable the basic allstar firewall in the
> > allstar.env but the log then has this error:
> >
> > Feb 14 06:03:49 localhost systemd[1]: Started OpenSSH Daemon.
> > Feb 14 06:03:50 localhost rc.local[311]: /usr/local/etc/rc.allstar:
> > line 62: /etc/openvpn/firewall: No such file or directory
> >
> > which to me means something didn't work?
> >
> > iptables looks like an option, saw some guidance in the hamvoip wiki
> > after searching but some of it seems dated.
> > _______________________________________________
> >
> > ARM-allstar mailing list
> > ARM-allstar at hamvoip.org
> > http://lists.hamvoip.org/cgi-bin/mailman/listinfo/arm-allstar
> >
> > Visit the BBB and RPi2/3/4 web page - http://hamvoip.org
> >
> 
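The ipset-plus-iptables approach David describes, as an added example that is not part of the original thread or the HamVoIP project: it turns a CIDR list into an `ipset restore` script that fills a staging set and swaps it in atomically. The set name `geoblock`, the `maxelem` value, the file `blocklist.txt` and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The set name, maxelem value and sample CIDRs (RFC 5737
# documentation ranges) are constructed for illustration.

# Read CIDRs on stdin (one per line, '#' comments allowed) and write an
# `ipset restore` script on stdout. Invalid entries are reported on stderr
# and skipped, so one bad line cannot abort the whole load.
build_restore() {
    awk -v s="$1" '
    function valid(c,   p, o, i) {
        if (c !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) return 0
        split(c, p, "/")
        if (p[2] != "" && (p[2] < 1 || p[2] > 32)) return 0   # hash:net rejects /0
        split(p[1], o, ".")
        for (i = 1; i <= 4; i++) if (o[i] > 255) return 0
        return 1
    }
    BEGIN {
        # Live set (left alone if it already exists) plus a staging set.
        print "create " s " hash:net family inet maxelem 1048576 -exist"
        print "create " s "-new hash:net family inet maxelem 1048576 -exist"
        print "flush " s "-new"
    }
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
    $0 == "" { next }
    !valid($0) { print "skipping invalid entry: " $0 > "/dev/stderr"; next }
    { print "add " s "-new " $0 " -exist" }
    END {
        # swap is atomic, so the iptables rule never sees a half-loaded set.
        print "swap " s "-new " s
        print "destroy " s "-new"
    }'
}

# Constructed sample blocklist, including two entries that must be rejected.
sample_cidrs() {
    printf '%s\n' '# constructed sample' '192.0.2.0/24' '198.51.100.0/24  # note' \
        '' '203.0.113.7' '300.1.1.0/24' '10.0.0.0/33'
}

sample_cidrs | build_restore geoblock

# To load it and enforce it (as root, not run here; blocklist.txt is a
# hypothetical file of CIDRs for the regions to block):
#   build_restore geoblock < blocklist.txt | ipset restore
#   iptables -C INPUT -m set --match-set geoblock src -j DROP 2>/dev/null ||
#       iptables -I INPUT -m set --match-set geoblock src -j DROP
```

A single `-m set --match-set` rule costs one hash lookup per packet regardless of how many networks the set holds, which is why this scales where one iptables rule per network does not.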


