Blackip is a project that collects as many public IPv4 blacklists as possible (and, optionally, whole geographic zones via IPDeny) and loads them with ipset, the set-matching companion to iptables/Netfilter. Matching against a kernel hash set allows mass filtering (see Geolocation Filtering) at a processing speed far above other solutions (see the benchmark). Blackip can also be used as a Squid-Cache ACL (tested on v3.5.x).
ACL | Blacklisted IPs | txt size | tar.gz size |
---|---|---|---|
blackip.txt | 917104 | 13.0 MB | 3.0 MB |
Dependencies (install before use): git ipset iptables bash tar zip wget squid subversion python ulogd2
git clone --depth=1 https://github.com/maravento/blackip.git
The blackip.txt ACL is already optimized. Download it and unpack it in the path of your choice:
wget -q -N https://raw.githubusercontent.com/maravento/blackip/master/blackip.tar.gz && cat blackip.tar.gz* | tar xzf -
wget -q -N https://raw.githubusercontent.com/maravento/blackip/master/checksum.md5
[ "$(md5sum blackip.txt | awk '{print $1}')" = "$(awk '{print $1}' checksum.md5)" ] && echo "checksum OK" || echo "checksum MISMATCH"
The checksum is served from the same origin as the tarball, so this comparison only catches truncated or corrupted downloads; it is not an authenticity check.
The bipupdate.sh script rebuilds the blackip.txt ACL: it fetches the source lists, then deduplicates and cleans the IPs. It can generate conflicts, consumes a lot of CPU, memory and disk during processing, and can take a long time.
wget -q -N https://raw.githubusercontent.com/maravento/blackip/master/bipupdate/bipupdate.sh && sudo chmod +x bipupdate.sh && sudo ./bipupdate.sh
Successful execution ends with a line like:
Blackip: Done 06/05/2017 15:47:14
- Blackip is an IPv4 ACL. It does not include CIDR ranges.
- You must activate the rules in Squid-Cache before using bipupdate.sh.
- Run the update only on test machines set aside for this purpose, never on production servers.
- Blackip excludes RFC1918 private ranges (reserved IPs).
- Do not use Blackip in ipset and in Squid-Cache at the same time (double filtering).
- You can add your own blacklisted IPs/CIDR ranges to blackip.txt, but be aware of the conflicts this may cause.
For Squid-Cache, edit:
/etc/squid/squid.conf
and add the following lines under the marker comment. Squid evaluates http_access rules first-match, so the deny must come before the rules that allow your clients:
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
acl blackip dst "/path_to_acl/blackip.txt"
http_access deny blackip
Check the configuration with squid -k parse and apply it with squid -k reconfigure.
Edit your iptables script and add the following lines (the DROP rules do the blocking; the NFLOG targets hand a copy of each dropped packet to ulogd2, see below):
### IPSET BLACKZONE (select country to block and ip/range) ###
# http://www.ipdeny.com/ipblocks/
ipset=/sbin/ipset
iptables=/sbin/iptables
route=/path_to_acl_blackip/
zone=/path_to_acl_zones/zones
if [ ! -d "$zone" ]; then mkdir -p "$zone"; fi
# Create the set if it does not exist yet (-exist, short form -!), then empty
# only this set: a bare "ipset -F" would also flush every other set on the box.
# maxelem must stay above the entry count (917104 at the time of writing) or
# later adds fail with "Hash is full".
$ipset -exist create blackzone hash:net family inet maxelem 1000000
$ipset flush blackzone
# Uncomment this line if you want to block entire countries
#for ip in $(cat $zone/{cn,ru}.zone $route/blackip.txt); do
# Uncomment this line if you want to block only ips (recommended)
# Note: this forks ipset once per entry, which is slow for ~900k lines.
for ip in $(cat $route/blackip.txt); do
$ipset -A blackzone $ip
done
# Inbound: drop anything whose source is listed. mangle/PREROUTING runs before
# routing, so this covers both INPUT and FORWARD. Outbound through the gateway:
# drop forwarded traffic whose destination is listed. No --nflog-group is set,
# so NFLOG uses group 0.
$iptables -t mangle -A PREROUTING -m set --match-set blackzone src -j NFLOG --nflog-prefix 'Blackzone Block'
$iptables -t mangle -A PREROUTING -m set --match-set blackzone src -j DROP
$iptables -A FORWARD -m set --match-set blackzone dst -j NFLOG --nflog-prefix 'Blackzone Block'
$iptables -A FORWARD -m set --match-set blackzone dst -j DROP
You can block entire country ranges (e.g. China, Russia, etc.) with IPDeny by adding the countries to the line below; the per-country .zone files from http://www.ipdeny.com/ipblocks/ must already be present in $zone:
for ip in $(cat $zone/{cn,ru}.zone $route/blackip.txt); do
In case of error or conflict, execute:
sudo ipset flush blackzone # (or: sudo ipset flush, which empties every set on the host)
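The script above forks ipset once per entry, which is slow for a 900k-line list, and because it flushes the set before refilling it there is a window in which the DROP rules match nothing. The following is an added example, not code from the Blackip project: it converts the list into an `ipset restore` batch, builds it in a scratch set and swaps that set into place in one step. It assumes the live set is called blackzone, that a scratch set blackzone_tmp is free to use, and that it runs as root; the filter function also drops malformed lines and RFC1918/loopback addresses (going slightly beyond the list's own RFC1918 exclusion) so that a stray line can neither abort the restore nor block your own LAN.

```shell
#!/bin/sh
# Added example (not part of the Blackip project): load blackip.txt into an
# ipset with "ipset restore" and swap it into place atomically.
# Assumptions (not from the page): live set "blackzone", scratch set
# "blackzone_tmp", script runs as root.
set -eu

# Turn a Blackip-style list (one IPv4 address or CIDR per line) into
# "add <set> <entry>" lines for "ipset restore". Comments, blank lines,
# malformed entries and RFC1918/loopback addresses are dropped. Reads stdin.
blackip_to_restore() {
    awk -v set="$1" '
    function is_private(o) {
        if (o[1] + 0 == 10 || o[1] + 0 == 127) return 1
        if (o[1] + 0 == 172 && o[2] + 0 >= 16 && o[2] + 0 <= 31) return 1
        if (o[1] + 0 == 192 && o[2] + 0 == 168) return 1
        return 0
    }
    {
        sub(/#.*/, "")              # strip trailing comments
        gsub(/[ \t\r]/, "")         # strip whitespace and CRLF
        if ($0 == "") next
        n = split($0, parts, "/")
        if (n > 2) next
        if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) next
        if (split(parts[1], o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        if (is_private(o)) next
        print "add " set " " $0
    }'
}

# Build the new contents in a scratch set, then swap it in, so the DROP rules
# keep matching the old entries until the new list is completely loaded.
# maxelem must stay above the entry count or adds fail with "Hash is full".
# Prints the number of entries in the live set afterwards.
blackip_load() {
    set_name="$1"; file="$2"; tmp="${set_name}_tmp"
    ipset -exist create "$tmp" hash:net family inet maxelem 1000000
    ipset flush "$tmp"
    blackip_to_restore "$tmp" < "$file" | ipset -exist restore
    ipset -exist create "$set_name" hash:net family inet maxelem 1000000
    ipset swap "$tmp" "$set_name"
    ipset destroy "$tmp"
    ipset list "$set_name" -terse | awk '/Number of entries/ { print $4 }'
}

# Usage (as root): blackip_load blackzone /path_to_acl_blackip/blackip.txt
```

Because `ipset swap` exchanges the contents of two sets of the same type in a single operation, the iptables rules that reference blackzone never see an empty set; the old contents end up in the scratch set, which is then destroyed.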
NFLOG output is collected by ulogd2. With the default ulogd.conf stack (NFLOG group 0, which is the group the rules above use, written out by the LOGEMU plugin) each matched packet is logged in kernel LOG format, i.e. the prefix followed by IN=, OUT=, SRC=, DST=, PROTO=, DPT= fields, to /var/log/ulog/syslogemu.log. To set it up (as root):
apt -y install ulogd2
chown root:root /var/log
if [ ! -f /var/log/ulog/syslogemu.log ]; then mkdir -p /var/log/ulog && touch /var/log/ulog/syslogemu.log; fi
usermod -a -G ulog $USER   # $USER must be the account that will read the log; under sudo it expands to root
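To see what the NFLOG rules are actually catching, the following added example (not part of the Blackip project) tallies the 'Blackzone Block' hits per source, destination and destination port from syslogemu.log. It assumes ulogd2's LOGEMU output, so each line follows the kernel LOG target layout; the lines produced by sample_nflog are constructed for the demo and are not real log data.

```shell
#!/bin/sh
# Added example (not part of the Blackip project): summarise NFLOG hits
# written by ulogd2's LOGEMU plugin for a given iptables --nflog-prefix.
# Assumption: lines mimic the kernel LOG target format
# ("<prefix> IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=...").
set -eu

# Print "hits src dst dpt" for every line carrying the given log prefix,
# most frequent first. Reads the log on stdin.
blackzone_top() {
    awk -v prefix="$1" '
    index($0, prefix " IN=") == 0 { next }     # other prefixes / unrelated lines
    {
        src = ""; dst = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") hits[src " " dst " " dpt]++
    }
    END { for (k in hits) print hits[k], k }' | sort -rn
}

# Constructed sample lines (not real log data) in syslogemu.log format:
# two SSH probes from one listed source, one DNS packet from another, and
# one line from a different rule prefix that must be ignored.
sample_nflog() {
    printf '%s\n' \
    'Jun  5 15:47:14 fw Blackzone Block IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=00 PREC=00 TTL=49 ID=0 DF PROTO=TCP SPT=51234 DPT=22 SEQ=0 ACK=0 WINDOW=65535 SYN URGP=0' \
    'Jun  5 15:47:15 fw Blackzone Block IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=00 PREC=00 TTL=49 ID=0 DF PROTO=TCP SPT=51235 DPT=22 SEQ=0 ACK=0 WINDOW=65535 SYN URGP=0' \
    'Jun  5 15:47:16 fw Blackzone Block IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=78 TOS=00 PREC=00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=58' \
    'Jun  5 15:47:17 fw Other Rule IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.1 DST=198.51.100.2 LEN=60 TOS=00 PREC=00 TTL=60 ID=0 DF PROTO=TCP SPT=40000 DPT=80 SEQ=0 ACK=0 WINDOW=65535 SYN URGP=0'
}

# Demo on the constructed data. For real traffic:
#   blackzone_top 'Blackzone Block' < /var/log/ulog/syslogemu.log
sample_nflog | blackzone_top 'Blackzone Block'
```

Keying on the exact prefix followed by " IN=" keeps hits from other rules that share the same ulogd2 stack out of the count; a source that appears near the top with many distinct destination ports is a scan, one with many hits on a single port is a repeated login or exploit attempt.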
Blacklists used as sources:
- Ultimate Hosts IPs Blacklist (mirror)
- Blocklist and Blocklist Export (replaced by Ultimate Hosts IPs Blacklist)
- FireHOL Level 1 (excluded for containing CIDR)
- StopForumSpam Toxic CIDR (excluded for containing CIDR)
- OpenBL (server down since Aug 2017)
We thank all those who have contributed to this project. Anyone interested can contribute by sending us links to new blacklists to be included in this project.
Special thanks to: Jhonatan Sneider
BTC: 3M84UKpz8AwwPADiYGQjT9spPKCvbqm4Bc
maravento.com is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
© 2019 Maravento Studio
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.