
Setting a massive list of blocking rules from an IP list, or a better way to do things?


OK, so something almost similar has been asked before, but with slight differences.

I have a homelab server I bought to learn on, and it's ended up running a few services. One of those is a media server, and since I want it open, AND since the Reddit opendirectories group stumbled on my IP and shouted it to the world, I started having huge traffic from places like India and Africa, who were directing their own sites to my media library to generate traffic and money for themselves. I was a bit nonplussed by this, so with the help of a friend I got ufw on and started blocking offenders like whack-a-mole at first, then by larger ranges. In the end I found one of those websites where you click the countries you don't want and it makes a list of IPs/subnets, which I then tried

while read line; do ufw deny from "$line" to any; done < lowtrust.txt

to build into ufw rules. This started fast, with many per second, but soon slowed to a rule every ten seconds. Then I had a power outage for a day and lost my place after ten days of chugging away. I tried again using

awk '/^[^#]/ { print $1 }' lowtrust.txt | sudo xargs -I {} ufw deny from {} to any

with similar problems. There are 110,000 lines in the list! And building a list to allow rather than deny is not much different.

From what I have read, this is far from optimal and will incur speed penalties.

So, short of buying a hardware firewall (and then going through all this again to find out how to get a list of 110k rules onto a box that probably wants me to type them into a web interface one by one)... what should I do?

This is just for port 80, by the way; other services I don't mind anyone using, I just want to stop people maxing me out 24/7 by repeatedly downloading 50 TB of files every month. I don't want to make people sign up and log in; that's against my principles for the site, and it would only encourage brute-forcers and vandals. Like I said, I'm learning, so this old box is not very secure at all.

One other thing, and I'm not sure of the relevance, but can I stop people getting to my server using the IP? Most bad traffic comes that way rather than via my URL/webpage frontend. Is this something I would do from my server, my router, or my domain provider (Namecheap)?

Edit: yes, I know about VPNs and Cloudflare, but it's important to me that I don't rely on external services.

Will ipset do what I'm asking?

A.B
Have a look there: https://manpages.debian.org/xtables-addons-common/xtables-addons.8#geoip
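To answer the "will ipset do what I'm asking?" part of the question: yes. Every `ufw deny` invocation rewrites and reloads ufw's rules file, so each added rule costs more than the last, and the kernel then walks the resulting chain of 110k rules linearly for every packet. An ipset `hash:net` set holds the whole list in one kernel object that is matched by hashing, so a single iptables rule on port 80 replaces all of them. The script below is an added example, not the asker's code and not from A.B's geoip link (which achieves the same thing from a country database instead of a downloaded list). It assumes a list file with one IPv4 address or CIDR per line and optional `#` comments, a set named `lowtrust`, and that `ipset` and `iptables` are installed; applying it needs root. The sample list it writes is constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not the asker's code): replace ~110k individual ufw rules with
# one ipset plus a single iptables match on port 80.
# Assumptions (this example's choices): the list is one IPv4 address or CIDR per
# line with optional '#' comments, the set is called "lowtrust", and ipset(8)
# and iptables(8) are installed. Applying requires root.
set -eu

SET_NAME="${SET_NAME:-lowtrust}"

# Normalise the raw list: drop comment lines, strip trailing comments, keep the
# first field, keep only IPv4 addresses/CIDRs (family inet set), dedupe.
clean_list() {
    awk '/^[[:space:]]*#/ { next }
         { sub(/#.*/, ""); if (NF) print $1 }' "$1" |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' |
    sort -u
}

# Emit an "ipset restore" script. hash:net holds CIDRs of mixed prefix length
# and matches in roughly constant time whatever the entry count. maxelem is
# fixed and must exceed the list size (the default 65536 is too small for 110k);
# keeping it fixed lets "create" succeed again with -exist on later reloads.
# Loading into a temp set and swapping makes a reload atomic: traffic never
# sees a half-filled set.
build_restore() {
    local set="$1" file="$2" tmp="${1}_tmp"
    printf 'create %s hash:net family inet hashsize 65536 maxelem 1000000\n' "$set"
    printf 'create %s hash:net family inet hashsize 65536 maxelem 1000000\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    clean_list "$file" | sed "s/^/add $tmp /"
    printf 'swap %s %s\n' "$tmp" "$set"
    printf 'destroy %s\n' "$tmp"
}

# Load the set and add ONE iptables rule for port 80 (only if not already there).
apply_blocklist() {
    build_restore "$SET_NAME" "$1" | ipset -exist restore
    # -C only checks for the rule; -I inserts it at the top of INPUT
    iptables -C INPUT -p tcp --dport 80 -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -p tcp --dport 80 -m set --match-set "$SET_NAME" src -j DROP
}

# Constructed sample list (documentation ranges, not a real low-trust list),
# written to a temp file so clean_list/build_restore can be exercised without root.
write_sample_list() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, NOT a real country list
10.0.0.0/8        # comment after an entry
192.0.2.0/24
198.51.100.0/24 extra columns are ignored
192.0.2.0/24
not-an-ip
203.0.113.7
2001:db8::/32
EOF
    printf '%s\n' "$f"
}

# Usage: sudo ./blocklist.sh apply lowtrust.txt   (re-run to reload an updated list)
if [ "${1:-}" = "apply" ]; then
    apply_blocklist "${2:-lowtrust.txt}"
fi
```

Two caveats for a ufw box. A rule inserted straight into INPUT is flushed by `ufw reload` and at reboot; the persistent equivalent is a line such as `-A ufw-before-input -p tcp --dport 80 -m set --match-set lowtrust src -j DROP` in /etc/ufw/before.rules, and the set must be restored before ufw loads its rules, because iptables refuses a rule that references a set which does not exist yet. And because the set is `family inet`, IPv6 entries in the list are dropped by `clean_list`; covering them takes a second `family inet6` set and an ip6tables rule.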
