-
Notifications
You must be signed in to change notification settings - Fork 180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Whitelisting IP address #72
base: master
Are you sure you want to change the base?
Conversation
When e.g. blocklist.de has blacklisted an IP, it is not a good idea to disregard that locally. |
Use-case:
Some of the servers expect incoming SQL connexions from OVH, other do a
file_get_contents(), ...
Non-dedicated OVH machines may very well be used by spammers and get blacklisted.
Still I want my service to work.
My whitelist is already set in ufw/iptables.
But since ipset-blacklist/ipset usually comes *BEFORE* in the rule set,
I need these IP to be whitelisted in ipset-blacklist too (as are 127.0.0.1, ...)
OVH has already been blacklist by several blacklists many times, I
sometimes even requested the unban myself with CC: to OVH.
But each time my service may stop running many hours and the
only solution is either a manual unban or disabling ipset which a worst
than whitelisting.
IMHO, whitelisting is a must-have and only affect users who chose to use it.
|
@drzraf I get the need for whitelisting but your proposal won't work in most cases. For example if your public IP address you want to whitelist is 1.2.3.4 and a blacklist submits 1.2.2.0/23, your IP address will still be blacklisted. This can't be regex matched. We would have to calculate CIDR ranges or deaggregate every IP range in order to make this work - which is a rather long and CPU intense operation. |
Right, CIDR make things complex but:
1) whitelisting for simple case could already work and be useful right now
2) For IP ranges software exists (eg: https://github.com/firehol/iprange),
Python modules too. But none of them fit a bash script intended to
stay simple.
Thus we are restricted to either:
Doing it in an imperfect way
*OR* use a suitable language (python-whatever-...) providing modules IP-calc tasks
*OR* increase bash script complexity
*OR* not implementing it (the worst solution)
|
Since iprange has been merge, I think whitelisting can now be reconsidered. |
Hi @drzraf & @trick77 . I'm using it and I needed to implement a white-list and I patched the master branch using the commits of @drzraf and it works pretty well. Unfortunately from time to time I bump in some cases that @trick77 have figured out, when I have an IP that I need to whitelist but it's a part of a blacklisted CIDR. Do you guys figured out a way to deaggregate the IP and then rebuild the larger CIDR into small ones without the IP that we want to whitelist? |
The issue of expanding/collapsing CIDR is a pandora box. |
Hello. I use your script and I have the following two problems. First of all, how can I add apiv6 besides ipv4? When I go to crontab to do this process it sends me this error And the process is not complete. But if I go to the folder and run it manually it works fine. |
Could it be reconsidered? |
In the hope to finally close #16, #38 and #69