-
-
Save mkorthof/3033ff64c4a5b4bd31336d422104d543 to your computer and use it in GitHub Desktop.
you need to install ipset first
also iptables could not create a new chain "LOGIPS" or append rule to INPUT chain
you could test and try manually with /sbin/iptables -N LOGIPS
if that does work try running the script with bash -x ipset-country to see where it fails
Hi,
The block for multiple countries doesn't work, is the example correct? If I put 6 countries, for example, it blocks only the first and the last one.
Use semicolon as seperator between entries
Excellent little script!
Would be great if you could also make it work with IPv6 and ip6tables.
Would be great if you could also make it work with IPv6 and ip6tables.
@HHawk Thanks, ipv6 should also work now
Wow....! Excellent work!!
Will give it a spin tomorrow. Just wanted to show my appreciation. ;-)
Thanks once again.
Finally had the change to fool around a bit more with the updated script.
I have a question. Is there a way to test to see if an IP is really blocked?
I am using, amongst others, RU,Russia on my block set. I actually found a Russian testing IP: 217.199.208.101
I checked /var/log/ipset-country.log on the Russian setting with: cat /var/log/ipset-country.log | grep 'russia'
2019-07-03 11:13:56 ipset: create set "ip-russia" - OK
2019-07-03 11:14:08 ipset: add "ip-ru-aggregated.zone" to "ip-russia" - NOK - 0 entries
2019-07-03 11:14:08 ipset: create set "ip6-russia" - OK
2019-07-03 11:14:12 ipset: add "ip6-ru.zone" to "ip6-russia" - OK - 2203 entries
2019-07-03 11:20:52 ipset: create set "ip-russia" - OK
2019-07-03 11:21:04 ipset: add "ip-ru-aggregated.zone" to "ip-russia" - NOK - 0 entries
2019-07-03 11:21:04 ipset: create set "ip6-russia" - OK
2019-07-03 11:21:08 ipset: add "ip6-ru.zone" to "ip6-russia" - OK - 2203 entries
So that's good.
Next I wanted to see if it's the Russian test IP is indeed blocked by using the command: sudo ipset test ip-russia 217.199.208.101
The output is strange:
ipset v6.11: Syntax error: cannot resolve '217.199.208.101' to an IPv6 address: Address family for hostname not supported
Syntax error: cannot parse 217.199.208.101: resolving to IPv6 address failed
For some reason it thinks it's an IPv6 address, though it's an IPv4 address? Strange. Maybe I am doing something wrong here?
...and how can I really test an IP to see if it's blocked. Or is there a different way?
Oh I also checked the iptables setting, which showed the following (with iptables -L):
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOGIPS tcp -- anywhere anywhere match-set ip-china src
LOGIPS tcp -- anywhere anywhere match-set ip-vietnam src
LOGIPS tcp -- anywhere anywhere match-set ip-iran src
LOGIPS tcp -- anywhere anywhere match-set ip-russia src
f2b-SSH tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain LOGIPS (4 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level info prefix `IPS REJECT: '
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain f2b-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Not sure if that is useful, but trying to supply as much information as I can obviously.
Thanks in advance.
2019-07-03 11:21:04 ipset: add "ip-ru-aggregated.zone" to "ip-russia" - NOK - 0 entries
that looks wrong
ipset v6.11: Syntax error: cannot resolve '217.199.208.101' to an IPv6 address: Address family for hostname not supported Syntax error: cannot parse 217.199.208.101: resolving to IPv6 address failed
Check ipset -t list, it should list ip-russia and ip6-russia.
Try flushing or even destroying your old set(s)
Looks also you're on an old version of ipset, maybe you are running RH/Centos...
Seems specifically specifying 'family' on 'ipset create' could be a possible fix:
'inet' is default, and for ipv6: ipset create test hash:ip family inet6
For some reason it thinks it's an IPv6 address, though it's an IPv4 address? Strange. Maybe I am doing something wrong here?
Yeah that certainly looks like it... the 'Type' in 'list' above should be 'hash:net' for both sets.
And of course ipset list should have ipv4/6 matching addresses for russia-ip/ip6 list.
...and how can I really test an IP to see if it's blocked. Or is there a different way?
iptables/ip6tables logs matches to LOGIPS chain
Hi mkorthof,
First off; sorry for the (very) late reply. I have been feeling ill and with the heat of the last few days. Anyways, it's getting better. So sorry for not responding (I hate it when that happens).
Anyways, I decided to setup a new server. With the following versions (higher is not possible for me at the moment):
iptables v1.4.21
ip6tables v1.4.21
ipset v6.38, protocol version: 6
So I downloaded your script (latest version) and I only added a new country:
country="CN,China;RU,Russia"
When I run your script (ipset-country) I get the following message:
iptables v1.4.21: The protocol family of set ip-russia is IPv6, which is not applicable.
Try `iptables -h' or 'iptables --help' for more information.
Seems weird to me though as it should be using ip6tables for that, but then again in the log (/var/log/ipset-country.log) it shows the following:
2019-07-25 20:01:29 ipset: create set "ip-china" - OK
2019-07-25 20:01:30 zonefile: get "ip-cn-aggregated.zone" - OK
2019-07-25 20:01:36 ipset: add "ip-cn-aggregated.zone" to "ip-china" - OK - 5178 entries
2019-07-25 20:01:36 iptables: found - OK
2019-07-25 20:01:36 iptables: restore - OK
2019-07-25 20:01:36 iptables: create log chain - OK
2019-07-25 20:01:36 iptables: append log rule - OK, append reject rule - OK
2019-07-25 20:01:36 iptables: insert ipset rule - OK
2019-07-25 20:01:36 ipset: create set "ip6-china" - OK
2019-07-25 20:01:36 zonefile: get "ip6-cn.zone" - OK
2019-07-25 20:01:38 ipset: add "ip6-cn.zone" to "ip6-china" - OK - 1746 entries
2019-07-25 20:01:38 ip6tables: found - OK
2019-07-25 20:01:38 ip6tables: restore - OK
2019-07-25 20:01:38 ip6tables: create log chain - OK
2019-07-25 20:01:38 ip6tables: append log rule - OK, append reject rule - OK
2019-07-25 20:01:38 ip6tables: insert ipset rule - OK
2019-07-25 20:01:38 ipset: create set "ip-russia" - OK
2019-07-25 20:01:39 zonefile: get "ip-ru-aggregated.zone" - OK
2019-07-25 20:01:48 ipset: add "ip-ru-aggregated.zone" to "ip-russia" - NOK - 0 entries
2019-07-25 20:01:48 iptables: found - OK
2019-07-25 20:01:48 iptables: restore - OK
2019-07-25 20:01:48 iptables: create log chain - OK
2019-07-25 20:01:48 iptables: append log rule - OK, append reject rule - OK
2019-07-25 20:01:48 iptables: insert ipset rule - NOK
2019-07-25 20:01:48 ipset: create set "ip6-russia" - OK
2019-07-25 20:01:49 zonefile: get "ip6-ru.zone" - OK
2019-07-25 20:01:51 ipset: add "ip6-ru.zone" to "ip6-russia" - OK - 2252 entries
2019-07-25 20:01:51 ip6tables: found - OK
2019-07-25 20:01:51 ip6tables: restore - OK
2019-07-25 20:01:51 ip6tables: create log chain - OK
2019-07-25 20:01:51 ip6tables: append log rule - OK, append reject rule - OK
2019-07-25 20:01:51 ip6tables: insert ipset rule - OK
So it seems it's added correctly?
Given your previous answer I also used the command you provided: ipset -t list
The output is:
Name: ip-china
Type: hash:net
Revision: 6
Header: family inet hashsize 2048 maxelem 65536
Size in memory: 12472
References: 0
Number of entries: 5178Name: ip6-china
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 97928
References: 0
Number of entries: 1746Name: ip-russia
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 1160
References: 0
Number of entries: 0Name: ip6-russia
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 110136
References: 1
Number of entries: 2252
So other than the "error"-message everything seems fine?
Yes, I am running on CentOS 7 (actually OpenVZ 7, but almost the same thing).
Regards
Hi,
iptables v1.4.21: The protocol family of set ip-russia is IPv6, which is not applicable.
Try `iptables -h' or 'iptables --help' for more information.
Think there was an incorrectly set variable that caused that (uses ipv6 instead of 4)
2019-07-25 20:01:48 ipset: add "ip-ru-aggregated.zone" to "ip-russia" - NOK - 0 entries
See? 0 entries. Same error
I've pushed a new version that should fix it.
Hi Marius,
Thank you for response. :-)
I tried the new version, but I am still getting errors, however I think it's a typo:
./ipset-country
./ipset-country: line 149: /sbin/ip}tables-restore: No such file or directory
./ipset-country: line 149: /sbin/ip6}tables-restore: No such file or directory
ip6tables v1.4.21: unknown reject type "icmp-port-unreachable"
Try `ip6tables -h' or 'ip6tables --help' for more information.
It's missing a "{" in there right? I changed it to have a { on those two locatations and re-run the script.
So I changed:
iptres="/sbin/$ipt}tables-restore"
to:
iptres="/sbin/${ipt}tables-restore"
And this is the result:
./ipset-country
ip6tables v1.4.21: unknown reject type "icmp-port-unreachable"
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.21: unknown reject type "icmp-port-unreachable"
Try `ip6tables -h' or 'ip6tables --help' for more information.
No clue why I am getting "ip6tables v1.4.21: unknown reject type "icmp-port-unreachable"", but probably that's my own conifguration error. I will look this up myself. :-)
Output: /var/log/ipset-country.log
2019-08-05 09:57:00 ipset: create set "ipv4-china" - OK
2019-08-05 09:57:01 zonefile: get "ipv4-cn-aggregated.zone" - OK
2019-08-05 09:57:10 ipset: add "ipv4-cn-aggregated.zone" to "ip-china" - OK - 5180 entries
2019-08-05 09:57:10 iptables: found - OK
2019-08-05 09:57:10 iptables: restore - OK
2019-08-05 09:57:10 iptables: create log chain - OK
2019-08-05 09:57:10 iptables: append log rule - OK, append reject rule - OK
2019-08-05 09:57:10 iptables: insert ipset rule - OK
2019-08-05 09:57:10 ipset: create set "ipv6-china" - OK
2019-08-05 09:57:10 zonefile: get "ipv6-cn.zone" - OK
2019-08-05 09:57:13 ipset: add "ipv6-cn.zone" to "ip6-china" - OK - 1750 entries
2019-08-05 09:57:13 ip6tables: found - OK
2019-08-05 09:57:13 ip6tables: restore - OK
2019-08-05 09:57:13 ip6tables: create log chain - OK
2019-08-05 09:57:13 ip6tables: append log rule - OK, append reject rule - NOK
2019-08-05 09:57:13 ip6tables: insert ipset rule - OK
2019-08-05 09:57:13 ipset: create set "ipv4-russia" - OK
2019-08-05 09:57:14 zonefile: get "ipv4-ru-aggregated.zone" - OK
2019-08-05 09:57:28 ipset: add "ipv4-ru-aggregated.zone" to "ip-russia" - OK - 8032 entries
2019-08-05 09:57:28 iptables: found - OK
2019-08-05 09:57:28 iptables: restore - OK
2019-08-05 09:57:28 iptables: create log chain - OK
2019-08-05 09:57:28 iptables: append log rule - OK, append reject rule - OK
2019-08-05 09:57:28 iptables: insert ipset rule - OK
2019-08-05 09:57:28 ipset: create set "ipv6-russia" - OK
2019-08-05 09:57:29 zonefile: get "ipv6-ru.zone" - OK
2019-08-05 09:57:33 ipset: add "ipv6-ru.zone" to "ip6-russia" - OK - 2284 entries
2019-08-05 09:57:33 ip6tables: found - OK
2019-08-05 09:57:33 ip6tables: restore - OK
2019-08-05 09:57:33 ip6tables: create log chain - OK
2019-08-05 09:57:33 ip6tables: append log rule - OK, append reject rule - NOK
2019-08-05 09:57:33 ip6tables: insert ipset rule - OK
Sidenote; I just come to understand now that "NOK" means "Not OK", right? Don't know why I didn't understand that before. Guess I am an idiot sometimes. :S
Anyways, that error is probably related to the unknown reject rule. As mentioned I will look that up, to see why it's in there or what added it.
Output of the command "ipset -t list" is:
Name: ipv4-china
Type: hash:net
Revision: 6
Header: family inet hashsize 2048 maxelem 65536
Size in memory: 11000
References: 0
Number of entries: 5180
Name: ipv6-china
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 98264
References: 0
Number of entries: 1750
Name: ipv4-russia
Type: hash:net
Revision: 6
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 2744
References: 1
Number of entries: 8032
Name: ipv6-russia
Type: hash:net
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 111480
References: 1
Number of entries: 2284
I also ran the command "ip6tables -L" and this is the output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT tcp anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp anywhere fe80::/64 udp dpt:dhcpv6-client state NEW
LOGIPS tcp anywhere anywhere match-set ipv6-russia src
REJECT all anywhere anywhere reject-with icmp6-adm-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all anywhere anywhere reject-with icmp6-adm-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain LOGIPS (1 references)
target prot opt source destination
LOG all anywhere anywhere limit: avg 10/min burst 5 LOG level info prefix "IPS REJECT: "
While typing the above, I did a search on "icmp-port-unreachable", apparently there was a (another) small typo with your script.
Line 163 has the following:
elif [ "$proto" = "ipv4" ]; then rj="icmp6-port-unreachable"; fi
I changed that to:
elif [ "$proto" = "ipv6" ]; then rj="icmp6-port-unreachable"; fi
and re-ran the script again.
This time were no errors!
Also /var/log/ipset-country.log showed no errors anymore:
2019-08-05 10:08:04 ipset: create set "ipv4-china" - OK
2019-08-05 10:08:05 zonefile: get "ipv4-cn-aggregated.zone" - OK
2019-08-05 10:08:14 ipset: add "ipv4-cn-aggregated.zone" to "ip-china" - OK - 5180 entries
2019-08-05 10:08:14 iptables: found - OK
2019-08-05 10:08:14 iptables: restore - OK
2019-08-05 10:08:14 iptables: create log chain - OK
2019-08-05 10:08:14 iptables: append log rule - OK, append reject rule - OK
2019-08-05 10:08:14 iptables: insert ipset rule - OK
2019-08-05 10:08:14 ipset: create set "ipv6-china" - OK
2019-08-05 10:08:15 zonefile: get "ipv6-cn.zone" - OK
2019-08-05 10:08:18 ipset: add "ipv6-cn.zone" to "ip6-china" - OK - 1750 entries
2019-08-05 10:08:18 ip6tables: found - OK
2019-08-05 10:08:18 ip6tables: restore - OK
2019-08-05 10:08:18 ip6tables: create log chain - OK
2019-08-05 10:08:18 ip6tables: append log rule - OK, append reject rule - OK
2019-08-05 10:08:18 ip6tables: insert ipset rule - OK
2019-08-05 10:08:18 ipset: create set "ipv4-russia" - OK
2019-08-05 10:08:19 zonefile: get "ipv4-ru-aggregated.zone" - OK
2019-08-05 10:08:33 ipset: add "ipv4-ru-aggregated.zone" to "ip-russia" - OK - 8032 entries
2019-08-05 10:08:33 iptables: found - OK
2019-08-05 10:08:33 iptables: restore - OK
2019-08-05 10:08:33 iptables: create log chain - OK
2019-08-05 10:08:33 iptables: append log rule - OK, append reject rule - OK
2019-08-05 10:08:33 iptables: insert ipset rule - OK
2019-08-05 10:08:33 ipset: create set "ipv6-russia" - OK
2019-08-05 10:08:33 zonefile: get "ipv6-ru.zone" - OK
2019-08-05 10:08:38 ipset: add "ipv6-ru.zone" to "ip6-russia" - OK - 2284 entries
2019-08-05 10:08:38 ip6tables: found - OK
2019-08-05 10:08:38 ip6tables: restore - OK
2019-08-05 10:08:38 ip6tables: create log chain - OK
2019-08-05 10:08:38 ip6tables: append log rule - OK, append reject rule - OK
2019-08-05 10:08:38 ip6tables: insert ipset rule - OK
ip6tables -L shows the following:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
ACCEPT ipv6-icmp anywhere anywhere
ACCEPT all anywhere anywhere
ACCEPT tcp anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp anywhere fe80::/64 udp dpt:dhcpv6-client state NEW
LOGIPS tcp anywhere anywhere match-set ipv6-russia src
REJECT all anywhere anywhere reject-with icmp6-adm-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all anywhere anywhere reject-with icmp6-adm-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain LOGIPS (1 references)
target prot opt source destination
LOG all anywhere anywhere limit: avg 10/min burst 5 LOG level info prefix "IPS REJECT: "
REJECT all anywhere anywhere reject-with icmp6-port-unreachable
So everything seems in order now, right?
Though I think one thing is strange. In "ip6tables -L" I only see the following:
LOGIPS tcp anywhere anywhere match-set ipv6-russia src
but I don't see a china reference in there. Or is this normal behaviour?
Sorry for the very long reply/post, but I am trying to be as helpful as I can.
Regards
Hi @HHawk
Thanks again for testing and showing the output.
You are correct about that var. I found another issue: the script does a iptables-restore between countries. So only last ipv4/6 is added.
Ive fixed that now so it restores once and rewrote the thing a bit; and tested on centos7/rhel8. It also supports firewalld now.
I’ll try pushing the new fixed ver later this week.
Hi @mkorthof (Marius),
Sidenote; seems you're Dutch, right? Based on your name. Only noticed it now. ;-)
You're most welcome. I am trying to give as much details as possible, as this is a great script! And it's getting better every time!
You don't want to know how many "attacks" are being made on my servers. Mostly China and Russia (frequently). Also a few US IP's, but I don't want to block the US completely though.
It's getting more and more important to block certain countries to relieve server load.
Looking forward to the fixes / adjustments. Will try again afterwards. I will be going on vacation for ~2.5 weeks, so I might be a bit slow in replying.
Regards
HI Guys.
I have just tried this on my Debian9 system and get the following errors:
./ipset-country.sh: line 148: /etc/iptables/rules.v4: No such file or directory
./ipset-country.sh: line 148: /etc/iptables/rules.v6: No such file or directory
ip6tables v1.6.0: unknown reject type "icmp-port-unreachable"
Try ip6tables -h' or 'ip6tables --help' for more information. ip6tables v1.6.0: Invalid rule number 0'
Try `ip6tables -h' or 'ip6tables --help' for more information.
A section of the logfile has:
2019-08-18 21:44:14 zonefile: get "ipv4-vn-aggregated.zone" - OK
2019-08-18 21:44:15 ipset: add "ipv4-vn-aggregated.zone" to "ip-vietname" - OK - 553 entries
2019-08-18 21:44:15 iptables: found - OK
2019-08-18 21:44:15 iptables: restore - NOK
2019-08-18 21:44:15 iptables: create log chain - already exists
2019-08-18 21:44:15 iptables: append log rule - already exists, append reject rule - already exists
2019-08-18 21:44:15 iptables: insert ipset rule - already exists
2019-08-18 21:44:15 ipset: create set "ipv6-vietname" - OK
2019-08-18 21:44:16 zonefile: get "ipv6-vn.zone" - OK
2019-08-18 21:44:16 ipset: add "ipv6-vn.zone" to "ip6-vietname" - OK - 176 entries
2019-08-18 21:44:16 ip6tables: found - OK
2019-08-18 21:44:16 ip6tables: restore - NOK
2019-08-18 21:44:16 ip6tables: create log chain - already exists
2019-08-18 21:44:16 ip6tables: append log rule - already exists, append reject rule - NOK
2019-08-18 21:44:16 ip6tables: insert ipset rule - NOK
2019-08-18 21:44:16 ipset: create set "ipv4-south_africa" - OK
2019-08-18 21:44:17 zonefile: get "ipv4-za-aggregated.zone" - OK
2019-08-18 21:44:19 ipset: add "ipv4-za-aggregated.zone" to "ip-south_africa" - OK - 1134 entries
2019-08-18 21:44:19 iptables: found - OK
2019-08-18 21:44:19 iptables: restore - NOK
2019-08-18 21:44:19 iptables: create log chain - already exists
2019-08-18 21:44:19 iptables: append log rule - already exists, append reject rule - already exists
2019-08-18 21:44:19 iptables: insert ipset rule - already exists
2019-08-18 21:44:19 ipset: create set "ipv6-south_africa" - OK
2019-08-18 21:44:20 zonefile: get "ipv6-za.zone" - OK
2019-08-18 21:44:20 ipset: add "ipv6-za.zone" to "ip6-south_africa" - OK - 284 entries
2019-08-18 21:44:20 ip6tables: found - OK
2019-08-18 21:44:20 ip6tables: restore - NOK
2019-08-18 21:44:20 ip6tables: create log chain - already exists
2019-08-18 21:44:20 ip6tables: append log rule - already exists, append reject rule - NOK
2019-08-18 21:44:20 ip6tables: insert ipset rule - NOK
Thanks,
Stephen
Hi mkorthof!
Sorry for the late response and feedback.
I had finally some time to test your excellent script again. So far it's working GREAT!
I cannot see any errors. Great work! Two thumbs up!
Regards,
HHawk
Hey kor, iv been using your work for some time on, but recently the main web were we get all the zones ipv4s it's down for some reason idk why, but i tried to add a different source url-get but im facing the md5sum verification, would you add an option on the script to either check or not the md5sum?
i'm trying to add zones from ipverse dut net and yea, other than that, you did it just fine men! n.n
Hey kor, iv been using your work for some time on, but recently the main web were we get all the zones ipv4s it's down for some reason idk why, but i tried to add a different source url-get but im facing the md5sum verification, would you add an option on the script to either check or not the md5sum?
i'm trying to add zones from ipverse dut net and yea, other than that, you did it just fine men! n.n
I noticed this also and switched to ipverse.net too and had to comment md5 checks in func_zf() function because ipverse does not supply md5 checksums. Looks like ipdeny is back now, but I'll add an option to disable md5 checks anyways.
If you have further issues feel free to create an issue at the repo (https://github.com/mkorthof/ipset-country/issues)
This is a great little script, very easy to set up and use. It only took a few minutes to get it up and running on Debian 10. Wouldn't DROP be preferable to REJECT though in the iptables rules? (Maybe make it a config choice?)
Wouldn't DROP be preferable to REJECT though in the iptables rules? (Maybe make it a config choice?)
Added as issue #1
Hi everyone,
I am using ipset on Amazon Linux 2, its working well. i have created SETNAME( web-access-block) and also added one ip (192.168.0.10) in web-access-block ipset file.
My questions are :-
- How i will know that, When had i add any ip in SETNAME( web-access-block) ?
- Can i release ip from SETNAME( web-access-block). which i was added 30 days ago, using script or any others way ?
Please help me.
Thanks
Sushant Kr Kunwar
Hi @SushantRathore-Admin,
I don't think your questions are in any way related to the script that used to be posted in this gist.
If you have any issues specifically related to ipset-country feel free to create an issue for the repo linked on top.
So recently i tried to setup the ipset-country, all works fine but.. i am running a FiveM server so when the server tries to send a heartbeat, it fails with the error:
Failed to connect to api.steampowered.com port 443
Failed to connect to keymaster.fivem.net port 443
What can i do to fix this issue?
Hi,
Thanks to share your script.
When I execute the script, I receive error :
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables v1.6.0: Couldn't load target `LOGIPS':No such file or directory
and in log file I have :
ipset: create set "zimbabwe" - OK
zonefile: "zw-aggregated.zone" - OK
2017-11-09 07:16:24 ipset: add entries from zw-aggregated.zone to "zimbabwe" - NOK
2017-11-09 07:16:24 iptables: restore - OK
2017-11-09 07:16:24 iptables: create log chain - disabled
2017-11-09 07:16:24 iptables: append log rule - disabled, append reject rule - disabled
2017-11-09 07:16:24 iptables: insert ipset rule - OK
Please can you help me to debug this ?
Thanks a lot