@paulgear
Created June 16, 2022 00:31
Stupid ipset hack #1: Count & log unique NTP source addresses
#!/bin/sh
# Count and log unique NTP client source addresses with ipset + iptables.
# Needs root. The chain creation below is not idempotent: delete the chain
# (and its INPUT jump) before re-running, or the script aborts on --new-chain.
set -eu
PROTO='udp'
PORT='123'
LOG='NTP'
CHAIN=ntplog
SET=ntplog
MAXELEM=33554432
HASHSIZE=65535
TIMEOUT=1024
# One hash:ip set per address family. Entries carry per-source packet/byte
# counters and expire TIMEOUT seconds after they were added; the set match in
# the chain below does not refresh the timeout, so an active source is
# re-logged and its counters restart roughly every TIMEOUT seconds.
ipset create ${SET}-inet hash:ip -exist family inet counters timeout ${TIMEOUT} maxelem ${MAXELEM} hashsize ${HASHSIZE}
ipset create ${SET}-inet6 hash:ip -exist family inet6 counters timeout ${TIMEOUT} maxelem ${MAXELEM} hashsize ${HASHSIZE}
# Create the user-defined chain (-N / --new-chain).
iptables --new-chain ${CHAIN}
ip6tables --new-chain ${CHAIN}
# Known source: the set match updates its counters and we return without logging.
iptables --append ${CHAIN} -j RETURN -m set --match-set ${SET}-inet src
ip6tables --append ${CHAIN} -j RETURN -m set --match-set ${SET}-inet6 src
# New source (or one whose entry expired): add it to the set, then log it once.
iptables --append ${CHAIN} -j SET --add-set ${SET}-inet src --exist
ip6tables --append ${CHAIN} -j SET --add-set ${SET}-inet6 src --exist
iptables --append ${CHAIN} -j LOG --log-prefix "${LOG}: "
ip6tables --append ${CHAIN} -j LOG --log-prefix "${LOG}: "
# Hook inbound NTP into the chain. --append puts the jump last in INPUT, so an
# earlier rule that already accepts or drops the traffic keeps it out of the
# count; use --insert if that applies.
iptables --append INPUT ! -i lo -j ${CHAIN} -p ${PROTO} --dport ${PORT}
ip6tables --append INPUT ! -i lo -j ${CHAIN} -p ${PROTO} --dport ${PORT}
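Reading the results back is the other half of the hack: the unique-source count and per-source packet counters live in `ipset list ntplog-inet`, and the first-contact events land in the kernel log with the `NTP: ` prefix. The script below is an added example, not part of the gist, that turns both into a summary. Its sample listing and log lines are constructed (the member suffix order `timeout N packets N bytes N` and the LOG field layout are assumptions drawn from the documented output of those tools, not captured from a host), and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the gist): summarise what the ntplog hack collects.
set -eu

# Constructed `ipset list ntplog-inet` output (assumed member suffix order).
SAMPLE_LISTING='Name: ntplog-inet
Type: hash:ip
Revision: 4
Header: family inet hashsize 65536 maxelem 33554432 timeout 1024 counters
Size in memory: 312
References: 2
Number of entries: 3
Members:
192.0.2.10 timeout 812 packets 57 bytes 4104
198.51.100.7 timeout 1001 packets 1 bytes 76
203.0.113.44 timeout 15 packets 2400 bytes 172800'

# Constructed kernel log lines in the shape `-j LOG --log-prefix "NTP: "` emits.
# 192.0.2.10 appears twice: once on first contact and again after its set entry
# expired, which is what the TIMEOUT in the gist causes for active sources.
SAMPLE_LOG='Jun 16 00:31:02 ntp1 kernel: NTP: IN=eth0 OUT= MAC=... SRC=192.0.2.10 DST=192.0.2.1 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jun 16 00:31:05 ntp1 kernel: NTP: IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.0.2.1 LEN=76 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=42123 DPT=123 LEN=56
Jun 16 00:48:10 ntp1 kernel: NTP: IN=eth0 OUT= MAC=... SRC=192.0.2.10 DST=192.0.2.1 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jun 16 00:48:11 ntp1 kernel: NTP: IN=eth0 OUT= MAC=... SRC=203.0.113.44 DST=192.0.2.1 LEN=76 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56'

# Number of members currently in the set: the unique sources seen within the
# last TIMEOUT seconds.  Usage: count_members < listing
count_members() {
    awk '/^Members:/ { m = 1; next } m && NF { n++ } END { print n + 0 }'
}

# Sum of the per-member packet counters.  Usage: total_packets < listing
total_packets() {
    awk '/^Members:/ { m = 1; next }
         m && NF { for (i = 2; i < NF; i++) if ($i == "packets") t += $(i + 1) }
         END { print t + 0 }'
}

# Top N sources by packet counter, printed as "packets address".
# Usage: top_talkers N < listing
top_talkers() {
    awk '/^Members:/ { m = 1; next }
         m && NF { for (i = 2; i < NF; i++) if ($i == "packets") print $(i + 1), $1 }' |
        sort -k1,1nr | head -n "$1"
}

# Distinct SRC= addresses in LOG lines carrying the given prefix.  A source is
# logged once per timeout window, so duplicates are expected and collapsed.
# Usage: unique_logged_sources PREFIX < log
unique_logged_sources() {
    awk -v p="$1" -F'SRC=' 'index($0, p ": ") { split($2, a, " "); print a[1] }' | sort -u
}

# Stand-alone run over the constructed samples.
printf 'members: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | count_members)"
printf 'packets: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | total_packets)"
printf '%s\n' "$SAMPLE_LISTING" | top_talkers 2
printf '%s\n' "$SAMPLE_LOG" | unique_logged_sources NTP
```

On a live host, replace the samples with `ipset list ntplog-inet | count_members` and `journalctl -k | unique_logged_sources NTP`; the set gives the current window, the log gives history.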