The following script assumes you have created an IP set of type nethash.
You should do this in the script that sets up the firewall, like so:
ipset create spamhaus nethash
Note the syntax change, from ipset -N to ipset create, in version 6.
Then, among other iptables rules, you add something like:
iptables -A my_chain -m set --match-set spamhaus src,dst -j DROP
Copy and paste the script to your editor of choice. Note that it uses perl (line 81).
You may want to use egrep -v instead.
Regular expressions are similar, but [[:space:]] instead of
Just save it in /etc/cron.daily/ or equivalent when done.
You can pass -v to the script to see more of the download.
Otherwise, you can prevent unwanted downloads like so:
echo drop.txt edrop.txt > no-download
That way you won't annoy Spamhaus while testing. Recall they don't want people to download more than once per hour. In my limited experience, once per day seems to be enough...
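The page does not reproduce the script itself, so here is an added example (written for this page, not the author's script) of the part that matters for the firewall: turning DROP-format text into an ipset restore batch that fills a temporary set and swaps it into the live spamhaus set, so the rule above never sees a half-loaded set. It assumes the lists have already been fetched to local files (drop.txt, edrop.txt), that the live set is named spamhaus with the nethash type created above (hash:net is its ipset 6 name), and it honours the same no-download convention: names listed in that file are skipped. The sample DROP lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not the original cron script. Assumptions: live set
# "spamhaus" of type nethash/hash:net; DROP files use "CIDR ; SBLnnn" lines;
# a file named by $NO_DOWNLOAD lists the list names to leave alone.

SET_NAME=${SET_NAME:-spamhaus}
NO_DOWNLOAD=${NO_DOWNLOAD:-./no-download}

# skip_download NAME: succeed when NAME appears in the no-download file
# (same convention as "echo drop.txt edrop.txt > no-download" above).
skip_download() {
    [ -f "$NO_DOWNLOAD" ] || return 1
    tr ' ' '\n' < "$NO_DOWNLOAD" | grep -qx "$1"
}

# drop_to_restore SET: read DROP-format text on stdin, emit "add SET CIDR"
# lines. Strips ";" comments and whitespace, drops blank lines, and keeps
# only tokens that look like an IPv4 CIDR, so header lines never reach ipset.
drop_to_restore() {
    sed -e 's/;.*//' -e 's/[[:space:]]//g' -e '/^$/d' |
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' |
    sed "s/^/add $1 /"
}

# build_batch: full atomic reload for ipset restore. The temporary set is
# filled first, then swapped with the live set in one kernel operation, so
# the iptables rule matching $SET_NAME keeps working throughout.
build_batch() {
    tmp="${SET_NAME}_tmp"
    echo "create $tmp hash:net"
    echo "flush $tmp"
    drop_to_restore "$tmp"
    echo "swap $tmp $SET_NAME"
    echo "destroy $tmp"
}

# main FILE...: concatenate the local list files that are not excluded by the
# no-download file and print the restore batch on stdout.
main() {
    for f in "$@"; do
        if skip_download "$(basename "$f")"; then
            echo "skipping $f (listed in $NO_DOWNLOAD)" >&2
            continue
        fi
        cat "$f"
    done | build_batch
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage: with drop.txt and edrop.txt already downloaded in the current directory, `sh load-drop.sh drop.txt edrop.txt | ipset -exist restore` performs the reload; `-exist` lets the create line succeed if a temporary set was left over from an interrupted run. To inspect the batch without touching the kernel, feed a constructed sample such as `printf '1.2.3.0/24 ; SBL1\n; header\n10.0.0.0/8 ; SBL2\n' | sh -c '. ./load-drop.sh; build_batch'`.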
An IP set is limited to 65536 entries. If you need to block the whole IPv4 space you may want to try tools like ipqbdb.
More on IP-address based firewalling in:
Copyright (C) 2013 Alessandro Vesely, all rights reserved except as noted.