Otherwise there is no usable ipset list and the feature will not work.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
IPS_BYPASS_MARK="0x40000000"
IPS_BYPASS_MASK="0x40000000"
IPS_BYPASS_MARK="0x40000000"
IPS_BYPASS_MASK="0x40000000"
+IPSET_DB_DIR="/var/lib/location/ipset"
+
function iptables() {
/sbin/iptables --wait "$@"
}
function iptables() {
/sbin/iptables --wait "$@"
}
# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
iptables -N HOSTILE
if [ "$DROPHOSTILE" == "on" ]; then
# a technical threat to our users (i. e. listed at Spamhaus DROP et al.)
iptables -N HOSTILE
if [ "$DROPHOSTILE" == "on" ]; then
+ # Call ipset and load the list which contains the hostile networks.
+ ipset restore < $IPSET_DB_DIR/CC_XD.ipset4
+
iptables -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
iptables -A INPUT -i $IFACE -m set --match-set CC_XD src -j HOSTILE
iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE
iptables -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
iptables -A INPUT -i $IFACE -m set --match-set CC_XD src -j HOSTILE
iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE
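Review bot: The result of `ipset restore` on the added line is never checked, so when `$IPSET_DB_DIR/CC_XD.ipset4` is missing or unreadable the script carries on to the `--match-set CC_XD` rules, which then fail because the set does not exist, and nothing on these lines reports why the HOSTILE chain ended up without its matches. The redirect target should also be quoted, `ipset restore < "${IPSET_DB_DIR}/CC_XD.ipset4"`, consistent with the `"$@"` quoting in the iptables wrapper of the first hunk. If this script is re-run while a CC_XD set from an earlier run still exists, the restore would presumably fail on its create line unless `-exist` is passed; worth confirming against how the script tears sets down. I would guard the restore and skip the rules when it fails, as sketched below; the `if [ "$DROPHOSTILE" == "on" ]` block continues past the hunk, and if DROPHOSTILE is read again further down the script, clearing it there needs to be acceptable or replaced by a separate flag.

```shell
if [ "$DROPHOSTILE" == "on" ]; then
	# Load the set of hostile networks. -exist keeps a re-run from failing
	# when the CC_XD set already exists. Without the set, the --match-set
	# rules below would fail, so report the problem and do not install them.
	if ! ipset -exist restore < "${IPSET_DB_DIR}/CC_XD.ipset4"; then
		echo "Could not load ${IPSET_DB_DIR}/CC_XD.ipset4, not installing DROP_HOSTILE rules" >&2
		DROPHOSTILE="off"
	fi
fi

if [ "$DROPHOSTILE" == "on" ]; then
	# … unchanged: HOSTILE LOG rule and the --match-set CC_XD rules …
```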