SSL Blacklist, Feodotracker

Seeing that you want SSLBL, URLhaus, and Feodo, I will make all the instructions for them.
More details on this can be found here

The problem with URLhaus is that the sets require IPs, and URLhaus does not publish an IP list.
So what is URLhaus used for? Malware. In that case I would suggest a different route, namely DNS blocking. But that again is a different topic, which has been or is being discussed somewhere here; search for “block known malware/ransomware” or something along those lines.

Step 1:
You will need to create network sets that will be used to populate with IPs (single and CIDR) to be blocked, dropped, rejected, or what have you.

ipset create feodo hash:ip
ipset create sslbl hash:ip
ipset save > /etc/ipset/ipset.conf

The above creates the needed sets and saves them, so the FW remembers them after a reboot.

Step 2:
You need to add two scripts to /etc/sysconfig/scripts that will populate the sets.

mkdir /etc/sysconfig/scripts
vi /etc/sysconfig/scripts/feodo.sh
copy and paste the following…

#!/bin/bash
# Log the start time; the log file is recreated on every run
echo "$0 executing at" > /tmp/feodo.sh.log
date >> /tmp/feodo.sh.log

NETGROUP="feodo"

# Download the feed and reduce it to one IP per line
>/tmp/block-feodo
#curl -s https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/feodo.ipset | grep '^[0-9]' | sed '/:/d' | sed -e 's/;.*//' | sort | uniq >> /tmp/block-feodo
curl -s https://feodotracker.abuse.ch/downloads/feodotracker.rules | sed -e 's/].*//g' | sed 's|.*\[\(.*\)|\1|' | sed -e 's/#.*//g' | sed '/at.*/d' | sort | uniq >> /tmp/block-feodo

# The live set must already exist (created in Step 1)
sudo ipset -q -L "$NETGROUP" > /dev/null 2>&1
if [ "$?" != 0 ]; then
   echo "firewall network group $NETGROUP doesn't exist yet"
   exit 1
fi

# Build the new list in a temporary set, then swap it in atomically
NEWGROUP="$NETGROUP-$$"
sudo ipset create "$NEWGROUP" hash:ip
if [ "$?" != 0 ]; then
  echo "There was an error trying to create temporary set"
  exit 1
fi

count=0
for i in $(cat /tmp/block-feodo); do
  sudo ipset -q -A "$NEWGROUP" "$i"
  if [ "$?" != 0 ]; then
     echo "There was an error trying to add $i"
     sudo ipset destroy "$NEWGROUP"   # don't leave the half-built set behind
     exit 1
  fi
  let "count++"
done
sudo ipset swap "$NEWGROUP" "$NETGROUP"
if [ "$?" != 0 ]; then
  echo "There was an error trying to swap temporary set"
  sudo ipset destroy "$NEWGROUP"
  exit 1
fi
# After the swap the temporary set holds the old entries; drop it
sudo ipset destroy "$NEWGROUP"
rm /tmp/block-feodo
echo "Added $count entries to $NETGROUP"
echo "" >> /tmp/feodo.sh.log
echo "$0 ending execution at" >> /tmp/feodo.sh.log
date >> /tmp/feodo.sh.log
exit 0

to save and quit press ESC and type :wq

vi /etc/sysconfig/scripts/sslbl.sh
copy and paste the following…

#!/bin/bash
# Log the start time; the log file is recreated on every run
echo "$0 executing at" > /tmp/sslbl.sh.log
date >> /tmp/sslbl.sh.log

NETGROUP="sslbl"

# Download the feed and reduce it to one IP per line
>/tmp/block-sslbl
#curl -s https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/sslbl.ipset | grep '^[0-9]' | sed '/:/d' | sed -e 's/;.*//' | sort | uniq >> /tmp/block-sslbl
curl -s https://sslbl.abuse.ch/blacklist/sslipblacklist.txt | grep '^[0-9]' | sed '/:/d' | sed -e 's/;.*//' | sed -e 's/#.*//g' | sed '/at.*/d' | sed -e 's/ .*//' | sort | uniq >> /tmp/block-sslbl

# The live set must already exist (created in Step 1)
sudo ipset -q -L "$NETGROUP" > /dev/null 2>&1
if [ "$?" != 0 ]; then
   echo "firewall network group $NETGROUP doesn't exist yet"
   exit 1
fi

# Build the new list in a temporary set, then swap it in atomically
NEWGROUP="$NETGROUP-$$"
sudo ipset create "$NEWGROUP" hash:ip
if [ "$?" != 0 ]; then
  echo "There was an error trying to create temporary set"
  exit 1
fi

count=0
for i in $(cat /tmp/block-sslbl); do
  sudo ipset -q -A "$NEWGROUP" "$i"
  if [ "$?" != 0 ]; then
     echo "There was an error trying to add $i"
     sudo ipset destroy "$NEWGROUP"   # don't leave the half-built set behind
     exit 1
  fi
  let "count++"
done
sudo ipset swap "$NEWGROUP" "$NETGROUP"
if [ "$?" != 0 ]; then
  echo "There was an error trying to swap temporary set"
  sudo ipset destroy "$NEWGROUP"
  exit 1
fi
# After the swap the temporary set holds the old entries; drop it
sudo ipset destroy "$NEWGROUP"
rm /tmp/block-sslbl
echo "Added $count entries to $NETGROUP"
echo "" >> /tmp/sslbl.sh.log
echo "$0 ending execution at" >> /tmp/sslbl.sh.log
date >> /tmp/sslbl.sh.log
exit 0

to save and quit press ESC and type :wq

Step 3:
Edit the crontab to run the scripts daily, or at whatever interval you like.
I would not run them more often than every 12 hours, as the lists may not have changed.
No need to add extra load to the list suppliers, who are doing this for free. Don’t abuse things.

fcrontab -e

Below the last line add the following, with a blank line after.

# Update FW scripts, run nightly, and reload firewall.local
05 0 * * *      /etc/sysconfig/scripts/feodo.sh
05 0 * * *      /etc/sysconfig/scripts/sslbl.sh

# Reload firewall.local
25 0 * * *       /etc/sysconfig/firewall.local reload

to save and quit press ESC and type :wq

To check if it was saved correctly

fcrontab -l

Step 4:
Next the .sh files need to be executable.

chmod +x /etc/sysconfig/scripts/*.sh

Step 5:
Now we need to add the firewall rules, i.e. what to do when traffic matches one of the sets.

vi /etc/sysconfig/firewall.local

Scroll down to the line that says

## add your 'start' rules here

Either you already have something below it, or there is nothing. That is where you will add the following lines.

# src rules match traffic arriving on red0 from a listed IP; dst rules match
# traffic leaving via red0 towards a listed IP (the OUTPUT path has no input
# interface, so those rules must use -o, not -i, or they never match)
/sbin/iptables -I CUSTOMFORWARD -o red0 -m set --match-set feodo dst -j DROP
/sbin/iptables -I CUSTOMINPUT -i red0 -m set --match-set feodo src -j DROP
/sbin/iptables -I CUSTOMOUTPUT -o red0 -m set --match-set feodo dst -j DROP
/sbin/iptables -I CUSTOMFORWARD -o red0 -m set --match-set sslbl dst -j DROP
/sbin/iptables -I CUSTOMINPUT -i red0 -m set --match-set sslbl src -j DROP
/sbin/iptables -I CUSTOMOUTPUT -o red0 -m set --match-set sslbl dst -j DROP

And further below…

        ## add your 'stop' rules here
        # IPSET flushing related chains
        /sbin/iptables -F CUSTOMFORWARD
        /sbin/iptables -F CUSTOMINPUT
        /sbin/iptables -F CUSTOMOUTPUT

again, to save and quit press ESC and type :wq

Step 6:
Now you can run the scripts, this will take a bit…

/etc/sysconfig/scripts/feodo.sh
/etc/sysconfig/scripts/sslbl.sh

If all was done right, the scripts create a log file each in /tmp showing when they were last run, etc. Those files are deleted and recreated every time the scripts run.

Step 7:
To check that the sets were populated, run the ipset -t list command,
then run /etc/sysconfig/firewall.local reload to reload the rule set.

Done.

The ipsets, in conjunction with the FW, should now do the heavy lifting.
I hope that was easy enough to follow.

PS.
Obviously the above scripts and iptables rules can be adapted to block countries and other things as well, provided the lists are IP based.

For example, say you want to block .CN. Now you are no longer dealing with single IPs only but with CIDR lists that contain subnets as well, so the set type is no longer hash:ip but hash:net.

ipset create blacklist_china hash:net
vi /etc/sysconfig/scripts/blacklist_china.sh

#!/bin/bash
# Log the start time; the log file is recreated on every run
echo "$0 executing at" > /tmp/blacklist_china.sh.log
date >> /tmp/blacklist_china.sh.log

NETGROUP="blacklist_china"

# Download the country CIDR list and reduce it to one entry per line
>/tmp/block-cn
curl -s http://cdn.iwik.org/ipcountry/CN.cidr | grep '^[0-9]' | sed '/:/d' | sed -e 's/;.*//' | sort | uniq >> /tmp/block-cn

# The live set must already exist
sudo ipset -q -L "$NETGROUP" > /dev/null 2>&1
if [ "$?" != 0 ]; then
   echo "firewall network group $NETGROUP doesn't exist yet"
   exit 1
fi

# Build the new list in a temporary hash:net set, then swap it in atomically
NEWGROUP="$NETGROUP-$$"
sudo ipset create "$NEWGROUP" hash:net
if [ "$?" != 0 ]; then
  echo "There was an error trying to create temporary set"
  exit 1
fi

count=0
for i in $(cat /tmp/block-cn); do
  sudo ipset -q -A "$NEWGROUP" "$i"
  if [ "$?" != 0 ]; then
     echo "There was an error trying to add $i"
     sudo ipset destroy "$NEWGROUP"   # don't leave the half-built set behind
     exit 1
  fi
  let "count++"
done
sudo ipset swap "$NEWGROUP" "$NETGROUP"
if [ "$?" != 0 ]; then
  echo "There was an error trying to swap temporary set"
  sudo ipset destroy "$NEWGROUP"
  exit 1
fi
# After the swap the temporary set holds the old entries; drop it
sudo ipset destroy "$NEWGROUP"
rm /tmp/block-cn
echo "Added $count entries to $NETGROUP"
echo "" >> /tmp/blacklist_china.sh.log
echo "$0 ending execution at" >> /tmp/blacklist_china.sh.log
date >> /tmp/blacklist_china.sh.log
exit 0
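The three scripts above (feodo.sh, sslbl.sh and blacklist_china.sh) are the same program with a different set name, set type and feed URL. As an added example that is not part of the original post, here is one script that takes those three values as arguments and does the job for any of the lists. The feed parsing is deliberately stricter than the sed pipelines above: every token that looks like an IPv4 address or CIDR block is checked octet by octet before it is added, and the script refuses to swap in an empty result, so a failed or garbled download keeps the previous entries instead of silently unblocking everything. The script name (refresh-ipset.sh), the SAMPLE_FEED text and the demo_parse helper are constructed for illustration; ipset and curl are assumed to be installed as on the IPFire box above.

```shell
#!/bin/bash
# Added example, not from the original post: one refresh script that replaces
# the three near-identical copies above (feodo, sslbl, blacklist_china).
# Usage: refresh-ipset.sh SETNAME SETTYPE URL   (e.g. feodo hash:ip <feed url>)
set -u

# valid_addr ADDR: succeed only if ADDR is a dotted-quad IPv4 address or an
# IPv4/prefix block with every octet <= 255 and the prefix <= 32.
valid_addr() {
  local addr="$1" ip prefix o IFS
  case "$addr" in
    */*) ip="${addr%/*}"; prefix="${addr#*/}"
         case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
         [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1 ;;
    *)   ip="$addr" ;;
  esac
  IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# extract_addrs: read a feed on stdin, drop '#' comments, pull every IPv4 or
# CIDR token out of whatever surrounds it (CSV fields, Snort rule brackets,
# free text), keep the syntactically valid ones and emit them sorted, unique.
extract_addrs() {
  sed -e 's/#.*//' \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?' \
    | while IFS= read -r cand; do
        valid_addr "$cand" && printf '%s\n' "$cand"
      done \
    | sort -u
}

# refresh_set SETNAME SETTYPE URL: load the feed into a scratch set and swap
# it in atomically, so the live set is never empty while it loads. Unlike the
# per-list scripts above, an empty download leaves the current set untouched.
refresh_set() {
  local set="$1" type="$2" url="$3" tmp feed addr count=0
  tmp="${set}-$$"
  ipset -q list "$set" >/dev/null 2>&1 \
    || { echo "set $set does not exist (create it first)" >&2; return 1; }
  feed=$(mktemp) || return 1
  # -f makes curl fail on HTTP errors instead of handing us an error page
  curl -sf --max-time 120 "$url" | extract_addrs > "$feed"
  if [ ! -s "$feed" ]; then
    echo "$url yielded no valid addresses; keeping current $set" >&2
    rm -f "$feed"; return 1
  fi
  ipset create "$tmp" "$type" || { rm -f "$feed"; return 1; }
  while IFS= read -r addr; do
    if ! ipset -q -A "$tmp" "$addr"; then
      echo "cannot add $addr to $tmp" >&2
      ipset destroy "$tmp"; rm -f "$feed"; return 1   # leave nothing half-built
    fi
    count=$((count + 1))
  done < "$feed"
  rm -f "$feed"
  ipset swap "$tmp" "$set" || { ipset destroy "$tmp"; return 1; }
  ipset destroy "$tmp"      # after the swap this holds the old entries
  echo "$set: $count entries loaded from $url"
}

# Constructed sample feed (not a real abuse.ch download) mixing the formats
# the lists above use: CSV lines, a Snort rule with the IP in brackets, a CIDR
# with a trailing comment, and two entries that must be rejected.
SAMPLE_FEED='# constructed sample, not a real download
# DstIP,DstPort
203.0.113.7,443
alert tcp $HOME_NET any -> [192.0.2.10] 447 (msg:"C2 traffic"; sid:900001;)
198.51.100.0/24 ; allocated to ...
999.1.1.1
10.0.0.1/33
203.0.113.7,8080'

# demo_parse: run the extractor over the constructed sample.
demo_parse() {
  printf '%s\n' "$SAMPLE_FEED" | extract_addrs
}

# Only act when called with the three arguments; sourcing the file merely
# defines the functions.
if [ "$#" -ge 3 ]; then
  refresh_set "$1" "$2" "$3"
fi
```

With this in place the three cron lines collapse to one call per list, e.g. `/etc/sysconfig/scripts/refresh-ipset.sh blacklist_china hash:net http://cdn.iwik.org/ipcountry/CN.cidr`, and a non-zero exit (logged by fcron) tells you a feed was unreachable rather than leaving you with a quietly emptied set.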

crontab entry

# Update Country blacklists
15 0 * * *      /etc/sysconfig/scripts/blacklist_china.sh

vi /etc/sysconfig/firewall.local

    # Bad Country CIDR ipset lists
    # (src matches inbound traffic on red0, dst matches outbound traffic via red0)
    /sbin/iptables -I CUSTOMFORWARD -o red0 -m set --match-set blacklist_china dst -j DROP
    /sbin/iptables -I CUSTOMINPUT -i red0 -m set --match-set blacklist_china src -j DROP
    /sbin/iptables -I CUSTOMOUTPUT -o red0 -m set --match-set blacklist_china dst -j DROP

The same flush rules apply, so there is no need to add anything under stop.

/etc/sysconfig/firewall.local reload

Done, you are no longer talking to anything in China.
Obviously these rules are only as good as the source material, so keeping these lists up to date is crucial.

Have fun :)
