asallow

command module

v0.0.0-...-fedecf7 Latest Latest Go to latest Published: May 20, 2020 License: GPL-2.0 Imports: 15 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/42wim/asallow

Links

Open Source Insights

README ¶

asallow

What

Asallow creates 2 ipsets (AS_allow and AS_allow6), and populates them based on data from the RIPEstat Data API (https://stat.ripe.net/index/documentation/interfaces-apis) (and optionally your own manually specified subnets)

Why

An 'easy way' to whitelist providers and/or countries.
E.g. to only allow ssh access from specific countries.

Requirements

Linux kernel >= 2.6.32 supporting ipset (net:hash)
ipset

v6.20 and above for comment support
< 6.20 see 'nocomment' flag in asallow.conf (tested on centos6/rhel6)
root/sudo access
iptables

Building it

Install go (binaries on https://golang.org/dl/ or use your favorite package manager)
Set your GOPATH (https://code.google.com/p/go-wiki/wiki/GOPATH)
run:

go get github.com/42wim/asallow

asallow will be found in $GOPATH/bin/asallow

Config

By default it searches for asallow.conf in the current directory, you can also explicitly specify a config with -conf switch.
It will not run without a config file.

 ./asallow -h
Usage of ./asallow:
  -conf="asallow.conf": a valid config file

Config file as a [main] section and multivalue allow, ASN or country statements. Any combination works.

allow=range|ip

Specify an IPv4 or IPv6 ip address or CIDR range.
This will always be added to the ipset AS_allow or AS_allow6 (for IPv6)
ASN=AS number

Specify an AS number.
Ranges (currently) announced by this AS will be added to the ipset AS_allow or AS_allow6 (for IPv6) (AS number: see http://en.wikipedia.org/wiki/Autonomous_System_(Internet))
country=country code

2-digit ISO-3166 country code.
Ranges (currently) associated with the selected country will be added to the ipset AS_allow or AS_allow6 (for IPv6)

Example configuration

[main]
#ip ranges or ip addresses which should always be add
allow=10.0.0.0/8
allow=192.168.0.0/16
allow=fe80::/10

#prefixes of providers which should be looked up dynamically (using ripestat)
ASN=2611 #belnet
ASN=6848 #telenet
#ASN=5432 #mobistar

#allow a whole country
country=be
#country=nl
#country=fr

#uncomment 'nocomment' for older ipset versions < 6.20 (on centos6/rhel6)
#nocomment

Running it

# ./asallow
760 ipv4 / 169 ipv6 subnets added
AS_allow and AS_allow6 ipset created/modified

Check the contents of the sets with ipset:

# ipset list AS_allow
Name: AS_allow
Type: hash:net
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 47488
References: 2
Members:
217.72.224.0/20 comment "be"
86.39.128.0/17 comment "be"
193.33.52.0/23 comment "be"
194.42.208.0/24 comment "be"
80.66.128.0/20 comment "be"
193.58.40.0/24 comment "AS6848"
213.246.192.0/18 comment "be"
....

Integration with IPtables

Simple example: Only allow ssh from AS_allow ranges and drop the rest.

iptables -A INPUT -p tcp -m tcp --dport 22 -m set --match-set AS_allow src -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j REJECT

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

asallow.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL