Just wondered if any one is using block lists for their docker containers.

IPSum publishes a great list of IPs worth blocking.

The thing is, I know docker networking interacts with iptables in a complex way such that the iptables INPUT chain is ignored.

The docker docs say you can put custom rules in DOCKER-USER chain, but my iptables knowledge isn’t great and I think I’m more likely to mess something up than to have any success.

The thing is, I’m sure that this is something loads of other people have encountered, and I’m sure there must be an easier way.

    • fine_sandy_bottomOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      6 months ago

      ok. I hadn’t thought about that.

      Are there alternatives? Or is an IPv6 block list not practically possible?

    • fine_sandy_bottomOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      6 months ago

      Thank you. I was looking at something like this.

      I guess I was asking whether there’s a package or project which kinda creates this rule and keeps the ipset list updated.

      If I create a rule like that, then next time I’m playing around with this I’m not going to be able to figure out what I’ve done.

      • Matt The Horwood@lemmy.horwood.cloud
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        I would have a cron that runs a script to pull the list and update IPset, this might not work.

        make a file on your docker server with the below in it, set the file to execute chmod +x file.sh

        #!/bin/sh
        ipset -q flush ipsum
        ipset -q create ipsum hash:ip
        for ip in $(curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do ipset add ipsum $ip; done
        iptables -D INPUT -m set --match-set ipsum src -j DROP 2>/dev/null
        iptables -I INPUT -m set --match-set ipsum src -j DROP
        

        Then add a cron file in /etc/cron.d that runs the script every 24 hours

        10 3 * * * root /root/file.sh
        
        • fine_sandy_bottomOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          6 months ago

          sweet. thanks.

          INPUT will need to be DOCKER-USER in your script but otherwise I’ll see how it goes.