yanistyle/AS_Network_List
1
0
Fork 0
mirror of https://github.com/C24Be/AS_Network_List.git synced 2026-03-30 06:08:50 +03:00
Code Issues Packages Projects Releases Wiki Activity

some fixes

Browse Source
This commit is contained in:
C24Be
2026-03-26 09:26:41 +01:00
parent 849e96a16d
commit 011efe4bcb
10 changed files with 25 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
README.md
View File

@@ -63,10 +63,8 @@ This repository contains Python scripts that allow you to retrieve network lists
**nftables Format** (`blacklists_nftables/` folder):
* `blacklist.nft`: nftables configuration for mixed IPv4/IPv6 (**daily generated**)
* `blacklist-v4.nft`: nftables configuration for IPv4 only (**daily generated**)
* `blacklist-v6.nft`: nftables configuration for IPv6 only (**daily generated**)
* `blacklist-vk.nft`: nftables configuration for VK-only networks (**daily generated**)
* `blacklist-vk-v4.nft`: nftables configuration for VK-only IPv4 networks (**daily generated**)
* `blacklist-vk-v6.nft`: nftables configuration for VK-only IPv6 networks (**daily generated**)
* `README.md`: Complete usage documentation for nftables integration
@@ -120,8 +118,10 @@ ip6tables -I INPUT -m set --match-set blacklist-v6 src -j DROP
**For nftables:**
````bash
# Download and load into nftables
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist.nft
sudo nft -f blacklist.nft
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-v4.nft
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-v6.nft
sudo nft -f blacklist-v4.nft
sudo nft -f blacklist-v6.nft
# Protect VM from incoming blacklist sources
sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
@@ -129,8 +129,10 @@ sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject
sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject
# VK-only outbound blocking for VPN clients via NAT/FORWARD
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-vk.nft
sudo nft -f blacklist-vk.nft
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-vk-v4.nft
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-vk-v6.nft
sudo nft -f blacklist-vk-v4.nft
sudo nft -f blacklist-vk-v6.nft
sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'
sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip daddr @blacklist_v4 counter reject
sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip6 daddr @blacklist_v6 counter reject

0
blacklists/.keep_folder
View File

0
blacklists_iptables/.keep_folder
View File

0
blacklists_nftables/.keep_folder
View File

0
blacklists_nginx/.keep_folder
View File

0
blacklists_routes/.keep_folder
View File

70
blacklists_updater_iptables.sh
View File

@@ -20,15 +20,13 @@ blacklist_vk_v6_file="${SCRIPT_DIR}/blacklists/blacklist-vk-v6.txt"
# Output directory and files
iptables_output_dir="${SCRIPT_DIR}/blacklists_iptables"
iptables_output_file="${iptables_output_dir}/blacklist.ipset"
iptables_v4_output_file="${iptables_output_dir}/blacklist-v4.ipset"
iptables_v6_output_file="${iptables_output_dir}/blacklist-v6.ipset"
iptables_vk_output_file="${iptables_output_dir}/blacklist-vk.ipset"
iptables_vk_v4_output_file="${iptables_output_dir}/blacklist-vk-v4.ipset"
iptables_vk_v6_output_file="${iptables_output_dir}/blacklist-vk-v6.ipset"
# Create iptables directory if it doesn't exist
mkdir -p "${iptables_output_dir}"
# Create required directories if they don't exist
mkdir -p "${iptables_output_dir}" "${SCRIPT_DIR}/blacklists"
# Build additional VK-only blacklist from network names in auto/*.txt files
tmp_vk_file="$(mktemp "${SCRIPT_DIR}/blacklists/.blacklist-vk.XXXXXX")"
@@ -106,70 +104,10 @@ generate_ipset_config "${blacklist_v6_file}" "${iptables_v6_output_file}" "(IPv6
generate_ipset_config "${blacklist_vk_v4_file}" "${iptables_vk_v4_output_file}" "(VK names, IPv4 only)" "blacklist-vk-v4" "inet"
generate_ipset_config "${blacklist_vk_v6_file}" "${iptables_vk_v6_output_file}" "(VK names, IPv6 only)" "blacklist-vk-v6" "inet6"
# For mixed file, we need to create two sets (IPv4 and IPv6) as ipset doesn't support mixed families
cat > "${iptables_output_file}" << EOF
# IPSet blacklist configuration (mixed IPv4/IPv6)
# Auto-generated from $(basename ${blacklist_file})
# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
#
# Usage:
# 1. Load the ipset:
# ipset restore < $(basename ${iptables_output_file})
#
# 2. Use with iptables/ip6tables:
# iptables -I INPUT -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
# iptables -I FORWARD -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
# ip6tables -I INPUT -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP
# ip6tables -I FORWARD -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP
#
# 3. To flush/delete the sets:
# ipset flush blacklist-v4 && ipset destroy blacklist-v4
# ipset flush blacklist-v6 && ipset destroy blacklist-v6
#
EOF
# Append both IPv4 and IPv6 sets to the mixed file
tail -n +2 "${iptables_v4_output_file}" | grep -E "^(create|add)" >> "${iptables_output_file}"
echo "" >> "${iptables_output_file}"
tail -n +2 "${iptables_v6_output_file}" | grep -E "^(create|add)" >> "${iptables_output_file}"
echo "✓ Generated (mixed IPv4/IPv6): ${iptables_output_file}"
echo " Total entries: $(wc -l < "${blacklist_file}" | tr -d ' ')"
# Generate mixed VK-only ipset file (contains both v4 and v6 sets)
cat > "${iptables_vk_output_file}" << EOF
# IPSet blacklist configuration (VK names: VK Cloud / VKCOMPANY / VKONTAKTE)
# Auto-generated from name-filtered auto/*.txt sources
# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
#
# Usage:
# 1. Load the ipset:
# ipset restore < $(basename "${iptables_vk_output_file}")
#
# 2. Use with iptables/ip6tables:
# iptables -I OUTPUT -m set --match-set blacklist-vk-v4 dst -j REJECT
# iptables -I FORWARD -m set --match-set blacklist-vk-v4 dst -j REJECT
# ip6tables -I OUTPUT -m set --match-set blacklist-vk-v6 dst -j REJECT
# ip6tables -I FORWARD -m set --match-set blacklist-vk-v6 dst -j REJECT
#
# 3. To flush/delete the sets:
# ipset flush blacklist-vk-v4 && ipset destroy blacklist-vk-v4
# ipset flush blacklist-vk-v6 && ipset destroy blacklist-vk-v6
#
EOF
tail -n +2 "${iptables_vk_v4_output_file}" | grep -E "^(create|add)" >> "${iptables_vk_output_file}"
echo "" >> "${iptables_vk_output_file}"
tail -n +2 "${iptables_vk_v6_output_file}" | grep -E "^(create|add)" >> "${iptables_vk_output_file}"
echo "✓ Generated (VK names, mixed IPv4/IPv6): ${iptables_vk_output_file}"
echo " Total entries: $(wc -l < "${blacklist_vk_file}" | tr -d ' ')"
echo ""
echo "VK outgoing block examples (iptables/ipset):"
echo " ipset restore < ${iptables_vk_output_file}"
echo " ipset restore < ${iptables_vk_v4_output_file}"
echo " ipset restore < ${iptables_vk_v6_output_file}"
echo " iptables -I OUTPUT -m set --match-set blacklist-vk-v4 dst -j REJECT"
echo " iptables -I FORWARD -m set --match-set blacklist-vk-v4 dst -j REJECT"
echo " ip6tables -I OUTPUT -m set --match-set blacklist-vk-v6 dst -j REJECT"

21
blacklists_updater_nftables.sh
View File

@@ -18,8 +18,8 @@ VK_INPUT_FILE="$SCRIPT_DIR/blacklists/blacklist-vk.txt"
VK_INPUT_V4_FILE="$SCRIPT_DIR/blacklists/blacklist-vk-v4.txt"
VK_INPUT_V6_FILE="$SCRIPT_DIR/blacklists/blacklist-vk-v6.txt"
# Create output directory if it doesn't exist
mkdir -p "$OUTPUT_DIR"
# Create required directories if they don't exist
mkdir -p "$OUTPUT_DIR" "$SCRIPT_DIR/blacklists"
echo "Generating nftables blacklists..."
@@ -34,11 +34,6 @@ grep ':' "$VK_INPUT_FILE" | sort -u > "$VK_INPUT_V6_FILE" || true
grep -v ':' "$VK_INPUT_FILE" | sort -u > "$VK_INPUT_V4_FILE" || true
rm -f "$TMP_VK_FILE"
# Generate mixed IPv4/IPv6 blacklist
python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \
"$INPUT_FILE" \
"$OUTPUT_DIR/blacklist.nft"
# Generate IPv4-only blacklist
TMP_V4_FILE="/tmp/blacklist-v4.txt"
TMP_V6_FILE="/tmp/blacklist-v6.txt"
@@ -54,9 +49,6 @@ python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \
"$OUTPUT_DIR/blacklist-v6.nft"
# Generate VK-only blacklists (network names: VK Cloud / VKCOMPANY / VKONTAKTE)
python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \
"$VK_INPUT_FILE" \
"$OUTPUT_DIR/blacklist-vk.nft"
python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \
"$VK_INPUT_V4_FILE" \
"$OUTPUT_DIR/blacklist-vk-v4.nft"
@@ -64,19 +56,24 @@ python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \
"$VK_INPUT_V6_FILE" \
"$OUTPUT_DIR/blacklist-vk-v6.nft"
# Remove deprecated mixed summary files if they exist
rm -f "$OUTPUT_DIR/blacklist.nft" "$OUTPUT_DIR/blacklist-vk.nft"
# Clean up temp files
rm -f "$TMP_V4_FILE" "$TMP_V6_FILE"
echo "nftables blacklists generated successfully!"
echo ""
echo "VM incoming block examples (all lists, nftables):"
echo " sudo nft -f $OUTPUT_DIR/blacklist.nft"
echo " sudo nft -f $OUTPUT_DIR/blacklist-v4.nft"
echo " sudo nft -f $OUTPUT_DIR/blacklist-v6.nft"
echo " sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'"
echo " sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject"
echo " sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject"
echo ""
echo "VK outbound block examples for VPN clients via NAT (nftables):"
echo " sudo nft -f $OUTPUT_DIR/blacklist-vk.nft"
echo " sudo nft -f $OUTPUT_DIR/blacklist-vk-v4.nft"
echo " sudo nft -f $OUTPUT_DIR/blacklist-vk-v6.nft"
echo " sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'"
echo " sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip daddr @blacklist_v4 counter reject"
echo " sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip6 daddr @blacklist_v6 counter reject"

4
blacklists_updater_nginx.sh
View File

@@ -11,8 +11,8 @@ nginx_output_file="${nginx_output_dir}/blacklist.conf"
nginx_v4_output_file="${nginx_output_dir}/blacklist-v4.conf"
nginx_v6_output_file="${nginx_output_dir}/blacklist-v6.conf"
# Create nginx directory if it doesn't exist
mkdir -p "${nginx_output_dir}"
# Create required directories if they don't exist
mkdir -p "${nginx_output_dir}" "blacklists"
# Function to generate nginx config from input file
generate_nginx_config() {

2
blacklists_updater_txt.sh
View File

@@ -11,6 +11,8 @@ black_names="uvd|umvd|fgup|grchc|roskomnad|federalnaya sluzhba|ufsb|zonatelecom|
# M100 - mail.ru
white_names="ruvds"
mkdir -p blacklists auto
grep -iE "${black_names}" auto/all-ru-asn.txt | grep -viE "${white_names}" | awk '{ print "# AS-Name: " $0 "\n" $1}' > ${auto_black_ass}
./network_list_from_as.py ${auto_black_ass} > ${outfile_w_comments}
./network_list_from_netname.py lists/ru-gov-netnames.txt >> ${outfile_w_comments}