Compare commits

31 Commits

| Author | SHA1 | Message | Date |
|--------|------|---------|------|
| C24Be | 7690d60023 | Update 2026.03.29 13:11:56 | 2026-03-29 13:11:57 +00:00 |
| C24Be | 1ef2a3a21e | Update 2026.03.29 06:56:52 | 2026-03-29 06:56:52 +00:00 |
| C24Be | 128d6c3d19 | Merge branch 'main' of https://github.com/C24Be/AS_Network_List | 2026-03-28 12:15:26 +01:00 |
| C24Be | 4502515ab1 | Readme | 2026-03-28 12:15:23 +01:00 |
| C24Be | 740834b112 | Update 2026.03.28 06:52:03 | 2026-03-28 06:52:03 +00:00 |
| C24Be | c79108d476 | Readme | 2026-03-27 19:16:50 +01:00 |
| C24Be | 754f545764 | Update 2026.03.27 18:14:06 | 2026-03-27 18:14:07 +00:00 |
| C24Be | 048810e560 | big update | 2026-03-27 19:12:07 +01:00 |
| C24Be | cfed9adddf | big update | 2026-03-27 19:11:52 +01:00 |
| C24Be | 0107142b90 | Update 2026.03.27 06:59:36 | 2026-03-27 06:59:36 +00:00 |
| C24Be | 5d9070946d | readme | 2026-03-26 11:20:52 +01:00 |
| C24Be | 4126557898 | Merge branch 'main' of https://github.com/C24Be/AS_Network_List | 2026-03-26 11:20:00 +01:00 |
| C24Be | cd643625f1 | readme | 2026-03-26 11:19:56 +01:00 |
| C24Be | 23ca832e7d | Update 2026.03.26 09:38:27 | 2026-03-26 09:38:27 +00:00 |
| C24Be | 760bc7409d | readme files | 2026-03-26 10:37:06 +01:00 |
| C24Be | 3922acb075 | readme files | 2026-03-26 10:34:02 +01:00 |
| C24Be | 17d64070c6 | mini readmes | 2026-03-26 10:17:04 +01:00 |
| C24Be | c34ebee88f | Update 2026.03.26 08:47:07 | 2026-03-26 08:47:07 +00:00 |
| C24Be | 96f5442eea | + routes folder to commit | 2026-03-26 09:45:53 +01:00 |
| C24Be | 22bbb3dd20 | some fixes | 2026-03-26 09:42:48 +01:00 |
| C24Be | 943e7f2498 | Merge branch 'main' of https://github.com/C24Be/AS_Network_List | 2026-03-26 09:41:31 +01:00 |
| C24Be | ecc4b2e387 | some fixes | 2026-03-26 09:41:27 +01:00 |
| C24Be | 72d57938c0 | Update 2026.03.26 08:35:16 | 2026-03-26 08:35:17 +00:00 |
| C24Be | 1d0162e69f | some fixes | 2026-03-26 09:33:42 +01:00 |
| C24Be | 75e044c01d | Update 2026.03.26 08:29:31 | 2026-03-26 08:29:31 +00:00 |
| C24Be | 3cb9156d28 | some fixes | 2026-03-26 09:28:25 +01:00 |
| C24Be | 011efe4bcb | some fixes | 2026-03-26 09:26:41 +01:00 |
| C24Be | 849e96a16d | + routes | 2026-03-26 09:18:49 +01:00 |
| C24Be | ee407903b6 | + routes | 2026-03-26 09:16:31 +01:00 |
| C24Be | 07284f6831 | + routes | 2026-03-26 09:16:11 +01:00 |
| C24Be | f407215a72 | Update 2026.03.26 07:01:14 | 2026-03-26 07:01:14 +00:00 |

47 changed files with 2654 additions and 4451 deletions

@@ -10,7 +10,7 @@ runs:
git config --global user.email "${{ env.REPO_OWNER }}@github.com"
if [ -n "${{ env.CUSTOM_BRANCH }}" ]; then
git checkout "${daily_branch}" 2>/dev/null || git checkout -b "${daily_branch}"
git push --set origin "${daily_branch}"
git push --set-upstream origin "${daily_branch}"
fi
git add ${{ env.PUSH_FILES }}
git diff --staged --quiet || CHANGED=true
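Review bot: `git add ${{ env.PUSH_FILES }}` and the `${{ env.CUSTOM_BRANCH }}` test are expanded into the script text by the Actions template engine before the shell parses it, so any shell metacharacter in those values becomes part of the command line. Passing them through the step's `env:` and reading `"$CUSTOM_BRANCH"` and `$PUSH_FILES` in the shell keeps the values as data (leave `$PUSH_FILES` unquoted only because it is a space-separated path list). On the changed line, `git push --set-upstream` runs before `git add`, so it publishes the branch as it stood before this run's changes; check that a later push follows the commit.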

@@ -8,9 +8,9 @@ runs:
if [ -n "${{ env.CUSTOM_BRANCH }}" ]; then
git reset --hard
git clean -fdx
git checkout "${daily_branch}"
git pull origin "${daily_branch}"
git push --set origin "${daily_branch}"
git checkout "${daily_branch}" 2>/dev/null || git checkout -b "${daily_branch}"
git pull origin "${daily_branch}" || true
git push --set-upstream origin "${daily_branch}"
fi
git reset --hard
git clean -fdx
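Review bot: `git pull origin "${daily_branch}" || true` discards every pull failure, not only the case where the remote branch does not exist yet, so an authentication error or a merge conflict is ignored and the following `git push --set-upstream` runs against whatever state is left. Test for the remote branch explicitly, for example with `git ls-remote --exit-code --heads origin "${daily_branch}"`, pull only when it exists, and let a real pull error fail the step. The same concern applies to `git checkout "${daily_branch}" 2>/dev/null || git checkout -b "${daily_branch}"`, which hides the reason the first checkout failed.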

@@ -26,7 +26,7 @@ jobs:
with:
fetch-depth: 0 # this is required to fetch all history for all branches and tags
token: ${{ env.GH_PAT }}
ref: ${{ github.branch }}
ref: ${{ github.ref_name }}
- uses: ./.github/actions/gitReset
env:
CUSTOM_BRANCH: true
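Review bot: On `ref: ${{ github.ref_name }}`, `github.ref_name` is the short name of whatever ref triggered the run, so on a tag or pull-request trigger it is a tag name or `<pr_number>/merge` rather than a branch. The job then runs `gitReset` with `CUSTOM_BRANCH: true`, so if these jobs can start from anything other than a branch push, a schedule or a manual dispatch, add an `if:` guard or pass the branch name explicitly. The same line changes in the two hunks that follow.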
@@ -53,7 +53,7 @@ jobs:
with:
fetch-depth: 0 # this is required to fetch all history for all branches and tags
token: ${{ env.GH_PAT }}
ref: ${{ github.branch }}
ref: ${{ github.ref_name }}
- uses: ./.github/actions/gitReset
env:
CUSTOM_BRANCH: true
@@ -80,7 +80,7 @@ jobs:
with:
fetch-depth: 0 # this is required to fetch all history for all branches and tags
token: ${{ env.GH_PAT }}
ref: ${{ github.branch }}
ref: ${{ github.ref_name }}
- uses: ./.github/actions/gitReset
env:
CUSTOM_BRANCH: true

@@ -33,6 +33,7 @@ jobs:
- run: ./blacklists_updater_nginx.sh
- run: ./blacklists_updater_iptables.sh
- run: ./blacklists_updater_nftables.sh
- run: ./blacklists_updater_routes.sh
- uses: ./.github/actions/gitPush
env:
PUSH_FILES: blacklists/ blacklists_nginx/ blacklists_iptables/ blacklists_nftables/
PUSH_FILES: blacklists/ blacklists_nginx/ blacklists_iptables/ blacklists_nftables/ blacklists_route/
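Review bot: The new step is `blacklists_updater_routes.sh` but the directory added to `PUSH_FILES` is `blacklists_route/` (singular), which is easy to mistype in later edits; pick one spelling for both. Since `PUSH_FILES` is handed to `git add` as a path list, also make sure the script always creates `blacklists_route/`, otherwise the missing pathspec makes `git add` fail and nothing from the other updaters is pushed.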

@@ -9,12 +9,15 @@
This repository contains Python scripts that allow you to retrieve network lists based on either an Autonomous System (AS) name or a Network name. Also you can download and parse the whole RIPE database to get information about Networks for the further analysis.
## Important Links
**Ready-to-use blacklists in multiple formats:**
- [Text blacklists in `blacklists/`](https://github.com/C24Be/AS_Network_List/tree/main/blacklists) - Plain text format with IPv4/IPv6 separation
- [Nginx configurations in `blacklists_nginx/`](https://github.com/C24Be/AS_Network_List/tree/main/blacklists_nginx) - Ready to include in your nginx config
- [IPTables/IPSet files in `blacklists_iptables/`](https://github.com/C24Be/AS_Network_List/tree/main/blacklists_iptables) - Optimized for iptables with ipset
- [Other network and ASN lists in `auto/`](https://github.com/C24Be/AS_Network_List/tree/main/auto) - Comprehensive Russian network data
- [nftables files in `blacklists_nftables/`](https://github.com/C24Be/AS_Network_List/tree/main/blacklists_nftables) - Ready-to-load sets and rules for nftables
- [Linux route files in `blacklists_route/`](https://github.com/C24Be/AS_Network_List/tree/main/blacklists_route) - VK route blackholes to loopback (IPv4/IPv6)
## Files and features
@@ -33,6 +36,8 @@ This repository contains Python scripts that allow you to retrieve network lists
- `blacklists_updater_txt.sh`: Generates text-based blacklists with IPv4/IPv6 separation
- `blacklists_updater_nginx.sh`: Generates nginx configuration files with deny directives
- `blacklists_updater_iptables.sh`: Generates ipset configuration files for iptables/ip6tables
- `blacklists_updater_nftables.sh`: Generates nftables blacklist files (mixed/v4/v6 and VK-specific)
- `blacklists_updater_routes.sh`: Generates Linux route files to send VK networks to loopback (`127.0.0.1` / `::1`)
### Generated Blacklists
@@ -52,25 +57,34 @@ This repository contains Python scripts that allow you to retrieve network lists
**IPTables/IPSet Format** (`blacklists_iptables/` folder):
- `blacklist.ipset`: IPSet configuration for mixed IPv4/IPv6 (**daily generated**)
- `blacklist-v4.ipset`: IPSet configuration for IPv4 only (**daily generated**)
- `blacklist-v6.ipset`: IPSet configuration for IPv6 only (**daily generated**)
- `blacklist-vk-v4.ipset`: IPSet configuration for VK-only IPv4 networks (**daily generated**)
- `blacklist-vk-v6.ipset`: IPSet configuration for VK-only IPv6 networks (**daily generated**)
- `README.md`: Complete usage documentation for iptables integration
**nftables Format** (`blacklists_nftables/` folder):
* `blacklist.nft`: nftables configuration for mixed IPv4/IPv6 (**daily generated**)
* `blacklist.nft`: nftables set definitions for mixed IPv4/IPv6 (**daily generated**)
* `blacklist-v4.nft`: nftables configuration for IPv4 only (**daily generated**)
* `blacklist-v6.nft`: nftables configuration for IPv6 only (**daily generated**)
* `blacklist-vk.nft`: nftables set definitions for VK-only mixed IPv4/IPv6 (**daily generated**)
* `blacklist-vk-v4.nft`: nftables configuration for VK-only IPv4 networks (**daily generated**)
* `blacklist-vk-v6.nft`: nftables configuration for VK-only IPv6 networks (**daily generated**)
* `README.md`: Complete usage documentation for nftables integration
**Linux Routes Format** (`blacklists_route/` folder):
* `blacklist-vk-v4.routes`: IPv4 routes for VK-only networks to `127.0.0.1` via `lo` (**daily generated**)
* `blacklist-vk-v6.routes`: IPv6 routes for VK-only networks to `::1` via `lo` (**daily generated**)
### Reference Lists
**Contributors are welcome!**
- `lists/ru-gov-netnames.txt`: A list of network names associated with the Russian government.
- `lists/ru-gov-asns.txt`: A list of AS numbers associated with the Russian government.
- ASN candidates used for blacklists are derived automatically from `auto/all-ru-asn.txt`.
### Auto-Generated Data
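Review bot: In the nftables list, `blacklist.nft` and `blacklist-vk.nft` are now described as "set definitions" while the `-v4` and `-v6` files are still called "configuration"; say for each file whether it only defines sets or also installs rules, because that decides whether loading it blocks anything on its own. The Linux Routes list has no `README.md` entry, unlike the iptables and nftables lists above it; add one or state that usage is covered in the main README.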
@@ -98,22 +112,55 @@ wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_ngi
**For IPTables/IPSet:**
```bash
# Download and load into ipset
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_iptables/blacklist.ipset
ipset restore < blacklist.ipset
iptables -I INPUT -m set --match-set blacklist-v4 src -j DROP
ip6tables -I INPUT -m set --match-set blacklist-v6 src -j DROP
# Download and load IPv4/IPv6 sets into ipset
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_iptables/blacklist-v4.ipset
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_iptables/blacklist-v6.ipset
ipset restore < blacklist-v4.ipset
ipset restore < blacklist-v6.ipset
iptables -I INPUT -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
ip6tables -I INPUT -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP
```
**For nftables:**
````bash
# Download and load into nftables
# Download and load nftables sets
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist.nft
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-v4.nft
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-v6.nft
sudo nft -f blacklist.nft
sudo nft -f blacklist-v4.nft
sudo nft -f blacklist-v6.nft
# Protect VM from incoming blacklist sources
sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject
sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject
# VK-only outbound blocking for VPN clients via NAT/FORWARD
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-vk.nft
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-vk-v4.nft
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-vk-v6.nft
sudo nft -f blacklist-vk.nft
sudo nft -f blacklist-vk-v4.nft
sudo nft -f blacklist-vk-v6.nft
sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'
sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip daddr @blacklist_vk_v4 counter reject
sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip6 daddr @blacklist_vk_v6 counter reject
# View the loaded rules
sudo nft list ruleset
````
**For Linux Routes (VK loopback blackhole):**
```bash
# Download and apply VK route files
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_route/blacklist-vk-v4.routes
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_route/blacklist-vk-v6.routes
sudo sh blacklist-vk-v4.routes
sudo sh blacklist-vk-v6.routes
```
**For Custom Applications:**
```bash
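Review bot: `sudo sh blacklist-vk-v4.routes` and `sudo sh blacklist-vk-v6.routes` execute a file fetched from the moving `main` branch as root without looking at it. Document the expected line format and suggest fetching from a pinned commit and checking that every line matches that format before running it; the same caution fits the `sudo nft -f` downloads. Two further points for the text: the added `-m conntrack --ctstate NEW` means packets from listed sources that belong to an existing connection are no longer dropped, which deserves a sentence, and `nft add chain inet filter input` fails unless the `inet filter` table already exists, so either state that the downloaded files create it or add `sudo nft add table inet filter` first.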
@@ -163,16 +210,16 @@ See the README files in each folder for detailed usage instructions.
./network_list_from_as.py AS61280
```
2. Run the script with a URL to a file in a GitHub repository as an argument:
2. Run the script with a URL to a file with one ASN per line:
```bash
./network_list_from_as.py https://github.com/C24Be/AS_Network_List/blob/main/lists/ru-gov-asns.txt
./network_list_from_as.py https://example.com/asns.txt
```
Or better use the raw file link:
```bash
./network_list_from_as.py https://raw.githubusercontent.com/C24Be/AS_Network_List/main/lists/ru-gov-asns.txt
./network_list_from_as.py https://example.com/asns-raw.txt
```
3. To display a help message, use the `-h` or `--help` switch:
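Review bot: After replacing the repository links with `https://example.com/asns.txt` and `https://example.com/asns-raw.txt`, the sentence "Or better use the raw file link" no longer has anything to contrast, since neither URL shows the GitHub `blob` versus `raw` difference. Either drop the second example or keep one GitHub-shaped pair, and say what the script does with a URL that returns HTML rather than one ASN per line.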
@@ -237,16 +284,6 @@ This repository uses GitHub Actions to automatically update blacklists:
All blacklists are automatically regenerated and committed to ensure you always have the latest data.
## Blacklist Format Comparison
| Format | Best For | Performance | Ease of Use | File Size |
|--------|----------|-------------|-------------|-----------|
| **Text** | Custom scripts, analysis | N/A | ⭐⭐⭐⭐⭐ | Small |
| **Nginx** | Web servers, reverse proxies | Good | ⭐⭐⭐⭐ | Medium |
| **IPSet** | Firewalls, large-scale blocking | Excellent | ⭐⭐⭐ | Medium |
**Recommendation**: Use IPSet for firewall-level blocking (best performance), Nginx for web application layer, and text format for custom integrations.
## Additional information
- [RIPE DB Inetnum](https://ftp.ripe.net/ripe/dbase/split/ripe.db.inetnum.gz)

@@ -1,109 +0,0 @@
# IPTables/IPSet Blacklist Configurations
Auto-generated ipset configuration files for blocking networks and IP addresses with iptables/ip6tables.
## Available Files
### IPv4 Only
- **`blacklist-v4.ipset`** - Contains only IPv4 networks (806 entries)
### IPv6 Only
- **`blacklist-v6.ipset`** - Contains only IPv6 networks (3 entries)
### Mixed IPv4/IPv6
- **`blacklist.ipset`** - Contains both IPv4 and IPv6 sets (809 total entries)
## Usage
### 1. Load the IPSet
```bash
# For IPv4 only
ipset restore < blacklist-v4.ipset
# For IPv6 only
ipset restore < blacklist-v6.ipset
# For both IPv4 and IPv6 (loads both sets)
ipset restore < blacklist.ipset
```
### 2. Apply IPTables Rules
```bash
# For IPv4
iptables -I INPUT -m set --match-set blacklist-v4 src -j DROP
iptables -I FORWARD -m set --match-set blacklist-v4 src -j DROP
# For IPv6
ip6tables -I INPUT -m set --match-set blacklist-v6 src -j DROP
ip6tables -I FORWARD -m set --match-set blacklist-v6 src -j DROP
```
### 3. Persist Rules (Optional)
To make the rules persistent across reboots:
**On Debian/Ubuntu:**
```bash
# Save iptables rules
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
# Save ipset
ipset save > /etc/ipset.conf
```
**On RHEL/CentOS:**
```bash
# Save iptables rules
service iptables save
service ip6tables save
# Save ipset
ipset save > /etc/sysconfig/ipset
```
### 4. Update Existing Sets
To update the blacklist without restarting iptables:
```bash
# Flush and reload
ipset flush blacklist-v4
ipset restore < blacklist-v4.ipset
```
### 5. Remove Sets
```bash
# Remove IPv4 set
ipset flush blacklist-v4
ipset destroy blacklist-v4
# Remove IPv6 set
ipset flush blacklist-v6
ipset destroy blacklist-v6
```
## Performance Benefits
IPSet uses hash tables for O(1) lookup performance, making it ideal for large blacklists:
- Much faster than individual iptables rules
- Minimal CPU overhead
- Supports up to 65536 entries per set (configurable)
- Kernel-level implementation for maximum efficiency
## Automatic Updates
These files are automatically regenerated when the blacklists are updated via the GitHub Actions workflow.
## Source
Generated from the blacklist files in the `blacklists/` directory.
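Review bot: The main README in this compare still lists `README.md` as "Complete usage documentation for iptables integration" under the IPTables/IPSet format, yet this 109-line usage document is deleted in full (`@@ -1,109 +0,0`). If it was that folder's README, either restore a shortened version or remove the entry; the persistence and set-removal steps here are not repeated in the new quick-start block.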

@@ -1,6 +1,6 @@
# IPSet blacklist configuration (IPv4 only)
# Auto-generated from blacklist-v4.txt
# Last updated: 2026-03-25 06:55:55 UTC
# Last updated: 2026-03-29 06:56:51 UTC
#
# Usage:
# 1. Load the ipset:
@@ -15,7 +15,7 @@
# ipset destroy blacklist-v4
#
create blacklist-v4 hash:net family inet hashsize 1135 maxelem 2270
create blacklist-v4 hash:net family inet hashsize 1083 maxelem 2166
add blacklist-v4 109.120.180.0/22
add blacklist-v4 109.120.180.0/23
add blacklist-v4 109.120.182.0/23
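Review bot: `create blacklist-v4 hash:net family inet hashsize 1083 maxelem 2166` has no provision for a set that already exists, so a second `ipset restore < blacklist-v4.ipset` on a host that loaded an earlier copy stops at this line. `ipset restore -exist` only ignores a create that is exactly the same set, and `hashsize` and `maxelem` change between generations here (1135/2270 to 1083/2166). Document an update path that creates a temporary set, fills it and uses `ipset swap`, which also avoids a window with an empty set. `hashsize` is expected to be a power of two and the kernel rounds other values up, so the generator could emit a power of two directly.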
add blacklist-v4 195.239.247.0/24
add blacklist-v4 195.239.80.32/29
@@ -280,7 +267,6 @@ add blacklist-v4 195.98.38.16/28
add blacklist-v4 195.98.43.104/29
add blacklist-v4 195.98.73.56/29
add blacklist-v4 195.98.77.100/30
add blacklist-v4 212.111.84.0/22
add blacklist-v4 212.119.174.0/24
add blacklist-v4 212.119.175.0/24
add blacklist-v4 212.120.169.48/29
@@ -306,10 +292,6 @@ add blacklist-v4 212.17.9.144/28
add blacklist-v4 212.192.156.0/22
add blacklist-v4 212.23.85.48/30
add blacklist-v4 212.23.85.56/29
add blacklist-v4 212.233.120.0/22
add blacklist-v4 212.233.72.0/21
add blacklist-v4 212.233.88.0/21
add blacklist-v4 212.233.96.0/22
add blacklist-v4 212.32.198.64/29
add blacklist-v4 212.48.134.192/26
add blacklist-v4 212.48.138.240/28
@@ -414,8 +396,6 @@ add blacklist-v4 213.172.27.224/30
add blacklist-v4 213.172.27.252/30
add blacklist-v4 213.172.30.136/30
add blacklist-v4 213.172.4.192/26
add blacklist-v4 213.176.232.0/23
add blacklist-v4 213.176.234.0/23
add blacklist-v4 213.177.111.0/24
add blacklist-v4 213.183.253.56/29
add blacklist-v4 213.219.212.0/22
@@ -471,7 +451,9 @@ add blacklist-v4 217.106.203.240/29
add blacklist-v4 217.106.203.88/29
add blacklist-v4 217.106.93.192/26
add blacklist-v4 217.106.95.112/28
add blacklist-v4 217.107.0.0/18
add blacklist-v4 217.107.200.0/21
add blacklist-v4 217.107.208.0/20
add blacklist-v4 217.107.5.112/29
add blacklist-v4 217.107.5.16/29
add blacklist-v4 217.107.5.24/29
@@ -487,7 +469,7 @@ add blacklist-v4 217.16.16.0/20
add blacklist-v4 217.16.16.0/21
add blacklist-v4 217.16.24.0/21
add blacklist-v4 217.172.18.0/23
add blacklist-v4 217.174.188.0/22
add blacklist-v4 217.172.20.0/22
add blacklist-v4 217.174.188.0/23
add blacklist-v4 217.195.92.16/28
add blacklist-v4 217.195.93.144/29
@@ -502,7 +484,10 @@ add blacklist-v4 217.20.156.0/23
add blacklist-v4 217.20.158.0/24
add blacklist-v4 217.20.159.0/24
add blacklist-v4 217.20.86.128/26
add blacklist-v4 217.20.86.192/27
add blacklist-v4 217.20.86.224/29
add blacklist-v4 217.20.86.232/29
add blacklist-v4 217.20.86.240/28
add blacklist-v4 217.23.88.168/29
add blacklist-v4 217.23.88.248/29
add blacklist-v4 217.27.142.176/30
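
Review bot: the five `217.20.86.x` entries in this hunk (`217.20.86.128/26`, `217.20.86.192/27`, `217.20.86.224/29`, `217.20.86.232/29`, `217.20.86.240/28`) together cover exactly `217.20.86.128/25`, which is how the nftables file in this same change carries the range. The ipset generator is not aggregating adjacent prefixes, so the set grows with every split in the source data. Suggest running the same collapse step for the ipset output; fewer distinct prefix lengths also keeps `hash:net` lookups cheaper, since lookup time grows with the number of different prefix lengths present in the set.
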
@@ -511,9 +496,7 @@ add blacklist-v4 217.65.219.160/29
add blacklist-v4 217.67.177.208/29
add blacklist-v4 217.69.128.0/20
add blacklist-v4 217.69.128.0/21
add blacklist-v4 217.69.132.0/24
add blacklist-v4 217.69.136.0/21
add blacklist-v4 31.177.104.0/22
add blacklist-v4 31.177.95.0/24
add blacklist-v4 31.44.63.64/29
add blacklist-v4 37.139.32.0/22
@@ -536,6 +519,7 @@ add blacklist-v4 45.84.130.0/23
add blacklist-v4 46.20.70.160/28
add blacklist-v4 46.228.0.232/29
add blacklist-v4 46.29.152.0/22
add blacklist-v4 46.29.156.0/23
add blacklist-v4 46.46.142.160/28
add blacklist-v4 46.46.148.40/29
add blacklist-v4 46.47.197.128/30
@@ -647,9 +631,6 @@ add blacklist-v4 79.137.132.128/25
add blacklist-v4 79.137.139.0/24
add blacklist-v4 79.137.139.0/25
add blacklist-v4 79.137.139.128/25
add blacklist-v4 79.137.140.0/24
add blacklist-v4 79.137.142.0/24
add blacklist-v4 79.137.157.0/24
add blacklist-v4 79.137.157.0/25
add blacklist-v4 79.137.157.128/25
add blacklist-v4 79.137.164.0/24
@@ -669,9 +650,6 @@ add blacklist-v4 79.137.240.0/21
add blacklist-v4 79.137.240.0/22
add blacklist-v4 79.137.244.0/22
add blacklist-v4 79.142.88.0/28
add blacklist-v4 79.143.229.0/24
add blacklist-v4 79.143.230.0/24
add blacklist-v4 79.143.232.0/24
add blacklist-v4 80.237.11.88/29
add blacklist-v4 80.237.39.112/29
add blacklist-v4 80.237.98.80/28
@@ -681,8 +659,6 @@ add blacklist-v4 80.247.46.0/24
add blacklist-v4 80.254.100.40/29
add blacklist-v4 80.254.119.168/29
add blacklist-v4 80.73.16.0/20
add blacklist-v4 80.73.16.0/21
add blacklist-v4 80.73.16.0/24
add blacklist-v4 80.73.168.80/28
add blacklist-v4 80.73.169.244/30
add blacklist-v4 80.82.43.24/29
@@ -706,11 +682,9 @@ add blacklist-v4 81.195.124.52/30
add blacklist-v4 81.195.125.96/30
add blacklist-v4 81.195.148.140/30
add blacklist-v4 81.195.150.248/30
add blacklist-v4 81.195.151.0/24
add blacklist-v4 81.195.151.172/30
add blacklist-v4 81.195.155.0/30
add blacklist-v4 81.195.161.12/30
add blacklist-v4 81.195.164.0/24
add blacklist-v4 81.195.165.64/28
add blacklist-v4 81.195.168.24/30
add blacklist-v4 81.195.177.160/30
@@ -889,8 +863,6 @@ add blacklist-v4 87.239.108.0/22
add blacklist-v4 87.240.128.0/18
add blacklist-v4 87.240.128.0/19
add blacklist-v4 87.240.160.0/19
add blacklist-v4 87.240.166.0/24
add blacklist-v4 87.240.167.0/24
add blacklist-v4 87.242.112.0/22
add blacklist-v4 87.245.133.0/24
add blacklist-v4 87.249.16.32/28
@@ -958,9 +930,6 @@ add blacklist-v4 89.21.140.104/29
add blacklist-v4 89.21.152.104/29
add blacklist-v4 89.221.228.0/22
add blacklist-v4 89.221.232.0/21
add blacklist-v4 89.221.232.0/22
add blacklist-v4 89.221.235.0/24
add blacklist-v4 89.221.236.0/22
add blacklist-v4 89.28.253.168/29
add blacklist-v4 89.28.255.56/29
add blacklist-v4 90.150.176.52/30
@@ -983,7 +952,6 @@ add blacklist-v4 90.150.189.32/29
add blacklist-v4 90.156.148.0/22
add blacklist-v4 90.156.148.0/23
add blacklist-v4 90.156.150.0/23
add blacklist-v4 90.156.151.0/24
add blacklist-v4 90.156.212.0/22
add blacklist-v4 90.156.212.0/23
add blacklist-v4 90.156.214.0/23
@@ -992,29 +960,15 @@ add blacklist-v4 90.156.216.0/23
add blacklist-v4 90.156.218.0/23
add blacklist-v4 90.156.232.0/21
add blacklist-v4 91.103.194.184/29
add blacklist-v4 91.135.212.0/22
add blacklist-v4 91.135.216.0/21
add blacklist-v4 91.135.220.0/24
add blacklist-v4 91.135.221.0/24
add blacklist-v4 91.195.136.0/23
add blacklist-v4 91.208.20.0/24
add blacklist-v4 91.215.168.0/22
add blacklist-v4 91.217.34.0/23
add blacklist-v4 91.219.192.0/22
add blacklist-v4 91.219.224.0/22
add blacklist-v4 91.221.140.0/23
add blacklist-v4 91.221.140.0/24
add blacklist-v4 91.221.141.0/24
add blacklist-v4 91.226.250.0/24
add blacklist-v4 91.227.32.0/24
add blacklist-v4 91.231.132.0/22
add blacklist-v4 91.231.132.0/24
add blacklist-v4 91.231.133.0/24
add blacklist-v4 91.231.134.0/24
add blacklist-v4 91.237.76.0/24
add blacklist-v4 92.101.253.152/29
add blacklist-v4 92.101.253.96/29
add blacklist-v4 92.38.217.0/24
add blacklist-v4 92.39.106.168/30
add blacklist-v4 92.39.106.20/30
add blacklist-v4 92.39.111.84/30
@@ -1056,7 +1010,6 @@ add blacklist-v4 94.100.184.0/21
add blacklist-v4 94.124.192.192/29
add blacklist-v4 94.139.244.0/22
add blacklist-v4 94.139.244.0/23
add blacklist-v4 94.139.244.0/24
add blacklist-v4 94.139.246.0/23
add blacklist-v4 94.199.64.0/21
add blacklist-v4 94.25.119.228/30
@@ -1073,9 +1026,6 @@ add blacklist-v4 95.142.200.0/21
add blacklist-v4 95.142.201.0/24
add blacklist-v4 95.142.202.0/24
add blacklist-v4 95.142.203.0/24
add blacklist-v4 95.142.204.0/23
add blacklist-v4 95.142.207.0/24
add blacklist-v4 95.163.133.0/24
add blacklist-v4 95.163.180.0/22
add blacklist-v4 95.163.180.0/23
add blacklist-v4 95.163.182.0/23
@@ -1113,6 +1063,7 @@ add blacklist-v4 95.167.5.64/28
add blacklist-v4 95.167.5.80/28
add blacklist-v4 95.167.54.76/30
add blacklist-v4 95.167.59.244/30
add blacklist-v4 95.167.59.248/30
add blacklist-v4 95.167.64.20/30
add blacklist-v4 95.167.68.216/29
add blacklist-v4 95.167.69.116/30
@@ -1130,7 +1081,6 @@ add blacklist-v4 95.173.128.0/19
add blacklist-v4 95.173.128.0/20
add blacklist-v4 95.173.144.0/20
add blacklist-v4 95.213.0.0/17
add blacklist-v4 95.213.0.0/18
add blacklist-v4 95.213.0.0/20
add blacklist-v4 95.213.16.0/21
add blacklist-v4 95.213.24.0/23
@@ -1145,8 +1095,6 @@ add blacklist-v4 95.213.33.0/24
add blacklist-v4 95.213.34.0/23
add blacklist-v4 95.213.36.0/22
add blacklist-v4 95.213.40.0/21
add blacklist-v4 95.213.44.0/24
add blacklist-v4 95.213.45.0/24
add blacklist-v4 95.213.48.0/20
add blacklist-v4 95.213.64.0/18
add blacklist-v4 95.53.248.0/29

@@ -1,6 +1,6 @@
# IPSet blacklist configuration (IPv6 only)
# Auto-generated from blacklist-v6.txt
# Last updated: 2026-03-25 06:55:55 UTC
# Last updated: 2026-03-29 06:56:51 UTC
#
# Usage:
# 1. Load the ipset:
@@ -15,26 +15,9 @@
# ipset destroy blacklist-v6
#
create blacklist-v6 hash:net family inet6 hashsize 1024 maxelem 44
add blacklist-v6 2a00:1148::/29
add blacklist-v6 2a00:1148::/32
add blacklist-v6 2a00:46e0:2::/48
add blacklist-v6 2a00:46e0::/32
add blacklist-v6 2a00:a300::/32
add blacklist-v6 2a00:b4c0::/32
add blacklist-v6 2a00:bdc0:8000::/34
add blacklist-v6 2a00:bdc0::/33
add blacklist-v6 2a00:bdc0:c000::/35
create blacklist-v6 hash:net family inet6 hashsize 1024 maxelem 10
add blacklist-v6 2a00:bdc0:e002::/48
add blacklist-v6 2a00:bdc0:e003::/48
add blacklist-v6 2a00:bdc0:e004::/48
add blacklist-v6 2a00:bdc0:e005::/48
add blacklist-v6 2a00:bdc0:e007::/48
add blacklist-v6 2a00:bdc0:f000::/36
add blacklist-v6 2a00:bdc1::/32
add blacklist-v6 2a00:bdc2::/31
add blacklist-v6 2a00:bdc4::/30
add blacklist-v6 2a14:25c0::/32
add blacklist-v6 2a14:25c5::/32
add blacklist-v6 2a14:25c6::/32
add blacklist-v6 2a14:25c7::/32
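
Review bot: this regenerated file cuts the IPv6 set from 22 entries to 5, removing broad prefixes such as `2a00:bdc0::/33` and `2a00:bdc1::/32`, and nothing in the hunk indicates whether that is a deliberate scope change or the result of a source returning partial data. A generator that publishes whatever it fetched will silently unblock ranges on every consumer that reloads the file. Suggest a guard in the workflow that refuses to commit when a list shrinks by more than a set fraction, and a commit message that states the reason when the drop is intentional. `maxelem 10` also leaves little room for local additions to the set.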

@@ -1,6 +1,6 @@
# IPSet blacklist configuration (VK names, IPv4 only)
# Auto-generated from blacklist-vk-v4.txt
# Last updated: 2026-03-25 06:55:55 UTC
# Last updated: 2026-03-29 06:56:51 UTC
#
# Usage:
# 1. Load the ipset:
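
Review bot: the only change to this file is the `# Last updated:` line, and the VK IPv6 file in the next diff is the same. Rewriting the timestamp on every run produces a commit and a changed download for consumers even when no prefix changed, which makes real list changes harder to spot in the history. Suggest writing the file only when the entries differ, or dropping the timestamp from the generated header.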

@@ -1,6 +1,6 @@
# IPSet blacklist configuration (VK names, IPv6 only)
# Auto-generated from blacklist-vk-v6.txt
# Last updated: 2026-03-25 06:55:55 UTC
# Last updated: 2026-03-29 06:56:51 UTC
#
# Usage:
# 1. Load the ipset:

@@ -1,289 +0,0 @@
# IPSet blacklist configuration (VK names: VK Cloud / VKCOMPANY / VKONTAKTE)
# Auto-generated from name-filtered auto/*.txt sources
# Last updated: 2026-03-25 06:55:55 UTC
#
# Usage:
# 1. Load the ipset:
# ipset restore < blacklist-vk.ipset
#
# 2. Use with iptables/ip6tables:
# iptables -I OUTPUT -m set --match-set blacklist-vk-v4 dst -j REJECT
# iptables -I FORWARD -m set --match-set blacklist-vk-v4 dst -j REJECT
# ip6tables -I OUTPUT -m set --match-set blacklist-vk-v6 dst -j REJECT
# ip6tables -I FORWARD -m set --match-set blacklist-vk-v6 dst -j REJECT
#
# 3. To flush/delete the sets:
# ipset flush blacklist-vk-v4 && ipset destroy blacklist-vk-v4
# ipset flush blacklist-vk-v6 && ipset destroy blacklist-vk-v6
#
create blacklist-vk-v4 hash:net family inet hashsize 1024 maxelem 532
add blacklist-vk-v4 109.120.180.0/22
add blacklist-vk-v4 109.120.180.0/23
add blacklist-vk-v4 109.120.182.0/23
add blacklist-vk-v4 109.120.188.0/22
add blacklist-vk-v4 109.120.188.0/23
add blacklist-vk-v4 109.120.190.0/23
add blacklist-vk-v4 128.140.168.0/21
add blacklist-vk-v4 128.140.168.0/23
add blacklist-vk-v4 128.140.170.0/24
add blacklist-vk-v4 128.140.171.0/24
add blacklist-vk-v4 128.140.172.0/22
add blacklist-vk-v4 130.49.224.0/19
add blacklist-vk-v4 146.185.208.0/22
add blacklist-vk-v4 146.185.208.0/23
add blacklist-vk-v4 146.185.210.0/23
add blacklist-vk-v4 146.185.240.0/22
add blacklist-vk-v4 146.185.240.0/23
add blacklist-vk-v4 146.185.242.0/23
add blacklist-vk-v4 155.212.192.0/20
add blacklist-vk-v4 176.112.168.0/21
add blacklist-vk-v4 178.22.88.0/21
add blacklist-vk-v4 178.22.89.64/26
add blacklist-vk-v4 178.22.94.0/23
add blacklist-vk-v4 178.237.16.0/20
add blacklist-vk-v4 178.237.16.0/21
add blacklist-vk-v4 178.237.24.0/22
add blacklist-vk-v4 178.237.30.0/23
add blacklist-vk-v4 185.100.104.0/22
add blacklist-vk-v4 185.100.104.0/23
add blacklist-vk-v4 185.100.106.0/23
add blacklist-vk-v4 185.130.112.0/22
add blacklist-vk-v4 185.130.112.0/23
add blacklist-vk-v4 185.130.114.0/23
add blacklist-vk-v4 185.131.68.0/22
add blacklist-vk-v4 185.16.148.0/22
add blacklist-vk-v4 185.16.148.0/23
add blacklist-vk-v4 185.16.150.0/23
add blacklist-vk-v4 185.16.244.0/22
add blacklist-vk-v4 185.16.244.0/23
add blacklist-vk-v4 185.16.246.0/23
add blacklist-vk-v4 185.180.200.0/22
add blacklist-vk-v4 185.187.63.0/24
add blacklist-vk-v4 185.187.63.0/25
add blacklist-vk-v4 185.187.63.128/25
add blacklist-vk-v4 185.226.52.0/22
add blacklist-vk-v4 185.226.52.0/23
add blacklist-vk-v4 185.226.54.0/23
add blacklist-vk-v4 185.241.192.0/22
add blacklist-vk-v4 185.241.192.0/23
add blacklist-vk-v4 185.241.194.0/23
add blacklist-vk-v4 185.29.128.0/22
add blacklist-vk-v4 185.29.130.0/24
add blacklist-vk-v4 185.32.248.0/22
add blacklist-vk-v4 185.32.248.0/23
add blacklist-vk-v4 185.32.250.0/23
add blacklist-vk-v4 185.5.136.0/22
add blacklist-vk-v4 185.5.136.0/23
add blacklist-vk-v4 185.5.138.0/23
add blacklist-vk-v4 185.6.244.0/22
add blacklist-vk-v4 185.6.244.0/23
add blacklist-vk-v4 185.6.246.0/23
add blacklist-vk-v4 185.86.144.0/22
add blacklist-vk-v4 185.86.144.0/23
add blacklist-vk-v4 185.86.146.0/23
add blacklist-vk-v4 188.93.56.0/21
add blacklist-vk-v4 188.93.56.0/24
add blacklist-vk-v4 188.93.57.0/24
add blacklist-vk-v4 188.93.58.0/24
add blacklist-vk-v4 188.93.60.0/24
add blacklist-vk-v4 188.93.61.0/24
add blacklist-vk-v4 188.93.62.0/24
add blacklist-vk-v4 193.203.40.0/22
add blacklist-vk-v4 194.84.16.12/30
add blacklist-vk-v4 195.211.20.0/22
add blacklist-vk-v4 195.211.22.0/24
add blacklist-vk-v4 195.211.23.0/24
add blacklist-vk-v4 212.111.84.0/22
add blacklist-vk-v4 212.233.120.0/22
add blacklist-vk-v4 212.233.72.0/21
add blacklist-vk-v4 212.233.88.0/21
add blacklist-vk-v4 212.233.96.0/22
add blacklist-vk-v4 213.219.212.0/22
add blacklist-vk-v4 213.219.212.0/23
add blacklist-vk-v4 213.219.214.0/23
add blacklist-vk-v4 217.16.16.0/20
add blacklist-vk-v4 217.16.16.0/21
add blacklist-vk-v4 217.16.24.0/21
add blacklist-vk-v4 217.174.188.0/23
add blacklist-vk-v4 217.20.144.0/20
add blacklist-vk-v4 217.20.144.0/22
add blacklist-vk-v4 217.20.148.0/24
add blacklist-vk-v4 217.20.149.0/24
add blacklist-vk-v4 217.20.150.0/23
add blacklist-vk-v4 217.20.152.0/22
add blacklist-vk-v4 217.20.156.0/23
add blacklist-vk-v4 217.20.158.0/24
add blacklist-vk-v4 217.20.159.0/24
add blacklist-vk-v4 217.69.128.0/20
add blacklist-vk-v4 217.69.128.0/21
add blacklist-vk-v4 217.69.136.0/21
add blacklist-vk-v4 37.139.32.0/22
add blacklist-vk-v4 37.139.32.0/23
add blacklist-vk-v4 37.139.34.0/23
add blacklist-vk-v4 37.139.40.0/22
add blacklist-vk-v4 37.139.40.0/23
add blacklist-vk-v4 37.139.42.0/23
add blacklist-vk-v4 45.136.20.0/22
add blacklist-vk-v4 45.136.20.0/23
add blacklist-vk-v4 45.136.22.0/23
add blacklist-vk-v4 45.84.128.0/22
add blacklist-vk-v4 45.84.128.0/23
add blacklist-vk-v4 45.84.130.0/23
add blacklist-vk-v4 5.101.40.0/22
add blacklist-vk-v4 5.101.40.0/23
add blacklist-vk-v4 5.101.42.0/23
add blacklist-vk-v4 5.181.60.0/22
add blacklist-vk-v4 5.181.60.0/24
add blacklist-vk-v4 5.181.61.0/24
add blacklist-vk-v4 5.181.62.0/23
add blacklist-vk-v4 5.188.140.0/22
add blacklist-vk-v4 5.188.140.0/23
add blacklist-vk-v4 5.188.142.0/23
add blacklist-vk-v4 5.61.16.0/21
add blacklist-vk-v4 5.61.16.0/22
add blacklist-vk-v4 5.61.20.0/22
add blacklist-vk-v4 5.61.232.0/21
add blacklist-vk-v4 5.61.232.0/22
add blacklist-vk-v4 5.61.236.0/23
add blacklist-vk-v4 5.61.238.0/24
add blacklist-vk-v4 5.61.239.0/27
add blacklist-vk-v4 5.61.239.128/25
add blacklist-vk-v4 5.61.239.40/29
add blacklist-vk-v4 5.61.239.48/28
add blacklist-vk-v4 5.61.239.64/26
add blacklist-vk-v4 62.217.160.0/20
add blacklist-vk-v4 62.217.160.0/21
add blacklist-vk-v4 62.217.168.0/21
add blacklist-vk-v4 79.137.132.0/24
add blacklist-vk-v4 79.137.132.0/25
add blacklist-vk-v4 79.137.132.128/25
add blacklist-vk-v4 79.137.139.0/24
add blacklist-vk-v4 79.137.139.0/25
add blacklist-vk-v4 79.137.139.128/25
add blacklist-vk-v4 79.137.157.0/25
add blacklist-vk-v4 79.137.157.128/25
add blacklist-vk-v4 79.137.164.0/24
add blacklist-vk-v4 79.137.164.0/25
add blacklist-vk-v4 79.137.164.128/25
add blacklist-vk-v4 79.137.167.0/24
add blacklist-vk-v4 79.137.167.0/25
add blacklist-vk-v4 79.137.167.128/25
add blacklist-vk-v4 79.137.174.0/23
add blacklist-vk-v4 79.137.174.0/24
add blacklist-vk-v4 79.137.175.0/24
add blacklist-vk-v4 79.137.180.0/24
add blacklist-vk-v4 79.137.180.0/25
add blacklist-vk-v4 79.137.180.128/25
add blacklist-vk-v4 79.137.240.0/21
add blacklist-vk-v4 79.137.240.0/22
add blacklist-vk-v4 79.137.244.0/22
add blacklist-vk-v4 83.166.232.0/21
add blacklist-vk-v4 83.166.232.0/22
add blacklist-vk-v4 83.166.236.0/22
add blacklist-vk-v4 83.166.248.0/21
add blacklist-vk-v4 83.166.248.0/22
add blacklist-vk-v4 83.166.252.0/22
add blacklist-vk-v4 83.217.216.0/22
add blacklist-vk-v4 83.217.216.0/23
add blacklist-vk-v4 83.217.218.0/23
add blacklist-vk-v4 83.222.28.0/22
add blacklist-vk-v4 84.23.52.0/22
add blacklist-vk-v4 84.23.52.0/23
add blacklist-vk-v4 84.23.54.0/23
add blacklist-vk-v4 85.114.31.108/30
add blacklist-vk-v4 85.192.32.0/22
add blacklist-vk-v4 85.192.32.0/23
add blacklist-vk-v4 85.192.34.0/23
add blacklist-vk-v4 85.198.106.0/24
add blacklist-vk-v4 85.198.107.0/24
add blacklist-vk-v4 87.239.104.0/21
add blacklist-vk-v4 87.239.104.0/22
add blacklist-vk-v4 87.239.108.0/22
add blacklist-vk-v4 87.240.128.0/18
add blacklist-vk-v4 87.240.128.0/19
add blacklist-vk-v4 87.240.160.0/19
add blacklist-vk-v4 87.242.112.0/22
add blacklist-vk-v4 89.208.196.0/22
add blacklist-vk-v4 89.208.196.0/23
add blacklist-vk-v4 89.208.198.0/23
add blacklist-vk-v4 89.208.208.0/22
add blacklist-vk-v4 89.208.208.0/23
add blacklist-vk-v4 89.208.210.0/23
add blacklist-vk-v4 89.208.216.0/21
add blacklist-vk-v4 89.208.216.0/23
add blacklist-vk-v4 89.208.218.0/23
add blacklist-vk-v4 89.208.220.0/22
add blacklist-vk-v4 89.208.228.0/22
add blacklist-vk-v4 89.208.228.0/23
add blacklist-vk-v4 89.208.230.0/23
add blacklist-vk-v4 89.208.84.0/22
add blacklist-vk-v4 89.208.84.0/23
add blacklist-vk-v4 89.208.86.0/23
add blacklist-vk-v4 89.221.228.0/22
add blacklist-vk-v4 89.221.232.0/21
add blacklist-vk-v4 90.156.148.0/22
add blacklist-vk-v4 90.156.148.0/23
add blacklist-vk-v4 90.156.150.0/23
add blacklist-vk-v4 90.156.212.0/22
add blacklist-vk-v4 90.156.212.0/23
add blacklist-vk-v4 90.156.214.0/23
add blacklist-vk-v4 90.156.216.0/22
add blacklist-vk-v4 90.156.216.0/23
add blacklist-vk-v4 90.156.218.0/23
add blacklist-vk-v4 90.156.232.0/21
add blacklist-vk-v4 91.219.224.0/22
add blacklist-vk-v4 91.231.132.0/22
add blacklist-vk-v4 91.237.76.0/24
add blacklist-vk-v4 93.153.255.84/30
add blacklist-vk-v4 93.186.224.0/20
add blacklist-vk-v4 93.186.224.0/21
add blacklist-vk-v4 93.186.232.0/21
add blacklist-vk-v4 94.100.176.0/20
add blacklist-vk-v4 94.100.176.0/21
add blacklist-vk-v4 94.100.184.0/21
add blacklist-vk-v4 94.139.244.0/22
add blacklist-vk-v4 94.139.244.0/23
add blacklist-vk-v4 94.139.246.0/23
add blacklist-vk-v4 95.142.192.0/20
add blacklist-vk-v4 95.142.192.0/21
add blacklist-vk-v4 95.142.200.0/21
add blacklist-vk-v4 95.163.180.0/22
add blacklist-vk-v4 95.163.180.0/23
add blacklist-vk-v4 95.163.182.0/23
add blacklist-vk-v4 95.163.208.0/21
add blacklist-vk-v4 95.163.208.0/23
add blacklist-vk-v4 95.163.210.0/23
add blacklist-vk-v4 95.163.212.0/22
add blacklist-vk-v4 95.163.216.0/22
add blacklist-vk-v4 95.163.216.0/23
add blacklist-vk-v4 95.163.218.0/23
add blacklist-vk-v4 95.163.248.0/21
add blacklist-vk-v4 95.163.248.0/22
add blacklist-vk-v4 95.163.252.0/23
add blacklist-vk-v4 95.163.254.0/23
add blacklist-vk-v4 95.163.32.0/19
add blacklist-vk-v4 95.163.32.0/22
add blacklist-vk-v4 95.163.36.0/22
add blacklist-vk-v4 95.163.40.0/21
add blacklist-vk-v4 95.163.48.0/20
add blacklist-vk-v4 95.213.0.0/17
add blacklist-vk-v4 95.213.0.0/20
add blacklist-vk-v4 95.213.16.0/21
add blacklist-vk-v4 95.213.24.0/23
add blacklist-vk-v4 95.213.26.0/24
add blacklist-vk-v4 95.213.27.0/24
add blacklist-vk-v4 95.213.28.0/24
add blacklist-vk-v4 95.213.29.0/24
add blacklist-vk-v4 95.213.30.0/24
add blacklist-vk-v4 95.213.31.0/24
add blacklist-vk-v4 95.213.32.0/24
add blacklist-vk-v4 95.213.33.0/24
add blacklist-vk-v4 95.213.34.0/23
add blacklist-vk-v4 95.213.36.0/22
add blacklist-vk-v4 95.213.40.0/21
add blacklist-vk-v4 95.213.48.0/20
add blacklist-vk-v4 95.213.64.0/18
create blacklist-vk-v6 hash:net family inet6 hashsize 1024 maxelem 2
add blacklist-vk-v6 2a00:bdc0::/29
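
Review bot: this hunk deletes the combined VK ipset file outright (`@@ -1,289 +0,0 @@`), while the nftables README in this same change still lists a combined `blacklist-vk.nft`. Consumers that fetch `blacklist-vk.ipset` by URL on a schedule will start failing once it is gone. Suggest noting the removal and the replacement split files (`blacklist-vk-v4`, `blacklist-vk-v6`) in the README, and keeping the two formats consistent about whether a combined VK file exists.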

File diff suppressed because it is too large

@@ -1,185 +1,52 @@
# nftables Blacklist Configuration
# nftables blacklists
This folder contains nftables blacklist configurations generated from Russian government agency network lists.
Short: ready-to-use nftables set files (general and VK-only, separated by IPv4/IPv6).
## Available Files
## Download links
- `blacklist.nft` - Mixed IPv4/IPv6 blacklist (**daily generated**)
- `blacklist-v4.nft` - IPv4-only blacklist (**daily generated**)
- `blacklist-v6.nft` - IPv6-only blacklist (**daily generated**)
- https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nftables/blacklist.nft
- https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nftables/blacklist-v4.nft
- https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nftables/blacklist-v6.nft
- https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nftables/blacklist-vk.nft
- https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nftables/blacklist-vk-v4.nft
- https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nftables/blacklist-vk-v6.nft
## Quick Start
## How to use
### Download and Load
````bash
# Download the blacklist
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist.nft
### 1) Protect VM from incoming connections (general blacklists)
# Load the configuration
Load either mixed or split general set files:
```bash
sudo nft -f blacklist.nft
# or:
sudo nft -f blacklist-v4.nft
sudo nft -f blacklist-v6.nft
```
# Verify it's loaded
sudo nft list ruleset
````
Apply rules for inbound traffic to the VM:
### Automatic Updates
```bash
sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject
sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject
```
Add to crontab for daily updates:
````bash
0 2 * * * wget -O /etc/nftables.d/blacklist.nft https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist.nft && nft -f /etc/nftables.d/blacklist.nft
````
### 2) Block VK outbound traffic for VPN clients via NAT/FORWARD
## Configuration Details
Load either mixed or split VK set files:
The generated nftables configuration uses:
- **Sets with interval flag** for efficient CIDR matching
- **Named sets** (`blacklist_v4` and `blacklist_v6`) for easy management
- **Counter** directive to track dropped packets
- **Stateful filtering** to allow established connections
```bash
sudo nft -f blacklist-vk.nft
# or:
sudo nft -f blacklist-vk-v4.nft
sudo nft -f blacklist-vk-v6.nft
```
### Configuration Structure
table inet filter {
set blacklist_v4 {
type ipv4_addr
flags interval
elements = { 1.2.3.0/24, 5.6.7.0/24, ... }
}
set blacklist_v6 {
type ipv6_addr
flags interval
elements = { 2001:db8::/32, ... }
}
Apply rules for forwarded client traffic (replace `<VPN_IFACE>`):
chain input {
type filter hook input priority 0;
policy accept;
ct state { established, related } accept
ip saddr @blacklist_v4 counter drop
ip6 saddr @blacklist_v6 counter drop
}
}
## Integration Options
### Option 1: Standalone Configuration
Load the blacklist as a complete ruleset:
````bash
sudo nft -f blacklist.nft
````
### Option 2: Include in Existing Configuration
If you have an existing nftables configuration:
1. Copy only the set definitions from the generated file
2. Add set lookups to your existing input chain:
````bash
ip saddr @blacklist_v4 counter drop
ip6 saddr @blacklist_v6 counter drop
````
### Option 3: Persistent Configuration
For systemd-based systems:
````bash
# Copy to nftables config directory
sudo cp blacklist.nft /etc/nftables.d/
# Edit /etc/nftables.conf to include:
# include "/etc/nftables.d/blacklist.nft"
# Enable and restart
sudo systemctl enable nftables
sudo systemctl restart nftables
````
## Checking IPs Against the Blacklist
Use the `check_nft_blacklist.py` script to verify if an IP is blocked:
````bash
# Check an IPv4 address
python3 check_nft_blacklist.py blacklist.nft 192.168.1.1
# Check an IPv6 address
python3 check_nft_blacklist.py blacklist.nft 2001:db8::1
````
## Monitoring
### View Dropped Packets
````bash
# View all rules with counters
sudo nft list chain inet filter input -a
# Monitor in real-time
sudo nft monitor
````
### Check Set Contents
````bash
# View IPv4 blacklist
sudo nft list set inet filter blacklist_v4
# View IPv6 blacklist
sudo nft list set inet filter blacklist_v6
````
## Advantages of nftables
- **Better Performance**: O(1) lookup time with sets vs O(n) for sequential rules
- **Lower Memory Usage**: More efficient than iptables for large rulesets
- **Atomic Updates**: All rules updated in a single transaction
- **Modern Syntax**: Cleaner, more readable configuration
- **Unified Tool**: Single tool for IPv4, IPv6, and ARP filtering
## File Format Comparison
| Format | Use Case | Performance | Memory |
|--------|----------|-------------|--------|
| **nftables** | Modern firewalls | Excellent | Low |
| **iptables** | Legacy systems | Good | Medium |
| **nginx** | Web layer | Good | Low |
## Troubleshooting
### Configuration Won't Load
````bash
# Check syntax
sudo nft -c -f blacklist.nft
# View detailed errors
sudo nft -f blacklist.nft 2>&1 | less
````
### Rules Not Blocking Traffic
````bash
# Verify sets are populated
sudo nft list set inet filter blacklist_v4 | wc -l
# Check rule priority
sudo nft list chain inet filter input
# Test with logging temporarily
sudo nft add rule inet filter input ip saddr @blacklist_v4 log prefix "BLOCKED: "
````
### Performance Issues
If experiencing performance problems with very large sets:
1. Consider splitting into multiple smaller sets
2. Use `blacklist-v4.nft` or `blacklist-v6.nft` if only one protocol is needed
3. Ensure kernel supports nftables fully (Linux 4.0+)
## Additional Resources
- [nftables Wiki](https://wiki.nftables.org/)
- [nftables Quick Reference](https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes)
- [Netfilter Documentation](https://www.netfilter.org/documentation/)
## Contributing
Found an issue or have suggestions? Please open an issue or submit a pull request!
```bash
sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'
sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip daddr @blacklist_vk_v4 counter reject
sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip6 daddr @blacklist_vk_v6 counter reject
```
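
Review bot: the new inbound rules use `counter reject`, and the README no longer carries the `ct state { established, related } accept` line that the previous generated chain had ahead of its `counter drop` rules. Two consequences should be fixed or stated in the README: `reject` answers every packet from a listed source where `drop` stays silent, and without the conntrack accept the replies to connections the VM itself opened toward a listed network are rejected as well. The `nft add rule` commands also append, so on a host whose `input` or `forward` chain already has earlier accept rules the blacklist match is evaluated after them, and running the block a second time adds duplicate rules; `nft insert rule` plus a note about re-running would help. The sections on syntax checking (`nft -c -f`), persistence and scheduled updates are removed without a replacement.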

@@ -1,7 +1,14 @@
# Autogenerated nftables blacklist
# Generated: 2026-03-25T06:55:55.860917Z
# Generated: 2026-03-29T06:56:51.790157Z
# Source: /tmp/blacklist-v4.txt
# IPv4: 804, IPv6: 0
# IPv4: 778, IPv6: 0
#
# Usage:
# sudo nft -f <this-file>
# # VM protection from incoming blacklist sources
# sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
# sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject
# sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject
table inet filter {
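
Review bot: the header goes straight from the usage comments to `table inet filter {` with nothing that clears an already loaded `blacklist_v4`, so running `sudo nft -f <this-file>` on a host that loaded an earlier version only adds elements. Prefixes dropped by this update (the count goes from 804 to 778) stay in the running set, and a newly aggregated range can collide with the narrower intervals already present. Suggest emitting a flush of the set ahead of the table block, or documenting that the table must be deleted before each reload.
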
@@ -16,7 +23,6 @@ table inet filter {
5.188.140.0/22,
31.44.63.64/29,
31.177.95.0/24,
31.177.104.0/22,
37.28.161.48/30,
37.29.53.16/30,
37.29.57.52/30,
@@ -28,6 +34,7 @@ table inet filter {
45.136.20.0/22,
46.20.70.160/28,
46.29.152.0/22,
46.29.156.0/23,
46.46.142.160/28,
46.46.148.40/29,
46.47.197.128/30,
@@ -112,8 +119,6 @@ table inet filter {
79.133.75.176/30,
79.137.132.0/24,
79.137.139.0/24,
79.137.140.0/24,
79.137.142.0/24,
79.137.157.0/24,
79.137.164.0/24,
79.137.167.0/24,
@@ -122,9 +127,6 @@ table inet filter {
79.137.183.0/24,
79.137.240.0/21,
79.142.88.0/28,
79.143.229.0/24,
79.143.230.0/24,
79.143.232.0/24,
80.73.16.0/20,
80.73.168.80/28,
80.73.169.244/30,
@@ -166,10 +168,9 @@ table inet filter {
81.195.125.96/30,
81.195.148.140/30,
81.195.150.248/30,
81.195.151.0/24,
81.195.151.172/30,
81.195.155.0/30,
81.195.161.12/30,
81.195.164.0/24,
81.195.165.64/28,
81.195.168.24/30,
81.195.177.160/30,
@@ -380,20 +381,13 @@ table inet filter {
90.156.216.0/22,
90.156.232.0/21,
91.103.194.184/29,
91.135.212.0/22,
91.135.216.0/21,
91.195.136.0/23,
91.208.20.0/24,
91.215.168.0/22,
91.217.34.0/23,
91.219.192.0/22,
91.219.224.0/22,
91.221.140.0/23,
91.226.250.0/24,
91.227.32.0/24,
91.231.132.0/22,
91.237.76.0/24,
92.38.217.0/24,
92.39.106.20/30,
92.39.106.168/30,
92.39.111.84/30,
@@ -443,7 +437,6 @@ table inet filter {
95.54.193.80/28,
95.142.192.0/20,
95.163.32.0/19,
95.163.133.0/24,
95.163.180.0/22,
95.163.208.0/21,
95.163.216.0/22,
@@ -455,6 +448,7 @@ table inet filter {
95.167.29.104/29,
95.167.54.76/30,
95.167.59.244/30,
95.167.59.248/30,
95.167.64.20/30,
95.167.68.216/29,
95.167.69.116/30,
@@ -513,8 +507,8 @@ table inet filter {
176.109.0.0/21,
176.112.168.0/21,
176.116.96.0/20,
176.116.112.0/22,
178.16.156.148/30,
178.17.176.0/20,
178.20.234.224/29,
178.22.88.0/21,
178.49.148.176/29,
@@ -596,7 +590,6 @@ table inet filter {
188.247.36.124/30,
188.247.36.128/28,
188.247.36.204/30,
193.33.230.0/23,
193.47.146.0/24,
193.203.40.0/22,
193.232.70.0/24,
@@ -607,7 +600,6 @@ table inet filter {
194.140.247.0/24,
194.150.202.0/23,
194.165.22.0/23,
194.186.63.0/24,
194.186.112.80/28,
194.190.9.0/24,
194.215.248.0/24,
@@ -654,7 +646,6 @@ table inet filter {
195.211.20.0/22,
195.218.175.40/29,
195.218.190.0/23,
195.226.203.0/24,
195.239.80.32/29,
195.239.113.0/24,
195.239.247.0/24,
@@ -711,7 +702,6 @@ table inet filter {
212.57.159.0/24,
212.59.98.48/29,
212.59.99.96/27,
212.111.84.0/22,
212.119.174.0/23,
212.120.169.48/29,
212.120.174.88/29,
@@ -724,10 +714,6 @@ table inet filter {
212.120.191.120/29,
212.120.191.248/29,
212.192.156.0/22,
212.233.72.0/21,
212.233.88.0/21,
212.233.96.0/22,
212.233.120.0/22,
213.24.34.0/24,
213.24.75.0/24,
213.24.76.0/23,
@@ -768,7 +754,6 @@ table inet filter {
213.172.27.224/30,
213.172.27.252/30,
213.172.30.136/30,
213.176.232.0/22,
213.177.111.0/24,
213.183.253.56/29,
213.219.212.0/22,
@@ -787,8 +772,7 @@ table inet filter {
213.243.106.48/28,
213.243.116.0/24,
217.16.16.0/20,
217.20.86.128/26,
217.20.86.232/29,
217.20.86.128/25,
217.20.144.0/20,
217.23.88.168/29,
217.23.88.248/29,
@@ -798,18 +782,15 @@ table inet filter {
217.67.177.208/29,
217.69.128.0/20,
217.106.0.0/16,
217.107.5.8/29,
217.107.5.16/28,
217.107.5.40/29,
217.107.5.80/28,
217.107.5.96/29,
217.107.5.112/29,
217.107.0.0/18,
217.107.200.0/21,
217.107.208.0/20,
217.147.23.112/28,
217.148.216.156/30,
217.148.220.160/29,
217.172.18.0/23,
217.174.188.0/22,
217.172.20.0/22,
217.174.188.0/23,
217.195.92.16/28,
217.195.93.144/29,
217.195.94.200/29
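Review bot: In this hunk the six 217.107.5.x entries (/28 and /29, 64 addresses in total) give way to 217.107.0.0/18, 217.107.200.0/21 and 217.107.208.0/20, which is more than 22,000 addresses, and the commit message is only "Update" plus a timestamp. Suggest the generator log, or fail on, any run where a new prefix swallows existing narrower entries, so a bad upstream record cannot silently turn a handful of /29s into a /18.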
@@ -821,12 +802,4 @@ table inet filter {
flags interval
}
chain input {
type filter hook input priority 0;
policy accept;
ct state { established, related } accept
ip saddr @blacklist_v4 counter drop
}
}
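Review bot: With the `chain input` block removed at the end of this file, loading it with nft -f only defines the sets and blocks nothing by itself. A host that loads this file from scratch (for example at boot) loses the `ip saddr @blacklist_v4 counter drop` rule without any error. Suggest stating in the file header that the file is now sets-only, or shipping the chain as a separate opt-in file, so the change in behaviour is visible to existing users.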

View File

@@ -1,7 +1,14 @@
# Autogenerated nftables blacklist
# Generated: 2026-03-25T06:55:55.890847Z
# Generated: 2026-03-29T06:56:51.821007Z
# Source: /tmp/blacklist-v6.txt
# IPv4: 0, IPv6: 17
# IPv4: 0, IPv6: 3
#
# Usage:
# sudo nft -f <this-file>
# # VM protection from incoming blacklist sources
# sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
# sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject
# sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject
table inet filter {
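Review bot: The usage block added to the header recreates the input chain without the `ct state { established, related } accept` rule that the chain previously shipped in this file had, so replies to connections this host opens towards a listed network would hit the blacklist rule. It also switches the verdict from drop to reject, which sends an answer to every packet from a listed source. Suggest adding the conntrack rule as the first usage line and saying in the comment why reject was chosen over drop.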
@@ -14,32 +21,10 @@ table inet filter {
type ipv6_addr
flags interval
elements = {
2a00:1148::/29,
2a00:46e0::/32,
2a00:a300::/32,
2a00:b4c0::/32,
2a00:bdc0::/33,
2a00:bdc0:8000::/34,
2a00:bdc0:c000::/35,
2a00:bdc0:e002::/47,
2a00:bdc0:e004::/47,
2a00:bdc0:e007::/48,
2a00:bdc0:f000::/36,
2a00:bdc1::/32,
2a00:bdc2::/31,
2a00:bdc4::/30,
2a14:25c0::/32,
2a14:25c5::/32,
2a14:25c6::/31
2a00:bdc0:e007::/48
}
}
chain input {
type filter hook input priority 0;
policy accept;
ct state { established, related } accept
ip6 saddr @blacklist_v6 counter drop
}
}
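Review bot: The element list for blacklist_v6 shrinks here (header count 17 to 3), but nft -f adds elements to an existing set rather than replacing its contents, and nothing in the visible lines flushes the set first. A host that loaded the earlier file keeps matching the removed prefixes until the set is flushed or the table is deleted. Suggest having the generator emit a flush of the set ahead of the elements, or documenting that step in the usage comment.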

View File

@@ -1,11 +1,18 @@
# Autogenerated nftables blacklist
# Generated: 2026-03-25T06:55:55.950173Z
# Generated: 2026-03-29T06:56:51.880649Z
# Source: /home/runner/work/AS_Network_List/AS_Network_List/blacklists/blacklist-vk-v4.txt
# IPv4: 92, IPv6: 0
#
# Usage:
# sudo nft -f <this-file>
# # VK egress blocking for VPN clients via NAT/FORWARD
# sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'
# sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip daddr @blacklist_vk_v4 counter reject
# sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip6 daddr @blacklist_vk_v6 counter reject
table inet filter {
set blacklist_v4 {
set blacklist_vk_v4 {
type ipv4_addr
flags interval
elements = {
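Review bot: Renaming the set from blacklist_v4 to blacklist_vk_v4 is a breaking change for anyone whose own rules reference @blacklist_v4 from this file, and on hosts that already loaded the old version the old set stays in table inet filter with the VK prefixes still in it. Suggest a migration line in the header comment (flush or delete the old set) and a mention of the rename in the README.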
@@ -104,17 +111,9 @@ table inet filter {
}
}
set blacklist_v6 {
set blacklist_vk_v6 {
type ipv6_addr
flags interval
}
chain input {
type filter hook input priority 0;
policy accept;
ct state { established, related } accept
ip saddr @blacklist_v4 counter drop
}
}

View File

@@ -1,16 +1,23 @@
# Autogenerated nftables blacklist
# Generated: 2026-03-25T06:55:55.977234Z
# Generated: 2026-03-29T06:56:51.906867Z
# Source: /home/runner/work/AS_Network_List/AS_Network_List/blacklists/blacklist-vk-v6.txt
# IPv4: 0, IPv6: 1
#
# Usage:
# sudo nft -f <this-file>
# # VK egress blocking for VPN clients via NAT/FORWARD
# sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'
# sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip daddr @blacklist_vk_v4 counter reject
# sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip6 daddr @blacklist_vk_v6 counter reject
table inet filter {
set blacklist_v4 {
set blacklist_vk_v4 {
type ipv4_addr
flags interval
}
set blacklist_v6 {
set blacklist_vk_v6 {
type ipv6_addr
flags interval
elements = {
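Review bot: The usage lines append the reject rules with `nft add rule`, so on a gateway whose forward chain already accepts traffic from the VPN interface earlier in the chain the new rules are never evaluated, and running the usage twice leaves duplicate rules. Suggest `nft insert rule` or an explicit note about rule position, plus a reminder to substitute <VPN_IFACE>, since the literal placeholder is a valid iifname string and would simply never match.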
@@ -18,12 +25,4 @@ table inet filter {
}
}
chain input {
type filter hook input priority 0;
policy accept;
ct state { established, related } accept
ip6 saddr @blacklist_v6 counter drop
}
}

View File

@@ -1,11 +1,18 @@
# Autogenerated nftables blacklist
# Generated: 2026-03-25T06:55:55.920011Z
# Generated: 2026-03-29T06:56:51.850694Z
# Source: /home/runner/work/AS_Network_List/AS_Network_List/blacklists/blacklist-vk.txt
# IPv4: 92, IPv6: 1
#
# Usage:
# sudo nft -f <this-file>
# # VK egress blocking for VPN clients via NAT/FORWARD
# sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'
# sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip daddr @blacklist_vk_v4 counter reject
# sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip6 daddr @blacklist_vk_v6 counter reject
table inet filter {
set blacklist_v4 {
set blacklist_vk_v4 {
type ipv4_addr
flags interval
elements = {
@@ -104,7 +111,7 @@ table inet filter {
}
}
set blacklist_v6 {
set blacklist_vk_v6 {
type ipv6_addr
flags interval
elements = {
@@ -112,13 +119,4 @@ table inet filter {
}
}
chain input {
type filter hook input priority 0;
policy accept;
ct state { established, related } accept
ip saddr @blacklist_v4 counter drop
ip6 saddr @blacklist_v6 counter drop
}
}

View File

@@ -1,7 +1,14 @@
# Autogenerated nftables blacklist
# Generated: 2026-03-25T06:55:55.816581Z
# Generated: 2026-03-29T06:56:51.740005Z
# Source: /home/runner/work/AS_Network_List/AS_Network_List/blacklists/blacklist.txt
# IPv4: 804, IPv6: 17
# IPv4: 778, IPv6: 3
#
# Usage:
# sudo nft -f <this-file>
# # VM protection from incoming blacklist sources
# sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
# sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject
# sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject
table inet filter {
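Review bot: The header counts move from IPv4 804 to 778 and IPv6 17 to 3 in one unattended run, and the published file is regenerated from whatever the source lists contain at that moment. Suggest a guard in the generator that refuses to publish (or flags the run) when a list loses more than a set fraction of its entries, so a failed upstream lookup cannot quietly empty a set that consumers load as firewall policy.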
@@ -16,7 +23,6 @@ table inet filter {
5.188.140.0/22,
31.44.63.64/29,
31.177.95.0/24,
31.177.104.0/22,
37.28.161.48/30,
37.29.53.16/30,
37.29.57.52/30,
@@ -28,6 +34,7 @@ table inet filter {
45.136.20.0/22,
46.20.70.160/28,
46.29.152.0/22,
46.29.156.0/23,
46.46.142.160/28,
46.46.148.40/29,
46.47.197.128/30,
@@ -112,8 +119,6 @@ table inet filter {
79.133.75.176/30,
79.137.132.0/24,
79.137.139.0/24,
79.137.140.0/24,
79.137.142.0/24,
79.137.157.0/24,
79.137.164.0/24,
79.137.167.0/24,
@@ -122,9 +127,6 @@ table inet filter {
79.137.183.0/24,
79.137.240.0/21,
79.142.88.0/28,
79.143.229.0/24,
79.143.230.0/24,
79.143.232.0/24,
80.73.16.0/20,
80.73.168.80/28,
80.73.169.244/30,
@@ -166,10 +168,9 @@ table inet filter {
81.195.125.96/30,
81.195.148.140/30,
81.195.150.248/30,
81.195.151.0/24,
81.195.151.172/30,
81.195.155.0/30,
81.195.161.12/30,
81.195.164.0/24,
81.195.165.64/28,
81.195.168.24/30,
81.195.177.160/30,
@@ -380,20 +381,13 @@ table inet filter {
90.156.216.0/22,
90.156.232.0/21,
91.103.194.184/29,
91.135.212.0/22,
91.135.216.0/21,
91.195.136.0/23,
91.208.20.0/24,
91.215.168.0/22,
91.217.34.0/23,
91.219.192.0/22,
91.219.224.0/22,
91.221.140.0/23,
91.226.250.0/24,
91.227.32.0/24,
91.231.132.0/22,
91.237.76.0/24,
92.38.217.0/24,
92.39.106.20/30,
92.39.106.168/30,
92.39.111.84/30,
@@ -443,7 +437,6 @@ table inet filter {
95.54.193.80/28,
95.142.192.0/20,
95.163.32.0/19,
95.163.133.0/24,
95.163.180.0/22,
95.163.208.0/21,
95.163.216.0/22,
@@ -455,6 +448,7 @@ table inet filter {
95.167.29.104/29,
95.167.54.76/30,
95.167.59.244/30,
95.167.59.248/30,
95.167.64.20/30,
95.167.68.216/29,
95.167.69.116/30,
@@ -513,8 +507,8 @@ table inet filter {
176.109.0.0/21,
176.112.168.0/21,
176.116.96.0/20,
176.116.112.0/22,
178.16.156.148/30,
178.17.176.0/20,
178.20.234.224/29,
178.22.88.0/21,
178.49.148.176/29,
@@ -596,7 +590,6 @@ table inet filter {
188.247.36.124/30,
188.247.36.128/28,
188.247.36.204/30,
193.33.230.0/23,
193.47.146.0/24,
193.203.40.0/22,
193.232.70.0/24,
@@ -607,7 +600,6 @@ table inet filter {
194.140.247.0/24,
194.150.202.0/23,
194.165.22.0/23,
194.186.63.0/24,
194.186.112.80/28,
194.190.9.0/24,
194.215.248.0/24,
@@ -654,7 +646,6 @@ table inet filter {
195.211.20.0/22,
195.218.175.40/29,
195.218.190.0/23,
195.226.203.0/24,
195.239.80.32/29,
195.239.113.0/24,
195.239.247.0/24,
@@ -711,7 +702,6 @@ table inet filter {
212.57.159.0/24,
212.59.98.48/29,
212.59.99.96/27,
212.111.84.0/22,
212.119.174.0/23,
212.120.169.48/29,
212.120.174.88/29,
@@ -724,10 +714,6 @@ table inet filter {
212.120.191.120/29,
212.120.191.248/29,
212.192.156.0/22,
212.233.72.0/21,
212.233.88.0/21,
212.233.96.0/22,
212.233.120.0/22,
213.24.34.0/24,
213.24.75.0/24,
213.24.76.0/23,
@@ -768,7 +754,6 @@ table inet filter {
213.172.27.224/30,
213.172.27.252/30,
213.172.30.136/30,
213.176.232.0/22,
213.177.111.0/24,
213.183.253.56/29,
213.219.212.0/22,
@@ -787,8 +772,7 @@ table inet filter {
213.243.106.48/28,
213.243.116.0/24,
217.16.16.0/20,
217.20.86.128/26,
217.20.86.232/29,
217.20.86.128/25,
217.20.144.0/20,
217.23.88.168/29,
217.23.88.248/29,
@@ -798,18 +782,15 @@ table inet filter {
217.67.177.208/29,
217.69.128.0/20,
217.106.0.0/16,
217.107.5.8/29,
217.107.5.16/28,
217.107.5.40/29,
217.107.5.80/28,
217.107.5.96/29,
217.107.5.112/29,
217.107.0.0/18,
217.107.200.0/21,
217.107.208.0/20,
217.147.23.112/28,
217.148.216.156/30,
217.148.220.160/29,
217.172.18.0/23,
217.174.188.0/22,
217.172.20.0/22,
217.174.188.0/23,
217.195.92.16/28,
217.195.93.144/29,
217.195.94.200/29
@@ -820,33 +801,10 @@ table inet filter {
type ipv6_addr
flags interval
elements = {
2a00:1148::/29,
2a00:46e0::/32,
2a00:a300::/32,
2a00:b4c0::/32,
2a00:bdc0::/33,
2a00:bdc0:8000::/34,
2a00:bdc0:c000::/35,
2a00:bdc0:e002::/47,
2a00:bdc0:e004::/47,
2a00:bdc0:e007::/48,
2a00:bdc0:f000::/36,
2a00:bdc1::/32,
2a00:bdc2::/31,
2a00:bdc4::/30,
2a14:25c0::/32,
2a14:25c5::/32,
2a14:25c6::/31
2a00:bdc0:e007::/48
}
}
chain input {
type filter hook input priority 0;
policy accept;
ct state { established, related } accept
ip saddr @blacklist_v4 counter drop
ip6 saddr @blacklist_v6 counter drop
}
}

View File

@@ -1,302 +1,24 @@
# Nginx Blacklist Configurations
# nginx blacklists
Auto-generated nginx configuration files for blocking networks and IP addresses.
Short: ready-to-use deny lists for nginx (mixed, IPv4-only, and IPv6-only).
## Available Files
## Download links
### Mixed IPv4/IPv6
- https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nginx/blacklist.conf
- https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nginx/blacklist-v4.conf
- https://raw.githubusercontent.com/C24Be/AS_Network_List/refs/heads/main/blacklists_nginx/blacklist-v6.conf
- **`blacklist.conf`** - Contains both IPv4 and IPv6 deny rules (809 entries)
## How to use
### IPv4 Only
- **`blacklist-v4.conf`** - Contains only IPv4 deny rules (806 entries)
### IPv6 Only
- **`blacklist-v6.conf`** - Contains only IPv6 deny rules (3 entries)
## Usage
### Basic Usage
Include the desired configuration file in your nginx `server` or `location` block:
1. Download one file (`blacklist.conf`, `blacklist-v4.conf`, or `blacklist-v6.conf`).
2. Include it in your `server` or `location` block:
```nginx
server {
listen 80;
server_name example.com;
# Include the blacklist
include /path/to/blacklist.conf;
location / {
# your configuration
}
}
include /etc/nginx/blacklist.conf;
```
### Separate IPv4/IPv6 Files
For more granular control, use separate files:
```nginx
server {
listen 80;
listen [::]:80;
server_name example.com;
# Include both IPv4 and IPv6 blacklists
include /path/to/blacklist-v4.conf;
include /path/to/blacklist-v6.conf;
location / {
# your configuration
}
}
```
### HTTP Block Level
Apply the blacklist globally to all virtual hosts:
```nginx
http {
# Apply blacklist globally
include /path/to/blacklist.conf;
server {
listen 80;
server_name example.com;
# ...
}
server {
listen 80;
server_name another.com;
# ...
}
}
```
### Location Block Level
For selective blocking within specific locations:
```nginx
server {
listen 80;
server_name example.com;
location /admin {
# Apply blacklist only to admin area
include /path/to/blacklist.conf;
# ...
}
location /public {
# Public area without blacklist
# ...
}
}
```
## Testing Configuration
After adding the blacklist, always test your nginx configuration:
3. Test and reload nginx:
```bash
# Test configuration
nginx -t
# Reload nginx if test passes
nginx -s reload
# or
systemctl reload nginx
sudo nginx -t && sudo systemctl reload nginx
```
## Custom Response
By default, denied IPs receive a connection drop. To customize the response:
```nginx
server {
listen 80;
server_name example.com;
# Return custom error page
error_page 403 /403.html;
include /path/to/blacklist.conf;
location = /403.html {
root /usr/share/nginx/html;
internal;
}
}
```
Note: For large blacklists, using `deny` directives (as in these files) is more efficient than `if` statements.
## Performance Considerations
- **Deny directives** are processed in order and stop at the first match
- For optimal performance, most frequently matched IPs should be at the top
- Current files are sorted for consistency
- Nginx handles hundreds of deny rules efficiently
- For very large blacklists (10,000+ entries), consider using:
- Nginx GeoIP2 module for geographic blocking
- nftables/iptables at the firewall level for better performance
- Stream module for TCP/UDP level blocking
## Integration Examples
### Docker Deployment
```dockerfile
FROM nginx:alpine
# Copy blacklist
COPY blacklist.conf /etc/nginx/blacklist.conf
# Copy nginx config that includes the blacklist
COPY nginx.conf /etc/nginx/nginx.conf
EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]
```
### Kubernetes ConfigMap
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-blacklist
data:
blacklist.conf: |
# Include blacklist content here
deny 109.124.119.88/29;
deny 109.124.66.128/30;
# ...
```
### Automated Updates
Set up a cron job to automatically fetch the latest blacklist:
```bash
#!/bin/bash
# /etc/cron.daily/update-nginx-blacklist
# Download latest blacklist
wget -q https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nginx/blacklist.conf \
-O /etc/nginx/blacklist.conf.new
# Test nginx configuration
nginx -t -c /etc/nginx/nginx.conf
# If test passes, reload nginx
if [ $? -eq 0 ]; then
mv /etc/nginx/blacklist.conf.new /etc/nginx/blacklist.conf
systemctl reload nginx
echo "Blacklist updated successfully"
else
rm /etc/nginx/blacklist.conf.new
echo "Nginx config test failed, blacklist not updated"
fi
```
## Logging Blocked Requests
To log denied requests:
```nginx
server {
listen 80;
server_name example.com;
# Custom log format for denied IPs
log_format blocked '$remote_addr - $remote_user [$time_local] '
'"$request" 403 0 '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/blocked.log blocked;
include /path/to/blacklist.conf;
location / {
# your configuration
}
}
```
## Monitoring
Check how many IPs are being blocked:
```bash
# Count deny rules
grep -c "deny" /path/to/blacklist.conf
# Check blocked access logs
tail -f /var/log/nginx/blocked.log
# Count blocked requests today
grep "$(date +%d/%b/%Y)" /var/log/nginx/access.log | grep " 403 " | wc -l
```
## Troubleshooting
### Configuration Test Fails
```bash
# Check syntax
nginx -t
# Check for duplicate includes
grep -r "include.*blacklist" /etc/nginx/
# Verify file permissions
ls -l /path/to/blacklist.conf
```
### Legitimate Users Blocked
Check if their IP is in the blacklist:
```bash
grep "YOUR_IP" /path/to/blacklist.conf
```
Whitelist specific IPs before applying the blacklist:
```nginx
server {
listen 80;
server_name example.com;
# Whitelist before blacklist
allow 192.168.1.100; # Trusted IP
# Then apply blacklist
include /path/to/blacklist.conf;
# Deny all others not explicitly allowed
# deny all; # Optional
}
```
## Automatic Updates
These files are automatically regenerated daily when the blacklists are updated via the GitHub Actions workflow.
## Source
Generated from the blacklist files in the `blacklists/` directory by `blacklists_updater_nginx.sh`.
## See Also
- [IPTables/IPSet Format](../blacklists_iptables/README.md) - For firewall-level blocking
- [Text Format](../blacklists/README.md) - For custom integrations
- [Main Repository](https://github.com/C24Be/AS_Network_List) - Complete documentation
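Review bot: The shortened README tells users to download from raw refs/heads/main URLs and include the file, while the removed "Legitimate Users Blocked" text was the only place that documented exempting a trusted address with an allow line placed before the include. Since the file is regenerated by automation on a mutable branch, suggest keeping one sentence on allow-before-include and advising that a fresh download be validated with nginx -t before it replaces the live copy. The dropped "Automated Updates" script did not do that either: it ran nginx -t before moving blacklist.conf.new into place, so it only ever tested the old file.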

View File

@@ -1,6 +1,6 @@
# Nginx blacklist configuration (IPv4 only)
# Auto-generated from blacklist-v4.txt
# Last updated: 2026-03-25 06:55:55 UTC
# Last updated: 2026-03-29 06:56:50 UTC
#
# Usage: Include this file in your nginx server or location block:
# include /path/to/blacklist-v4.conf;
@@ -38,7 +38,6 @@ deny 128.140.168.0/23;
deny 128.140.170.0/24;
deny 128.140.171.0/24;
deny 128.140.172.0/22;
deny 128.140.173.0/24;
deny 130.49.224.0/19;
deny 145.255.238.240/28;
deny 146.185.208.0/22;
@@ -51,14 +50,9 @@ deny 149.62.55.240/30;
deny 155.212.192.0/20;
deny 176.109.0.0/21;
deny 176.112.168.0/21;
deny 176.116.112.0/22;
deny 176.116.96.0/20;
deny 178.16.156.148/30;
deny 178.17.176.0/23;
deny 178.17.178.0/23;
deny 178.17.180.0/23;
deny 178.17.182.0/23;
deny 178.17.184.0/22;
deny 178.17.188.0/22;
deny 178.20.234.224/29;
deny 178.22.88.0/21;
deny 178.22.89.64/26;
@@ -73,7 +67,6 @@ deny 178.237.24.0/24;
deny 178.237.240.0/20;
deny 178.237.248.0/21;
deny 178.237.28.0/24;
deny 178.237.29.0/24;
deny 178.237.30.0/23;
deny 178.248.232.137/32;
deny 178.248.232.60/32;
@@ -120,7 +113,6 @@ deny 185.130.112.0/22;
deny 185.130.112.0/23;
deny 185.130.114.0/23;
deny 185.131.68.0/22;
deny 185.131.68.0/23;
deny 185.149.160.0/24;
deny 185.149.161.0/24;
deny 185.149.162.0/24;
@@ -131,8 +123,6 @@ deny 185.16.150.0/23;
deny 185.16.244.0/22;
deny 185.16.244.0/23;
deny 185.16.246.0/23;
deny 185.16.246.0/24;
deny 185.16.247.0/24;
deny 185.168.60.0/24;
deny 185.168.61.0/24;
deny 185.168.62.0/24;
@@ -205,14 +195,12 @@ deny 188.93.61.0/24;
deny 188.93.62.0/24;
deny 193.203.40.0/22;
deny 193.232.70.0/24;
deny 193.33.230.0/23;
deny 193.47.146.0/24;
deny 194.140.247.0/25;
deny 194.140.247.128/25;
deny 194.150.202.0/23;
deny 194.165.22.0/23;
deny 194.186.112.80/28;
deny 194.186.63.0/24;
deny 194.190.9.0/24;
deny 194.215.248.0/24;
deny 194.226.116.0/22;
@@ -249,7 +237,6 @@ deny 195.211.22.0/24;
deny 195.211.23.0/24;
deny 195.218.175.40/29;
deny 195.218.190.0/23;
deny 195.226.203.0/24;
deny 195.239.113.0/24;
deny 195.239.247.0/24;
deny 195.239.80.32/29;
@@ -270,7 +257,6 @@ deny 195.98.38.16/28;
deny 195.98.43.104/29;
deny 195.98.73.56/29;
deny 195.98.77.100/30;
deny 212.111.84.0/22;
deny 212.119.174.0/24;
deny 212.119.175.0/24;
deny 212.120.169.48/29;
@@ -296,10 +282,6 @@ deny 212.17.9.144/28;
deny 212.192.156.0/22;
deny 212.23.85.48/30;
deny 212.23.85.56/29;
deny 212.233.120.0/22;
deny 212.233.72.0/21;
deny 212.233.88.0/21;
deny 212.233.96.0/22;
deny 212.32.198.64/29;
deny 212.48.134.192/26;
deny 212.48.138.240/28;
@@ -404,8 +386,6 @@ deny 213.172.27.224/30;
deny 213.172.27.252/30;
deny 213.172.30.136/30;
deny 213.172.4.192/26;
deny 213.176.232.0/23;
deny 213.176.234.0/23;
deny 213.177.111.0/24;
deny 213.183.253.56/29;
deny 213.219.212.0/22;
@@ -461,7 +441,9 @@ deny 217.106.203.240/29;
deny 217.106.203.88/29;
deny 217.106.93.192/26;
deny 217.106.95.112/28;
deny 217.107.0.0/18;
deny 217.107.200.0/21;
deny 217.107.208.0/20;
deny 217.107.5.112/29;
deny 217.107.5.16/29;
deny 217.107.5.24/29;
@@ -477,7 +459,7 @@ deny 217.16.16.0/20;
deny 217.16.16.0/21;
deny 217.16.24.0/21;
deny 217.172.18.0/23;
deny 217.174.188.0/22;
deny 217.172.20.0/22;
deny 217.174.188.0/23;
deny 217.195.92.16/28;
deny 217.195.93.144/29;
@@ -492,7 +474,10 @@ deny 217.20.156.0/23;
deny 217.20.158.0/24;
deny 217.20.159.0/24;
deny 217.20.86.128/26;
deny 217.20.86.192/27;
deny 217.20.86.224/29;
deny 217.20.86.232/29;
deny 217.20.86.240/28;
deny 217.23.88.168/29;
deny 217.23.88.248/29;
deny 217.27.142.176/30;
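Review bot: After this hunk five adjacent entries (217.20.86.128/26, .192/27, .224/29, .232/29, .240/28) cover exactly 217.20.86.128/25, which the nftables output in the same compare already emits as a single element. nginx evaluates deny rules in order, so suggest running the nginx generator's output through the same prefix aggregation to keep the list short and the two formats consistent.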
@@ -501,9 +486,7 @@ deny 217.65.219.160/29;
deny 217.67.177.208/29;
deny 217.69.128.0/20;
deny 217.69.128.0/21;
deny 217.69.132.0/24;
deny 217.69.136.0/21;
deny 31.177.104.0/22;
deny 31.177.95.0/24;
deny 31.44.63.64/29;
deny 37.139.32.0/22;
@@ -526,6 +509,7 @@ deny 45.84.130.0/23;
deny 46.20.70.160/28;
deny 46.228.0.232/29;
deny 46.29.152.0/22;
deny 46.29.156.0/23;
deny 46.46.142.160/28;
deny 46.46.148.40/29;
deny 46.47.197.128/30;
@@ -637,9 +621,6 @@ deny 79.137.132.128/25;
deny 79.137.139.0/24;
deny 79.137.139.0/25;
deny 79.137.139.128/25;
deny 79.137.140.0/24;
deny 79.137.142.0/24;
deny 79.137.157.0/24;
deny 79.137.157.0/25;
deny 79.137.157.128/25;
deny 79.137.164.0/24;
@@ -659,9 +640,6 @@ deny 79.137.240.0/21;
deny 79.137.240.0/22;
deny 79.137.244.0/22;
deny 79.142.88.0/28;
deny 79.143.229.0/24;
deny 79.143.230.0/24;
deny 79.143.232.0/24;
deny 80.237.11.88/29;
deny 80.237.39.112/29;
deny 80.237.98.80/28;
@@ -671,8 +649,6 @@ deny 80.247.46.0/24;
deny 80.254.100.40/29;
deny 80.254.119.168/29;
deny 80.73.16.0/20;
deny 80.73.16.0/21;
deny 80.73.16.0/24;
deny 80.73.168.80/28;
deny 80.73.169.244/30;
deny 80.82.43.24/29;
@@ -696,11 +672,9 @@ deny 81.195.124.52/30;
deny 81.195.125.96/30;
deny 81.195.148.140/30;
deny 81.195.150.248/30;
deny 81.195.151.0/24;
deny 81.195.151.172/30;
deny 81.195.155.0/30;
deny 81.195.161.12/30;
deny 81.195.164.0/24;
deny 81.195.165.64/28;
deny 81.195.168.24/30;
deny 81.195.177.160/30;
@@ -879,8 +853,6 @@ deny 87.239.108.0/22;
deny 87.240.128.0/18;
deny 87.240.128.0/19;
deny 87.240.160.0/19;
deny 87.240.166.0/24;
deny 87.240.167.0/24;
deny 87.242.112.0/22;
deny 87.245.133.0/24;
deny 87.249.16.32/28;
@@ -948,9 +920,6 @@ deny 89.21.140.104/29;
deny 89.21.152.104/29;
deny 89.221.228.0/22;
deny 89.221.232.0/21;
deny 89.221.232.0/22;
deny 89.221.235.0/24;
deny 89.221.236.0/22;
deny 89.28.253.168/29;
deny 89.28.255.56/29;
deny 90.150.176.52/30;
@@ -973,7 +942,6 @@ deny 90.150.189.32/29;
deny 90.156.148.0/22;
deny 90.156.148.0/23;
deny 90.156.150.0/23;
deny 90.156.151.0/24;
deny 90.156.212.0/22;
deny 90.156.212.0/23;
deny 90.156.214.0/23;
@@ -982,29 +950,15 @@ deny 90.156.216.0/23;
deny 90.156.218.0/23;
deny 90.156.232.0/21;
deny 91.103.194.184/29;
deny 91.135.212.0/22;
deny 91.135.216.0/21;
deny 91.135.220.0/24;
deny 91.135.221.0/24;
deny 91.195.136.0/23;
deny 91.208.20.0/24;
deny 91.215.168.0/22;
deny 91.217.34.0/23;
deny 91.219.192.0/22;
deny 91.219.224.0/22;
deny 91.221.140.0/23;
deny 91.221.140.0/24;
deny 91.221.141.0/24;
deny 91.226.250.0/24;
deny 91.227.32.0/24;
deny 91.231.132.0/22;
deny 91.231.132.0/24;
deny 91.231.133.0/24;
deny 91.231.134.0/24;
deny 91.237.76.0/24;
deny 92.101.253.152/29;
deny 92.101.253.96/29;
deny 92.38.217.0/24;
deny 92.39.106.168/30;
deny 92.39.106.20/30;
deny 92.39.111.84/30;
@@ -1046,7 +1000,6 @@ deny 94.100.184.0/21;
deny 94.124.192.192/29;
deny 94.139.244.0/22;
deny 94.139.244.0/23;
deny 94.139.244.0/24;
deny 94.139.246.0/23;
deny 94.199.64.0/21;
deny 94.25.119.228/30;
@@ -1063,9 +1016,6 @@ deny 95.142.200.0/21;
deny 95.142.201.0/24;
deny 95.142.202.0/24;
deny 95.142.203.0/24;
deny 95.142.204.0/23;
deny 95.142.207.0/24;
deny 95.163.133.0/24;
deny 95.163.180.0/22;
deny 95.163.180.0/23;
deny 95.163.182.0/23;
@@ -1103,6 +1053,7 @@ deny 95.167.5.64/28;
deny 95.167.5.80/28;
deny 95.167.54.76/30;
deny 95.167.59.244/30;
deny 95.167.59.248/30;
deny 95.167.64.20/30;
deny 95.167.68.216/29;
deny 95.167.69.116/30;
@@ -1120,7 +1071,6 @@ deny 95.173.128.0/19;
deny 95.173.128.0/20;
deny 95.173.144.0/20;
deny 95.213.0.0/17;
deny 95.213.0.0/18;
deny 95.213.0.0/20;
deny 95.213.16.0/21;
deny 95.213.24.0/23;
@@ -1135,8 +1085,6 @@ deny 95.213.33.0/24;
deny 95.213.34.0/23;
deny 95.213.36.0/22;
deny 95.213.40.0/21;
deny 95.213.44.0/24;
deny 95.213.45.0/24;
deny 95.213.48.0/20;
deny 95.213.64.0/18;
deny 95.53.248.0/29;

View File

@@ -1,31 +1,14 @@
# Nginx blacklist configuration (IPv6 only)
# Auto-generated from blacklist-v6.txt
# Last updated: 2026-03-25 06:55:55 UTC
# Last updated: 2026-03-29 06:56:50 UTC
#
# Usage: Include this file in your nginx server or location block:
# include /path/to/blacklist-v6.conf;
#
deny 2a00:1148::/29;
deny 2a00:1148::/32;
deny 2a00:46e0:2::/48;
deny 2a00:46e0::/32;
deny 2a00:a300::/32;
deny 2a00:b4c0::/32;
deny 2a00:bdc0:8000::/34;
deny 2a00:bdc0::/33;
deny 2a00:bdc0:c000::/35;
deny 2a00:bdc0:e002::/48;
deny 2a00:bdc0:e003::/48;
deny 2a00:bdc0:e004::/48;
deny 2a00:bdc0:e005::/48;
deny 2a00:bdc0:e007::/48;
deny 2a00:bdc0:f000::/36;
deny 2a00:bdc1::/32;
deny 2a00:bdc2::/31;
deny 2a00:bdc4::/30;
deny 2a14:25c0::/32;
deny 2a14:25c5::/32;
deny 2a14:25c6::/32;
deny 2a14:25c7::/32;

View File

@@ -1,6 +1,6 @@
# Nginx blacklist configuration (mixed IPv4/IPv6)
# Auto-generated from blacklist.txt
# Last updated: 2026-03-25 06:55:55 UTC
# Last updated: 2026-03-29 06:56:50 UTC
#
# Usage: Include this file in your nginx server or location block:
# include /path/to/blacklist.conf;
@@ -38,7 +38,6 @@ deny 128.140.168.0/23;
deny 128.140.170.0/24;
deny 128.140.171.0/24;
deny 128.140.172.0/22;
deny 128.140.173.0/24;
deny 130.49.224.0/19;
deny 145.255.238.240/28;
deny 146.185.208.0/22;
@@ -51,14 +50,9 @@ deny 149.62.55.240/30;
deny 155.212.192.0/20;
deny 176.109.0.0/21;
deny 176.112.168.0/21;
deny 176.116.112.0/22;
deny 176.116.96.0/20;
deny 178.16.156.148/30;
deny 178.17.176.0/23;
deny 178.17.178.0/23;
deny 178.17.180.0/23;
deny 178.17.182.0/23;
deny 178.17.184.0/22;
deny 178.17.188.0/22;
deny 178.20.234.224/29;
deny 178.22.88.0/21;
deny 178.22.89.64/26;
@@ -73,7 +67,6 @@ deny 178.237.24.0/24;
deny 178.237.240.0/20;
deny 178.237.248.0/21;
deny 178.237.28.0/24;
deny 178.237.29.0/24;
deny 178.237.30.0/23;
deny 178.248.232.137/32;
deny 178.248.232.60/32;
@@ -120,7 +113,6 @@ deny 185.130.112.0/22;
deny 185.130.112.0/23;
deny 185.130.114.0/23;
deny 185.131.68.0/22;
deny 185.131.68.0/23;
deny 185.149.160.0/24;
deny 185.149.161.0/24;
deny 185.149.162.0/24;
@@ -131,8 +123,6 @@ deny 185.16.150.0/23;
deny 185.16.244.0/22;
deny 185.16.244.0/23;
deny 185.16.246.0/23;
deny 185.16.246.0/24;
deny 185.16.247.0/24;
deny 185.168.60.0/24;
deny 185.168.61.0/24;
deny 185.168.62.0/24;
@@ -205,14 +195,12 @@ deny 188.93.61.0/24;
deny 188.93.62.0/24;
deny 193.203.40.0/22;
deny 193.232.70.0/24;
deny 193.33.230.0/23;
deny 193.47.146.0/24;
deny 194.140.247.0/25;
deny 194.140.247.128/25;
deny 194.150.202.0/23;
deny 194.165.22.0/23;
deny 194.186.112.80/28;
deny 194.186.63.0/24;
deny 194.190.9.0/24;
deny 194.215.248.0/24;
deny 194.226.116.0/22;
@@ -249,7 +237,6 @@ deny 195.211.22.0/24;
deny 195.211.23.0/24;
deny 195.218.175.40/29;
deny 195.218.190.0/23;
deny 195.226.203.0/24;
deny 195.239.113.0/24;
deny 195.239.247.0/24;
deny 195.239.80.32/29;
@@ -270,7 +257,6 @@ deny 195.98.38.16/28;
deny 195.98.43.104/29;
deny 195.98.73.56/29;
deny 195.98.77.100/30;
deny 212.111.84.0/22;
deny 212.119.174.0/24;
deny 212.119.175.0/24;
deny 212.120.169.48/29;
@@ -296,10 +282,6 @@ deny 212.17.9.144/28;
deny 212.192.156.0/22;
deny 212.23.85.48/30;
deny 212.23.85.56/29;
deny 212.233.120.0/22;
deny 212.233.72.0/21;
deny 212.233.88.0/21;
deny 212.233.96.0/22;
deny 212.32.198.64/29;
deny 212.48.134.192/26;
deny 212.48.138.240/28;
@@ -404,8 +386,6 @@ deny 213.172.27.224/30;
deny 213.172.27.252/30;
deny 213.172.30.136/30;
deny 213.172.4.192/26;
deny 213.176.232.0/23;
deny 213.176.234.0/23;
deny 213.177.111.0/24;
deny 213.183.253.56/29;
deny 213.219.212.0/22;
@@ -461,7 +441,9 @@ deny 217.106.203.240/29;
deny 217.106.203.88/29;
deny 217.106.93.192/26;
deny 217.106.95.112/28;
deny 217.107.0.0/18;
deny 217.107.200.0/21;
deny 217.107.208.0/20;
deny 217.107.5.112/29;
deny 217.107.5.16/29;
deny 217.107.5.24/29;
@@ -477,7 +459,7 @@ deny 217.16.16.0/20;
deny 217.16.16.0/21;
deny 217.16.24.0/21;
deny 217.172.18.0/23;
deny 217.174.188.0/22;
deny 217.172.20.0/22;
deny 217.174.188.0/23;
deny 217.195.92.16/28;
deny 217.195.93.144/29;
@@ -492,7 +474,10 @@ deny 217.20.156.0/23;
deny 217.20.158.0/24;
deny 217.20.159.0/24;
deny 217.20.86.128/26;
deny 217.20.86.192/27;
deny 217.20.86.224/29;
deny 217.20.86.232/29;
deny 217.20.86.240/28;
deny 217.23.88.168/29;
deny 217.23.88.248/29;
deny 217.27.142.176/30;
@@ -501,31 +486,12 @@ deny 217.65.219.160/29;
deny 217.67.177.208/29;
deny 217.69.128.0/20;
deny 217.69.128.0/21;
deny 217.69.132.0/24;
deny 217.69.136.0/21;
deny 2a00:1148::/29;
deny 2a00:1148::/32;
deny 2a00:46e0:2::/48;
deny 2a00:46e0::/32;
deny 2a00:a300::/32;
deny 2a00:b4c0::/32;
deny 2a00:bdc0:8000::/34;
deny 2a00:bdc0::/33;
deny 2a00:bdc0:c000::/35;
deny 2a00:bdc0:e002::/48;
deny 2a00:bdc0:e003::/48;
deny 2a00:bdc0:e004::/48;
deny 2a00:bdc0:e005::/48;
deny 2a00:bdc0:e007::/48;
deny 2a00:bdc0:f000::/36;
deny 2a00:bdc1::/32;
deny 2a00:bdc2::/31;
deny 2a00:bdc4::/30;
deny 2a14:25c0::/32;
deny 2a14:25c5::/32;
deny 2a14:25c6::/32;
deny 2a14:25c7::/32;
deny 31.177.104.0/22;
deny 31.177.95.0/24;
deny 31.44.63.64/29;
deny 37.139.32.0/22;
@@ -548,6 +514,7 @@ deny 45.84.130.0/23;
deny 46.20.70.160/28;
deny 46.228.0.232/29;
deny 46.29.152.0/22;
deny 46.29.156.0/23;
deny 46.46.142.160/28;
deny 46.46.148.40/29;
deny 46.47.197.128/30;
@@ -659,9 +626,6 @@ deny 79.137.132.128/25;
deny 79.137.139.0/24;
deny 79.137.139.0/25;
deny 79.137.139.128/25;
deny 79.137.140.0/24;
deny 79.137.142.0/24;
deny 79.137.157.0/24;
deny 79.137.157.0/25;
deny 79.137.157.128/25;
deny 79.137.164.0/24;
@@ -681,9 +645,6 @@ deny 79.137.240.0/21;
deny 79.137.240.0/22;
deny 79.137.244.0/22;
deny 79.142.88.0/28;
deny 79.143.229.0/24;
deny 79.143.230.0/24;
deny 79.143.232.0/24;
deny 80.237.11.88/29;
deny 80.237.39.112/29;
deny 80.237.98.80/28;
@@ -693,8 +654,6 @@ deny 80.247.46.0/24;
deny 80.254.100.40/29;
deny 80.254.119.168/29;
deny 80.73.16.0/20;
deny 80.73.16.0/21;
deny 80.73.16.0/24;
deny 80.73.168.80/28;
deny 80.73.169.244/30;
deny 80.82.43.24/29;
@@ -718,11 +677,9 @@ deny 81.195.124.52/30;
deny 81.195.125.96/30;
deny 81.195.148.140/30;
deny 81.195.150.248/30;
deny 81.195.151.0/24;
deny 81.195.151.172/30;
deny 81.195.155.0/30;
deny 81.195.161.12/30;
deny 81.195.164.0/24;
deny 81.195.165.64/28;
deny 81.195.168.24/30;
deny 81.195.177.160/30;
@@ -901,8 +858,6 @@ deny 87.239.108.0/22;
deny 87.240.128.0/18;
deny 87.240.128.0/19;
deny 87.240.160.0/19;
deny 87.240.166.0/24;
deny 87.240.167.0/24;
deny 87.242.112.0/22;
deny 87.245.133.0/24;
deny 87.249.16.32/28;
@@ -970,9 +925,6 @@ deny 89.21.140.104/29;
deny 89.21.152.104/29;
deny 89.221.228.0/22;
deny 89.221.232.0/21;
deny 89.221.232.0/22;
deny 89.221.235.0/24;
deny 89.221.236.0/22;
deny 89.28.253.168/29;
deny 89.28.255.56/29;
deny 90.150.176.52/30;
@@ -995,7 +947,6 @@ deny 90.150.189.32/29;
deny 90.156.148.0/22;
deny 90.156.148.0/23;
deny 90.156.150.0/23;
deny 90.156.151.0/24;
deny 90.156.212.0/22;
deny 90.156.212.0/23;
deny 90.156.214.0/23;
@@ -1004,29 +955,15 @@ deny 90.156.216.0/23;
deny 90.156.218.0/23;
deny 90.156.232.0/21;
deny 91.103.194.184/29;
deny 91.135.212.0/22;
deny 91.135.216.0/21;
deny 91.135.220.0/24;
deny 91.135.221.0/24;
deny 91.195.136.0/23;
deny 91.208.20.0/24;
deny 91.215.168.0/22;
deny 91.217.34.0/23;
deny 91.219.192.0/22;
deny 91.219.224.0/22;
deny 91.221.140.0/23;
deny 91.221.140.0/24;
deny 91.221.141.0/24;
deny 91.226.250.0/24;
deny 91.227.32.0/24;
deny 91.231.132.0/22;
deny 91.231.132.0/24;
deny 91.231.133.0/24;
deny 91.231.134.0/24;
deny 91.237.76.0/24;
deny 92.101.253.152/29;
deny 92.101.253.96/29;
deny 92.38.217.0/24;
deny 92.39.106.168/30;
deny 92.39.106.20/30;
deny 92.39.111.84/30;
@@ -1068,7 +1005,6 @@ deny 94.100.184.0/21;
deny 94.124.192.192/29;
deny 94.139.244.0/22;
deny 94.139.244.0/23;
deny 94.139.244.0/24;
deny 94.139.246.0/23;
deny 94.199.64.0/21;
deny 94.25.119.228/30;
@@ -1085,9 +1021,6 @@ deny 95.142.200.0/21;
deny 95.142.201.0/24;
deny 95.142.202.0/24;
deny 95.142.203.0/24;
deny 95.142.204.0/23;
deny 95.142.207.0/24;
deny 95.163.133.0/24;
deny 95.163.180.0/22;
deny 95.163.180.0/23;
deny 95.163.182.0/23;
@@ -1125,6 +1058,7 @@ deny 95.167.5.64/28;
deny 95.167.5.80/28;
deny 95.167.54.76/30;
deny 95.167.59.244/30;
deny 95.167.59.248/30;
deny 95.167.64.20/30;
deny 95.167.68.216/29;
deny 95.167.69.116/30;
@@ -1142,7 +1076,6 @@ deny 95.173.128.0/19;
deny 95.173.128.0/20;
deny 95.173.144.0/20;
deny 95.213.0.0/17;
deny 95.213.0.0/18;
deny 95.213.0.0/20;
deny 95.213.16.0/21;
deny 95.213.24.0/23;
@@ -1157,8 +1090,6 @@ deny 95.213.33.0/24;
deny 95.213.34.0/23;
deny 95.213.36.0/22;
deny 95.213.40.0/21;
deny 95.213.44.0/24;
deny 95.213.45.0/24;
deny 95.213.48.0/20;
deny 95.213.64.0/18;
deny 95.53.248.0/29;

View File

@@ -0,0 +1,274 @@
# Linux routes for VK networks (IPv4)
# Auto-generated by blacklists_updater_routes.sh
# Last updated: 2026-03-29 06:56:52 UTC
#
# Apply:
# sudo sh blacklist-vk-v4.routes
#
ip route replace 109.120.180.0/22 via 127.0.0.1 dev lo onlink
ip route replace 109.120.180.0/23 via 127.0.0.1 dev lo onlink
ip route replace 109.120.182.0/23 via 127.0.0.1 dev lo onlink
ip route replace 109.120.188.0/22 via 127.0.0.1 dev lo onlink
ip route replace 109.120.188.0/23 via 127.0.0.1 dev lo onlink
ip route replace 109.120.190.0/23 via 127.0.0.1 dev lo onlink
ip route replace 128.140.168.0/21 via 127.0.0.1 dev lo onlink
ip route replace 128.140.168.0/23 via 127.0.0.1 dev lo onlink
ip route replace 128.140.170.0/24 via 127.0.0.1 dev lo onlink
ip route replace 128.140.171.0/24 via 127.0.0.1 dev lo onlink
ip route replace 128.140.172.0/22 via 127.0.0.1 dev lo onlink
ip route replace 130.49.224.0/19 via 127.0.0.1 dev lo onlink
ip route replace 146.185.208.0/22 via 127.0.0.1 dev lo onlink
ip route replace 146.185.208.0/23 via 127.0.0.1 dev lo onlink
ip route replace 146.185.210.0/23 via 127.0.0.1 dev lo onlink
ip route replace 146.185.240.0/22 via 127.0.0.1 dev lo onlink
ip route replace 146.185.240.0/23 via 127.0.0.1 dev lo onlink
ip route replace 146.185.242.0/23 via 127.0.0.1 dev lo onlink
ip route replace 155.212.192.0/20 via 127.0.0.1 dev lo onlink
ip route replace 176.112.168.0/21 via 127.0.0.1 dev lo onlink
ip route replace 178.22.88.0/21 via 127.0.0.1 dev lo onlink
ip route replace 178.22.89.64/26 via 127.0.0.1 dev lo onlink
ip route replace 178.22.94.0/23 via 127.0.0.1 dev lo onlink
ip route replace 178.237.16.0/20 via 127.0.0.1 dev lo onlink
ip route replace 178.237.16.0/21 via 127.0.0.1 dev lo onlink
ip route replace 178.237.24.0/22 via 127.0.0.1 dev lo onlink
ip route replace 178.237.30.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.100.104.0/22 via 127.0.0.1 dev lo onlink
ip route replace 185.100.104.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.100.106.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.130.112.0/22 via 127.0.0.1 dev lo onlink
ip route replace 185.130.112.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.130.114.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.131.68.0/22 via 127.0.0.1 dev lo onlink
ip route replace 185.16.148.0/22 via 127.0.0.1 dev lo onlink
ip route replace 185.16.148.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.16.150.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.16.244.0/22 via 127.0.0.1 dev lo onlink
ip route replace 185.16.244.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.16.246.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.180.200.0/22 via 127.0.0.1 dev lo onlink
ip route replace 185.187.63.0/24 via 127.0.0.1 dev lo onlink
ip route replace 185.187.63.0/25 via 127.0.0.1 dev lo onlink
ip route replace 185.187.63.128/25 via 127.0.0.1 dev lo onlink
ip route replace 185.226.52.0/22 via 127.0.0.1 dev lo onlink
ip route replace 185.226.52.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.226.54.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.241.192.0/22 via 127.0.0.1 dev lo onlink
ip route replace 185.241.192.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.241.194.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.29.128.0/22 via 127.0.0.1 dev lo onlink
ip route replace 185.29.130.0/24 via 127.0.0.1 dev lo onlink
ip route replace 185.32.248.0/22 via 127.0.0.1 dev lo onlink
ip route replace 185.32.248.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.32.250.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.5.136.0/22 via 127.0.0.1 dev lo onlink
ip route replace 185.5.136.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.5.138.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.6.244.0/22 via 127.0.0.1 dev lo onlink
ip route replace 185.6.244.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.6.246.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.86.144.0/22 via 127.0.0.1 dev lo onlink
ip route replace 185.86.144.0/23 via 127.0.0.1 dev lo onlink
ip route replace 185.86.146.0/23 via 127.0.0.1 dev lo onlink
ip route replace 188.93.56.0/21 via 127.0.0.1 dev lo onlink
ip route replace 188.93.56.0/24 via 127.0.0.1 dev lo onlink
ip route replace 188.93.57.0/24 via 127.0.0.1 dev lo onlink
ip route replace 188.93.58.0/24 via 127.0.0.1 dev lo onlink
ip route replace 188.93.60.0/24 via 127.0.0.1 dev lo onlink
ip route replace 188.93.61.0/24 via 127.0.0.1 dev lo onlink
ip route replace 188.93.62.0/24 via 127.0.0.1 dev lo onlink
ip route replace 193.203.40.0/22 via 127.0.0.1 dev lo onlink
ip route replace 194.84.16.12/30 via 127.0.0.1 dev lo onlink
ip route replace 195.211.20.0/22 via 127.0.0.1 dev lo onlink
ip route replace 195.211.22.0/24 via 127.0.0.1 dev lo onlink
ip route replace 195.211.23.0/24 via 127.0.0.1 dev lo onlink
ip route replace 212.111.84.0/22 via 127.0.0.1 dev lo onlink
ip route replace 212.233.120.0/22 via 127.0.0.1 dev lo onlink
ip route replace 212.233.72.0/21 via 127.0.0.1 dev lo onlink
ip route replace 212.233.88.0/21 via 127.0.0.1 dev lo onlink
ip route replace 212.233.96.0/22 via 127.0.0.1 dev lo onlink
ip route replace 213.219.212.0/22 via 127.0.0.1 dev lo onlink
ip route replace 213.219.212.0/23 via 127.0.0.1 dev lo onlink
ip route replace 213.219.214.0/23 via 127.0.0.1 dev lo onlink
ip route replace 217.16.16.0/20 via 127.0.0.1 dev lo onlink
ip route replace 217.16.16.0/21 via 127.0.0.1 dev lo onlink
ip route replace 217.16.24.0/21 via 127.0.0.1 dev lo onlink
ip route replace 217.174.188.0/23 via 127.0.0.1 dev lo onlink
ip route replace 217.20.144.0/20 via 127.0.0.1 dev lo onlink
ip route replace 217.20.144.0/22 via 127.0.0.1 dev lo onlink
ip route replace 217.20.148.0/24 via 127.0.0.1 dev lo onlink
ip route replace 217.20.149.0/24 via 127.0.0.1 dev lo onlink
ip route replace 217.20.150.0/23 via 127.0.0.1 dev lo onlink
ip route replace 217.20.152.0/22 via 127.0.0.1 dev lo onlink
ip route replace 217.20.156.0/23 via 127.0.0.1 dev lo onlink
ip route replace 217.20.158.0/24 via 127.0.0.1 dev lo onlink
ip route replace 217.20.159.0/24 via 127.0.0.1 dev lo onlink
ip route replace 217.69.128.0/20 via 127.0.0.1 dev lo onlink
ip route replace 217.69.128.0/21 via 127.0.0.1 dev lo onlink
ip route replace 217.69.136.0/21 via 127.0.0.1 dev lo onlink
ip route replace 37.139.32.0/22 via 127.0.0.1 dev lo onlink
ip route replace 37.139.32.0/23 via 127.0.0.1 dev lo onlink
ip route replace 37.139.34.0/23 via 127.0.0.1 dev lo onlink
ip route replace 37.139.40.0/22 via 127.0.0.1 dev lo onlink
ip route replace 37.139.40.0/23 via 127.0.0.1 dev lo onlink
ip route replace 37.139.42.0/23 via 127.0.0.1 dev lo onlink
ip route replace 45.136.20.0/22 via 127.0.0.1 dev lo onlink
ip route replace 45.136.20.0/23 via 127.0.0.1 dev lo onlink
ip route replace 45.136.22.0/23 via 127.0.0.1 dev lo onlink
ip route replace 45.84.128.0/22 via 127.0.0.1 dev lo onlink
ip route replace 45.84.128.0/23 via 127.0.0.1 dev lo onlink
ip route replace 45.84.130.0/23 via 127.0.0.1 dev lo onlink
ip route replace 5.101.40.0/22 via 127.0.0.1 dev lo onlink
ip route replace 5.101.40.0/23 via 127.0.0.1 dev lo onlink
ip route replace 5.101.42.0/23 via 127.0.0.1 dev lo onlink
ip route replace 5.181.60.0/22 via 127.0.0.1 dev lo onlink
ip route replace 5.181.60.0/24 via 127.0.0.1 dev lo onlink
ip route replace 5.181.61.0/24 via 127.0.0.1 dev lo onlink
ip route replace 5.181.62.0/23 via 127.0.0.1 dev lo onlink
ip route replace 5.188.140.0/22 via 127.0.0.1 dev lo onlink
ip route replace 5.188.140.0/23 via 127.0.0.1 dev lo onlink
ip route replace 5.188.142.0/23 via 127.0.0.1 dev lo onlink
ip route replace 5.61.16.0/21 via 127.0.0.1 dev lo onlink
ip route replace 5.61.16.0/22 via 127.0.0.1 dev lo onlink
ip route replace 5.61.20.0/22 via 127.0.0.1 dev lo onlink
ip route replace 5.61.232.0/21 via 127.0.0.1 dev lo onlink
ip route replace 5.61.232.0/22 via 127.0.0.1 dev lo onlink
ip route replace 5.61.236.0/23 via 127.0.0.1 dev lo onlink
ip route replace 5.61.238.0/24 via 127.0.0.1 dev lo onlink
ip route replace 5.61.239.0/27 via 127.0.0.1 dev lo onlink
ip route replace 5.61.239.128/25 via 127.0.0.1 dev lo onlink
ip route replace 5.61.239.40/29 via 127.0.0.1 dev lo onlink
ip route replace 5.61.239.48/28 via 127.0.0.1 dev lo onlink
ip route replace 5.61.239.64/26 via 127.0.0.1 dev lo onlink
ip route replace 62.217.160.0/20 via 127.0.0.1 dev lo onlink
ip route replace 62.217.160.0/21 via 127.0.0.1 dev lo onlink
ip route replace 62.217.168.0/21 via 127.0.0.1 dev lo onlink
ip route replace 79.137.132.0/24 via 127.0.0.1 dev lo onlink
ip route replace 79.137.132.0/25 via 127.0.0.1 dev lo onlink
ip route replace 79.137.132.128/25 via 127.0.0.1 dev lo onlink
ip route replace 79.137.139.0/24 via 127.0.0.1 dev lo onlink
ip route replace 79.137.139.0/25 via 127.0.0.1 dev lo onlink
ip route replace 79.137.139.128/25 via 127.0.0.1 dev lo onlink
ip route replace 79.137.157.0/25 via 127.0.0.1 dev lo onlink
ip route replace 79.137.157.128/25 via 127.0.0.1 dev lo onlink
ip route replace 79.137.164.0/24 via 127.0.0.1 dev lo onlink
ip route replace 79.137.164.0/25 via 127.0.0.1 dev lo onlink
ip route replace 79.137.164.128/25 via 127.0.0.1 dev lo onlink
ip route replace 79.137.167.0/24 via 127.0.0.1 dev lo onlink
ip route replace 79.137.167.0/25 via 127.0.0.1 dev lo onlink
ip route replace 79.137.167.128/25 via 127.0.0.1 dev lo onlink
ip route replace 79.137.174.0/23 via 127.0.0.1 dev lo onlink
ip route replace 79.137.174.0/24 via 127.0.0.1 dev lo onlink
ip route replace 79.137.175.0/24 via 127.0.0.1 dev lo onlink
ip route replace 79.137.180.0/24 via 127.0.0.1 dev lo onlink
ip route replace 79.137.180.0/25 via 127.0.0.1 dev lo onlink
ip route replace 79.137.180.128/25 via 127.0.0.1 dev lo onlink
ip route replace 79.137.240.0/21 via 127.0.0.1 dev lo onlink
ip route replace 79.137.240.0/22 via 127.0.0.1 dev lo onlink
ip route replace 79.137.244.0/22 via 127.0.0.1 dev lo onlink
ip route replace 83.166.232.0/21 via 127.0.0.1 dev lo onlink
ip route replace 83.166.232.0/22 via 127.0.0.1 dev lo onlink
ip route replace 83.166.236.0/22 via 127.0.0.1 dev lo onlink
ip route replace 83.166.248.0/21 via 127.0.0.1 dev lo onlink
ip route replace 83.166.248.0/22 via 127.0.0.1 dev lo onlink
ip route replace 83.166.252.0/22 via 127.0.0.1 dev lo onlink
ip route replace 83.217.216.0/22 via 127.0.0.1 dev lo onlink
ip route replace 83.217.216.0/23 via 127.0.0.1 dev lo onlink
ip route replace 83.217.218.0/23 via 127.0.0.1 dev lo onlink
ip route replace 83.222.28.0/22 via 127.0.0.1 dev lo onlink
ip route replace 84.23.52.0/22 via 127.0.0.1 dev lo onlink
ip route replace 84.23.52.0/23 via 127.0.0.1 dev lo onlink
ip route replace 84.23.54.0/23 via 127.0.0.1 dev lo onlink
ip route replace 85.114.31.108/30 via 127.0.0.1 dev lo onlink
ip route replace 85.192.32.0/22 via 127.0.0.1 dev lo onlink
ip route replace 85.192.32.0/23 via 127.0.0.1 dev lo onlink
ip route replace 85.192.34.0/23 via 127.0.0.1 dev lo onlink
ip route replace 85.198.106.0/24 via 127.0.0.1 dev lo onlink
ip route replace 85.198.107.0/24 via 127.0.0.1 dev lo onlink
ip route replace 87.239.104.0/21 via 127.0.0.1 dev lo onlink
ip route replace 87.239.104.0/22 via 127.0.0.1 dev lo onlink
ip route replace 87.239.108.0/22 via 127.0.0.1 dev lo onlink
ip route replace 87.240.128.0/18 via 127.0.0.1 dev lo onlink
ip route replace 87.240.128.0/19 via 127.0.0.1 dev lo onlink
ip route replace 87.240.160.0/19 via 127.0.0.1 dev lo onlink
ip route replace 87.242.112.0/22 via 127.0.0.1 dev lo onlink
ip route replace 89.208.196.0/22 via 127.0.0.1 dev lo onlink
ip route replace 89.208.196.0/23 via 127.0.0.1 dev lo onlink
ip route replace 89.208.198.0/23 via 127.0.0.1 dev lo onlink
ip route replace 89.208.208.0/22 via 127.0.0.1 dev lo onlink
ip route replace 89.208.208.0/23 via 127.0.0.1 dev lo onlink
ip route replace 89.208.210.0/23 via 127.0.0.1 dev lo onlink
ip route replace 89.208.216.0/21 via 127.0.0.1 dev lo onlink
ip route replace 89.208.216.0/23 via 127.0.0.1 dev lo onlink
ip route replace 89.208.218.0/23 via 127.0.0.1 dev lo onlink
ip route replace 89.208.220.0/22 via 127.0.0.1 dev lo onlink
ip route replace 89.208.228.0/22 via 127.0.0.1 dev lo onlink
ip route replace 89.208.228.0/23 via 127.0.0.1 dev lo onlink
ip route replace 89.208.230.0/23 via 127.0.0.1 dev lo onlink
ip route replace 89.208.84.0/22 via 127.0.0.1 dev lo onlink
ip route replace 89.208.84.0/23 via 127.0.0.1 dev lo onlink
ip route replace 89.208.86.0/23 via 127.0.0.1 dev lo onlink
ip route replace 89.221.228.0/22 via 127.0.0.1 dev lo onlink
ip route replace 89.221.232.0/21 via 127.0.0.1 dev lo onlink
ip route replace 90.156.148.0/22 via 127.0.0.1 dev lo onlink
ip route replace 90.156.148.0/23 via 127.0.0.1 dev lo onlink
ip route replace 90.156.150.0/23 via 127.0.0.1 dev lo onlink
ip route replace 90.156.212.0/22 via 127.0.0.1 dev lo onlink
ip route replace 90.156.212.0/23 via 127.0.0.1 dev lo onlink
ip route replace 90.156.214.0/23 via 127.0.0.1 dev lo onlink
ip route replace 90.156.216.0/22 via 127.0.0.1 dev lo onlink
ip route replace 90.156.216.0/23 via 127.0.0.1 dev lo onlink
ip route replace 90.156.218.0/23 via 127.0.0.1 dev lo onlink
ip route replace 90.156.232.0/21 via 127.0.0.1 dev lo onlink
ip route replace 91.219.224.0/22 via 127.0.0.1 dev lo onlink
ip route replace 91.231.132.0/22 via 127.0.0.1 dev lo onlink
ip route replace 91.237.76.0/24 via 127.0.0.1 dev lo onlink
ip route replace 93.153.255.84/30 via 127.0.0.1 dev lo onlink
ip route replace 93.186.224.0/20 via 127.0.0.1 dev lo onlink
ip route replace 93.186.224.0/21 via 127.0.0.1 dev lo onlink
ip route replace 93.186.232.0/21 via 127.0.0.1 dev lo onlink
ip route replace 94.100.176.0/20 via 127.0.0.1 dev lo onlink
ip route replace 94.100.176.0/21 via 127.0.0.1 dev lo onlink
ip route replace 94.100.184.0/21 via 127.0.0.1 dev lo onlink
ip route replace 94.139.244.0/22 via 127.0.0.1 dev lo onlink
ip route replace 94.139.244.0/23 via 127.0.0.1 dev lo onlink
ip route replace 94.139.246.0/23 via 127.0.0.1 dev lo onlink
ip route replace 95.142.192.0/20 via 127.0.0.1 dev lo onlink
ip route replace 95.142.192.0/21 via 127.0.0.1 dev lo onlink
ip route replace 95.142.200.0/21 via 127.0.0.1 dev lo onlink
ip route replace 95.163.180.0/22 via 127.0.0.1 dev lo onlink
ip route replace 95.163.180.0/23 via 127.0.0.1 dev lo onlink
ip route replace 95.163.182.0/23 via 127.0.0.1 dev lo onlink
ip route replace 95.163.208.0/21 via 127.0.0.1 dev lo onlink
ip route replace 95.163.208.0/23 via 127.0.0.1 dev lo onlink
ip route replace 95.163.210.0/23 via 127.0.0.1 dev lo onlink
ip route replace 95.163.212.0/22 via 127.0.0.1 dev lo onlink
ip route replace 95.163.216.0/22 via 127.0.0.1 dev lo onlink
ip route replace 95.163.216.0/23 via 127.0.0.1 dev lo onlink
ip route replace 95.163.218.0/23 via 127.0.0.1 dev lo onlink
ip route replace 95.163.248.0/21 via 127.0.0.1 dev lo onlink
ip route replace 95.163.248.0/22 via 127.0.0.1 dev lo onlink
ip route replace 95.163.252.0/23 via 127.0.0.1 dev lo onlink
ip route replace 95.163.254.0/23 via 127.0.0.1 dev lo onlink
ip route replace 95.163.32.0/19 via 127.0.0.1 dev lo onlink
ip route replace 95.163.32.0/22 via 127.0.0.1 dev lo onlink
ip route replace 95.163.36.0/22 via 127.0.0.1 dev lo onlink
ip route replace 95.163.40.0/21 via 127.0.0.1 dev lo onlink
ip route replace 95.163.48.0/20 via 127.0.0.1 dev lo onlink
ip route replace 95.213.0.0/17 via 127.0.0.1 dev lo onlink
ip route replace 95.213.0.0/20 via 127.0.0.1 dev lo onlink
ip route replace 95.213.16.0/21 via 127.0.0.1 dev lo onlink
ip route replace 95.213.24.0/23 via 127.0.0.1 dev lo onlink
ip route replace 95.213.26.0/24 via 127.0.0.1 dev lo onlink
ip route replace 95.213.27.0/24 via 127.0.0.1 dev lo onlink
ip route replace 95.213.28.0/24 via 127.0.0.1 dev lo onlink
ip route replace 95.213.29.0/24 via 127.0.0.1 dev lo onlink
ip route replace 95.213.30.0/24 via 127.0.0.1 dev lo onlink
ip route replace 95.213.31.0/24 via 127.0.0.1 dev lo onlink
ip route replace 95.213.32.0/24 via 127.0.0.1 dev lo onlink
ip route replace 95.213.33.0/24 via 127.0.0.1 dev lo onlink
ip route replace 95.213.34.0/23 via 127.0.0.1 dev lo onlink
ip route replace 95.213.36.0/22 via 127.0.0.1 dev lo onlink
ip route replace 95.213.40.0/21 via 127.0.0.1 dev lo onlink
ip route replace 95.213.48.0/20 via 127.0.0.1 dev lo onlink
ip route replace 95.213.64.0/18 via 127.0.0.1 dev lo onlink
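
Review bot: The header comment documents how to apply this file but not how to undo it, and every line uses `ip route replace`, which silently overwrites any route the host already has for the same prefix. Add a removal procedure to the header (the matching `ip route del` lines, or a generated undo file), and since the file is meant to be run with `sudo sh`, say that it should be read before it is executed. A `blackhole` route type would also state the intent more directly than a next hop of 127.0.0.1 on lo.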

@@ -0,0 +1,9 @@
# Linux routes for VK networks (IPv6)
# Auto-generated by blacklists_updater_routes.sh
# Last updated: 2026-03-29 06:56:52 UTC
#
# Apply:
# sudo sh blacklist-vk-v6.routes
#
ip -6 route replace 2a00:bdc0::/29 via ::1 dev lo

@@ -11,7 +11,7 @@ blacklist_v6_file="${SCRIPT_DIR}/blacklists/blacklist-v6.txt"
auto_all_v4_file="${SCRIPT_DIR}/auto/all-ru-ipv4.txt"
auto_all_v6_file="${SCRIPT_DIR}/auto/all-ru-ipv6.txt"
auto_ripe_v4_file="${SCRIPT_DIR}/auto/ripe-ru-ipv4.txt"
vk_name_pattern='VK[[:space:]-]*CLOUD|VKCOMPANY|VKONTAKTE'
vk_name_pattern='vk[[:space:]-]*cloud|vkcompany|vkontakte'
# Additional VK-only text blacklists
blacklist_vk_file="${SCRIPT_DIR}/blacklists/blacklist-vk.txt"
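
Review bot: vk_name_pattern is lowercase only because the awk call further down now lowercases the line before matching, and nothing next to the assignment says so. Add a comment that the pattern must stay lowercase, and consider keeping it in one shared file: the same literal is repeated as VK_NAME_PATTERN in the nftables and routes updaters, so the three copies can drift apart.
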
@@ -20,21 +20,19 @@ blacklist_vk_v6_file="${SCRIPT_DIR}/blacklists/blacklist-vk-v6.txt"
# Output directory and files
iptables_output_dir="${SCRIPT_DIR}/blacklists_iptables"
iptables_output_file="${iptables_output_dir}/blacklist.ipset"
iptables_v4_output_file="${iptables_output_dir}/blacklist-v4.ipset"
iptables_v6_output_file="${iptables_output_dir}/blacklist-v6.ipset"
iptables_vk_output_file="${iptables_output_dir}/blacklist-vk.ipset"
iptables_vk_v4_output_file="${iptables_output_dir}/blacklist-vk-v4.ipset"
iptables_vk_v6_output_file="${iptables_output_dir}/blacklist-vk-v6.ipset"
# Create iptables directory if it doesn't exist
mkdir -p "${iptables_output_dir}"
# Create required directories if they don't exist
mkdir -p "${iptables_output_dir}" "${SCRIPT_DIR}/blacklists"
# Build additional VK-only blacklist from network names in auto/*.txt files
tmp_vk_file="$(mktemp "${SCRIPT_DIR}/blacklists/.blacklist-vk.XXXXXX")"
for source_file in "${auto_all_v4_file}" "${auto_all_v6_file}" "${auto_ripe_v4_file}"; do
[ -f "${source_file}" ] || continue
awk -v pattern="${vk_name_pattern}" 'BEGIN { IGNORECASE = 1 } $0 ~ pattern { print $1 }' "${source_file}" >> "${tmp_vk_file}"
awk -v pattern="${vk_name_pattern}" 'tolower($0) ~ pattern { print $1 }' "${source_file}" >> "${tmp_vk_file}"
done
sort -u "${tmp_vk_file}" > "${blacklist_vk_file}"
grep ':' "${blacklist_vk_file}" | sort -u > "${blacklist_vk_v6_file}" || true
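
Review bot: The loop skips every missing source with `[ -f "${source_file}" ] || continue`, so when none of the auto/*.txt files are present, `sort -u` still overwrites blacklist-vk.txt with an empty file and the run reports success. For a blocklist that is a silent fail-open. Check that the temporary file is non-empty (`[ -s "${tmp_vk_file}" ]`) before replacing the previous list, and exit non-zero otherwise.
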
@@ -106,70 +104,10 @@ generate_ipset_config "${blacklist_v6_file}" "${iptables_v6_output_file}" "(IPv6
generate_ipset_config "${blacklist_vk_v4_file}" "${iptables_vk_v4_output_file}" "(VK names, IPv4 only)" "blacklist-vk-v4" "inet"
generate_ipset_config "${blacklist_vk_v6_file}" "${iptables_vk_v6_output_file}" "(VK names, IPv6 only)" "blacklist-vk-v6" "inet6"
# For mixed file, we need to create two sets (IPv4 and IPv6) as ipset doesn't support mixed families
cat > "${iptables_output_file}" << EOF
# IPSet blacklist configuration (mixed IPv4/IPv6)
# Auto-generated from $(basename ${blacklist_file})
# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
#
# Usage:
# 1. Load the ipset:
# ipset restore < $(basename ${iptables_output_file})
#
# 2. Use with iptables/ip6tables:
# iptables -I INPUT -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
# iptables -I FORWARD -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
# ip6tables -I INPUT -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP
# ip6tables -I FORWARD -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP
#
# 3. To flush/delete the sets:
# ipset flush blacklist-v4 && ipset destroy blacklist-v4
# ipset flush blacklist-v6 && ipset destroy blacklist-v6
#
EOF
# Append both IPv4 and IPv6 sets to the mixed file
tail -n +2 "${iptables_v4_output_file}" | grep -E "^(create|add)" >> "${iptables_output_file}"
echo "" >> "${iptables_output_file}"
tail -n +2 "${iptables_v6_output_file}" | grep -E "^(create|add)" >> "${iptables_output_file}"
echo "✓ Generated (mixed IPv4/IPv6): ${iptables_output_file}"
echo " Total entries: $(wc -l < "${blacklist_file}" | tr -d ' ')"
# Generate mixed VK-only ipset file (contains both v4 and v6 sets)
cat > "${iptables_vk_output_file}" << EOF
# IPSet blacklist configuration (VK names: VK Cloud / VKCOMPANY / VKONTAKTE)
# Auto-generated from name-filtered auto/*.txt sources
# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
#
# Usage:
# 1. Load the ipset:
# ipset restore < $(basename "${iptables_vk_output_file}")
#
# 2. Use with iptables/ip6tables:
# iptables -I OUTPUT -m set --match-set blacklist-vk-v4 dst -j REJECT
# iptables -I FORWARD -m set --match-set blacklist-vk-v4 dst -j REJECT
# ip6tables -I OUTPUT -m set --match-set blacklist-vk-v6 dst -j REJECT
# ip6tables -I FORWARD -m set --match-set blacklist-vk-v6 dst -j REJECT
#
# 3. To flush/delete the sets:
# ipset flush blacklist-vk-v4 && ipset destroy blacklist-vk-v4
# ipset flush blacklist-vk-v6 && ipset destroy blacklist-vk-v6
#
EOF
tail -n +2 "${iptables_vk_v4_output_file}" | grep -E "^(create|add)" >> "${iptables_vk_output_file}"
echo "" >> "${iptables_vk_output_file}"
tail -n +2 "${iptables_vk_v6_output_file}" | grep -E "^(create|add)" >> "${iptables_vk_output_file}"
echo "✓ Generated (VK names, mixed IPv4/IPv6): ${iptables_vk_output_file}"
echo " Total entries: $(wc -l < "${blacklist_vk_file}" | tr -d ' ')"
echo ""
echo "VK outgoing block examples (iptables/ipset):"
echo " ipset restore < ${iptables_vk_output_file}"
echo " ipset restore < ${iptables_vk_v4_output_file}"
echo " ipset restore < ${iptables_vk_v6_output_file}"
echo " iptables -I OUTPUT -m set --match-set blacklist-vk-v4 dst -j REJECT"
echo " iptables -I FORWARD -m set --match-set blacklist-vk-v4 dst -j REJECT"
echo " ip6tables -I OUTPUT -m set --match-set blacklist-vk-v6 dst -j REJECT"
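
Review bot: Per the hunk header this block shrinks from 70 lines to 10, which leaves no room for the heredocs that wrote the mixed blacklist.ipset and blacklist-vk.ipset files, yet nothing removes copies produced by earlier runs. Anyone still running `ipset restore` on those files would keep loading a list that no longer updates. Delete the old mixed files in this script or in the same commit, and make sure the echoed examples name only files that are still generated.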

@@ -11,15 +11,15 @@ OUTPUT_DIR="$SCRIPT_DIR/blacklists_nftables"
AUTO_ALL_V4_FILE="$SCRIPT_DIR/auto/all-ru-ipv4.txt"
AUTO_ALL_V6_FILE="$SCRIPT_DIR/auto/all-ru-ipv6.txt"
AUTO_RIPE_V4_FILE="$SCRIPT_DIR/auto/ripe-ru-ipv4.txt"
VK_NAME_PATTERN='VK[[:space:]-]*CLOUD|VKCOMPANY|VKONTAKTE'
VK_NAME_PATTERN='vk[[:space:]-]*cloud|vkcompany|vkontakte'
# Additional VK-only text blacklists
VK_INPUT_FILE="$SCRIPT_DIR/blacklists/blacklist-vk.txt"
VK_INPUT_V4_FILE="$SCRIPT_DIR/blacklists/blacklist-vk-v4.txt"
VK_INPUT_V6_FILE="$SCRIPT_DIR/blacklists/blacklist-vk-v6.txt"
# Create output directory if it doesn't exist
mkdir -p "$OUTPUT_DIR"
# Create required directories if they don't exist
mkdir -p "$OUTPUT_DIR" "$SCRIPT_DIR/blacklists"
echo "Generating nftables blacklists..."
@@ -27,14 +27,14 @@ echo "Generating nftables blacklists..."
TMP_VK_FILE="$(mktemp "$SCRIPT_DIR/blacklists/.blacklist-vk.XXXXXX")"
for source_file in "$AUTO_ALL_V4_FILE" "$AUTO_ALL_V6_FILE" "$AUTO_RIPE_V4_FILE"; do
[[ -f "$source_file" ]] || continue
awk -v pattern="$VK_NAME_PATTERN" 'BEGIN { IGNORECASE = 1 } $0 ~ pattern { print $1 }' "$source_file" >> "$TMP_VK_FILE"
awk -v pattern="$VK_NAME_PATTERN" 'tolower($0) ~ pattern { print $1 }' "$source_file" >> "$TMP_VK_FILE"
done
sort -u "$TMP_VK_FILE" > "$VK_INPUT_FILE"
grep ':' "$VK_INPUT_FILE" | sort -u > "$VK_INPUT_V6_FILE" || true
grep -v ':' "$VK_INPUT_FILE" | sort -u > "$VK_INPUT_V4_FILE" || true
rm -f "$TMP_VK_FILE"
# Generate mixed IPv4/IPv6 blacklist
# Generate mixed IPv4/IPv6 blacklist (recommended single-file load)
python3 "$SCRIPT_DIR/generate_nft_blacklist.py" \
"$INPUT_FILE" \
"$OUTPUT_DIR/blacklist.nft"
@@ -69,10 +69,20 @@ rm -f "$TMP_V4_FILE" "$TMP_V6_FILE"
echo "nftables blacklists generated successfully!"
echo ""
echo "VK outgoing block examples (nftables):"
echo "VM incoming block examples (all lists, nftables):"
echo " sudo nft -f $OUTPUT_DIR/blacklist.nft"
echo " sudo nft -f $OUTPUT_DIR/blacklist-v4.nft"
echo " sudo nft -f $OUTPUT_DIR/blacklist-v6.nft"
echo " sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'"
echo " sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject"
echo " sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject"
echo ""
echo "VK outbound block examples for VPN clients via NAT (nftables):"
echo " sudo nft -f $OUTPUT_DIR/blacklist-vk.nft"
echo " sudo nft add chain inet filter output '{ type filter hook output priority 0; policy accept; }'"
echo " sudo nft add rule inet filter output ip daddr @blacklist_v4 counter reject"
echo " sudo nft add rule inet filter output ip6 daddr @blacklist_v6 counter reject"
echo " sudo nft -f $OUTPUT_DIR/blacklist-vk-v4.nft"
echo " sudo nft -f $OUTPUT_DIR/blacklist-vk-v6.nft"
echo " sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'"
echo " sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip daddr @blacklist_vk_v4 counter reject"
echo " sudo nft add rule inet filter forward iifname \"<VPN_IFACE>\" ip6 daddr @blacklist_vk_v6 counter reject"
echo ""
echo "Tip: Do not install Messenger MAX on the same phone/device that has VPN access configured."
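
Review bot: The inbound examples end in `counter reject` on the input hook, which answers every blacklisted source with an ICMP error and so confirms the host is there; the iptables usage text for the same purpose used `-j DROP` with `--ctstate NEW`. Use `drop` for the `ip saddr` and `ip6 saddr` input rules and keep `reject` for the forward rules, where a fast failure helps the VPN clients. The `<VPN_IFACE>` placeholder also deserves one line saying which interface is meant.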

@@ -11,8 +11,8 @@ nginx_output_file="${nginx_output_dir}/blacklist.conf"
nginx_v4_output_file="${nginx_output_dir}/blacklist-v4.conf"
nginx_v6_output_file="${nginx_output_dir}/blacklist-v6.conf"
# Create nginx directory if it doesn't exist
mkdir -p "${nginx_output_dir}"
# Create required directories if they don't exist
mkdir -p "${nginx_output_dir}" "blacklists"
# Function to generate nginx config from input file
generate_nginx_config() {
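
Review bot: The added `mkdir -p` argument "blacklists" is relative to the current working directory, while the iptables, nftables and routes updaters create "${SCRIPT_DIR}/blacklists". Run from another directory (cron, a CI step), this creates a stray directory and the real one may still be missing. Use a path derived from the script location here as well.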

blacklists_updater_routes.sh Executable file
@@ -0,0 +1,78 @@
#!/bin/sh
set -e
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
# Source files for name-based VK filtering
AUTO_ALL_V4_FILE="${SCRIPT_DIR}/auto/all-ru-ipv4.txt"
AUTO_ALL_V6_FILE="${SCRIPT_DIR}/auto/all-ru-ipv6.txt"
AUTO_RIPE_V4_FILE="${SCRIPT_DIR}/auto/ripe-ru-ipv4.txt"
VK_NAME_PATTERN='vk[[:space:]-]*cloud|vkcompany|vkontakte'
# Additional VK-only text blacklists
VK_INPUT_FILE="${SCRIPT_DIR}/blacklists/blacklist-vk.txt"
VK_INPUT_V4_FILE="${SCRIPT_DIR}/blacklists/blacklist-vk-v4.txt"
VK_INPUT_V6_FILE="${SCRIPT_DIR}/blacklists/blacklist-vk-v6.txt"
# Output directory and files
ROUTES_OUTPUT_DIR="${SCRIPT_DIR}/blacklists_route"
ROUTES_V4_FILE="${ROUTES_OUTPUT_DIR}/blacklist-vk-v4.routes"
ROUTES_V6_FILE="${ROUTES_OUTPUT_DIR}/blacklist-vk-v6.routes"
mkdir -p "${ROUTES_OUTPUT_DIR}" "${SCRIPT_DIR}/blacklists"
echo "Generating VK route blacklists..."
# Build additional VK-only blacklist from network names in auto/*.txt files
TMP_VK_FILE="$(mktemp "${SCRIPT_DIR}/blacklists/.blacklist-vk.XXXXXX")"
for source_file in "${AUTO_ALL_V4_FILE}" "${AUTO_ALL_V6_FILE}" "${AUTO_RIPE_V4_FILE}"; do
[ -f "${source_file}" ] || continue
awk -v pattern="${VK_NAME_PATTERN}" 'tolower($0) ~ pattern { print $1 }' "${source_file}" >> "${TMP_VK_FILE}"
done
sort -u "${TMP_VK_FILE}" > "${VK_INPUT_FILE}"
grep ':' "${VK_INPUT_FILE}" | sort -u > "${VK_INPUT_V6_FILE}" || true
grep -v ':' "${VK_INPUT_FILE}" | sort -u > "${VK_INPUT_V4_FILE}" || true
rm -f "${TMP_VK_FILE}"
# Generate IPv4 routes file (route VK prefixes to loopback via 127.0.0.1)
cat > "${ROUTES_V4_FILE}" << EOF
# Linux routes for VK networks (IPv4)
# Auto-generated by $(basename "$0")
# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
#
# Apply:
# sudo sh $(basename "${ROUTES_V4_FILE}")
#
EOF
while IFS= read -r network; do
[ -n "${network}" ] || continue
printf 'ip route replace %s via 127.0.0.1 dev lo onlink\n' "${network}" >> "${ROUTES_V4_FILE}"
done < "${VK_INPUT_V4_FILE}"
# Generate IPv6 routes file (route VK prefixes to loopback via ::1)
cat > "${ROUTES_V6_FILE}" << EOF
# Linux routes for VK networks (IPv6)
# Auto-generated by $(basename "$0")
# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
#
# Apply:
# sudo sh $(basename "${ROUTES_V6_FILE}")
#
EOF
while IFS= read -r network; do
[ -n "${network}" ] || continue
printf 'ip -6 route replace %s via ::1 dev lo\n' "${network}" >> "${ROUTES_V6_FILE}"
done < "${VK_INPUT_V6_FILE}"
echo "✓ Generated: ${ROUTES_V4_FILE} (entries: $(wc -l < "${VK_INPUT_V4_FILE}" | tr -d ' '))"
echo "✓ Generated: ${ROUTES_V6_FILE} (entries: $(wc -l < "${VK_INPUT_V6_FILE}" | tr -d ' '))"
echo ""
echo "Examples:"
echo " sudo sh ${ROUTES_V4_FILE}"
echo " sudo sh ${ROUTES_V6_FILE}"
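
Review bot: Both `while IFS= read -r network` loops write `${network}` straight into a file that the generated header tells users to run with `sudo sh`, and the value is simply the first field of whichever line in auto/*.txt matched the name pattern. A first field that is not a plain prefix would be interpreted by the shell as root on every machine that applies the file. Validate each entry before the printf, for example by rejecting anything outside the CIDR character set (`case "${network}" in *[!0-9a-fA-F:./]*) continue;; esac`) or by parsing it with Python's ipaddress as the nft generator does, and fail the run when a line is rejected.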

@@ -11,6 +11,8 @@ black_names="uvd|umvd|fgup|grchc|roskomnad|federalnaya sluzhba|ufsb|zonatelecom|
# M100 - mail.ru
white_names="ruvds"
mkdir -p blacklists auto
grep -iE "${black_names}" auto/all-ru-asn.txt | grep -viE "${white_names}" | awk '{ print "# AS-Name: " $0 "\n" $1}' > ${auto_black_ass}
./network_list_from_as.py ${auto_black_ass} > ${outfile_w_comments}
./network_list_from_netname.py lists/ru-gov-netnames.txt >> ${outfile_w_comments}
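
Review bot: `mkdir -p blacklists auto` lets the redirects succeed on a fresh checkout, but the next line still greps auto/all-ru-asn.txt, which will not exist there; unless pipefail is set the pipeline's status comes from awk, so ${auto_black_ass} is written empty and the script carries on. Test for the input first (`[ -s auto/all-ru-asn.txt ] || exit 1`). The redirect targets ${auto_black_ass} and ${outfile_w_comments} are also unquoted.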

@@ -12,6 +12,27 @@ import re
from ipaddress import ip_address, ip_network, AddressValueError
from pathlib import Path
def iter_set_blocks(content):
current_name = None
current_lines = []
brace_depth = 0
for line in content.splitlines():
if current_name is None:
match = re.match(r"\s*set\s+([A-Za-z0-9_]+)\s*\{", line)
if match:
current_name = match.group(1)
current_lines = [line]
brace_depth = line.count("{") - line.count("}")
continue
current_lines.append(line)
brace_depth += line.count("{") - line.count("}")
if brace_depth == 0:
yield current_name, "\n".join(current_lines)
current_name = None
current_lines = []
def parse_nft_config(config_path):
"""Extract IPv4 and IPv6 prefixes from nftables config."""
p = Path(config_path)
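
Review bot: iter_set_blocks only tests `brace_depth == 0` after appending a later line, so a set whose braces balance on its opening line (`set x { type ipv4_addr; }`) is not closed there: it absorbs the following lines, and if the depth then goes negative at the table's closing brace it is never yielded. A block still open at end of input is dropped silently as well. Check the depth right after the opening line, warn on an unterminated block, and add a docstring saying what the generator yields.
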
@@ -21,37 +42,20 @@ def parse_nft_config(config_path):
content = p.read_text(encoding="utf-8")
v4_prefixes = []
v6_prefixes = []
# Parse IPv4 set (blacklist_v4)
v4_match = re.search(
r'set blacklist_v4\s*\{[^}]*elements\s*=\s*\{([^}]+)\}',
content,
re.DOTALL
)
if v4_match:
elements = v4_match.group(1)
# Extract all CIDR notations
for match in re.finditer(r'(\d+\.\d+\.\d+\.\d+(?:/\d+)?)', elements):
try:
v4_prefixes.append(ip_network(match.group(1), strict=False))
except Exception as e:
print(f"Warning: Could not parse IPv4 prefix '{match.group(1)}': {e}", file=sys.stderr)
# Parse IPv6 set (blacklist_v6)
v6_match = re.search(
r'set blacklist_v6\s*\{[^}]*elements\s*=\s*\{([^}]+)\}',
content,
re.DOTALL
)
if v6_match:
elements = v6_match.group(1)
# Extract all IPv6 CIDR notations
for match in re.finditer(r'([0-9a-fA-F:]+(?:/\d+)?)', elements):
try:
v6_prefixes.append(ip_network(match.group(1), strict=False))
except Exception as e:
# Skip false matches from comments or other text
pass
for _, block in iter_set_blocks(content):
if "type ipv4_addr" in block:
for match in re.finditer(r"(\d+\.\d+\.\d+\.\d+(?:/\d+)?)", block):
try:
v4_prefixes.append(ip_network(match.group(1), strict=False))
except Exception as e:
print(f"Warning: Could not parse IPv4 prefix '{match.group(1)}': {e}", file=sys.stderr)
elif "type ipv6_addr" in block:
for match in re.finditer(r"([0-9a-fA-F:]+(?:/\d+)?)", block):
try:
v6_prefixes.append(ip_network(match.group(1), strict=False))
except Exception:
pass
return v4_prefixes, v6_prefixes
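
Review bot: The address family is now chosen by a substring test (`"type ipv6_addr" in block`) and the regexes run over the whole set block instead of the `elements = { ... }` body, so for IPv6 the pattern `[0-9a-fA-F:]+` also hits fragments of keywords and of the set name, and the bare `except Exception: pass` is what discards them. That same handler hides genuinely malformed prefixes, unlike the IPv4 branch, which prints a warning. Limit the search to the elements body and catch ValueError with a warning in both branches.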

@@ -13,7 +13,7 @@ Usage:
import sys
from ipaddress import ip_network, collapse_addresses
from pathlib import Path
from datetime import datetime
from datetime import datetime, UTC
def read_lines(path_or_dash):
if path_or_dash == "-":
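
Review bot: `from datetime import datetime, UTC` only works on Python 3.11 and later; on an older interpreter the script fails at import time, before any list is generated. `from datetime import datetime, timezone` with `datetime.now(timezone.utc)` produces the same timestamp and runs on older versions too. If 3.11 is the intended minimum, state it in the usage docstring.
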
@@ -43,55 +43,69 @@ def aggregate_prefixes(lines):
agg_v6 = list(collapse_addresses(sorted(v6, key=lambda x: (int(x.network_address), x.prefixlen))))
return agg_v4, agg_v6, invalid
def make_nft_config(agg_v4, agg_v6, comment=None):
def make_nft_config(agg_v4, agg_v6, comment=None, usage_profile="vm_input"):
if usage_profile == "vk_forward":
set_v4_name = "blacklist_vk_v4"
set_v6_name = "blacklist_vk_v6"
rule_v4 = f'sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip daddr @{set_v4_name} counter reject'
rule_v6 = f'sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip6 daddr @{set_v6_name} counter reject'
else:
set_v4_name = "blacklist_v4"
set_v6_name = "blacklist_v6"
rule_v4 = f"sudo nft add rule inet filter input ip saddr @{set_v4_name} counter reject"
rule_v6 = f"sudo nft add rule inet filter input ip6 saddr @{set_v6_name} counter reject"
lines = []
lines.append("# Autogenerated nftables blacklist")
lines.append(f"# Generated: {datetime.utcnow().isoformat()}Z")
lines.append(f"# Generated: {datetime.now(UTC).isoformat().replace('+00:00', 'Z')}")
if comment:
lines.append(f"# {comment}")
lines.append(f"# IPv4: {len(agg_v4)}, IPv6: {len(agg_v6)}")
lines.append("#")
lines.append("# Usage:")
lines.append("# sudo nft -f <this-file>")
if usage_profile == "vk_forward":
lines.append("# # VK egress blocking for VPN clients via NAT/FORWARD")
lines.append("# sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'")
lines.append(f"# {rule_v4}")
lines.append(f"# {rule_v6}")
else:
lines.append("# # VM protection from incoming blacklist sources")
lines.append("# sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'")
lines.append(f"# {rule_v4}")
lines.append(f"# {rule_v6}")
lines.append("")
lines.append("table inet filter {")
lines.append("")
# Define IPv4 blacklist set
lines.append(" set blacklist_v4 {")
lines.append(f" set {set_v4_name} {{")
lines.append(" type ipv4_addr")
lines.append(" flags interval")
if agg_v4:
lines.append(" elements = {")
for i, net in enumerate(agg_v4):
comma = "," if i < len(agg_v4) - 1 else ""
lines.append(f" {net.with_prefixlen}{comma}")
rendered_net = net.with_prefixlen if hasattr(net, "with_prefixlen") else str(net)
lines.append(f" {rendered_net}{comma}")
lines.append(" }")
lines.append(" }")
lines.append("")
# Define IPv6 blacklist set
lines.append(" set blacklist_v6 {")
lines.append(f" set {set_v6_name} {{")
lines.append(" type ipv6_addr")
lines.append(" flags interval")
if agg_v6:
lines.append(" elements = {")
for i, net in enumerate(agg_v6):
comma = "," if i < len(agg_v6) - 1 else ""
lines.append(f" {net.with_prefixlen}{comma}")
rendered_net = net.with_prefixlen if hasattr(net, "with_prefixlen") else str(net)
lines.append(f" {rendered_net}{comma}")
lines.append(" }")
lines.append(" }")
lines.append("")
# Define input chain with set lookups
lines.append(" chain input {")
lines.append(" type filter hook input priority 0;")
lines.append(" policy accept;")
lines.append("")
lines.append(" ct state { established, related } accept")
lines.append("")
if agg_v4:
lines.append(" ip saddr @blacklist_v4 counter drop")
if agg_v6:
lines.append(" ip6 saddr @blacklist_v6 counter drop")
lines.append(" }")
lines.append("}")
return "\n".join(lines)
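Review bot: the `rendered_net = net.with_prefixlen if hasattr(net, "with_prefixlen") else str(net)` fallback writes any non-network value verbatim into the `elements = { ... }` body of a file that is meant to be loaded with `sudo nft -f`, so a stray string reaches the ruleset unvalidated. Suggest normalising each entry with `ip_network(net, strict=False)` at the top of `make_nft_config` and letting a bad value raise. Also worth stating in the generated header comment: the file now defines only the sets, so loading it blocks nothing until the commented `nft add rule` lines are applied, and those use `reject` where the chain lines in this hunk used `drop`.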
@@ -119,7 +133,8 @@ def main(argv):
if not any(line.strip() and not line.strip().startswith("#") for line in lines):
print("WARNING: input contains no prefixes (empty or only comments). Nothing to aggregate.")
nft_conf = make_nft_config([], [], comment="Empty input produced no prefixes")
profile = "vk_forward" if "vk" in Path(infile).name.lower() else "vm_input"
nft_conf = make_nft_config([], [], comment="Empty input produced no prefixes", usage_profile=profile)
write_output(outfile, nft_conf)
return 0
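Review bot: `profile = "vk_forward" if "vk" in Path(infile).name.lower() else "vm_input"` picks the firewall direction from a substring of the input filename, so any unrelated file with `vk` in its name silently gets the forward/`daddr` profile, and input read from `-` can never select it. Suggest an explicit command-line option for the profile (keeping the filename check as a default at most) and computing it once in a helper rather than repeating the expression in both branches of `main`.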
@@ -137,7 +152,8 @@ def main(argv):
for n in agg_v6:
print(" v6:", n)
nft_conf = make_nft_config(agg_v4, agg_v6, comment=f"Source: {infile}")
profile = "vk_forward" if "vk" in Path(infile).name.lower() else "vm_input"
nft_conf = make_nft_config(agg_v4, agg_v6, comment=f"Source: {infile}", usage_profile=profile)
try:
write_output(outfile, nft_conf)
except Exception as e:
@@ -146,9 +162,12 @@ def main(argv):
print("Done.")
print("Load with: sudo nft -f <output.conf>")
print("View counters: sudo nft list chain inet filter input -a")
print("View sets: sudo nft list set inet filter blacklist_v4")
print(" sudo nft list set inet filter blacklist_v6")
if profile == "vk_forward":
print("View sets: sudo nft list set inet filter blacklist_vk_v4")
print(" sudo nft list set inet filter blacklist_vk_v6")
else:
print("View sets: sudo nft list set inet filter blacklist_v4")
print(" sudo nft list set inet filter blacklist_v6")
return 0
if __name__ == "__main__":
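Review bot: the `View counters: sudo nft list chain inet filter input -a` hint is printed for both profiles, but under `vk_forward` the suggested rules live in the `forward` chain, so the hint points at the wrong chain. Move it inside the `if profile == "vk_forward":` / `else:` split added here and print `forward` for the VK profile.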

View File

@@ -1,60 +1,94 @@
#!/usr/bin/env python3
import requests
import argparse
import re
from cymruwhois import Client
import sys
import requests
from pylib.whois import whois_query
ASN_RE = re.compile(r"\bAS\d+\b", re.IGNORECASE)
def get_as_prefixes(asn):
url = f"https://stat.ripe.net/data/announced-prefixes/data.json?resource={asn}"
response = requests.get(url)
if response.status_code == 200:
data = response.json()
prefixes = data['data']['prefixes']
return [prefix['prefix'] for prefix in prefixes]
else:
return []
response = requests.get(url, timeout=30)
response.raise_for_status()
data = response.json()
prefixes = data["data"]["prefixes"]
return [prefix["prefix"] for prefix in prefixes]
def convert_to_raw_github_url(url):
return url.replace("https://github.com/", "https://raw.githubusercontent.com/").replace("/blob", "")
def print_prefixes(asn):
line = re.sub(r'[^AS0-9]', '', asn)
if not args.quiet:
print(f"# Networks announced by {line}")
response = whois_query(line, "as-name", True)
def normalize_asn(value):
match = ASN_RE.search(value)
if match:
return match.group(0).upper()
return None
def print_prefixes(asn, quiet=False):
normalized_asn = normalize_asn(asn)
if normalized_asn is None:
return
if not quiet:
print(f"# Networks announced by {normalized_asn}")
response = whois_query(normalized_asn, "as-name", True)
if response is not None:
info = response.strip()
print(f"# AS-Name (ORG): {info}")
prefixes = get_as_prefixes(line)
prefixes = get_as_prefixes(normalized_asn)
for prefix in prefixes:
print(prefix)
def extract_asses(asn_filename_or_url):
if asn_filename_or_url.startswith('AS'):
print_prefixes(asn_filename_or_url)
def extract_asses(asn_filename_or_url, quiet=False):
if normalize_asn(asn_filename_or_url) and not asn_filename_or_url.startswith(("http://", "https://")):
print_prefixes(asn_filename_or_url, quiet=quiet)
return None
if asn_filename_or_url.startswith('http://') or asn_filename_or_url.startswith('https://'):
if 'github.com' in asn_filename_or_url:
if asn_filename_or_url.startswith("http://") or asn_filename_or_url.startswith("https://"):
if "github.com" in asn_filename_or_url:
asn_filename_or_url = convert_to_raw_github_url(asn_filename_or_url)
response = requests.get(asn_filename_or_url)
lines = response.text.split('\n')
response = requests.get(asn_filename_or_url, timeout=30)
response.raise_for_status()
lines = response.text.splitlines()
else:
with open(asn_filename_or_url, 'r') as file:
with open(asn_filename_or_url, "r", encoding="utf-8") as file:
lines = file.readlines()
for line in lines:
if re.match(r'^AS.*', line):
print_prefixes(line)
normalized_asn = normalize_asn(line)
if normalized_asn:
print_prefixes(normalized_asn, quiet=quiet)
return None
parser = argparse.ArgumentParser(description='./as_network_list.py -q AS61280')
parser.add_argument('asn_filename_or_url', help='The AS number to get networks / The file or URL to extract AS numbers from.')
parser.add_argument('-q', '--quiet', action='store_true', help='Disable all output except prefixes.')
args = parser.parse_args()
extract_asses(args.asn_filename_or_url)
def build_parser():
parser = argparse.ArgumentParser(description="./network_list_from_as.py -q AS61280")
parser.add_argument("asn_filename_or_url", help="The AS number to get networks / The file or URL to extract AS numbers from.")
parser.add_argument("-q", "--quiet", action="store_true", help="Disable all output except prefixes.")
return parser
def main(argv=None):
parser = build_parser()
args = parser.parse_args(argv)
try:
extract_asses(args.asn_filename_or_url, quiet=args.quiet)
except requests.RequestException as exc:
print(f"ERROR: failed to fetch ASN data: {exc}", file=sys.stderr)
return 1
except OSError as exc:
print(f"ERROR: failed to read input: {exc}", file=sys.stderr)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())
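Review bot: `normalize_asn` uses `ASN_RE.search`, so `extract_asses` now treats any argument containing an `AS<digits>` token as an ASN, and a local file named like `AS61280.txt` is never opened; in the per-line loop it also picks up an ASN mentioned mid-line, for example in a comment, and only the first one on a line. Suggest `fullmatch` on the stripped command-line argument and an anchored match (after skipping `#` lines) for file and URL content, so the set of ASNs that ends up in a blocklist is exactly what the list file declares.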

View File

@@ -1,41 +1,72 @@
#!/usr/bin/env python3
import argparse
import requests
import re
from pylib.whois import whois_query
from pylib.ip import convert_to_cidr
import sys
import requests
from pylib.ip import convert_to_cidr
from pylib.whois import whois_query
def convert_to_raw_github_url(url):
return url.replace("https://github.com/", "https://raw.githubusercontent.com/").replace("/blob", "")
def extract_netname(filename_or_url):
if filename_or_url.startswith('http://') or filename_or_url.startswith('https://'):
if 'github.com' in filename_or_url:
def iter_netnames(lines):
for line in lines:
stripped = line.strip()
if not stripped or stripped.startswith("#"):
continue
if re.match(r"^netname:", stripped, re.IGNORECASE):
yield stripped.split(":", 1)[1].strip()
else:
yield stripped
def extract_netname(filename_or_url, quiet=False):
if filename_or_url.startswith("http://") or filename_or_url.startswith("https://"):
if "github.com" in filename_or_url:
filename_or_url = convert_to_raw_github_url(filename_or_url)
response = requests.get(filename_or_url)
lines = response.text.split('\n')
response = requests.get(filename_or_url, timeout=30)
response.raise_for_status()
lines = response.text.splitlines()
else:
with open(filename_or_url, 'r') as file:
with open(filename_or_url, "r", encoding="utf-8") as file:
lines = file.readlines()
for line in lines:
if re.match(r'^netname:', line):
netname = line.split(':')[1].strip()
response = whois_query(netname, "inetnum")
if response is not None and len(response) > 0:
if not args.quiet:
print(f"# Network name: {netname}")
for cidr in response:
net = convert_to_cidr(cidr)
net = net[0]
print(net)
for netname in iter_netnames(lines):
response = whois_query(netname, "inetnum")
if response is not None and len(response) > 0:
if not quiet:
print(f"# Network name: {netname}")
for cidr in response:
for network in convert_to_cidr(cidr):
print(network)
return None
parser = argparse.ArgumentParser(description='Extract netname from file.')
parser.add_argument('filename_or_url', help='The file or URL to extract netnames from.')
parser.add_argument('-q', '--quiet', action='store_true', help='Disable all output except prefixes.')
args = parser.parse_args()
extract_netname(args.filename_or_url)
def build_parser():
parser = argparse.ArgumentParser(description="Extract netname from file.")
parser.add_argument("filename_or_url", help="The file or URL to extract netnames from.")
parser.add_argument("-q", "--quiet", action="store_true", help="Disable all output except prefixes.")
return parser
def main(argv=None):
parser = build_parser()
args = parser.parse_args(argv)
try:
extract_netname(args.filename_or_url, quiet=args.quiet)
except requests.RequestException as exc:
print(f"ERROR: failed to fetch netname data: {exc}", file=sys.stderr)
return 1
except OSError as exc:
print(f"ERROR: failed to read input: {exc}", file=sys.stderr)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())
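Review bot: the `else: yield stripped` branch in `iter_netnames` turns every non-empty, non-comment line into a netname, so an input that carries other attributes beside `netname:` sends each of those lines to `whois_query` and can print unrelated networks. Suggest yielding bare lines only when they contain no `:` (or match a netname pattern of letters, digits, `-` and `_`) and skipping the rest.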

View File

@@ -1,62 +1,84 @@
#!/usr/bin/env python3
import argparse
import re
import json
from pylib.ip import convert_to_cidr
import sys
from pylib.ip import convert_to_cidr
country = "RU"
def normalize_record(record):
if not record:
return None
if record.get("country") != country:
return None
normalized = dict(record)
normalized["inetnum"] = convert_to_cidr(record["inetnum"])
return normalized
def parse(filename, output_text, output_json):
cList = []
c_list = []
record = {}
with open(filename, 'r', encoding='latin-1') as f:
with open(filename, "r", encoding="latin-1") as f:
lines = f.readlines()
f.close()
for line in lines:
if re.match(r'^inetnum:', line):
if record:
record['inetnum'] = convert_to_cidr(record['inetnum'])
if record['country'] == country:
# print(record)
cList.append(record)
if line.startswith("inetnum:"):
normalized = normalize_record(record)
if normalized is not None:
c_list.append(normalized)
record = {}
record['inetnum'] = line.split('inetnum:', 1)[1].strip()
record['descr'] = ''
record['netname'] = ''
record['country'] = ''
record['org'] = ''
if re.match(r'^netname:', line):
record['netname'] = line.split('netname:', 1)[1].strip()
if re.match(r'^descr:', line):
record['descr'] = str(record['descr'].strip() + ' ' + line.split('descr:', 1)[1].strip()).strip()
if re.match(r'^mnt-by:', line):
record['netname'] = str(record['netname'].strip() + ' ' + line.split('mnt-by:', 1)[1].strip()).strip()
if re.match(r'^country:', line):
record['country'] = line.split('country:', 1)[1].strip()
if re.match(r'^org:', line):
record['org'] = line.split('org:', 1)[1].strip()
if record:
cList.append(record)
record["inetnum"] = line.split("inetnum:", 1)[1].strip()
record["descr"] = ""
record["netname"] = ""
record["country"] = ""
record["org"] = ""
if line.startswith("netname:"):
record["netname"] = line.split("netname:", 1)[1].strip()
if line.startswith("descr:"):
record["descr"] = str(record["descr"].strip() + " " + line.split("descr:", 1)[1].strip()).strip()
if line.startswith("mnt-by:"):
record["netname"] = str(record["netname"].strip() + " " + line.split("mnt-by:", 1)[1].strip()).strip()
if line.startswith("country:"):
record["country"] = line.split("country:", 1)[1].strip()
if line.startswith("org:"):
record["org"] = line.split("org:", 1)[1].strip()
with open(output_json, 'w') as f:
json.dump(cList, f, indent=4)
f.close()
normalized = normalize_record(record)
if normalized is not None:
c_list.append(normalized)
with open(output_text, 'w') as f:
for record in cList:
for net in record['inetnum']:
f.write(net + ' ' + record['netname'] + ' (' + record['org'] + ') [' + record['descr'] + ']\n')
f.close()
with open(output_json, "w", encoding="utf-8") as f:
json.dump(c_list, f, indent=4)
parser = argparse.ArgumentParser(description='Parse RIPE DB for getting a list of RU networks.')
parser.add_argument('filename', help='ripe.db.inetnum file to parse.')
parser.add_argument('output_text', help='write text db to...')
parser.add_argument('output_json', help='write json do to...')
args = parser.parse_args()
with open(output_text, "w", encoding="utf-8") as f:
for item in c_list:
for net in item["inetnum"]:
f.write(net + " " + item["netname"] + " (" + item["org"] + ") [" + item["descr"] + "]\n")
if not (args.filename):
parser.print_help()
exit()
parse(args.filename, args.output_text, args.output_json)
def build_parser():
parser = argparse.ArgumentParser(description="Parse RIPE DB for getting a list of RU networks.")
parser.add_argument("filename", help="ripe.db.inetnum file to parse.")
parser.add_argument("output_text", help="write text db to...")
parser.add_argument("output_json", help="write json db to...")
return parser
def main(argv=None):
parser = build_parser()
args = parser.parse_args(argv)
try:
parse(args.filename, args.output_text, args.output_json)
except OSError as exc:
print(f"ERROR: {exc}", file=sys.stderr)
return 1
return 0
if __name__ == "__main__":
sys.exit(main())
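Review bot: `main` catches only `OSError`, while `normalize_record` calls `convert_to_cidr(record["inetnum"])` with no guard, so if that helper raises on a malformed range a single bad record aborts the run with a traceback before either output file is written. Suggest catching the conversion error per record, reporting the offending `inetnum` on stderr and continuing. Separately, `lines = f.readlines()` holds the whole dump in memory; iterating `for line in f:` gives the same result.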

View File

@@ -0,0 +1,26 @@
import tempfile
import unittest
from pathlib import Path
from check_nft_blacklist import check_ip_in_blacklist, parse_nft_config
from generate_nft_blacklist import make_nft_config
class CheckNftBlacklistTests(unittest.TestCase):
def test_vk_sets_are_parsed(self):
config = make_nft_config(["87.240.128.0/18"], [], usage_profile="vk_forward")
with tempfile.TemporaryDirectory() as tmpdir:
config_path = Path(tmpdir) / "blacklist-vk-v4.nft"
config_path.write_text(config, encoding="utf-8")
v4_prefixes, v6_prefixes = parse_nft_config(config_path)
blocked, prefix = check_ip_in_blacklist("87.240.128.1", v4_prefixes, v6_prefixes)
self.assertEqual(len(v4_prefixes), 1)
self.assertTrue(blocked)
self.assertEqual(str(prefix), "87.240.128.0/18")
if __name__ == "__main__":
unittest.main()
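Review bot: `test_vk_sets_are_parsed` covers only an IPv4 hit, leaving the IPv6 branch of `parse_nft_config` and the not-blocked result of `check_ip_in_blacklist` untested. Suggest adding a `2001:db8::/32` set with an address inside it, an address outside both sets asserting `blocked` is false, and passing `ip_network(...)` objects to `make_nft_config`, since the test currently hands it a bare string.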

View File

@@ -0,0 +1,25 @@
import unittest
from generate_nft_blacklist import make_nft_config
class GenerateNftBlacklistTests(unittest.TestCase):
def test_general_profile_generates_plain_sets_only(self):
config = make_nft_config(["10.0.0.0/24"], [], usage_profile="vm_input")
self.assertIn("set blacklist_v4", config)
self.assertNotIn("chain input", config)
self.assertIn("ip saddr @blacklist_v4", config)
def test_vk_profile_uses_vk_set_names_and_forward_example(self):
config = make_nft_config(["10.0.0.0/24"], ["2001:db8::/32"], usage_profile="vk_forward")
self.assertIn("set blacklist_vk_v4", config)
self.assertIn("set blacklist_vk_v6", config)
self.assertNotIn("chain forward", config)
self.assertIn("ip daddr @blacklist_vk_v4", config)
self.assertIn("ip6 daddr @blacklist_vk_v6", config)
if __name__ == "__main__":
unittest.main()
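Review bot: in `test_general_profile_generates_plain_sets_only`, `assertIn("ip saddr @blacklist_v4", config)` is satisfied by the commented usage line, and `assertNotIn("chain input", config)` passes only because that comment spells it `add chain inet filter input`; the same holds for the `chain forward` and `daddr` checks in the VK test. Suggest asserting on non-comment lines only (filter out lines starting with `#`) so the tests pin what `nft -f` would actually load.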

View File

@@ -0,0 +1,41 @@
import json
import tempfile
import unittest
from pathlib import Path
from parse_ripe_db import parse
class ParseRipeDbTests(unittest.TestCase):
def test_skips_non_ru_last_record_and_normalizes_last_ru_record(self):
sample = """\
inetnum: 10.0.0.0 - 10.0.0.255
netname: TEST1
country: RU
org: ORG-1
descr: desc1
inetnum: 20.0.0.0 - 20.0.0.255
netname: TEST2
country: US
org: ORG-2
"""
with tempfile.TemporaryDirectory() as tmpdir:
source = Path(tmpdir) / "ripe.db.inetnum"
output_text = Path(tmpdir) / "out.txt"
output_json = Path(tmpdir) / "out.json"
source.write_text(sample, encoding="latin-1")
parse(str(source), str(output_text), str(output_json))
payload = json.loads(output_json.read_text(encoding="utf-8"))
self.assertEqual(len(payload), 1)
self.assertEqual(payload[0]["inetnum"], ["10.0.0.0/24"])
self.assertEqual(payload[0]["country"], "RU")
text_lines = output_text.read_text(encoding="utf-8").splitlines()
self.assertEqual(text_lines, ["10.0.0.0/24 TEST1 (ORG-1) [desc1]"])
if __name__ == "__main__":
unittest.main()
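Review bot: the test name promises the last-RU-record case, but in `sample` the RU record comes first and the final record is US, so the post-loop `normalize_record(record)` path is exercised only for the skip case. Suggest a second sample whose last record is `country: RU` and asserting it appears in `payload` with `inetnum` converted to CIDR.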