
iptables/ipset blacklists

Short: ready-to-use ipset files for iptables/ip6tables (general and VK-only, separated by IPv4/IPv6).

How to use

1) Protect VM from incoming connections (general blacklists)

Load IPv4 and IPv6 sets:

ipset restore < blacklist-v4.ipset
ipset restore < blacklist-v6.ipset

Apply inbound rules to traffic connecting to the VM and forwarded through the host:

iptables -I INPUT -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
iptables -I FORWARD -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
ip6tables -I INPUT -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP
ip6tables -I FORWARD -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP

2) Block VK outbound traffic

Load VK IPv4 and IPv6 sets:

ipset restore < blacklist-vk-v4.ipset
ipset restore < blacklist-vk-v6.ipset

Apply OUTPUT rules for traffic originating on this host:

iptables -I OUTPUT -m set --match-set blacklist-vk-v4 dst -j REJECT
ip6tables -I OUTPUT -m set --match-set blacklist-vk-v6 dst -j REJECT

If you also need to block forwarded VPN-client traffic via NAT, add FORWARD rules (replace <VPN_IFACE>):

iptables -I FORWARD -i <VPN_IFACE> -m set --match-set blacklist-vk-v4 dst -j REJECT
ip6tables -I FORWARD -i <VPN_IFACE> -m set --match-set blacklist-vk-v6 dst -j REJECT