Whitelisting IP address

[drzraf]

In the hope to finally close #16, #38 and #69

[PaulGuijt]

When e.g. blocklist.de has blacklisted an IP, it is not a good idea to disregard that locally.
If it is falsely blacklisted, that blacklisting should be corrected at blocklist.

[drzraf]

Use-case: Some of the servers expect incoming SQL connexions from OVH, other do a file_get_contents(), ... Non-dedicated OVH machines may very well be used by spammers and get blacklisted. Still I want my service to work. My whitelist is already set in ufw/iptables. But since ipset-blacklist/ipset usually comes *BEFORE* in the rule set, I need these IP to be whitelisted in ipset-blacklist too (as are 127.0.0.1, ...) OVH has already been blacklist by several blacklists many times, I sometimes even requested the unban myself with CC: to OVH. But each time my service may stop running many hours and the only solution is either a manual unban or disabling ipset which a worst than whitelisting. IMHO, whitelisting is a must-have and only affect users who chose to use it.

[trick77]

@drzraf I get the need for whitelisting but your proposal won't work in most cases. For example if your public IP address you want to whitelist is 1.2.3.4 and a blacklist submits 1.2.2.0/23, your IP address will still be blacklisted. This can't be regex matched. We would have to calculate CIDR ranges or deaggregate every IP range in order to make this work - which is a rather long and CPU intense operation.

[drzraf]

Right, CIDR make things complex but: 1) whitelisting for simple case could already work and be useful right now 2) For IP ranges software exists (eg: https://github.com/firehol/iprange), Python modules too. But none of them fit a bash script intended to stay simple. Thus we are restricted to either: Doing it in an imperfect way *OR* use a suitable language (python-whatever-...) providing modules IP-calc tasks *OR* increase bash script complexity *OR* not implementing it (the worst solution)

[drzraf]

Since iprange has been merge, I think whitelisting can now be reconsidered.

[nenominal]

Hi @drzraf & @trick77 .
First of all, thanks guys for this script, very handy and it makes a sysadmin life a bit easy.

I'm using it and I needed to implement a white-list and I patched the master branch using the commits of @drzraf and it works pretty well.

Unfortunately from time to time I bump in some cases that @trick77 have figured out, when I have an IP that I need to whitelist but it's a part of a blacklisted CIDR.

Do you guys figured out a way to deaggregate the IP and then rebuild the larger CIDR into small ones without the IP that we want to whitelist?

[drzraf]

The issue of expanding/collapsing CIDR is a pandora box.
There are some ways to deal with it, but I think none seem compatible with ipset-blacklist characteristics (simple, small footprint, one-file, bash-based script with few external dependencies)

[giannisantoua]

Hello. I use your script and I have the following two problems. First of all, how can I add apiv6 besides ipv4? When I go to crontab to do this process it sends me this error
line 35: ipset: command not found
line 41: ipset: command not found
Error: while creating the initial ipset

And the process is not complete. But if I go to the folder and run it manually it works fine.
Thanks very much

[drzraf]

Could it be reconsidered?