verybadsoldier / docker-firehol-update-ipsets

Docker image to download and update most recent FireHOL IP list

Home Page: https://hub.docker.com/r/devrt/firehol-update-ipsets/

Background

FireHOL's update-ipsets is a great script for downloading and keeping current the most recent IP lists of internet attackers.

http://iplists.firehol.org/

This Docker image runs update-ipsets periodically and applies the resulting ipsets to the host it runs on.

Usage

First, let's download and start a firehol-update-ipsets container. Entering the following commands creates a permanent, periodically running update process.

$ docker volume create firehol-update-ipsets
$ docker run --name firehol-update-ipsets -it -d --restart=always --cap-add=NET_ADMIN --net=host -v firehol-update-ipsets:/etc/firehol/ipsets devrt/firehol-update-ipsets

Then, let's enable the ipsets. For example, we enable protection with the firehol_level2 and tor_exits IP lists.

$ docker exec firehol-update-ipsets enable firehol_level2
$ docker exec firehol-update-ipsets enable tor_exits

The commands above apply the ipset to iptables automatically, so be careful when enabling an ipset that contains private IP ranges (e.g. firehol_level1): enabling such an ipset will lock you out of the server. You can find the IP lists that contain private ranges at the following URL:

http://iplists.firehol.org/?ipset=iblocklist_iana_private
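Added example (not part of this project's image or of the FireHOL scripts): a POSIX shell check that flags entries of a downloaded list file overlapping private, loopback or link-local ranges before you run `enable`. The list file path and the PRIVATE_RANGES set are assumptions; extend the set with the public block your own address sits in.

```shell
#!/bin/sh
# Added example: scan a FireHOL .netset/.ipset file for entries that overlap
# private or loopback ranges before enabling it, to avoid the lockout above.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length of an entry; a bare address counts as a /32.
prefix_len() { case $1 in */*) echo "${1#*/}" ;; *) echo 32 ;; esac; }

# Return 0 (true) if two IPv4 blocks share at least one address. Blocks
# overlap exactly when one contains the other, so compare under the
# shorter of the two prefixes.
cidr_overlap() {
  a_net=$(ip_to_int "${1%/*}"); a_len=$(prefix_len "$1")
  b_net=$(ip_to_int "${2%/*}"); b_len=$(prefix_len "$2")
  if [ "$a_len" -le "$b_len" ]; then len=$a_len; else len=$b_len; fi
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( a_net & mask )) -eq $(( b_net & mask )) ]
}

# Ranges a remotely administered host must keep reachable (RFC 1918,
# loopback, link-local). Assumed set: add the block your public address is in.
PRIVATE_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16"

# Print each entry of the list file that overlaps PRIVATE_RANGES and return
# 1 if any did (unsafe to enable), 0 otherwise. FireHOL list files hold one
# IP or CIDR per line; lines starting with '#' are comments.
check_ipset_file() {
  found=0
  while IFS= read -r entry; do
    case $entry in ''|'#'*) continue ;; esac
    for range in $PRIVATE_RANGES; do
      if cidr_overlap "$entry" "$range"; then
        echo "$entry overlaps $range"; found=1; break
      fi
    done
  done < "$1"
  return $found
}

# Constructed sample in FireHOL list format (not a real downloaded list).
sample=$(mktemp)
printf '# sample\n203.0.113.0/24\n192.168.1.0/24\n198.51.100.7\n' > "$sample"
if check_ipset_file "$sample"; then echo "safe to enable"; else echo "do not enable"; fi
rm -f "$sample"
```

Point `check_ipset_file` at a file in the container's volume (e.g. under ./data in the compose example) and enable the list only when it exits 0.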

Let's check that the ipset was applied to the kernel correctly.

$ sudo ipset list -t
$ sudo iptables-save

From now on, the ipset is updated periodically to the most recent version by the update-ipsets script. You can confirm the updates with the following command.

$ docker logs firehol-update-ipsets

Note: The container does not run as the root user. A dedicated non-root user with UID 6721 is built into the image. It is not possible to change this to a different user, because doing so would break the file permissions.

Example docker-compose.yml:

version: '3'
services:
  firehol-update-ipsets:
    container_name: firehol-update-ipsets
    image: "ghcr.io/verybadsoldier/docker-firehol-update-ipsets:1.3.0"
    environment:
      - IPTABLES_CMD=iptables
      - SKIP_LISTS=fullbogons greensnow
      - FIREHOL_LISTS_INIT=firehol_level1 firehol_level2 firehol_level3 blocklist_de blocklist_net_ua botscout_30d blocklist_de bruteforceblocker
    volumes:
      - ./data:/etc/firehol/ipsets
    network_mode: host
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN
      - NET_RAW
    restart: always

Make sure the data folder is readable and writable by UID 6721.

Written by

Yosuke Matsusaka yosuke.matsusaka@gmail.com

tweaks by vbs vbs@springrts.de

Distributed under MIT license.
