This is basically the easiest way to do it; I’ve implemented this exactly as [ciprian.craciun] has described.
Say you wanted to geoblock, using the lists at IPDeny.com:
#!/bin/bash
# Purpose: block all traffic from selected countries (ipdeny zone files, selected by ISO country code)
# The ipset "geoblock" must already exist (a VyOS network group, or: ipset create geoblock hash:net).
# Match it from iptables with:
#   /sbin/iptables -A INPUT -m set --match-set geoblock src -j DROP
set -euo pipefail

ISO="af al ao az ba bh bd by bj bo bg bf bi bw bn kh cm cv cf td cn cg ci dj dz
eg gq er et ga gm gh gn gw hr ht in jo kz ke kw la lb ls lr ly mg mw ml mr mu mn
ma mm na ne ng om qa ro rs ru rw sa sc sd sl so za lk sz sy tj tz tg tn tr tm ug ua ae uz vn ye zm zw"

# use /tmp as scratch space
WORK=/tmp/geoblock
mkdir -p "$WORK/zones"
# update the zone files; with set -e a failed download aborts here, before the live set is flushed
wget -q http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz -O "$WORK/all-zones.tgz"
# extract the all-zones file into the zones directory
tar -xzf "$WORK/all-zones.tgz" -C "$WORK/zones"
# flush the geoblock ipset
/sbin/ipset flush geoblock
# run the loop over the ISO codes, adding every prefix in each zone file to the geoblock set
for i in $ISO
do
    if [ ! -f "$WORK/zones/$i.zone" ]; then
        echo "no zone file for '$i', skipping" >&2
        continue
    fi
    while read -r net
    do
        # -exist: a duplicate prefix is not an error, so one repeated line cannot abort the load
        [ -n "$net" ] && /sbin/ipset add -exist geoblock "$net"
    done < "$WORK/zones/$i.zone"
done
# remove the zonefile directory and source tarfile
rm -rf "$WORK"
Now, this script can be run ad hoc, because it always flushes the ipset before attempting to load the new one. So, you could set up a cron job to run once daily, or however often you wanted to update. I have a couple of network groups, one for each that I want to block (Emerging Threats, VoIP, Geo, etc.). Now, if I could only easily get it to run at boot, after VyOS has configured itself…
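An added example, not part of the post above and not the poster's script: the zone files come down over plain HTTP and every line of them is passed to a root-run ipset command, so it is worth checking that each line really is an IPv4 prefix before loading, and refusing to flush the live set if the data looks wrong. The set name "geoblock" and the functions zone_to_restore and load_geoblock are assumptions for the example; the zone contents in the usage comment are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): build an "ipset restore" batch from
# ipdeny-style zone files, admitting only well-formed IPv4 prefixes.
# Assumed/hypothetical names: set "geoblock", functions zone_to_restore and load_geoblock.

# One IPv4 CIDR per line, e.g. 1.0.0.0/24
OCT='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
CIDR_RE="^$OCT(\.$OCT){3}/([0-9]|[12][0-9]|3[0-2])$"

# zone_to_restore SET FILE... : print "add SET <cidr>" for every valid line in FILE...
# Blank lines are skipped; anything else is reported on stderr and makes the function
# return 1, so the caller knows the batch is not trustworthy.
zone_to_restore() {
  set_name=$1; shift
  tmp=$(mktemp)
  cat -- "$@" | tr -d '\r' > "$tmp"      # tolerate CRLF line endings
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    if printf '%s\n' "$line" | grep -Eq "$CIDR_RE"; then
      printf 'add %s %s\n' "$set_name" "$line"
    else
      printf 'rejected: %s\n' "$line" >&2
      rc=1
    fi
  done < "$tmp"
  rm -f "$tmp"
  return $rc
}

# load_geoblock SET FILE... : leave the live set untouched if any line was rejected;
# otherwise flush and repopulate it in a single ipset restore call, so the set is
# never left empty between the flush and the adds.
load_geoblock() {
  set_name=$1; shift
  batch=$(zone_to_restore "$set_name" "$@") || {
    echo "bad zone data, set $set_name left unchanged" >&2
    return 1
  }
  { echo "flush $set_name"; printf '%s\n' "$batch"; } | /sbin/ipset restore -exist
}

# Usage, after extracting all-zones.tar.gz into /tmp/zones (paths are examples):
#   load_geoblock geoblock /tmp/zones/cn.zone /tmp/zones/ru.zone
```

Pointing the existing script at load_geoblock instead of the per-line ipset add loop also makes the reload considerably faster on large zone files, since ipset parses the whole batch in one process instead of forking once per prefix.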