doc++

blockers/linux-ipset/README.rst

 
-Code in this directory will fetch 'bad' ips from the server and block
-them on the current host/server, using kernel "ipset"s. This is for linux only.
+Code in this directory will fetch 'bad' IPs from the server and add them to ipset 'sets'. We
+use one for IPv4 and one for IPv6.
 
+The proper setup is the following
+* those sets are created, typically by init scripts at boot. How to do that depends on your distribution
+* configure iptables to USE those sets. Again, this is distribution dependant.
+* this script will fill those two sets by querying the botfreak server
+
+Creating the sets
+-----------------
 The kernel must be compiled with ipset support for hash:ip
     CONFIG_IP_SET
     CONFIG_IP_SET_HASH_IP
 
+And you need to create two sets:
+    ipset create botfreak-ipv4 hash:ip family inet maxelem 5000000
+    ipset create botfreak-ipv6 hash:ip family inet6 maxelem 5000000
+
+The botfreak blocker will check for those before doing anything else, reports, and stops if not present.
+
+Blocking traffic
+----------------
+(for those sets)
+
+iptables -A INPUT -i $EXTERNAL_INTERFACE -m set --match-set botfreak-ipv4 src -j DROP
+ip6tables -A INPUT -i $EXTERNAL_INTERFACE -m set --match-set botfreak-ipv6 src -j DROP
+
+Gentoo
+------
+Put those 4 lines in a file /etc/local.d/botfreak.start
+