In this thread, we will use a very simple Python script to write discard routes for Junos. You can create a "set config" and load that into your Junos device.
The GeoIP source used in this example comes from ipdeny, which keeps an up-to-date list. You can also use other geodata, such as https://www.ip2location.com/free/visitor-blocker, and select the country and the CIDR output format in your request.
I like ipdeny since the data is clear and simply formatted. Just make sure to change the two-letter country code to the country that you want.
https://www.ipdeny.com/ipblocks/data/countries/ch.zone
They are working on a firewall configuration tool that I hope will be ready soon.
Just set the two-letter country code in your request when pulling down the CIDR blocks.
Next, just call the Python script, which reads the text file back in and generates the Junos set commands.
# file.txt would be the name of the prefix list in CIDR format (the downloaded zone file, one prefix per line)
#!/usr/bin/python
#
# junos discard route creator version1.0
# socpuppets
#
# set the two letter country code to whatever country of interest
#
# ch=china in this example
#
# https://www.ipdeny.com/ipblocks/data/countries/ch.zone
with open("file.txt") as f:
    next(f)  # skip the first (header) line; remove this if your file starts with a prefix
    for prefix in f:
        prefix = prefix.strip()
        if not prefix:
            continue  # ignore blank lines
        # %-formatting works the same under Python 2 and Python 3
        print("set routing-options static route %s discard" % prefix)
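The following is an added, more defensive version of the same idea, written for this page and not part of the original script or of ipdeny. It validates every line with the standard ipaddress module so a truncated or HTML-error download cannot turn into a bad route, drops duplicates and comments, counts the rejected lines so the caller can refuse to load a partial list, and can emit the matching delete commands for rollback. The SAMPLE_ZONE text, the function names and the --delete flag are all constructed for the example.

```python
#!/usr/bin/env python3
"""Turn an ipdeny-style country zone file into Junos set (or delete) commands.

Added example, not the blog post's script: every line is checked as a strict
IPv4 CIDR network before a route is generated for it.
"""
import ipaddress
import sys

# Constructed sample of a zone file: one CIDR per line, plus the kinds of junk
# a bad download can contain (comment, blank line, duplicate, bare host address,
# and a stray HTML line). These prefixes are illustrative only.
SAMPLE_ZONE = """\
# constructed sample, not a real country list
1.0.8.0/21
1.0.32.0/19

1.1.0.0/24
1.1.0.0/24
203.0.113.5
<html>
1.1.2.0/23
"""


def parse_zone(text):
    """Return (networks, bad_line_count).

    networks: valid, de-duplicated IPv4Network objects in order of first appearance.
    Blank lines and '#' comments are ignored silently; anything that is not a
    strict CIDR network (no '/', host bits set, HTML, ...) is reported on stderr,
    counted, and skipped so the caller can decide whether to trust the output.
    """
    seen = set()
    nets = []
    bad = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ipaddress would silently accept a bare address as a /32; a zone file
        # should only ever contain prefixes, so insist on an explicit mask.
        if "/" not in line:
            print("line %d: skipping non-CIDR entry %r" % (lineno, line), file=sys.stderr)
            bad += 1
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=True)  # strict: no host bits set
        except ValueError:
            print("line %d: skipping invalid prefix %r" % (lineno, line), file=sys.stderr)
            bad += 1
            continue
        if net in seen:
            continue  # duplicate route; Junos would accept it, but keep the output clean
        seen.add(net)
        nets.append(net)
    return nets, bad


def set_commands(nets, action="set"):
    """Render one Junos command per network; 'set' installs, 'delete' rolls back."""
    if action not in ("set", "delete"):
        raise ValueError("action must be 'set' or 'delete'")
    return ["%s routing-options static route %s discard" % (action, net) for net in nets]


def main(argv):
    # usage: zone2junos.py [--delete] [zone-file]; with no file the sample is used
    action = "delete" if "--delete" in argv[1:] else "set"
    paths = [a for a in argv[1:] if not a.startswith("--")]
    text = open(paths[0]).read() if paths else SAMPLE_ZONE
    nets, bad = parse_zone(text)
    for cmd in set_commands(nets, action):
        print(cmd)
    # Non-zero exit lets a wrapper script refuse to scp/load an incomplete list.
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it against the sample prints four set commands and reports the bare address and the HTML line on stderr. One design note on what these routes actually do: a discard route drops packets destined to those prefixes, so TCP sessions initiated from them cannot complete because the return traffic never leaves the router, but nothing is matched on the source address; packets that need no reply (for example UDP floods) still arrive. If source-based blocking is the goal, the same parsed prefixes belong in a prefix-list referenced by a firewall filter instead.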
This produces discard routes in the following form:
set routing-options static route 1.0.8.0/21 discard
set routing-options static route 1.0.32.0/19 discard
set routing-options static route 1.1.0.0/24 discard
set routing-options static route 1.1.2.0/23 discard
set routing-options static route 1.1.4.0/22 discard
set routing-options static route 1.1.8.0/24 discard
set routing-options static route 1.1.9.0/24 discard
set routing-options static route 1.1.10.0/23 discard
set routing-options static route 1.1.12.0/22 discard
set routing-options static route 1.1.16.0/20 discard
set routing-options static route 1.1.32.0/19 discard
set routing-options static route 1.2.0.0/23 discard
set routing-options static route 1.2.2.0/24 discard
set routing-options static route 1.2.4.0/24 discard
set routing-options static route 1.2.5.0/24 discard
Just save the above text into a file, then load that into the Juniper device and commit the changes.
./china_blocks.py > junos_china_netblocks.set-format
scp ./junos_china_netblocks.set-format kfelix@juniper.example.com:
Then log in, load the set file, check it, and commit the changes on the Juniper device:
ssh kfelix@juniper.example.com
configure
load set junos_china_netblocks.set-format
commit check
commit and-quit
I hope this demo will show you a quick means for blocking addresses from a particular country. Great if you need to quickly block a country due to unwarranted activities.
Ken Felix, NSE (network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \