Investigating IP address information / location

Asphyxia

Owner
Administrator
Apr 25, 2015
Recently, I checked the forum and noticed over 1,000 guests.


Hmm, wtf might these bots be..

Take 114.119.164.134 as an example IP from the large list. How do we find out who owns it?

I prefer ipinfo.io; simply append the IP address to the end of the URL, like https://ipinfo.io/114.119.164.134


So now we know some Asian cloud service is scanning the piss out of the forum.

Cool! Fuck you.

We could block their entire route (114.119.160.0/21) if we wanted to. Their ASN is 136907, so they could announce other IP ranges/routes as well, hmm?

Introducing ASN lookups:

Although the above link may be deprecated, replaced by:

So this new tool actually highlights some wickedly awesome ways to block this host:


Code:
object network 136907-4-SN0
subnet 159.138.76.0 255.255.255.0
object network 136907-4-SN1
subnet 159.138.16.0 255.255.252.0
object network 136907-4-SN2
subnet 159.138.48.0 255.255.240.0
object network 136907-4-SN3
subnet 159.138.208.0 255.255.248.0
object network 136907-6-SN0
subnet 2405:f080:1000::/39
object network 136907-4-SN4
subnet 103.215.3.0 255.255.255.0
object network 136907-4-SN5
subnet 159.138.182.0 255.255.254.0
object network 136907-4-SN6
subnet 159.138.160.0 255.255.240.0
object network 136907-6-SN1
subnet 2405:f080::/39
object network 136907-4-SN7
subnet 159.138.80.0 255.255.240.0
object network 136907-4-SN8
subnet 159.138.112.0 255.255.248.0
object network 136907-4-SN9
subnet 159.138.20.0 255.255.252.0
object network 136907-4-SN10
subnet 159.138.77.0 255.255.255.0
object network 136907-4-SN11
subnet 159.138.144.0 255.255.240.0
object network 136907-4-SN12
subnet 159.138.152.0 255.255.248.0
object network 136907-4-SN13
subnet 114.119.128.0 255.255.224.0
object network 136907-4-SN14
subnet 159.138.79.0 255.255.255.0
object network 136907-4-SN15
subnet 119.8.32.0 255.255.224.0
object network 136907-6-SN2
subnet 2405:f080:2000::/39
object network 136907-4-SN16
subnet 159.138.128.0 255.255.240.0
object network 136907-4-SN17
subnet 159.138.0.0 255.255.240.0
object network 136907-4-SN18
subnet 159.138.176.0 255.255.240.0
object network 136907-4-SN19
subnet 159.138.24.0 255.255.248.0
object network 136907-4-SN20
subnet 159.138.32.0 255.255.240.0
object network 136907-4-SN21
subnet 159.138.125.0 255.255.255.0
object network 136907-4-SN22
subnet 114.119.160.0 255.255.248.0
object network 136907-4-SN23
subnet 159.138.224.0 255.255.240.0
object network 136907-4-SN24
subnet 159.138.64.0 255.255.248.0
object network 136907-4-SN25
subnet 114.119.176.0 255.255.240.0
object network 136907-4-SN26
subnet 159.138.144.0 255.255.255.0
object network 136907-4-SN27
subnet 159.138.240.0 255.255.240.0
object network 136907-4-SN28
subnet 159.138.67.0 255.255.255.0
object network 136907-6-SN3
subnet 2405:f080:400::/39
object network 136907-4-SN29
subnet 159.138.192.0 255.255.240.0
object network 136907-4-SN30
subnet 119.8.0.0 255.255.248.0
object network 136907-4-SN31
subnet 159.138.96.0 255.255.240.0
object-group network 136907
network-object object 136907-4-SN0
network-object object 136907-4-SN1
network-object object 136907-4-SN2
network-object object 136907-4-SN3
network-object object 136907-6-SN0
network-object object 136907-4-SN4
network-object object 136907-4-SN5
network-object object 136907-4-SN6
network-object object 136907-6-SN1
network-object object 136907-4-SN7
network-object object 136907-4-SN8
network-object object 136907-4-SN9
network-object object 136907-4-SN10
network-object object 136907-4-SN11
network-object object 136907-4-SN12
network-object object 136907-4-SN13
network-object object 136907-4-SN14
network-object object 136907-4-SN15
network-object object 136907-6-SN2
network-object object 136907-4-SN16
network-object object 136907-4-SN17
network-object object 136907-4-SN18
network-object object 136907-4-SN19
network-object object 136907-4-SN20
network-object object 136907-4-SN21
network-object object 136907-4-SN22
network-object object 136907-4-SN23
network-object object 136907-4-SN24
network-object object 136907-4-SN25
network-object object 136907-4-SN26
network-object object 136907-4-SN27
network-object object 136907-4-SN28
network-object object 136907-6-SN3
network-object object 136907-4-SN29
network-object object 136907-4-SN30
network-object object 136907-4-SN31

Code:
IP Address,Subnet Mask,CIDR,Type
159.138.76.0,255.255.255.0,24,4
159.138.16.0,255.255.252.0,22,4
159.138.48.0,255.255.240.0,20,4
159.138.208.0,255.255.248.0,21,4
2405:f080:1000::,FALSE,39,6
103.215.3.0,255.255.255.0,24,4
159.138.182.0,255.255.254.0,23,4
159.138.160.0,255.255.240.0,20,4
2405:f080::,FALSE,39,6
159.138.80.0,255.255.240.0,20,4
159.138.112.0,255.255.248.0,21,4
159.138.20.0,255.255.252.0,22,4
159.138.77.0,255.255.255.0,24,4
159.138.144.0,255.255.240.0,20,4
159.138.152.0,255.255.248.0,21,4
114.119.128.0,255.255.224.0,19,4
159.138.79.0,255.255.255.0,24,4
119.8.32.0,255.255.224.0,19,4
2405:f080:2000::,FALSE,39,6
159.138.128.0,255.255.240.0,20,4
159.138.0.0,255.255.240.0,20,4
159.138.176.0,255.255.240.0,20,4
159.138.24.0,255.255.248.0,21,4
159.138.32.0,255.255.240.0,20,4
159.138.125.0,255.255.255.0,24,4
114.119.160.0,255.255.248.0,21,4
159.138.224.0,255.255.240.0,20,4
159.138.64.0,255.255.248.0,21,4
114.119.176.0,255.255.240.0,20,4
159.138.144.0,255.255.255.0,24,4
159.138.240.0,255.255.240.0,20,4
159.138.67.0,255.255.255.0,24,4
2405:f080:400::,FALSE,39,6
159.138.192.0,255.255.240.0,20,4
119.8.0.0,255.255.248.0,21,4
159.138.96.0,255.255.240.0,20,4

Code:
Order Deny,Allow
Deny from 159.138.76.0/24
Deny from 159.138.16.0/22
Deny from 159.138.48.0/20
Deny from 159.138.208.0/21
Deny from 2405:f080:1000::/39
Deny from 103.215.3.0/24
Deny from 159.138.182.0/23
Deny from 159.138.160.0/20
Deny from 2405:f080::/39
Deny from 159.138.80.0/20
Deny from 159.138.112.0/21
Deny from 159.138.20.0/22
Deny from 159.138.77.0/24
Deny from 159.138.144.0/20
Deny from 159.138.152.0/21
Deny from 114.119.128.0/19
Deny from 159.138.79.0/24
Deny from 119.8.32.0/19
Deny from 2405:f080:2000::/39
Deny from 159.138.128.0/20
Deny from 159.138.0.0/20
Deny from 159.138.176.0/20
Deny from 159.138.24.0/21
Deny from 159.138.32.0/20
Deny from 159.138.125.0/24
Deny from 114.119.160.0/21
Deny from 159.138.224.0/20
Deny from 159.138.64.0/21
Deny from 114.119.176.0/20
Deny from 159.138.144.0/24
Deny from 159.138.240.0/20
Deny from 159.138.67.0/24
Deny from 2405:f080:400::/39
Deny from 159.138.192.0/20
Deny from 119.8.0.0/21
Deny from 159.138.96.0/20

Code:
ip route add blackhole 159.138.76.0/24
ip route add blackhole 159.138.16.0/22
ip route add blackhole 159.138.48.0/20
ip route add blackhole 159.138.208.0/21
ip route add blackhole 2405:f080:1000::/39
ip route add blackhole 103.215.3.0/24
ip route add blackhole 159.138.182.0/23
ip route add blackhole 159.138.160.0/20
ip route add blackhole 2405:f080::/39
ip route add blackhole 159.138.80.0/20
ip route add blackhole 159.138.112.0/21
ip route add blackhole 159.138.20.0/22
ip route add blackhole 159.138.77.0/24
ip route add blackhole 159.138.144.0/20
ip route add blackhole 159.138.152.0/21
ip route add blackhole 114.119.128.0/19
ip route add blackhole 159.138.79.0/24
ip route add blackhole 119.8.32.0/19
ip route add blackhole 2405:f080:2000::/39
ip route add blackhole 159.138.128.0/20
ip route add blackhole 159.138.0.0/20
ip route add blackhole 159.138.176.0/20
ip route add blackhole 159.138.24.0/21
ip route add blackhole 159.138.32.0/20
ip route add blackhole 159.138.125.0/24
ip route add blackhole 114.119.160.0/21
ip route add blackhole 159.138.224.0/20
ip route add blackhole 159.138.64.0/21
ip route add blackhole 114.119.176.0/20
ip route add blackhole 159.138.144.0/24
ip route add blackhole 159.138.240.0/20
ip route add blackhole 159.138.67.0/24
ip route add blackhole 2405:f080:400::/39
ip route add blackhole 159.138.192.0/20
ip route add blackhole 119.8.0.0/21
ip route add blackhole 159.138.96.0/20

Code:
ip route del blackhole 159.138.76.0/24
ip route del blackhole 159.138.16.0/22
ip route del blackhole 159.138.48.0/20
ip route del blackhole 159.138.208.0/21
ip route del blackhole 2405:f080:1000::/39
ip route del blackhole 103.215.3.0/24
ip route del blackhole 159.138.182.0/23
ip route del blackhole 159.138.160.0/20
ip route del blackhole 2405:f080::/39
ip route del blackhole 159.138.80.0/20
ip route del blackhole 159.138.112.0/21
ip route del blackhole 159.138.20.0/22
ip route del blackhole 159.138.77.0/24
ip route del blackhole 159.138.144.0/20
ip route del blackhole 159.138.152.0/21
ip route del blackhole 114.119.128.0/19
ip route del blackhole 159.138.79.0/24
ip route del blackhole 119.8.32.0/19
ip route del blackhole 2405:f080:2000::/39
ip route del blackhole 159.138.128.0/20
ip route del blackhole 159.138.0.0/20
ip route del blackhole 159.138.176.0/20
ip route del blackhole 159.138.24.0/21
ip route del blackhole 159.138.32.0/20
ip route del blackhole 159.138.125.0/24
ip route del blackhole 114.119.160.0/21
ip route del blackhole 159.138.224.0/20
ip route del blackhole 159.138.64.0/21
ip route del blackhole 114.119.176.0/20
ip route del blackhole 159.138.144.0/24
ip route del blackhole 159.138.240.0/20
ip route del blackhole 159.138.67.0/24
ip route del blackhole 2405:f080:400::/39
ip route del blackhole 159.138.192.0/20
ip route del blackhole 119.8.0.0/21
ip route del blackhole 159.138.96.0/20

Code:
ipset -N 136907-4 hash:net family inet
ipset -N 136907-6 hash:net family inet6
ipset -A 136907-4 159.138.76.0/24
ipset -A 136907-4 159.138.16.0/22
ipset -A 136907-4 159.138.48.0/20
ipset -A 136907-4 159.138.208.0/21
ipset -A 136907-6 2405:f080:1000::/39
ipset -A 136907-4 103.215.3.0/24
ipset -A 136907-4 159.138.182.0/23
ipset -A 136907-4 159.138.160.0/20
ipset -A 136907-6 2405:f080::/39
ipset -A 136907-4 159.138.80.0/20
ipset -A 136907-4 159.138.112.0/21
ipset -A 136907-4 159.138.20.0/22
ipset -A 136907-4 159.138.77.0/24
ipset -A 136907-4 159.138.144.0/20
ipset -A 136907-4 159.138.152.0/21
ipset -A 136907-4 114.119.128.0/19
ipset -A 136907-4 159.138.79.0/24
ipset -A 136907-4 119.8.32.0/19
ipset -A 136907-6 2405:f080:2000::/39
ipset -A 136907-4 159.138.128.0/20
ipset -A 136907-4 159.138.0.0/20
ipset -A 136907-4 159.138.176.0/20
ipset -A 136907-4 159.138.24.0/21
ipset -A 136907-4 159.138.32.0/20
ipset -A 136907-4 159.138.125.0/24
ipset -A 136907-4 114.119.160.0/21
ipset -A 136907-4 159.138.224.0/20
ipset -A 136907-4 159.138.64.0/21
ipset -A 136907-4 114.119.176.0/20
ipset -A 136907-4 159.138.144.0/24
ipset -A 136907-4 159.138.240.0/20
ipset -A 136907-4 159.138.67.0/24
ipset -A 136907-6 2405:f080:400::/39
ipset -A 136907-4 159.138.192.0/20
ipset -A 136907-4 119.8.0.0/21
ipset -A 136907-4 159.138.96.0/20
iptables -A INPUT -m set --match-set 136907-4 src -j DROP
ip6tables -A INPUT -m set --match-set 136907-6 src -j DROP

Code:
set policy-options prefix-list 136907v4 159.138.76.0/24
set policy-options prefix-list 136907v4 159.138.16.0/22
set policy-options prefix-list 136907v4 159.138.48.0/20
set policy-options prefix-list 136907v4 159.138.208.0/21
set policy-options prefix-list 136907v6 2405:f080:1000::/39
set policy-options prefix-list 136907v4 103.215.3.0/24
set policy-options prefix-list 136907v4 159.138.182.0/23
set policy-options prefix-list 136907v4 159.138.160.0/20
set policy-options prefix-list 136907v6 2405:f080::/39
set policy-options prefix-list 136907v4 159.138.80.0/20
set policy-options prefix-list 136907v4 159.138.112.0/21
set policy-options prefix-list 136907v4 159.138.20.0/22
set policy-options prefix-list 136907v4 159.138.77.0/24
set policy-options prefix-list 136907v4 159.138.144.0/20
set policy-options prefix-list 136907v4 159.138.152.0/21
set policy-options prefix-list 136907v4 114.119.128.0/19
set policy-options prefix-list 136907v4 159.138.79.0/24
set policy-options prefix-list 136907v4 119.8.32.0/19
set policy-options prefix-list 136907v6 2405:f080:2000::/39
set policy-options prefix-list 136907v4 159.138.128.0/20
set policy-options prefix-list 136907v4 159.138.0.0/20
set policy-options prefix-list 136907v4 159.138.176.0/20
set policy-options prefix-list 136907v4 159.138.24.0/21
set policy-options prefix-list 136907v4 159.138.32.0/20
set policy-options prefix-list 136907v4 159.138.125.0/24
set policy-options prefix-list 136907v4 114.119.160.0/21
set policy-options prefix-list 136907v4 159.138.224.0/20
set policy-options prefix-list 136907v4 159.138.64.0/21
set policy-options prefix-list 136907v4 114.119.176.0/20
set policy-options prefix-list 136907v4 159.138.144.0/24
set policy-options prefix-list 136907v4 159.138.240.0/20
set policy-options prefix-list 136907v4 159.138.67.0/24
set policy-options prefix-list 136907v6 2405:f080:400::/39
set policy-options prefix-list 136907v4 159.138.192.0/20
set policy-options prefix-list 136907v4 119.8.0.0/21
set policy-options prefix-list 136907v4 159.138.96.0/20

Code:
159.138.76.0/24
159.138.16.0/22
159.138.48.0/20
159.138.208.0/21
2405:f080:1000::/39
103.215.3.0/24
159.138.182.0/23
159.138.160.0/20
2405:f080::/39
159.138.80.0/20
159.138.112.0/21
159.138.20.0/22
159.138.77.0/24
159.138.144.0/20
159.138.152.0/21
114.119.128.0/19
159.138.79.0/24
119.8.32.0/19
2405:f080:2000::/39
159.138.128.0/20
159.138.0.0/20
159.138.176.0/20
159.138.24.0/21
159.138.32.0/20
159.138.125.0/24
114.119.160.0/21
159.138.224.0/20
159.138.64.0/21
114.119.176.0/20
159.138.144.0/24
159.138.240.0/20
159.138.67.0/24
2405:f080:400::/39
159.138.192.0/20
119.8.0.0/21
159.138.96.0/20

Code:
deny 159.138.76.0/24;
deny 159.138.16.0/22;
deny 159.138.48.0/20;
deny 159.138.208.0/21;
deny 2405:f080:1000::/39;
deny 103.215.3.0/24;
deny 159.138.182.0/23;
deny 159.138.160.0/20;
deny 2405:f080::/39;
deny 159.138.80.0/20;
deny 159.138.112.0/21;
deny 159.138.20.0/22;
deny 159.138.77.0/24;
deny 159.138.144.0/20;
deny 159.138.152.0/21;
deny 114.119.128.0/19;
deny 159.138.79.0/24;
deny 119.8.32.0/19;
deny 2405:f080:2000::/39;
deny 159.138.128.0/20;
deny 159.138.0.0/20;
deny 159.138.176.0/20;
deny 159.138.24.0/21;
deny 159.138.32.0/20;
deny 159.138.125.0/24;
deny 114.119.160.0/21;
deny 159.138.224.0/20;
deny 159.138.64.0/21;
deny 114.119.176.0/20;
deny 159.138.144.0/24;
deny 159.138.240.0/20;
deny 159.138.67.0/24;
deny 2405:f080:400::/39;
deny 159.138.192.0/20;
deny 119.8.0.0/21;
deny 159.138.96.0/20;

Code:
IP Address    Subnet Mask    CIDR    Type
159.138.76.0    255.255.255.0    24    4
159.138.16.0    255.255.252.0    22    4
159.138.48.0    255.255.240.0    20    4
159.138.208.0    255.255.248.0    21    4
2405:f080:1000::    FALSE    39    6
103.215.3.0    255.255.255.0    24    4
159.138.182.0    255.255.254.0    23    4
159.138.160.0    255.255.240.0    20    4
2405:f080::    FALSE    39    6
159.138.80.0    255.255.240.0    20    4
159.138.112.0    255.255.248.0    21    4
159.138.20.0    255.255.252.0    22    4
159.138.77.0    255.255.255.0    24    4
159.138.144.0    255.255.240.0    20    4
159.138.152.0    255.255.248.0    21    4
114.119.128.0    255.255.224.0    19    4
159.138.79.0    255.255.255.0    24    4
119.8.32.0    255.255.224.0    19    4
2405:f080:2000::    FALSE    39    6
159.138.128.0    255.255.240.0    20    4
159.138.0.0    255.255.240.0    20    4
159.138.176.0    255.255.240.0    20    4
159.138.24.0    255.255.248.0    21    4
159.138.32.0    255.255.240.0    20    4
159.138.125.0    255.255.255.0    24    4
114.119.160.0    255.255.248.0    21    4
159.138.224.0    255.255.240.0    20    4
159.138.64.0    255.255.248.0    21    4
114.119.176.0    255.255.240.0    20    4
159.138.144.0    255.255.255.0    24    4
159.138.240.0    255.255.240.0    20    4
159.138.67.0    255.255.255.0    24    4
2405:f080:400::    FALSE    39    6
159.138.192.0    255.255.240.0    20    4
119.8.0.0    255.255.248.0    21    4
159.138.96.0    255.255.240.0    20    4

As you scroll through the above lists, you will realize they are all different formats but serve a similar function: blocking (or, rarely, unblocking) the specific ASN's ranges. This works on a firewall, a web server configuration, or another configuration to mitigate the ASN from your server(s).

Some discussion on blocking IPs can also be found here on the MikroTik forum.

Blacklisting with BGP: https://forum.mikrotik.com/viewtopic.php?t=127382

Utilize ASNs for blacklisting if you have strong reason to believe a specific ASN has multiple abuses: https://forum.mikrotik.com/viewtopic.php?t=98804#p503005

Let's say, for example, host 159.138.67.1 is scanning your TCP port 22; you add it to a "blackmark" entry for its ASN in a database. If you then also see 159.138.67.2, or even 159.138.67.45, and so on keep trying to port scan your 22, fuck 'em all? Do away with the ASN if many hosts from it are being abusive. Because if blocking 10 IP addresses from an ASN is not working, maybe fuck their whole ASN.. YES!!

If 5 people are bad, okay. If everyone from the ASN sucks, then they all fucking suck.. all their shitty IPs.
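The "blackmark" escalation just described, as an added example (not code from the post): count distinct offending hosts per ASN from sshd-style log lines and, once a threshold is crossed, switch from per-host blocks to blocking every prefix attributed to that ASN. The log lines, the prefix-to-ASN table (two prefixes from the page's 136907 list plus 203.0.113.0/24 as a control) and the threshold are all constructed for this example.

```python
"""Escalate from per-host blocks to an ASN-wide block (added example)."""
import collections
import ipaddress
import re

# Constructed prefix -> ASN table. The two 136907 prefixes are from the
# page's list; 203.0.113.0/24 is documentation space used as a control.
PREFIX_ASN = {
    ipaddress.ip_network("159.138.64.0/21"): 136907,
    ipaddress.ip_network("114.119.160.0/21"): 136907,
    ipaddress.ip_network("203.0.113.0/24"): 64496,
}

# Constructed sshd-style log lines: repeated pre-auth hits on TCP/22.
SAMPLE_LOG = """\
Jan 22 15:01:02 host sshd[101]: Connection closed by 159.138.67.1 port 51000 [preauth]
Jan 22 15:01:03 host sshd[102]: Connection closed by 159.138.67.2 port 51001 [preauth]
Jan 22 15:01:05 host sshd[103]: Connection closed by 159.138.67.45 port 51002 [preauth]
Jan 22 15:01:06 host sshd[104]: Connection closed by 159.138.67.1 port 51003 [preauth]
Jan 22 15:01:09 host sshd[105]: Connection closed by 114.119.164.134 port 51004 [preauth]
Jan 22 15:02:00 host sshd[106]: Connection closed by 203.0.113.7 port 51005 [preauth]
Jan 22 15:02:30 host sshd[107]: Accepted publickey for ops from 203.0.113.9 port 51006
"""

OFFENDER_RE = re.compile(r"Connection closed by (\S+) port \d+ \[preauth\]")


def asn_for(ip):
    """Longest-prefix match into PREFIX_ASN; None if the source is unknown."""
    best = None
    for net, asn in PREFIX_ASN.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def blackmarks(log_text):
    """Map ASN -> set of distinct offending source addresses.
    Repeated hits from one host count once; only pre-auth closes count."""
    marks = collections.defaultdict(set)
    for line in log_text.splitlines():
        m = OFFENDER_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group(1))
        asn = asn_for(ip)
        if asn is not None:
            marks[asn].add(ip)
    return marks


def decide(marks, threshold):
    """Per ASN: below the threshold block the individual hosts (/32s);
    at or above it block every prefix the table attributes to the ASN."""
    plan = {}
    for asn, hosts in marks.items():
        if len(hosts) >= threshold:
            plan[asn] = sorted(n for n, a in PREFIX_ASN.items() if a == asn)
        else:
            plan[asn] = sorted(ipaddress.ip_network(str(h)) for h in hosts)
    return plan


if __name__ == "__main__":
    for asn, nets in decide(blackmarks(SAMPLE_LOG), threshold=3).items():
        print(asn, [str(n) for n in nets])
```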

So.. what if you have iptables?

Save this as asn-to-iptables.sh and put it somewhere convenient:
Code:
#!/bin/bash
#
# asn-to-iptables
# Looks up the routes for an autonomous system and creates an iptables chain
# or ip6tables chain suitable for inclusion into a firewall.

# Defaults
route="route6"
compare="compare_v6"
iptables="ip6tables"
dir="-d"
asn=""
chain=""
match=""
target="REJECT"

usage() {
    echo "usage: $0 [-46ds] -a <asn> -c <chain> -m <matches> -t <target>" 1>&2
    echo "" 1>&2
    echo "-4 Look up IPv4 routes" 1>&2
    echo "-6 Look up IPv6 routes (default)" 1>&2
    echo "-a ASN to look up" 1>&2
    echo "-c iptables chain name to create" 1>&2
    echo "-d Treat addresses as the destination address (default)" 1>&2
    echo "-m Additional iptables matches to apply" 1>&2
    echo "-s Treat addresses as the source address" 1>&2
    echo "-t iptables target (default REJECT)" 1>&2
    exit 1
}

jwhois_missing() {
    echo "jwhois was not found on your system. Please install jwhois and try again." 1>&2
    exit 1
}

aggregate_missing() {
    echo "aggregate was not found on your system. Routes may not be aggregated." 1>&2
}

sipcalc_missing() {
    echo "sipcalc was not found on your system. Routes may not be aggregated." 1>&2
}

compare_v4() {
    larger_start=$(sipcalc -b $2 | fgrep "Network address" | cut -d '-' -f 2 | tr -d ' ')
    larger_end=$(sipcalc -b $2 | fgrep "Broadcast address" | cut -d '-' -f 2 | tr -d ' ')
    smaller_start=$(sipcalc -b $1 | fgrep "Network address" | cut -d '-' -f 2 | tr -d ' ')
    if [ "$larger_start" \< "$smaller_start" -o "$larger_start" = "$smaller_start" ]; then
        if [ "$smaller_start" \< "$larger_end" ]; then
            return 1
        fi
    fi
    return 0
}

compare_v6() {
    larger_start=$(sipcalc $2 | fgrep "Network range" | cut -d '-' -f 2 | tr -d ' ')
    larger_end=$(sipcalc $2 | fgrep "$(echo -ne \\t\\t\\t)" | tr -d ' \011')
    smaller_start=$(sipcalc $1 | fgrep "Network range" | cut -d '-' -f 2 | tr -d ' ')
#    echo "$larger_start $larger_end $smaller_start" 1>&2
    if [ "$larger_start" \< "$smaller_start" -o "$larger_start" = "$smaller_start" ]; then
        if [ "$smaller_start" \< "$larger_end" ]; then
#            echo Removing $1 as it matched $2 1>&2
            return 1
        fi
    fi
    return 0
}

aggregator() {
    compare=$1
    shift
    local routes=( $@ )
    aggregated=( )
    index=0
    while [ "$index" -lt "${#routes[@]}" ]; do
        inner_index=0
        remove=0
        while [ "$inner_index" -lt "$index" ]; do
            $compare ${routes[$index]} ${routes[$inner_index]} || remove=1
            if [ "$remove" -eq "1" ]; then
                break
            fi
            ((inner_index++))
        done
        if [ "$remove" -eq "0" ]; then
            aggregated+=( ${routes[$index]} )
        fi
        ((index++))
    done
    printf -- '%s\n' "${aggregated[@]}"
}

while getopts ":46da:s:c:m:t:" option; do
    case $option in 
        4)
            route="route"
            iptables="iptables"
            compare="compare_v4"
            ;;
        6)
            route="route6"
            iptables="ip6tables"
            compare="compare_v6"
            ;;
        a)
            asn=$OPTARG
            ;;
        c)
            chain=$OPTARG
            ;;
        d)
            dir="-d"
            ;;
        m)
            match=$OPTARG
            ;;
        s)
            dir="-s"
            ;;
        t)
            target=$OPTARG
            ;;
        \?)
            # getopts puts the offending option character in $OPTARG
            echo "-$OPTARG: invalid option" 1>&2
            usage
            ;;
        :)
            echo "-$OPTARG requires an argument" 1>&2
            usage
            ;;
    esac
done

# Sanity checks
if [ "$asn" = "" ]; then
    echo "Missing option -a" 1>&2
    usage
fi
if [ "$chain" = "" ]; then
    echo "Missing option -c" 1>&2
    usage
fi
if [ "$target" = "" ]; then
    echo "Missing option -t" 1>&2
    usage
fi

# We really need jwhois
which jwhois >&/dev/null || jwhois_missing

# We could use aggregate
which aggregate >&/dev/null || aggregate_missing
# We could use sipcalc
which sipcalc >&/dev/null || sipcalc_missing

# OK, let's do it!
echo "$iptables -F $chain"
routes=$(jwhois -h whois.radb.net -- -i origin -T $route $asn | grep ^${route} | awk '{print $NF}' | sort -t / -k 2n)
if [ "$?" != 0 ]; then
    exit 1
fi

# aggregate doesn't handle IPv6 routes
if [ "$compare" = "compare_v4" ]; then
    if which aggregate >&/dev/null; then
        agg=$(printf "%s\n" "${routes[@]}" | aggregate -q)
    elif which sipcalc >&/dev/null; then
        agg=$(aggregator $compare ${routes[@]})
    else
        agg=${routes[@]}
    fi
else
    if which sipcalc >&/dev/null; then
        agg=$(aggregator $compare ${routes[@]})
    else
        agg=${routes[@]}
    fi
fi

for a_route in $agg; do
    echo "$iptables -A $chain $dir $a_route $match -j $target"
done
You might be able to wget https://www.ringingliberty.com/wp-content/uploads/2014/07/asn-to-iptables.sh
Just be careful and inspect for any sketchy links.

Make sure you also have:
Requirements
asn-to-iptables.sh requires the GNU jwhois utility to be installed. This is the default whois on most Linux distributions, so it should not be much of an issue.

In order to perform route aggregation, either aggregate (recommended for performance) or sipcalc (currently required for IPv6 aggregation) must be installed. If you are working with both IPv4 and IPv6 routes, install both. If neither is installed, the script will continue to work, but will not summarize routes.

These are only required to be on the system on which you generate the firewall rules. They do not need to be installed on the destination system to which you apply the rules.
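The route aggregation that asn-to-iptables.sh hands off to aggregate/sipcalc, and the rendering into several of the rule formats listed earlier in the post, done with Python's standard ipaddress module. This is an added example, not the forum's tool or the script above: SAMPLE_CSV is a constructed subset of the 136907 list in the same "IP Address,Subnet Mask,CIDR,Type" layout, and the renderer names are my own.

```python
"""Collapse an ASN's prefixes and render them as block rules (added example).

SAMPLE_CSV is a constructed subset of the page's list, chosen so it holds a
covered prefix (159.138.144.0/24 inside /20) and an adjacent pair
(159.138.76.0/24 + 159.138.77.0/24) that aggregation should merge.
"""
import csv
import io
import ipaddress

SAMPLE_CSV = """IP Address,Subnet Mask,CIDR,Type
159.138.76.0,255.255.255.0,24,4
159.138.77.0,255.255.255.0,24,4
159.138.144.0,255.255.240.0,20,4
159.138.144.0,255.255.255.0,24,4
114.119.160.0,255.255.248.0,21,4
2405:f080::,FALSE,39,6
2405:f080:400::,FALSE,39,6
"""


def parse_prefix_csv(text):
    """Build ip_network objects from the CSV. The CIDR column is taken as
    authoritative; for IPv4 rows the mask column is cross-checked."""
    nets = []
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(f"{row['IP Address']}/{row['CIDR']}")
        if net.version == 4 and str(net.netmask) != row["Subnet Mask"]:
            raise ValueError(f"mask/CIDR mismatch: {row}")
        nets.append(net)
    return nets


def aggregate(nets):
    """Drop prefixes already covered by a larger one and merge adjacent
    pairs, per address family (what the script does via aggregate/sipcalc).
    The result is sorted."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + \
        list(ipaddress.collapse_addresses(v6))


# Renderers for a few of the formats shown on the page (names are mine).
RENDERERS = {
    "nginx": lambda n: f"deny {n};",
    "apache": lambda n: f"Deny from {n}",
    "blackhole": lambda n: f"ip route add blackhole {n}",
    "ipset": lambda n: f"ipset -A 136907-{n.version} {n}",
}


def render(nets, fmt):
    """One rule line per prefix in the requested format."""
    return [RENDERERS[fmt](n) for n in nets]


def covering_prefix(addr, nets):
    """The prefix containing addr, or None: the check the post does by hand
    for 114.119.164.134 against 114.119.160.0/21."""
    ip = ipaddress.ip_address(addr)
    return next((n for n in nets if ip in n), None)


if __name__ == "__main__":
    agg = aggregate(parse_prefix_csv(SAMPLE_CSV))
    print("\n".join(render(agg, "ipset")))
    print(covering_prefix("114.119.164.134", agg))
```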