This guide configures the iptables firewall with an IP blocklist for specific countries and a second blocklist for IPs and IP netblocks that are known threats. It uses the ipset utility, so the blocklists can be updated quickly and matched in the firewall far faster than one iptables rule per address would allow.
Install ufw, the ipset utility and the libnet-ip-perl module
apt -y install ufw ipset libnet-ip-perl
Download the script that aggregates CIDR address blocks
wget -O /usr/local/bin/ip-aggregate.pl https://www.neblink.net/blocklist/linux-scripts/ip-aggregate.pl
chmod +rx /usr/local/bin/ip-aggregate.pl
Country Blocking
Download the script that loads the ipset table of blocked countries. Edit the ISO= line in the script and set it to the 2-letter (lowercase) ISO country codes of the countries you wish to block. See IPdeny IP country blocks for the available codes.
wget -O /usr/local/bin/country-block.sh https://www.neblink.net/blocklist/linux-scripts/country-block.sh
chmod +rx /usr/local/bin/country-block.sh
Run Script
/usr/local/bin/country-block.sh
Create a scheduled task (cron job) to update the country blocklist daily
(crontab -l ; echo "@daily /usr/local/bin/country-block.sh" )| crontab -
Emerging Threats Blocklist
Download the script that loads the ipset tables of known threat IPs and netblocks.
wget -O /usr/local/bin/emerging-threats-update.sh https://www.neblink.net/blocklist/linux-scripts/emerging-threats-update.sh
chmod +rx /usr/local/bin/emerging-threats-update.sh
Run Script
/usr/local/bin/emerging-threats-update.sh
Create a scheduled task (cron job) to update the threat list hourly
(crontab -l ; echo "@hourly /usr/local/bin/emerging-threats-update.sh" )| crontab -
Firewall Setup
Create firewall rules that accept ssh (tcp/22) and webmin (tcp/10000) and send traffic from the block lists to logging drop chains. The block-list matches sit before the ACCEPT rules, so a listed source cannot reach ssh or webmin either. Note that these matches only cover TCP, and the default deny for everything else comes from ufw's input policy (DROP) once ufw is enabled in the next step.
cat > /etc/iptables.up.rules <<EOF
*filter
:OUTPUT ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-N GEODROP
-A GEODROP -j LOG --log-level info --log-prefix "GEO DROP: "
-A GEODROP -j DROP
-N ETDROP
-A ETDROP -j LOG --log-level info --log-prefix "THREAT DROP: "
-A ETDROP -j DROP
-A INPUT -p tcp -m set --match-set geo-block src -j GEODROP
-A INPUT -p tcp -m set --match-set threat-ip src -j ETDROP
-A INPUT -p tcp -m set --match-set threat-net src -j ETDROP
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
COMMIT
EOF
Start Firewall
ufw disable
iptables -F
iptables -X
ufw --force reset
iptables-restore < /etc/iptables.up.rules
ufw --force enable
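Once the firewall is running, the LOG rules write every blocked connection to the kernel log with the "GEO DROP: " and "THREAT DROP: " prefixes defined above. The following script, added here as an example and not part of the neblink.net scripts, summarises those hits per source address and destination port; the log lines inside it are constructed samples, and the /var/log/kern.log path in the comment is an assumption about where rsyslog stores kernel messages.

```shell
#!/bin/sh
# Summarise blocklist drops from kernel log lines produced by the GEODROP and
# ETDROP chains. Constructed sample log (not real traffic), in the format the
# iptables LOG target emits via the kernel ring buffer / syslog.
SAMPLE_LOG='Mar  3 10:01:12 host kernel: [  123.4] GEO DROP: IN=eth0 OUT= MAC=.. SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=22
Mar  3 10:01:15 host kernel: [  126.9] THREAT DROP: IN=eth0 OUT= MAC=.. SRC=192.0.2.44 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40000 DPT=10000
Mar  3 10:02:03 host kernel: [  174.0] GEO DROP: IN=eth0 OUT= MAC=.. SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51240 DPT=22
Mar  3 10:02:10 host kernel: [  181.2] THREAT DROP: IN=eth0 OUT= MAC=.. SRC=192.0.2.99 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=33333 DPT=443
Mar  3 10:02:11 host sshd[900]: Accepted publickey for admin from 203.0.113.9 port 5000 ssh2'

# drop_summary <prefix>: reads log text on stdin and prints
# "<count> <src> <dport>" lines for that log prefix, most frequent first.
drop_summary() {
    prefix="$1"
    grep -F "${prefix}: " | awk '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") n[src " " dpt]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# drop_count <prefix>: total number of log lines carrying that prefix.
drop_count() {
    grep -c -F "$1: "
}

# On a live system (assumed log path): drop_summary "GEO DROP" < /var/log/kern.log
# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | drop_summary "GEO DROP"
```

A source that keeps reappearing under "THREAT DROP" on port 22 or 10000 is the kind of entry worth confirming against the threat list before deciding whether the hourly update is keeping pace.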
Create a boot script that runs the blocklist update scripts and loads the firewall rules
cat > /etc/rc.local <<EOF
#!/bin/sh -e
#
# rc.local
#
/usr/local/bin/emerging-threats-update.sh
/usr/local/bin/country-block.sh
ufw disable
iptables -F
iptables -X
ufw --force reset
iptables-restore < /etc/iptables.up.rules
ufw --force enable
exit 0
EOF
chmod +rx /etc/rc.local
Suggested Next Step
If you want to set up an Internet web server, I would suggest the Virtualmin LAMP Server or Virtualmin LEMP Server. Otherwise, install the Webmin System Administration Console.