Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- know-how:firewall [2021/02/09 11:19] – [Proxy] cc
+++ know-how:firewall [2024/02/26 10:31] (aktuell) – cc
@@ Zeile 1: / Zeile 1: @@
+~~ODT~~
 FIXME
 ====== Features ======
@@ Zeile 834: / Zeile 835: @@
 supersede dhcp-renewal-time 300;
 </code>
-====== roadworker openvpn wake on lan (wol) trigger ======
+====== VPN ======
+===== roadworker mfa - multiple factor auth =====
+  * Bei **OpenVPN** mit entsprechender Konfiguration wäre sie implizit gegeben wenn zB: ein Zertifikat zur Authentifizierung benutzt wird + Username + Password
+  * OpenVPN Server - **roadworker-auth.conf**:
+<code>
+...
+auth-user-pass-verify /etc/openvpn/roadworker-auth/hybrid_auth.sh via-env
+script-security 3
+...
+</code>
+  * **/etc/openvpn/roadworker-auth/hybrid_auth.sh**
+<code>
+#!/bin/bash
+function bailout ()
+{
+  echo $1
+  exit 1
+}
+export username
+export password
+#env > /tmp/debug
+#echo "u: -$AUTH_USERNAME-" >> /tmp/debug
+#echo "p: -$AUTH_PASSWORD-" >> /tmp/debug
+ORIGINAL_PASSWORD="$password"
+AUTH_TOTP_SECRET="/etc/openvpn/roadworker-auth/totp/$username"
+echo $username | grep -P -q "^[A-Za-z0-9\.]+$"
+#2021-09-21 cc: Somehow malformed
+[[ $? != 0 ]] && bailout "Username malformed"
+[[ -f $AUTH_TOTP_SECRET && ${#password} -lt 7 ]] && bailout "TOTP is used but password is too small"
+#2021-09-21 cc: The last 6 digits contain the TOTP string / the rest is the password
+[[ -f $AUTH_TOTP_SECRET ]] && password=$(echo ${ORIGINAL_PASSWORD::-6})
+/etc/openvpn/roadworker-auth/smb_auth.sh
+RET_SMB_AUTH=$?
+[[ ! -f $AUTH_TOTP_SECRET ]] && exit $?
+#echo "smb auth: $RET_SMB_AUTH" > /tmp/smb_auth
+[[ $RET_SMB_AUTH != 0 ]] && bailout "SMB Auth invalid"
+password=$(echo ${ORIGINAL_PASSWORD: -6})
+/etc/openvpn/roadworker-auth/totp_auth.sh
+exit $?
+</code>
+  * **/etc/openvpn/roadworker-auth/smb_auth.sh**
+  *  Gültiger Account check via smb FIXME check username
+<code>
+AUTH_USERNAME="$username"
+AUTH_PASSWORD="$password"
+AUTH_SERVER="SERVER_AUTH"
+[[ $AUTH_USERNAME == "" || $AUTH_USERNAME == " " ]] &&  AUTH_USERNAME="---"
+[[ $AUTH_PASSWORD == "" || $AUTH_USERNAME == " " ]] &&  AUTH_PASSWORD="---"
+#env > /tmp/debug
+#echo "u: -$AUTH_USERNAME-" >> /tmp/debug_smb
+#echo "p: -$AUTH_PASSWORD-" >> /tmp/debug_smb
+echo $AUTH_PASSWORD | /usr/bin/smbclient -mSMB3 --ip-address=$AUTH_SERVER --list=$AUTH_SERVER --user=$AUTH_USERNAME --timeout=5 &> /dev/null
+exit $?
+</code>
+  * **/etc/openvpn/roadworker-auth/totp_auth.sh**
+  * TOTP Check mit **oathtool**
+<code>
+#!/bin/bash
+function bailout ()
+{
+  echo $1
+  exit 1
+}
+AUTH_USERNAME="$username"
+AUTH_PASSWORD="$password"
+AUTH_TOTP_SECRET="/etc/openvpn/roadworker-auth/totp/$AUTH_USERNAME"
+[[ $AUTH_USERNAME == "" || $AUTH_USERNAME == " " ]] &&  AUTH_USERNAME="---"
+[[ $AUTH_PASSWORD == "" || $AUTH_USERNAME == " " ]] &&  AUTH_PASSWORD="---"
+echo $AUTH_USERNAME | grep -P -q "^[A-Za-z0-9\.]+$"
+#2021-09-21 cc: Somehow malformed
+[[ $? != 0 ]] && bailout "Username malformed"
+#2021-09-21 cc: Somehow not 6 digits
+echo $AUTH_PASSWORD | grep -P -q "^[0-9]{6}$"
+[[ $? != 0 ]] && bailout "Digits malformed"
+#2021-09-21 cc: This is tricky , if there's no secret file - it hasn't been created yet so auth succeeds
+[[ ! -f $AUTH_TOTP_SECRET ]] && exit 0
+TOTP_SEED=$(cat $AUTH_TOTP_SECRET)
+DIGIT_CODE=$(oathtool -b --totp $TOTP_SEED)
+#env > /tmp/debug
+#echo "u: -$AUTH_USERNAME-" >> /tmp/debug
+#echo "p: -$AUTH_PASSWORD-" >> /tmp/debug
+#echo "c: -$DIGIT_CODE" >> /tmp/debug
+[[ $DIGIT_CODE == $AUTH_PASSWORD ]] && exit 0
+exit 1
+</code>
+  * Um für bestimmten User **TOTP zu aktivieren**
+<code>
+pwgen -0 -s -1 16 > /etc/openvpn/roadworker-auth/totp/username
+</code>
+  * Dieser TOTP Seed , der nun unter **/etc/openvpn/roadworker-auth/totp/username** zB: **ABCABCBABCBCDFFG** muss dem entsprechenden User **sicher** übermittelt werden zB: über Signal/Whatsapp - er kann ihn zB: im **Google Authenticator** als eigenen Eintrag hinzufügen
+  * Variante um bei bestehender zertifikatsbasierender Authentifizierung OTP zu aktivieren:
+  * **für bestimmtes Gerät d.h. Zertifikat ** wird es obligatorisch und User können zum Zertifikat spezifiziert werden
+  * **/etc/openvpn/roadworker-cert/roadworker-cert.conf**
+<code>
+...
+auth-user-pass-verify /etc/openvpn/roadworker-cert/totp_auth.sh via-env
+auth-user-pass-optional
+script-security 3
+....
+</code>
+  * **/etc/openvpn/roadworker-cert/totp_auth.sh**
+<code>
+#!/bin/bash
+function bailout ()
+{
+	  echo $1
+	  echo $1 | logger -t totp
+	    exit 1
+    }
+    AUTH_USERNAME="$username"
+    AUTH_PASSWORD="$password"
+    AUTH_COMMON_NAME="$common_name"
+    AUTH_TOTP_ROOT_SECRET="/etc/openvpn/roadworker-cert/totp/"
+    AUTH_TOTP_SECRET="$AUTH_TOTP_ROOT_SECRET/$AUTH_COMMON_NAME/$AUTH_USERNAME"
+    #2021-10-14 cc: Certificate required
+    echo $common_name | grep -P -q "^[A-Za-z0-9\.\-]+$"
+    [[ $? != 0 ]] && bailout "Common certificate Name malformed"
+    #2021-10-14 cc: IF directory with common name does not exist OTP is not activated
+    [[ ! -d "$AUTH_TOTP_ROOT_SECRET/$AUTH_COMMON_NAME" ]] && exit 0
+    echo $AUTH_USERNAME | grep -P -q "^[A-Za-z0-9\.]+$"
+    #2021-09-21 cc: Somehow malformed
+    [[ $? != 0 ]] && bailout "Username malformed"
+    #2021-09-21 cc: Somehow not 6 digits
+    echo $AUTH_PASSWORD | grep -P -q "^[0-9]{6}$"
+    [[ $? != 0 ]] && bailout "Digits malformed"
+    #2021-09-21 cc: This is tricky , if there's no secret file - it has been created yet so auth succeeds
+    #2021-10-14 cc: If common_name root path exists there must be a file for the user
+    [[ ! -f $AUTH_TOTP_SECRET ]] && bailout "TOTP Secret not found - is needed"
+    TOTP_SEED=$(cat $AUTH_TOTP_SECRET)
+    DIGIT_CODE=$(oathtool -b --totp $TOTP_SEED)
+    #env > /tmp/debug
+    #echo "u: -$AUTH_USERNAME-" >> /tmp/debug
+    #echo "p: -$AUTH_PASSWORD-" >> /tmp/debug
+    #echo "c: -$DIGIT_CODE" >> /tmp/debug
+    [[ $DIGIT_CODE == $AUTH_PASSWORD ]] && exit 0
+    exit 1
+</code>
+===== roadworker openvpn wake on lan (wol) trigger =====
   * zB: bei Roadworkern die per Remote Desktop auf ihre Bürorechner zugreifen möchten / Die Bürorechner können ruhig heruntergefahren werden / Sobald eine erfolgreiche authentifizierte Verbindung aufgebaut wurde wird wol für den Rechner getriggered
@@ Zeile 873: / Zeile 1093: @@
 </code>
-====== roadworker strongswan ipsec ======
+===== roadworker strongswan ipsec =====
   * FIXME Auth über radius server / Trigger bei strongswan für wake on lan
   * Getestet auf: **Ubuntu 18.04**
@@ Zeile 922: / Zeile 1142: @@
 </code>
+====== unbound ======
+  * Rekursiver DNS Resolver der DNSSEC validiert und auch dns over tls unterstützt
+===== internal dns zone =====
+  * zB: wenn intern ein AD Server benutzt wird für interne Domäne
+<code>
+server:
+..
+..
+    #2024-02-11 cc: if pannoniait.intern was used by a e.g. windows ad server
+    private-domain: pannoniait.intern
+    domain-insecure: pannoniait.intern
+..
+..
+#2024-02-11 cc: If pannoniait.intern was used e.g. by windows ad server
+forward-zone:
+   name: pannoniait.intern
+   forward-addr: IP_DNS_SERVER
+</code>
+===== dns over tls =====
+  * führt zu massiven DNS Performanceeinbruch FIXME performance + prefetch usw.
+<code>
+server:
+..
+..
+    #2024-02-11 cc: The debian place where the bundle can be found
+    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
+..
+..
+forward-zone:
+    name: "."
+    forward-addr: 9.9.9.9@853#dns.quad9.net
+    forward-addr: 149.112.112.112@853#dns.quad9.net
+    forward-tls-upstream: yes
+..
+..
+</code>
+====== Traffic Shaping - tc ======
+  * FIXME - Großteil "man" Seiten https://wiki.archlinux.org/title/Advanced_traffic_control / https://tldp.org/en/Traffic-Control-HOWTO/ar01s06.html
+  * FIXME - PLAYGROUND - für bestimmten Traffic Bandbreite insgesamt einschränken , damit zB: ein Pool von Adressen eingeschränkt werden kann wie zB: Windows Updates :) entweder über iptables Markierungen oder über ipset Matches
+<code>
+#!/bin/sh -x
+# Maximum allowed downlink. Set to 90% of the achievable downlink in mbit
+DOWNLINK=60
+# Interface facing the Internet
+EXTDEV=wlp2s0
+# Load IFB, all other modules all loaded automatically
+modprobe ifb
+ip link set dev ifb0 down
+# Clear old queuing disciplines (qdisc) on the interfaces and the MANGLE table
+tc qdisc del dev $EXTDEV root    2> /dev/null > /dev/null
+tc qdisc del dev $EXTDEV ingress 2> /dev/null > /dev/null
+tc qdisc del dev ifb0 root       2> /dev/null > /dev/null
+tc qdisc del dev ifb0 ingress    2> /dev/null > /dev/null
+iptables -t mangle -F
+# appending "stop" (without quotes) after the name of the script stops here.
+if [ "$1" = "stop" ]
+then
+        echo "Shaping removed on $EXTDEV."
+        exit
+fi
+ip link set dev ifb0 up
+# HTB classes on IFB with rate limiting - default class 3:30
+tc qdisc add dev ifb0 root handle 3: htb default 30
+tc class add dev ifb0 parent 3:3 classid 3:30 htb rate 60mbit ceil 60mbit
+tc class add dev ifb0 parent 3:3 classid 3:33 htb rate 10mbit ceil 10mbit
+# Packets marked with "2" on IFB flow through class 3:33
+tc filter add dev ifb0 parent 3:0 protocol ip handle 2 fw flowid 3:33
+# Martin Devera, author of HTB, then recommends SFQ for beneath these classes:
+tc qdisc add dev ifb0 parent 3:30 handle 30: sfq perturb 10
+tc qdisc add dev ifb0 parent 3:33 handle 33: sfq perturb 10
+#https://speed.hetzner.de/1GB.bin
+iptables -t mangle -A PREROUTING -s 88.198.248.254 -j MARK --set-mark 2
+iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
+# Forward all ingress traffic on internet interface to the IFB device
+tc qdisc add dev $EXTDEV ingress handle ffff:
+tc filter add dev $EXTDEV parent ffff: protocol ip \
+        u32 match u32 0 0 \
+        action connmark \
+        action mirred egress redirect dev ifb0 \
+        flowid ffff:1
+# Kein markieren mehr der Pakete / iptables fällt weg über ipset
+# root@mrWhiteGhost:/home/urnilxfgbez/Desktop# ipset create slowdown hash:ip
+#root@mrWhiteGhost:/home/urnilxfgbez/Desktop# tc filter add dev ifb0 parent 3:0 protocol ip basic match 'ipset(slowdown src,dst)' flowid 3:33
+#
+#
+#
+#
+#root@mrWhiteGhost:/tmp# tc -s class show dev ifb0
+#class htb 3:33 root prio 0 rate 10Mbit ceil 10Mbit burst 1600b cburst 1600b
+# Sent 28375626 bytes 20582 pkt (dropped 0, overlimits 20488 requeues 0)
+# backlog 0b 0p requeues 0
+# lended: 20582 borrowed: 0 giants: 0
+# tokens: -16889 ctokens: -16889
+#
+#class htb 3:30 root prio 0 rate 60Mbit ceil 60Mbit burst 1590b cburst 1590b
+# Sent 1760229 bytes 3364 pkt (dropped 0, overlimits 884 requeues 0)
+# backlog 0b 0p requeues 0
+# lended: 3364 borrowed: 0 giants: 0
+# tokens: 3125 ctokens: 3125
+exit 0
+</code>
+====== GeoIP - iptables matches ======
+  * Getestet mit Debian Buster - **Achtung** hier gibt es keine xtables-addons* Pakete mehr / Sukzessive Wechsel zu **nftables** wird spürbar(er)
+  * Dafür gibt es die Pakete in Debian Bullseye wieder / Die Pakete für bullseye scheinen auch unter Debian Buster zu laufen (**xtables-addons-common_3.13-1_amd64.deb/xtables-addons-dkms_3.13-1_all.deb** ) FIXME testen,testen,testen
+  * Grundsätzliches: **iptables -m geoip --help**
+<code>
+iptables -m geoip --help
+iptables v1.8.2
+Usage: iptables -[ACD] chain rule-specification [options]
+	iptables -I chain [rulenum] rule-specification [options]
+	iptables -R chain rulenum rule-specification [options]
+	iptables -D chain rulenum [options]
+	iptables -[LS] [chain [rulenum]] [options]
+	iptables -[FZ] [chain] [options]
+	iptables -[NX] chain
+	iptables -E old-chain-name new-chain-name
+	iptables -P chain target [options]
+	iptables -h (print this help information)
+Commands:
+Either long or short options are allowed.
+  --append  -A chain		Append to chain
+  --check   -C chain		Check for the existence of a rule
+  --delete  -D chain		Delete matching rule from chain
+  --delete  -D chain rulenum
+				Delete rule rulenum (1 = first) from chain
+  --insert  -I chain [rulenum]
+				Insert in chain as rulenum (default 1=first)
+  --replace -R chain rulenum
+				Replace rule rulenum (1 = first) in chain
+  --list    -L [chain [rulenum]]
+				List the rules in a chain or all chains
+  --list-rules -S [chain [rulenum]]
+				Print the rules in a chain or all chains
+  --flush   -F [chain]		Delete all rules in  chain or all chains
+  --zero    -Z [chain [rulenum]]
+				Zero counters in chain or all chains
+  --new     -N chain		Create a new user-defined chain
+  --delete-chain
+	     -X [chain]		Delete a user-defined chain
+  --policy  -P chain target
+				Change policy on chain to target
+  --rename-chain
+	     -E old-chain new-chain
+				Change chain name, (moving any references)
+Options:
+    --ipv4	-4		Nothing (line is ignored by ip6tables-restore)
+    --ipv6	-6		Error (line is ignored by iptables-restore)
+[!] --proto	-p proto	protocol: by number or name, eg. `tcp'
+[!] --source	-s address[/mask][...]
+				source specification
+[!] --destination -d address[/mask][...]
+				destination specification
+[!] --in-interface -i input name[+]
+				network interface name ([+] for wildcard)
+ --jump	-j target
+				target for rule (may load target extension)
+  --goto      -g chain
+			       jump to chain with no return
+  --match	-m match
+				extended match (may load extension)
+  --numeric	-n		numeric output of addresses and ports
+[!] --out-interface -o output name[+]
+				network interface name ([+] for wildcard)
+  --table	-t table	table to manipulate (default: `filter')
+  --verbose	-v		verbose mode
+  --wait	-w [seconds]	maximum wait to acquire xtables lock before give up
+  --wait-interval -W [usecs]	wait time to try to acquire xtables lock
+				default is 1 second
+  --line-numbers		print line numbers when listing
+  --exact	-x		expand numbers (display exact values)
+[!] --fragment	-f		match second or further fragments only
+  --modprobe=<command>		try to insert modules using this command
+  --set-counters PKTS BYTES	set the counter during insert/append
+[!] --version	-V		print package version.
+geoip match options:
+[!] --src-cc, --source-country country[,country...]
+	Match packet coming from (one of) the specified country(ies)
+[!] --dst-cc, --destination-country country[,country...]
+	Match packet going to (one of) the specified country(ies)
+NOTE: The country is inputed by its ISO3166 code
+</code>
+  * Datenbank aktualisieren 1x im Monat **update-geoip.sh**
+<code>
+#!/bin/bash
+DST_TEMP_DB="/tmp/dbip-country-lite.csv.gz"
+SRC_URL="https://download.db-ip.com/free/dbip-country-lite-$(date +%Y)-$(date +%m).csv.gz"
+#Required on Ubuntu 18.04: libtext-csv-xs-perl, libnet-cidr-lite-perl / took xt_geoip_build from ubuntu 20.04
+XTABLES_BUILD_SCRIPT="/usr/lib/xtables-addons/xt_geoip_build"
+XTABLES_GEOIP_DIRECTORY="/usr/share/xt_geoip"
+function bailout
+{
+	>&2 echo -e "$1"
+	exit 2
+}
+[[ -f $DST_TEMP_DB ]] && bailout "FAIL: $DST_TEMP_DB already found aborting"
+wget -q "$SRC_URL" -O $DST_TEMP_DB || bailout "FAIL: $DST_TEMP_DB cannot be downloaded from $SRC_URL"
+gunzip -t $DST_TEMP_DB || bailout "FAIL: Gzip Format failure from $SRC_URL"
+[[ -d "$XTABLES_GEOIP_DIRECTORY" ]] || echo "FAIL: could not find Destination: $XTABLES_GEOIP_DIRECTORY"
+gunzip -f $DST_TEMP_DB --to-stdout > $XTABLES_GEOIP_DIRECTORY/dbip-country-lite.csv || bailout "FAIL: cannot gunzip file from $SRC_URL"
+[[ -x $XTABLES_BUILD_SCRIPT  ]] || echo "FAIL: could not find $XTABLES_BUILD_SCRIPT"
+$XTABLES_BUILD_SCRIPT -D "$XTABLES_GEOIP_DIRECTORY" -S "$XTABLES_GEOIP_DIRECTORY"
+rm $DST_TEMP_DB
+exit 0
+</code>
+  * **Achtung** **/usr/lib/xtables-addons/xt_geoip_build** stammt aus dem Ubuntu 20.04 Paket von **xtables-addons-common_3.8-2_amd64.deb**
+  * Nach 20 Minuten Tests mit iptables matches gabs noch keine panic :)
+<code>
+   976 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            -m geoip --source-country CN,RS  LOG flags 0 level 4
+</code>
+====== GeoIP - map-geoip.sh ======
+  * GeoIP Lookup aus vorhandenen Logfiles / kann auch gepiped werden um vorher relevante Auszüge rauszugreppen
+  * **map-geoip.sh**
+<code>
+#!/bin/bash
+# cmd: foo=$(mmdblookup -f /usr/local/share/ip-db/dbip-country-lite.mmdb  -i 192.168.0.1 country iso_code 2>/dev/null)
+# https://download.db-ip.com/free/dbip-country-lite-2022-03.mmdb.gz
+PATH_LOGS="/var/log/fw.log.1"
+PATH_GEODB="/usr/local/share/ip-db/dbip-country-lite.mmdb"
+function bailout
+{
+        echo -e "$1" >&2
+	echo -e "\nUsage: $0 [LOGFILE_FIREWALLS]"
+	exit 2
+}
+function lookup_geo
+{
+	mmdblookup -f $PATH_GEODB  -i $1 country iso_code 2>/dev/null | grep -o -P "\"[a-zA-Z]{2}\"" | tr -d "\""
+}
+function lookup_ip
+{
+    echo $1 | grep -o -P "$2(([0-9]{1,3}\.)){3}[0-9]{1,3}"
+}
+[[ -r $PATH_GEODB ]] || bailout "Cannot read geodb database: $PATH_GEODB"
+[[ -r "$1" ]] && PATH_LOGS="$1"
+[[ $1 == "-" ]] && PATH_LOGS="-"
+[[ -r $PATH_LOGS || $PATH_LOGS == "-"  ]] || bailout "Cannot read path logs: $PATH_LOGS"
+which mmdblookup >/dev/null || bailout "Cannot find mmdblookup please install\n"
+IFS=$'\n'
+while read foo ;
+do
+        LOG_SUFFIX=""
+	SRC_IP=""
+	DST_IP=""
+	SRC_IP=$(lookup_ip $foo "SRC=" |tr -d "SRC=")
+	DST_IP=$(lookup_ip $foo "DST=" | tr -d "DST=" )
+	#echo "SRC: $SRC_IP"
+	#echo "DST: $DST_IP"
+	if [ ${#SRC_IP} -gt 0 ] && [ ${#DST_IP} -gt 0 ]
+	then
+		SRC_GEO=$(lookup_geo $SRC_IP)
+		DST_GEO=$(lookup_geo $DST_IP)
+                [[ -z $SRC_GEO  ]] && SRC_GEO="00"
+		[[ -z $DST_GEO ]] && DST_GEO="00"
+		LOG_SUFFIX="SRC_GEO=$SRC_GEO DST_GEO=$DST_GEO"
+		echo "$foo$LOG_SUFFIX"
+	fi
+done < <(zcat -f $PATH_LOGS )
+</code>
 ====== WEB Module ======
-===== Hostnamen =====
+===== Blocks - Multi - IPSET =====
+  * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können
+  *  www-data muss dnsmasq neu starten können zB: visudo -> www-data  ALL=(ALL)NOPASSWD:/usr/sbin/service dnsmasq restart / und die entsprechenden Berechtigungen für das Set File besitzen unter /etc/dnsmasq.d/ipset-foo.conf
+  * **Achtung:** Wenn es eine Vielzahl an Sets gibt die mit dnsmasq befüllt werden sollen muss auf die dnsmasq Syntax geachtet werden **ipset=/hostname/set1/set2/set3** und nicht jeweils eine extra Datei für set1, set2, set3
+  * **merge-ipsets.sh**
+<code>
+#!/bin/bash
+function bailout
+{
+        echo -e "$1" >&2
+        exit 2
+}
+which dnsmasq >/dev/null || bailout "Cannot find dnsmasq binary"
+LOCATION_DNSMASQS="/etc/dnsmasq.conf /etc/dnsmasq.d/*"
+TMP_LOCATION=$(mktemp)
+FINAL_LOCATION="/etc/dnsmasq.d/ipset-master.conf"
+if [ ! -w $FINAL_LOCATION ]
+then
+	rm $TMP_LOCATION
+	bailout "FAIL: Final config file: $FINAL_LOCATION cannot be written to "
+fi
+grep -h  "^ipset=" $LOCATION_DNSMASQS  | cut -d"/" -f"2" | sort | uniq -c  | while read hosts ;
+do
+	nr_matches=$(echo $hosts | awk '{print $1}')
+	host_entry=$(echo $hosts | awk '{print $2}')
+        if (($nr_matches > 1 ))  &&  [ -n $host_entry ] ;
+	then
+                 build_entry="ipset=/$host_entry"
+		 while read found_sets
+		 do
+			 build_entry+="/$found_sets"
+		 done <<< $(grep -h "^ipset=/$host_entry/" $LOCATION_DNSMASQS | cut -d"/" -f 3- | tr "/" "\n" | sort | uniq )
+		echo $build_entry >> $TMP_LOCATION
+                echo $build_entry
+	fi
+done
+filesize_tmp=$(stat -c %s $TMP_LOCATION)
+if [ $filesize_tmp == "0" ]
+then
+rm $TMP_LOCATION
+echo "No double ipsets found in $LOCATION_DNSMASQS"
+exit 0
+fi
+cmp -s $TMP_LOCATION $FINAL_LOCATION
+compare_ret="$?"
+if [ $compare_ret == "0" ]
+then
+	rm $TMP_LOCATION
+        echo "Current ipsets have already been merged"
+	exit 0
+fi
+dnsmasq --test --conf-file=$TMP_LOCATION
+ipset_tests="$?"
+if [ $ipset_tests != "0" ]
+then
+	rm $TMP_LOCATION
+	bailout "FAIL: Malformed config file: $TMP_LOCATION"
+fi
+#2022-02-21 cc: Keep Ownership intact
+cat $TMP_LOCATION > $FINAL_LOCATION
+rm $TMP_LOCATION
+systemctl reload dnsmasq || bailout "FAIL: Cannot reload dnsmasq"
+exit 0
+</code>
+  * {{ :know-how:ipset-master.zip |}}
+===== Blocks - IPSET =====
+  * In Kombination mit dnsmasq und seiner Funktionalität ipsets aktualisieren zu können
+  *  www-data muss dnsmasq neu starten können zB: visudo -> www-data  ALL=(ALL)NOPASSWD:/usr/sbin/service dnsmasq restart / und die entsprechenden Berechtigungen für das Set File besitzen unter /etc/dnsmasq.d/ipset-foo.conf
+  * {{ :know-how:blocked-ipset.zip |}}
+===== Blocks - Hostnamen =====
+  * In Kombination mit dnsmasq / um quasi "dns Spoofing" zu betreiben d.h. das Resolving zu überschreiben für bestimmte Hostnamen
+  * www-data muss dnsmasq neu starten können zB: visudo -> www-data  ALL=(ALL)NOPASSWD:/usr/sbin/service dnsmasq restart
+  * {{ :know-how:blocked-addresses.zip |}}
 ===== Proxy =====
   * Um squid proxy ACLs zu bearbeiten