IP/CIDR blocklist management service for Linux servers utilizing iptables that integrates local and remote feeds, alongside safelists.

blwarren/kidobo

kidobo

kidobo is a one-shot Linux firewall blocklist manager. It builds IPv4/IPv6 blocklists from local and remote sources, subtracts safelist entries, and updates ipset atomically with deterministic iptables/ip6tables wiring.

Requirements

  • Linux
  • sudo
  • ipset
  • iptables, iptables-save, iptables-restore
  • ip6tables (only when IPv6 is enabled)

doctor, sync, and flush run privileged commands via sudo -n .... With default system paths, init is also typically run with sudo.

Install

Release artifacts are currently published for Linux x86_64. For other targets, build from source.

Install latest release:

curl -fsSL https://raw.githubusercontent.com/blwarren/kidobo/main/scripts/install.sh | sudo bash

Install a specific release:

curl -fsSL https://raw.githubusercontent.com/blwarren/kidobo/main/scripts/install.sh | sudo bash -s -- --version v0.5.3

Install and initialize in one step:

curl -fsSL https://raw.githubusercontent.com/blwarren/kidobo/main/scripts/install.sh | sudo bash -s -- --init

Uninstall:

curl -fsSL https://raw.githubusercontent.com/blwarren/kidobo/main/scripts/install.sh | sudo bash -s -- --uninstall

Build from source:

cargo build --release --locked
./target/release/kidobo --help

Quick Start

  1. Initialize files:
     sudo kidobo init
  2. Edit config:
     sudoedit /etc/kidobo/config.toml
  3. (Optional) add local entries:
     echo "203.0.113.0/24" | sudo tee -a /var/lib/kidobo/blocklist.txt
  4. Check environment:
     sudo kidobo doctor
  5. Apply blocklists:
     sudo kidobo sync
  6. Check whether targets match (offline):
     kidobo lookup 203.0.113.7
     kidobo lookup --file targets.txt
  7. Remove kidobo firewall/ipset artifacts (optional):
     sudo kidobo flush
     sudo kidobo flush --cache-only
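
To see what subtracting a safelist entry does to a blocked range such as 203.0.113.0/24, the following added example (not kidobo's own code, and not necessarily its algorithm) carves safelisted ranges out of a blocklist and then performs an offline lookup against the result. The function names, the one-entry-per-line parsing, and the sample data are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (documentation ranges), one IP/CIDR per line.
BLOCK_LINES = ["203.0.113.0/24", "198.51.100.0/25", "198.51.100.128/25",
               "2001:db8:1::/48"]
SAFE_LINES = ["203.0.113.7", "2001:db8::/32"]

def parse_entries(lines):
    """Parse non-blank lines as networks; a bare IP becomes a /32 or /128."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in lines if line.strip()]

def effective_blocklist(block, safe):
    """Return the block networks with every safelisted range carved out."""
    result = []
    for version in (4, 6):  # collapse_addresses() rejects mixed families
        remaining = list(ipaddress.collapse_addresses(
            n for n in block if n.version == version))
        for s in (n for n in safe if n.version == version):
            kept = []
            for b in remaining:
                if not b.overlaps(s):
                    kept.append(b)                     # unaffected by s
                elif b.subnet_of(s):
                    continue                           # fully safelisted
                else:
                    kept.extend(b.address_exclude(s))  # split b around s
            remaining = kept
        result.extend(sorted(remaining))
    return result

def lookup(target, nets):
    """Offline match: which networks contain the target address?"""
    addr = ipaddress.ip_address(target)
    return [n for n in nets if addr in n]

if __name__ == "__main__":
    eff = effective_blocklist(parse_entries(BLOCK_LINES),
                              parse_entries(SAFE_LINES))
    for net in eff:
        print(net)
    print("203.0.113.7 ->", lookup("203.0.113.7", eff))
    print("203.0.113.8 ->", lookup("203.0.113.8", eff))
```

A single safelisted address inside a /24 turns one set entry into eight, which is worth keeping in mind when sizing ipset.maxelem.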

Commands

kidobo init
kidobo doctor
kidobo sync
kidobo flush [--cache-only]
kidobo lookup [ip | --file <path>]

Global flags:

  • --version
  • --log-level <trace|debug|info|warn|error>

Logging format:

  • KIDOBO_LOG_FORMAT=auto|human|journal (default auto)
  • auto uses journal under systemd or when stderr is non-TTY, and human for interactive TTY runs
  • KIDOBO_LOG_COLOR=auto|always|never controls color in human format (default auto)
  • In auto, human format uses colored level labels on interactive TTY output and respects NO_COLOR

Minimal Config

/etc/kidobo/config.toml:

[ipset]
set_name = "kidobo"

[safe]
ips = []
include_github_meta = true
github_meta_url = "https://api.github.com/meta"

[remote]
timeout_secs = 30
urls = []

Useful options:

  • ipset.set_name_v6: optional, defaults to <set_name>-v6
  • ipset.enable_ipv6: default true
  • ipset.chain_action: DROP (default) or REJECT
  • ipset.maxelem: range [1, 500000]
  • remote.timeout_secs: range [1, 3600]

Defaults

  • Config file: /etc/kidobo/config.toml
  • Local blocklist: /var/lib/kidobo/blocklist.txt
  • Cache dir: /var/cache/kidobo
  • Systemd units:
    • /etc/systemd/system/kidobo-sync.service
    • /etc/systemd/system/kidobo-sync.timer

kidobo init creates missing files and systemd units. At default paths it also runs systemctl daemon-reload and enables kidobo-sync.timer, and writes KIDOBO_LOG_FORMAT=journal into kidobo-sync.service.

Notes

  • lookup does not fetch remote data; it only uses local and cached sources.
  • KIDOBO_ROOT relocates config/data/cache paths under a custom root.

License

MIT (see LICENSE).
