[!IMPORTANT] A very important feature has been added: dedicated lists of VK/Max/OK Service networks that can be used to block OUTGOING traffic from your server (iptables/ipset and nftables formats are available). This can help reduce the risk of Messenger MAX being used to compromise your VPN server. The best security option is to avoid installing Messenger MAX at all on a phone where VPN access is configured.
This repository contains Python scripts that allow you to retrieve network lists based on either an Autonomous System (AS) name or a Network name. Also you can download and parse the whole RIPE database to get information about Networks for the further analysis.
Ready-to-use blacklists in multiple formats:
blacklists/ - Plain text format with IPv4/IPv6 separationblacklists_nginx/ - Ready to include in your nginx configblacklists_iptables/ - Optimized for iptables with ipsetblacklists_nftables/ - Ready-to-load sets and rules for nftablesblacklists_route/ - VK route blackholes to loopback (IPv4/IPv6)network_list_from_as.py: Retrieves a list of networks associated with a given AS name.network_list_from_netname.py: Retrieves a list of networks associated with a given Network name.get_info_from_ripe.py: Retrieves information about Russian AS numbers and Networks from RIPE database for the further analysis.get_description.py: Retrieves network names, AS names and organisation names from RIPE. Updates the lists in the folder auto/.parse_ripe_db.py: Parses the whole RIPE database to get information about Networks for the further analysis.generate_nft_blacklist.py: Takes text blacklist on the input and generates nftables config with sets.check_nft_blacklist.py: Checks IPv4/IPv6 address against generated nftables config.blacklists_updater_txt.sh: Generates text-based blacklists with IPv4/IPv6 separationblacklists_updater_nginx.sh: Generates nginx configuration files with deny directivesblacklists_updater_iptables.sh: Generates ipset configuration files for iptables/ip6tablesblacklists_updater_nftables.sh: Generates nftables blacklist files (mixed/v4/v6 and VK-specific)blacklists_updater_routes.sh: Generates Linux route files to send VK networks to loopback (127.0.0.1 / ::1)Text Format (blacklists/ folder):
blacklist.txt: Mixed IPv4/IPv6 blacklist (daily generated)blacklist-v4.txt: IPv4-only blacklist (daily generated)blacklist-v6.txt: IPv6-only blacklist (daily generated)blacklist_with_comments.txt: Blacklist with network metadata (daily generated)Nginx Format (blacklists_nginx/ folder):
blacklist.conf: Nginx deny rules for mixed IPv4/IPv6 (daily generated)blacklist-v4.conf: Nginx deny rules for IPv4 only (daily generated)blacklist-v6.conf: Nginx deny rules for IPv6 only (daily generated)README.md: Complete usage documentation for nginx integrationIPTables/IPSet Format (blacklists_iptables/ folder):
blacklist-v4.ipset: IPSet configuration for IPv4 only (daily generated)blacklist-v6.ipset: IPSet configuration for IPv6 only (daily generated)blacklist-vk-v4.ipset: IPSet configuration for VK-only IPv4 networks (daily generated)blacklist-vk-v6.ipset: IPSet configuration for VK-only IPv6 networks (daily generated)README.md: Complete usage documentation for iptables integrationnftables Format (blacklists_nftables/ folder):
blacklist.nft: nftables set definitions for mixed IPv4/IPv6 (daily generated)blacklist-v4.nft: nftables configuration for IPv4 only (daily generated)blacklist-v6.nft: nftables configuration for IPv6 only (daily generated)blacklist-vk.nft: nftables set definitions for VK-only mixed IPv4/IPv6 (daily generated)blacklist-vk-v4.nft: nftables configuration for VK-only IPv4 networks (daily generated)blacklist-vk-v6.nft: nftables configuration for VK-only IPv6 networks (daily generated)README.md: Complete usage documentation for nftables integrationLinux Routes Format (blacklists_route/ folder):
blacklist-vk-v4.routes: IPv4 routes for VK-only networks to 127.0.0.1 via lo (daily generated)blacklist-vk-v6.routes: IPv6 routes for VK-only networks to ::1 via lo (daily generated)Contributors are welcome!
lists/ru-gov-netnames.txt: A list of network names associated with the Russian government.auto/all-ru-asn.txt.auto/all-ru-*.txt: Monthly generated lists of all Russian networks and ASNsauto/ripe-ru-*.txt: Weekly generated lists of Russian networks from RIPE databaseThese scripts have been tested on MacOS, FreeBSD and Linux.
No setup required! Just download and use:
For Nginx:
# Download and include in your nginx configuration
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nginx/blacklist.conf
# Then add to your nginx config: include /path/to/blacklist.conf;
For IPTables/IPSet:
# Download and load IPv4/IPv6 sets into ipset
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_iptables/blacklist-v4.ipset
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_iptables/blacklist-v6.ipset
ipset restore < blacklist-v4.ipset
ipset restore < blacklist-v6.ipset
iptables -I INPUT -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
ip6tables -I INPUT -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP
For nftables:
# Download and load nftables sets
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist.nft
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-v4.nft
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-v6.nft
sudo nft -f blacklist.nft
sudo nft -f blacklist-v4.nft
sudo nft -f blacklist-v6.nft
# Protect VM from incoming blacklist sources
sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'
sudo nft add rule inet filter input ip saddr @blacklist_v4 counter reject
sudo nft add rule inet filter input ip6 saddr @blacklist_v6 counter reject
# VK-only outbound blocking for VPN clients via NAT/FORWARD
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-vk.nft
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-vk-v4.nft
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_nftables/blacklist-vk-v6.nft
sudo nft -f blacklist-vk.nft
sudo nft -f blacklist-vk-v4.nft
sudo nft -f blacklist-vk-v6.nft
sudo nft add chain inet filter forward '{ type filter hook forward priority 0; policy accept; }'
sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip daddr @blacklist_vk_v4 counter reject
sudo nft add rule inet filter forward iifname "<VPN_IFACE>" ip6 daddr @blacklist_vk_v6 counter reject
# View the loaded rules
sudo nft list ruleset
For Linux Routes (VK loopback blackhole):
# Download and apply VK route files
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_route/blacklist-vk-v4.routes
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists_route/blacklist-vk-v6.routes
sudo sh blacklist-vk-v4.routes
sudo sh blacklist-vk-v6.routes
For Custom Applications:
# Download plain text blacklist
wget https://raw.githubusercontent.com/C24Be/AS_Network_List/main/blacklists/blacklist.txt
See the README files in each folder for detailed usage instructions.
Clone this repository:
bash
git clone https://github.com/C24Be/AS_Network_List.git
Navigate to the repository folder:
bash
cd AS_Network_List
Install the required Python packages:
bash
./requirements.sh
If this step causes issue PEP 668 due to python version >=3.12 and you're unfamiliar with virtual environments, use this workaround:
bash
pip install -r requirements.txt --break-system-packages
network_list_from_as.pyRun the script with the AS number as an argument:
bash
./network_list_from_as.py AS61280
Run the script with a URL to a file with one ASN per line:
bash
./network_list_from_as.py https://example.com/asns.txt
Or better use the raw file link:
bash
./network_list_from_as.py https://example.com/asns-raw.txt
To display a help message, use the -h or --help switch:
bash
./network_list_from_as.py --help
network_list_from_netname.pyRun the script with a file containing a list of network names as an argument:
bash
./network_list_from_netname.py lists/ru-gov-netnames.txt
Run the script with a URL to a file in a GitHub repository as an argument:
bash
./network_list_from_netname.py https://github.com/C24Be/AS_Network_List/blob/main/lists/ru-gov-netnames.txt
Or better use the raw file link:
bash
./network_list_from_netname.py https://raw.githubusercontent.com/C24Be/AS_Network_List/main/lists/ru-gov-netnames.txt
To display a help message, use the -h or --help switch:
bash
./network_list_from_netname.py --help
generate_nft_blacklist.pyGenerate nftables config from blacklist:
bash
./generate_nft_blacklist.py blacklists/blacklist.txt blacklist.nft
check_nft_blacklist.pyCheck IP address against generated config:
bash
./check_nft_blacklist.py blacklist.nft 77.37.166.239
This repository uses GitHub Actions to automatically update blacklists:
update_blacklists.yml - Updates all blacklist formats (text, nginx, iptables)update_ru_all_lists.yml - Updates comprehensive Russian network listsparse_ripe_database.yml - Parses RIPE database for Russian networksresolve_networks.yml - Resolves network names and descriptionsAll blacklists are automatically regenerated and committed to ensure you always have the latest data.
We welcome contributions! Feel free to submit a pull request or open an issue.
$ claude mcp add AS_Network_List \
-- python -m otcore.mcp_server <graph>