Untitled

#!/bin/sh
#################################################################################################
## 25/12/2013 --- RT-AC56U / RT-ACRT66U / RT-AC68U Firewall Addition v1.0 Beta                  #
######################################################################################################
###          ----- Make Sure To Edit The Following Files -----                                       #
### /jffs/scripts/firewall-start                    <-- Blacklists IP's From /jffs/scripts/ipset.txt #
### /jffs/scripts/ipset.txt                   <-- Banned IP List/IPSet Rules                         #
######################################################################################################

##############################
#####Commands / Variables#####
##############################
UNBANSINGLE="unban"          # <-- Remove Single IP From Blacklist
UNBANALL="unbanall"          # <-- Unbans All IPs In Blacklist
REMOVEBANS="removeall"       # <-- Remove All Entries From Blacklist
SAVEIPSET="save"             # <-- Save Blacklists to /jffs/scripts/ipset.txt
BANSINGLE="ban"              # <-- Adds Entry To Blacklist
BANCOUNTRYSINGLE="country"   # <-- Adds entire country to blacklist
BANCOUNTRYLIST="bancountry"  # <-- Bans specified countries in this file
HIDEMYASS="hideme"           # <-- Switch to unrestricted DNS (proxydns.co)
BACKUPRULES="backup"         # <-- Backup IPSet Rules to /jffs/scripts/ipset2.txt
##############################


started=`date`
bannedips=/jffs/scripts/ipamount

###############################################################################################
# Unban / Unbanall / Removeall / Scan / Ban / Country / Bancountry / Hideme / Findme / Backup #
###############################################################################################

if [ X"$@" = X"$UNBANSINGLE" ]
then
    echo "Input IP Address To Unban"
    read unbannedip
    logger -t Firewall "[Unbanning And Removing $unbannedip From Blacklist] ... ... ..."
    ipset -q -D Blacklist $unbannedip
    echo "`sed /$unbannedip/d /jffs/scripts/ipset.txt`" > /jffs/scripts/ipset.txt
    echo "$unbannedip Is Now Unbanned"

elif [ X"$@" = X"$UNBANALL" ]
then
    echo "[Unbanning All IP's] ... ... ..."
    logger -t Firewall "[Unbanning All IP's] ... ... ..."
    ipset flush

elif [ X"$@" = X"$REMOVEBANS" ]
then
    expr `ipset list | wc -l` - 15 > /jffs/scripts/ipamount
    echo "[Deleting All `cat $bannedips` Entries From Blacklist] ... ... ..."
    logger -t Firewall "[Deleting `cat $bannedips` Entries From Blacklist] ... ... ..."
    ipset flush
    ipset save > /tmp/home/root/ipset.txt

elif [ X"$@" = X"$SAVEIPSET" ]
then
    echo "[Saving Blacklists] ... ... ..."
    ipset save > /jffs/scripts/ipset.txt
    echo "`sed '/crond: USER admin/d' /tmp/syslog.log`" > /tmp/syslog.log

elif [ X"$@" = X"$BANSINGLE" ]
then
    echo "Input IP Address"
    read bannedip
    logger -t Firewall "[Adding $bannedip To Blacklist] ... ... ..."
    ipset -q -A Blacklist $bannedip
    echo "$bannedip Is Now Banned"

elif [ X"$@" = X"$BANCOUNTRYSINGLE" ]
then
    echo "Input Country Abreviation"
    read country
    for ip in $(wget -q -O - http://www.ipdeny.com/ipblocks/data/countries/$country.zone)
    do
    ipset -q -A BlockedCountries $ip
    done

elif [ X"$@" = X"$BANCOUNTRYLIST" ]
then
    echo "[Banning Spam Countries] ... ... ..."
    for country in cn pk ur af
    do
    for IP in $(wget -q -O - http://www.ipdeny.com/ipblocks/data/countries/$country.zone)
    do
    ipset -q -A BlockedCountries $IP
    done
    done

elif [ X"$@" = X"$HIDEMYASS" ]
then
    echo "Switching To Unrestricted Proxy DNS"
    logger -t Firewall "[Switching To Unrestricted Proxy DNS] ... ... ..."
    echo "nameserver 74.207.242.213" > /etc/resolv.conf
    echo "nameserver 50.116.28.138" >> /etc/resolv.conf
    killall dnsmasq
    dnsmasq


elif [ X"$@" = X"$BACKUPRULES" ]
then
    echo "Backing Up Current IPSet Rules"
    cp -f /jffs/scripts/ipset.txt /jffs/scripts/ipset2.txt

else
    echo "[IP Banning Started] ... ... ..."
    logger -t Firewall "[IP Banning Started] ... ... ..."
    # load ipset modules
    IPSET_PATH=/lib/modules/2.6.22.19/kernel/net/ipv4/netfilter
    insmod $IPSET_PATH/ip_set.ko
    insmod $IPSET_PATH/ip_set_nethash.ko
    insmod $IPSET_PATH/ip_set_iphash.ko
    insmod $IPSET_PATH/ipt_set.ko
    sleep 2
    echo "0 * * * * /jffs/scripts/firewall-start save" > /var/spool/cron/crontabs/admin
    echo "0 5 * * * /jffs/scripts/firewall-start backup" >> /var/spool/cron/crontabs/admin
    [ -n "`pidof crond`" ] && killall -q crond
    sleep 1
    crond

    ipset -! restore -f /jffs/scripts/ipset.txt
    ipset -N -q Blacklist iphash --hashsize 1024 --maxelem 200000
    ipset -N -q BlockedCountries nethash --hashsize 4096 --maxelem 200000
    iptables -D logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    iptables -D INPUT -m set --set Blacklist src -j DROP
    iptables -D INPUT -m set --set BlockedCountries src -j DROP
    iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src
    iptables -I INPUT -m set --set Blacklist src -j DROP
    iptables -I INPUT -m set --set BlockedCountries src -j DROP
    iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src
    echo "`sed '/DROP IN=/d' /tmp/syslog.log`" > /tmp/syslog.log
fi

#########
#Logging#
#########
OLDAMOUNT=`cat /jffs/scripts/ipamount`
echo "Started:  $started"
echo "Finished: `date`"
expr `ipset list | wc -l` - 15 > /jffs/scripts/ipamount
NEWAMOUNT=`cat /jffs/scripts/ipamount`
echo "`cat $bannedips` IP's currently banned."
logger -t Firewall "[Complete] `cat $bannedips` IPs currently banned. `expr $NEWAMOUNT - $OLDAMOUNT` New IP's Banned. "