- #!/bin/bash
- #
- # banlist Start and stop ipset firewall banlist
- #
# Arrays populated by the defaults below and, optionally, overridden by the
# sourced configuration file.
declare -a PORTS
declare -A TRAPS
declare -A WHITESETSPEC BLACKSETSPEC BANSETSPEC
# Base path of the configuration (${CONFFILEPREFIX}.conf) and of the saved
# ipsets (${CONFFILEPREFIX}.sets).
CONFFILEPREFIX=/etc/sysconfig/banlist
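############################
### DEFAULT VALUES BELOW ###
############################
# Don't edit these variables directly, create a configuration file and redefine
# them in there.

# Connection limit banning traps, format: ([trap]=hits,seconds ...)
# NOTE: The maximum value for hits is 20 unless you change the xt_recent module
# value for the specified trap. Only create traps you use in your PORTS.
TRAPS=([ssh]=4,600 [bt]=20,20 [scan]=3,60)

# Guarded ports, format: (port/protocol,trap ... {'*',trap})
# NOTE: You can use * as the last port/protocol to guard everything not
# previously specified. All traps must be defined in TRAPS.
# The wildcard entry is quoted: unquoted, the shell would glob-expand it
# against the current directory and a matching file name would silently
# replace the catch-all rule.
PORTS=(22/tcp,ssh 6881/tcp,bt 6881/udp,bt '*,scan')

# Name prefix, hashsize and maxelem features for the whitelist, blacklist and
# banlist ipsets,
# format: (['name']=prefix ['4']=hashsize,maxelem ['6']=hashsize,maxelem),
# the banlist ipset also has a ['timeout']=bantime member specifying the
# automatic banning time in seconds.
# NOTE: The ipv4 sets will have exactly these names, the ipv6 sets will have a
# 6 appended. The numerical values are only used once for initializing the
# empty ipsets.
WHITESETSPEC=([name]=whitelist [4]=32,4096 [6]=32,4096)
BLACKSETSPEC=([name]=blacklist [4]=512,32768 [6]=512,32768)
BANSETSPEC=([name]=banlist [4]=1024,65536 [6]=1024,65536 [timeout]=3600)

# Name of the ip(6)tables chains you supplied. You must create and jump to
# these chains with iptables and ip6tables or firewall-cmd yourself.
CHAIN=INPUT_ban

# Name of the ip(6)tables automatic banning chain.
# NOTE: The ip(6)tables xt_recent lists will be named like the banchain with an
# underscore and the name of (one of) the traps appended.
BANCHAIN=BAN

# System log prefix for automatically banned ips.
# NOTE: The name of the trap that got the ip banned will be wrapped in brackets
# and appended to this string.
LOGPREFIX=AUTOBAN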
# The configuration file is mandatory. It is executed as shell code and can
# redefine any of the defaults above, so it must only be writable by root.
if [[ ! -f "${CONFFILEPREFIX}.conf" ]]; then
  printf "Configuration error: configuration file '%s.conf' not found.\n" "${CONFFILEPREFIX}" >&2
  exit 1
fi
source "${CONFFILEPREFIX}.conf"
#######################################
# Create the three empty ipsets for one address family.
# Globals:   WHITESETSPEC, BLACKSETSPEC, BANSETSPEC (read)
# Arguments: $1 - 4 or 6 (ipv6 set names get a 6 appended)
# Returns:   status of the last ipset command
#######################################
create() {
  local suffix=${1/4/}
  local family="inet${suffix}"
  local wspec=${WHITESETSPEC[$1]} bspec=${BLACKSETSPEC[$1]} nspec=${BANSETSPEC[$1]}
  # White/black lists hold networks and carry a comment per entry.
  ipset create "${WHITESETSPEC[name]}${suffix}" hash:net family "${family}" \
    hashsize "${wspec%,*}" maxelem "${wspec#*,}" comment
  ipset create "${BLACKSETSPEC[name]}${suffix}" hash:net family "${family}" \
    hashsize "${bspec%,*}" maxelem "${bspec#*,}" comment
  # The ban list holds single addresses that expire after the configured timeout.
  ipset create "${BANSETSPEC[name]}${suffix}" hash:ip family "${family}" \
    hashsize "${nspec%,*}" maxelem "${nspec#*,}" timeout "${BANSETSPEC[timeout]}"
}
#######################################
# Destroy the three ipsets of one address family (whitelist, blacklist, banlist
# in that order).
# Globals:   WHITESETSPEC, BLACKSETSPEC, BANSETSPEC (read)
# Arguments: $1 - 4 or 6
# Returns:   status of the last ipset command
#######################################
destroy() {
  local suffix=${1/4/} name
  for name in "${WHITESETSPEC[name]}" "${BLACKSETSPEC[name]}" "${BANSETSPEC[name]}"; do
    ipset destroy "${name}${suffix}"
  done
}
#######################################
# Test whether an ip(6)tables chain exists.
# Arguments: $1 - 4 or 6 (selects iptables or ip6tables)
#            $2 - chain name
# Returns:   0 if listing the chain succeeds, non-zero otherwise
#######################################
exists() {
  local ipt="ip${1/4/}tables"
  "${ipt}" -w -L "${2}" -n >/dev/null 2>&1
}
#######################################
# Install the banning rules for one address family.
# Globals:   CHAIN, BANCHAIN, LOGPREFIX, TRAPS, PORTS,
#            WHITESETSPEC, BLACKSETSPEC, BANSETSPEC (read)
# Arguments: $1 - 4 or 6
# Returns:   status of the last ip(6)tables command
#######################################
add() {
  local ipt="ip${1/4/}tables" suffix=${1/4/}
  local t entry port spec
  # Ban chain: record the offender in the ban ipset, then (per trap) clear its
  # xt_recent entry while logging which trap fired, and finally drop.
  "${ipt}" -w -N "${BANCHAIN}"
  "${ipt}" -w -A "${BANCHAIN}" -j SET --add-set "${BANSETSPEC[name]}${suffix}" src
  # Whitelisted sources leave the chain untouched; blacklisted and currently
  # banned sources are dropped before any trap is consulted.
  "${ipt}" -w -A "${CHAIN}" -m set --match-set "${WHITESETSPEC[name]}${suffix}" src -j RETURN
  "${ipt}" -w -A "${CHAIN}" -m set --match-set "${BLACKSETSPEC[name]}${suffix}" src -j DROP
  "${ipt}" -w -A "${CHAIN}" -m set --match-set "${BANSETSPEC[name]}${suffix}" src -j DROP
  for t in "${!TRAPS[@]}"; do
    spec=${TRAPS[$t]}
    "${ipt}" -w -A "${BANCHAIN}" -m recent --name "${BANCHAIN}_${t}" --remove -j LOG --log-prefix "${LOGPREFIX}(${t}) "
    # hits (before the comma) within seconds (after the comma) sends the source to the ban chain.
    "${ipt}" -w -A "${CHAIN}" -m recent --name "${BANCHAIN}_${t}" --rcheck --rttl --seconds "${spec#*,}" --hitcount "${spec%,*}" -j "${BANCHAIN}"
  done
  "${ipt}" -w -A "${BANCHAIN}" -j DROP
  # Guarded ports feed their trap's xt_recent list. These rules must come after
  # the threshold checks above, so this loop is last.
  for entry in "${PORTS[@]}"; do
    port=${entry%,*}
    t=${entry##*,}
    if [[ "${port}" == '*' ]]; then
      "${ipt}" -w -A "${CHAIN}" -m recent --name "${BANCHAIN}_${t}" --set
    else
      # An earlier variant also restricted this to -m state --state NEW.
      "${ipt}" -w -A "${CHAIN}" -p "${port#*/}" --dport "${port%/*}" -m recent --name "${BANCHAIN}_${t}" --set -j RETURN
    fi
  done
}
#######################################
# Remove the banning rules for one address family: flush the user-supplied
# chain, then flush and delete the ban chain.
# Globals:   CHAIN, BANCHAIN (read)
# Arguments: $1 - 4 or 6
# Returns:   status of the last ip(6)tables command
#######################################
remove() {
  local ipt="ip${1/4/}tables"
  "${ipt}" -w -F "${CHAIN}"
  "${ipt}" -w -F "${BANCHAIN}"
  "${ipt}" -w -X "${BANCHAIN}"
}
#######################################
# Block until the user-supplied chain exists for both address families.
# Polls every 0.2 s, at most 150 times (about 30 s).
# Globals:   CHAIN (read)
# Returns:   0 once both chains exist, 1 after giving up
#######################################
wait_for_chain() {
  local attempt
  for (( attempt = 1; ; attempt++ )); do
    if exists 4 "${CHAIN}" && exists 6 "${CHAIN}"; then
      return 0
    fi
    if (( attempt >= 150 )); then
      printf '%s\n' "Configuration error: giving up waiting for firewall rules." >&2
      return 1
    fi
    sleep 0.2
  done
}
#######################################
# Running means the ban chain exists for both address families.
# Globals:   BANCHAIN (read)
# Returns:   0 if running, otherwise the status of the failing exists call
#######################################
is_running() {
  local chain=${BANCHAIN}
  exists 4 "${chain}" || return
  exists 6 "${chain}"
}
#######################################
# Verify that the user-supplied chain exists for both address families,
# reporting each missing one on stderr.
# Globals:   CHAIN (read)
# Returns:   bitmask: 1 = iptables chain missing, 2 = ip6tables chain missing
#######################################
check_config() {
  local status=0
  if ! exists 4 "${CHAIN}"; then
    printf "Configuration error: iptables chain '%s' not present.\n" "${CHAIN}" >&2
    status=$((status | 1))
  fi
  if ! exists 6 "${CHAIN}"; then
    printf "Configuration error: ip6tables chain '%s' not present.\n" "${CHAIN}" >&2
    status=$((status | 2))
  fi
  return "${status}"
}
#######################################
# Bring the banlist up: create (or restore) the ipsets and install the rules
# for both address families.
# Globals:   CONFFILEPREFIX (read)
# Returns:   1 if already running, otherwise the status of the last add
#######################################
start() {
  if is_running; then
    echo "Already running." >&2
    return 1
  fi
  local sets="${CONFFILEPREFIX}.sets"
  # Sets saved by a previous 'stop' take precedence over fresh empty ones.
  if [[ -f "${sets}" ]]; then
    ipset restore -file "${sets}"
  else
    create 4
    create 6
  fi
  add 4
  add 6
}
#######################################
# Take the banlist down: remove the rules, optionally persist the ipsets, then
# destroy them.
# Globals:   CONFFILEPREFIX, WHITESETSPEC, BLACKSETSPEC, BANSETSPEC (read)
# Arguments: $1 - 's' to write all six sets to ${CONFFILEPREFIX}.sets so the
#                 next start restores them instead of creating empty sets
# Returns:   1 if not running, otherwise the status of the last destroy
#######################################
stop() {
  if ! is_running; then
    echo "Not running." >&2
    return 1
  fi
  local name suffix
  # Rules must go first: ipsets referenced by rules cannot be destroyed.
  remove 4
  remove 6
  if [[ "${1}" == 's' ]]; then
    # Order: whitelist, whitelist6, blacklist, blacklist6, banlist, banlist6.
    {
      for name in "${WHITESETSPEC[name]}" "${BLACKSETSPEC[name]}" "${BANSETSPEC[name]}"; do
        for suffix in '' 6; do
          ipset save "${name}${suffix}"
        done
      done
    } > "${CONFFILEPREFIX}.sets"
  fi
  destroy 4
  destroy 6
}
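# Command dispatch. Every action except 'wait' requires the user-supplied
# chains to exist already; 'wait' is the helper that blocks until they do.
case "${1}" in
  start)
    check_config || exit 1
    start
    RETVAL=$?
    ;;
  stop)
    check_config || exit 1
    stop s
    RETVAL=$?
    ;;
  reload)
    check_config || exit 1
    # Stop without saving, then start again: start restores the on-disk
    # ${CONFFILEPREFIX}.sets when present, otherwise creates empty sets, so the
    # live contents of the sets are not carried over by a reload.
    stop
    start
    RETVAL=$?
    ;;
  wait)
    wait_for_chain
    RETVAL=$?
    ;;
  *)
    # 'wait' was accepted above but missing from the usage line.
    echo "Usage: banlist.start-stop {start|stop|reload|wait}" >&2
    exit 1
    ;;
esac
exit "${RETVAL}"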