  1. #!/bin/bash
  2. #
  3. # banlist  Start and stop ipset firewall banlist
  4. #
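# Container variables; the site configuration sourced below may redefine any
# of the defaults that follow.
declare -a PORTS
declare -A TRAPS WHITESETSPEC BLACKSETSPEC BANSETSPEC

# Base path of the site files: "<prefix>.conf" is sourced below, and
# "<prefix>.sets" is where 'stop' persists the ipsets and 'start' reads them.
CONFFILEPREFIX=/etc/sysconfig/banlist

############################
### DEFAULT VALUES BELOW ###
############################
# Don't edit these variables directly, create a configuration file and redefine
# them in there.

# Create connection limit banning traps, format: ([trap]=hits,seconds ...)
# NOTE: The maximum value for hits = 20 unless you change the xt_recent module
# value for the specified trap. Only create traps you use in your PORTS.
TRAPS=([ssh]=4,600 [bt]=20,20 [scan]=3,60)

# Create guarded ports, format: (port/protocol,trap ... {'*',trap})
# NOTE: You can use * as the last port/protocol to guard everything not
# previously specified. All traps must be defined in TRAPS.
# NOTE: Every packet that reaches CHAIN on a guarded port counts as one hit
# for its trap (the generated rules carry no --state NEW match), so only jump
# into CHAIN for new connections, or accept ESTABLISHED traffic before the
# jump; otherwise a legitimate long-lived session trips its own trap.
PORTS=(22/tcp,ssh 6881/tcp,bt 6881/udp,bt *,scan)

# Set the name prefix, hashsize and maxelem features for the whitelist,
# blacklist and banlist ipsets,
# format: (['name']=prefix ['4']=hashsize,maxelem ['6']=hashsize,maxelem),
# the banlist ipset also has a ['timeout']=bantime member specifying the
# automatic banning time in seconds.
# NOTE: The ipv4 sets will have exactly these names, the ipv6 sets will have a
# 6 appended. The numerical values are only used once for initializing the
# empty ipsets.
WHITESETSPEC=([name]=whitelist [4]=32,4096 [6]=32,4096)
BLACKSETSPEC=([name]=blacklist [4]=512,32768 [6]=512,32768)
BANSETSPEC=([name]=banlist [4]=1024,65536 [6]=1024,65536 [timeout]=3600)

# Set the name of the ip(6)tables chains you supplied. You must create and jump
# to these chains with iptables and ip6tables or firewall-cmd yourself.
CHAIN=INPUT_ban

# Set the name of the ip(6)tables automatic banning chain.
# NOTE: The ip(6)tables xt_recent lists will be named like the banchain with an
# underscore and the name of (one of) the traps appended.
BANCHAIN=BAN

# Set the system log prefix for automatically banned ips.
# NOTE: The name of the trap that got the ip banned will be wrapped in brackets
# and appended to this string.
LOGPREFIX=AUTOBAN

if [[ ! -f "${CONFFILEPREFIX}.conf" ]]; then
    echo "Configuration error: configuration file '${CONFFILEPREFIX}.conf' not found." >&2
    exit 1
fi
# The configuration is *executed* (sourced) with this script's privileges,
# normally root. Refuse a file that anyone but root could have edited: it must
# be owned by uid 0 and must not be group- or world-writable.
_conf_stat=$(stat -c '%u:%a' -- "${CONFFILEPREFIX}.conf") || exit 1
if [[ "${_conf_stat%%:*}" != 0 ]] || (( 8#${_conf_stat##*:} & 022 )); then
    echo "Configuration error: '${CONFFILEPREFIX}.conf' must be owned by root and not writable by group or others." >&2
    exit 1
fi
unset _conf_stat
source "${CONFFILEPREFIX}.conf"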
  57.  
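#######################################
# Create the three empty ipsets for one address family.
# Arguments: $1 - 4 or 6; ipv4 sets get the bare name, ipv6 sets a "6" suffix
# Globals:   WHITESETSPEC, BLACKSETSPEC, BANSETSPEC (read)
# Returns:   0 if all three sets were created, otherwise the exit status of
#            the first 'ipset create' that failed (the rest are skipped)
#######################################
create() {
    local fam=${1/4/}   # "" for ipv4, "6" for ipv6: both the set-name and the inet family suffix
    local spec
    # White/black lists are hash:net so whole prefixes can be listed; the
    # banlist is hash:ip with a default timeout so automatic bans expire.
    spec=${WHITESETSPEC[${1}]}
    ipset create "${WHITESETSPEC[name]}${fam}" hash:net family "inet${fam}" hashsize "${spec%,*}" maxelem "${spec#*,}" comment || return
    spec=${BLACKSETSPEC[${1}]}
    ipset create "${BLACKSETSPEC[name]}${fam}" hash:net family "inet${fam}" hashsize "${spec%,*}" maxelem "${spec#*,}" comment || return
    spec=${BANSETSPEC[${1}]}
    ipset create "${BANSETSPEC[name]}${fam}" hash:ip family "inet${fam}" hashsize "${spec%,*}" maxelem "${spec#*,}" timeout "${BANSETSPEC[timeout]}"
}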
  63.  
#######################################
# Destroy the three ipsets of one address family (whitelist, blacklist,
# banlist); each destroy is attempted even if a previous one failed.
# Arguments: $1 - 4 or 6 (ipv6 set names carry a "6" suffix)
# Globals:   WHITESETSPEC, BLACKSETSPEC, BANSETSPEC (read)
# Returns:   exit status of the last 'ipset destroy'
#######################################
destroy() {
    local fam=${1/4/}
    local setname
    for setname in "${WHITESETSPEC[name]}" "${BLACKSETSPEC[name]}" "${BANSETSPEC[name]}"; do
        ipset destroy "${setname}${fam}"
    done
}
  69.  
#######################################
# Test whether a chain exists in the filter table of iptables or ip6tables.
# Arguments: $1 - 4 or 6 (selects iptables / ip6tables)
#            $2 - chain name
# Returns:   0 if the chain can be listed, non-zero otherwise; all output is
#            discarded
#######################################
exists() {
    local ipt="ip${1/4/}tables"
    "${ipt}" -w -n -L "${2}" >/dev/null 2>&1
}
  73.  
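#######################################
# Install the banning rules for one address family.
#
# CHAIN ends up as:
#   1. whitelisted sources RETURN (bypass everything below)
#   2. blacklisted and currently banned sources DROP
#   3. per trap: source with >= hits in the last seconds  -> BANCHAIN
#   4. per guarded port: record a hit for the port's trap (RETURN), or for
#      '*' record a hit and fall through
# BANCHAIN adds the source to the ban set (expires after the set timeout),
# logs the trap that caught it, clears its xt_recent entry and drops.
#
# Arguments: $1 - 4 or 6 (selects iptables / ip6tables and the set suffix)
# Globals:   CHAIN, BANCHAIN, LOGPREFIX, TRAPS, PORTS,
#            WHITESETSPEC, BLACKSETSPEC, BANSETSPEC (read)
# Returns:   non-zero without adding any rule if BANCHAIN cannot be created
#            (a leftover chain would otherwise collect duplicate rules);
#            otherwise the status of the last rule appended
#######################################
add() {
    local fam=${1/4/}
    local ipt="ip${fam}tables"
    local white="${WHITESETSPEC[name]}${fam}"
    local black="${BLACKSETSPEC[name]}${fam}"
    local ban="${BANSETSPEC[name]}${fam}"
    local t port spec

    "${ipt}" -w -N "${BANCHAIN}" || return

    "${ipt}" -w -A "${BANCHAIN}" -j SET --add-set "${ban}" src
    "${ipt}" -w -A "${CHAIN}" -m set --match-set "${white}" src -j RETURN
    "${ipt}" -w -A "${CHAIN}" -m set --match-set "${black}" src -j DROP
    "${ipt}" -w -A "${CHAIN}" -m set --match-set "${ban}" src -j DROP
    for t in "${!TRAPS[@]}"; do
        spec=${TRAPS[${t}]}    # hits,seconds
        # LOG is non-terminating; the final DROP below still applies.
        "${ipt}" -w -A "${BANCHAIN}" -m recent --name "${BANCHAIN}_${t}" --remove -j LOG --log-prefix "${LOGPREFIX}(${t}) "
        # --rttl additionally requires the packet's TTL to match the recorded
        # one, which makes it harder to get a third party banned with
        # spoofed source addresses.
        "${ipt}" -w -A "${CHAIN}" -m recent --name "${BANCHAIN}_${t}" --rcheck --rttl --seconds "${spec#*,}" --hitcount "${spec%,*}" -j "${BANCHAIN}"
    done
    "${ipt}" -w -A "${BANCHAIN}" -j DROP
    # The --set rules come after the --rcheck rules so a packet is judged on
    # its previous hits before the current one is recorded.
    # NOTE: no --state NEW match here: every packet on a guarded port is a hit,
    # so CHAIN must only be reached by new connections (see the PORTS comment).
    for port in "${PORTS[@]}"; do
        spec=${port%,*}     # port/protocol, or '*' for the catch-all
        t=${port##*,}       # trap name
        if [[ "${spec}" == '*' ]]; then
            "${ipt}" -w -A "${CHAIN}" -m recent --name "${BANCHAIN}_${t}" --set
        else
            "${ipt}" -w -A "${CHAIN}" -p "${spec#*/}" --dport "${spec%/*}" -m recent --name "${BANCHAIN}_${t}" --set -j RETURN
        fi
    done
}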
  96.  
#######################################
# Tear down the rules of one address family: flush the user-supplied CHAIN
# and the BANCHAIN, then delete the (now empty) BANCHAIN. CHAIN itself is kept,
# it belongs to the administrator.
# Arguments: $1 - 4 or 6 (selects iptables / ip6tables)
# Globals:   CHAIN, BANCHAIN (read)
# Returns:   exit status of the chain deletion
#######################################
remove() {
    local ipt="ip${1/4/}tables"
    local c
    for c in "${CHAIN}" "${BANCHAIN}"; do
        "${ipt}" -w -F "${c}"
    done
    "${ipt}" -w -X "${BANCHAIN}"
}
  102.  
#######################################
# Block until CHAIN exists in both iptables and ip6tables, polling up to 150
# times with 0.2 s pauses (about 30 s); meant for ordering against whatever
# creates the chain (e.g. the firewall service).
# Globals:   CHAIN (read)
# Returns:   0 once both chains exist, 1 after the last failed poll
#######################################
wait_for_chain() {
    local attempt
    for (( attempt = 1; ; attempt++ )); do
        exists 4 "${CHAIN}" && exists 6 "${CHAIN}" && return 0
        (( attempt >= 150 )) && break
        sleep 0.2
    done
    echo "Configuration error: giving up waiting for firewall rules." >&2
    return 1
}
  115.  
#######################################
# Report whether the banlist is active, i.e. BANCHAIN exists in both the
# iptables and the ip6tables filter table.
# Globals:   BANCHAIN (read)
# Returns:   0 if both chains exist, non-zero otherwise
#######################################
is_running() {
    local v
    for v in 4 6; do
        exists "${v}" "${BANCHAIN}" || return 1
    done
    return 0
}
  119.  
#######################################
# Verify that the administrator-supplied CHAIN exists in both tables, printing
# one diagnostic per missing table.
# Globals:   CHAIN (read)
# Returns:   bit mask: 1 = missing in iptables, 2 = missing in ip6tables
#            (0 when both are present)
#######################################
check_config() {
    local status=0
    exists 4 "${CHAIN}" || {
        echo "Configuration error: iptables chain '${CHAIN}' not present." >&2
        status=1
    }
    exists 6 "${CHAIN}" || {
        echo "Configuration error: ip6tables chain '${CHAIN}' not present." >&2
        status=$(( status + 2 ))
    }
    return "${status}"
}
  132.  
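#######################################
# Bring the banlist up: (re)create the ipsets, then install the rules.
# The sets are restored from "<prefix>.sets" when that file exists (written
# by 'stop'), otherwise created empty.
# Globals:   CONFFILEPREFIX (read); see create/add for the rest
# Returns:   1 if already running or if the sets could not be set up (no
#            rules are installed in that case); otherwise the status of the
#            last 'add'
#######################################
start() {
    if is_running; then
        echo "Already running." >&2
        return 1
    fi
    if [[ -f "${CONFFILEPREFIX}.sets" ]]; then
        # -exist tolerates sets left behind by an unclean shutdown (chains
        # gone, sets still present), which would otherwise fail the restore.
        if ! ipset restore -exist -file "${CONFFILEPREFIX}.sets"; then
            echo "Error: could not restore the ipsets from '${CONFFILEPREFIX}.sets', rules not installed." >&2
            return 1
        fi
    else
        if ! { create 4 && create 6; }; then
            echo "Error: could not create the ipsets, rules not installed." >&2
            return 1
        fi
    fi
    add 4
    add 6
}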
  147.  
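#######################################
# Dump the six ipsets into "<prefix>.sets". Everything is written to a
# temporary file first and the real file is replaced only when every dump
# succeeded, so a failing 'ipset save' (e.g. a set that went missing) can
# never leave a truncated file behind for the next 'start'.
# Globals:   CONFFILEPREFIX, WHITESETSPEC, BLACKSETSPEC, BANSETSPEC (read)
# Returns:   0 if the file was replaced, 1 otherwise (temporary file removed)
#######################################
_save_sets() {
    local name
    local tmp="${CONFFILEPREFIX}.sets.tmp"
    : > "${tmp}" || return 1
    for name in "${WHITESETSPEC[name]}" "${BLACKSETSPEC[name]}" "${BANSETSPEC[name]}"; do
        ipset save "${name}" >> "${tmp}" && ipset save "${name}6" >> "${tmp}" || {
            rm -f -- "${tmp}"
            return 1
        }
    done
    mv -f -- "${tmp}" "${CONFFILEPREFIX}.sets"
}

#######################################
# Take the banlist down: remove the rules, optionally persist the sets, then
# destroy them. The rules go first so nothing references the sets while they
# are dumped and destroyed.
# Arguments: $1 - 's' to save the sets to "<prefix>.sets" before destroying
#            them (anything else discards their contents)
# Returns:   1 if not running; otherwise the status of the last 'destroy'
#######################################
stop() {
    if ! is_running; then
        echo "Not running." >&2
        return 1
    fi
    remove 4
    remove 6
    if [[ "${1}" == 's' ]]; then
        _save_sets || echo "Warning: could not save the ipsets, keeping the previous '${CONFFILEPREFIX}.sets'." >&2
    fi
    destroy 4
    destroy 6
}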
  166.  
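# Command dispatcher. Every action except 'wait' first requires the
# administrator's CHAIN to exist in both tables (check_config).
case "${1}" in
    start)
        check_config || exit 1
        start
        RETVAL=${?}
        ;;
    stop)
        check_config || exit 1
        stop s      # 's': persist the sets to "<prefix>.sets" before destroying them
        RETVAL=${?}
        ;;
    reload)
        # NOTE: 'stop' is called without 's' here, so entries added to the sets
        # since the last 'stop' are discarded; 'start' then rebuilds them from
        # the on-disk "<prefix>.sets" (if present) or as empty sets.
        check_config || exit 1
        stop
        start
        RETVAL=${?}
        ;;
    wait)
        # For unit ordering: block until CHAIN exists in both tables.
        wait_for_chain
        RETVAL=${?}
        ;;
    *)
        echo "Usage: banlist.start-stop {start|stop|reload|wait}" >&2
        exit 1
        ;;
esac

exit "${RETVAL}"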