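#!/bin/sh
#
# p2partisan v1.8 (30/04/2014)
#
# Builds a P2PARTISAN chain on INPUT that drops new connections to/from the
# address ranges listed in the blocklists named in ./blacklists, exempting the
# entries of ./whitelist and the ports in $whiteports. Optionally schedules a
# refresh through cru.
#
# Usage: p2partisan.sh [start|stop|restart|status|update|help]
#
# Runs as root (iptables/ipset/insmod). ./blacklists, ./whitelist and the
# generated ./iptables-add, ./iptables-del and ./ipset-del are read or executed
# by root, so the working directory must be writable by the admin only.
#
###########################################
# Adjust location where the files are kept
P2Parisandir=/cifs1/p2partisan
#
# Edit the file "blacklists" to customise if needed
# Edit the "whitelist" to overwrite the blacklist if needed
#
# Enable logging? Use only for troubleshooting. 0=off 1=on
syslogs=1
# Maximum number of logs to be recorded in a given 60 min.
# Consider setting this very low (to 1 or 2) once you are happy
# with the installation.
maxloghour=120
# To troubleshoot a blocked connection close all the secondary
# traffic (e.g. p2p) and try a connection to the blocked
# site/port; you should find a reference in the logs.
#
# Ports to be whitelisted. Whitelisted ports will never be
# blocked no matter what the source/destination IP is.
# This is very important if you're running a service like
# e.g. SMTP/HTTP/IMAP/else. Separate the values in the list below
# with commas - NOTE: leave 80 and 443 untouched, add custom ports only.
# You might want to add remote admin and VPN ports here if any.
whiteports="80,443,993,25,21"
#
# Fastroutine will process the IP classes very quickly but uses
# lots of resources. If you disable it the effect is transparent
# but the full process will take minutes rather than seconds.
# 0=disabled 1=enabled
fastroutine=1
#
# Schedule updates? (once a week is plenty)
schedule="30 4 * * 1"
#
###########################################

# Everything below works relative to $P2Parisandir; refuse to run elsewhere
# (an unmounted share would otherwise create and delete files in the caller's
# working directory).
cd "$P2Parisandir" || {
  logger -t P2PARTISAN -s "cannot cd to $P2Parisandir - aborting"
  exit 1
}

# Wrapper functions rather than aliases: alias expansion in a non-interactive
# script depends on the shell.
ipset() { /usr/sbin/ipset "$@"; }
iptables() { /usr/sbin/iptables "$@"; }
plog() { logger -t P2PARTISAN -s "$@"; }

#######################################
# Succeed when the ipset named $1 exists. A set can always be swapped with
# itself; ipset only reports 'Unknown set' when it is missing.
#######################################
pset_exists() {
  if ipset --swap "$1" "$1" 2>&1 | grep -q 'Unknown set'; then
    return 1
  fi
  return 0
}

#######################################
# Print, one per line, the set names declared in ./blacklists (first field of
# each non-comment, non-blank line). Names are restricted to [A-Za-z0-9_-]
# because they are spliced into ipset/iptables arguments and a sed expression.
#######################################
plist_names() {
  [ -f blacklists ] || return 0
  while IFS= read -r bl_line || [ -n "$bl_line" ]; do
    case "$bl_line" in ''|\#*) continue ;; esac
    set -f
    set -- $bl_line
    set +f
    case "$1" in
      ''|*[!A-Za-z0-9_-]*) plog "ignoring blacklist with invalid name: $1" ;;
      *) printf '%s\n' "$1" ;;
    esac
  done < blacklists
}

#######################################
# Stop using the tear-down scripts written by the last pstart (no-op when they
# are absent). Run through sh so the exec bit is not required.
#######################################
psoftstop() {
  [ -f ./iptables-del ] && sh ./iptables-del 2> /dev/null
  [ -f ./ipset-del ] && sh ./ipset-del 2> /dev/null
  plog "Stopping P2Partisan"
}

#######################################
# Tear everything down without depending on the generated scripts, then drop
# them. Only the sets this script manages are destroyed (those recorded in
# ipset-del, the whitelist and the names in ./blacklists); other ipsets on the
# box are left alone.
#######################################
pforcestop() {
  iptables -D INPUT -m state --state NEW -j P2PARTISAN 2> /dev/null
  iptables -F P2PARTISAN-DROP 2> /dev/null
  iptables -F P2PARTISAN 2> /dev/null
  iptables -X P2PARTISAN-DROP 2> /dev/null
  iptables -X P2PARTISAN 2> /dev/null
  [ -f ./ipset-del ] && sh ./ipset-del 2> /dev/null
  for fs_set in whitelist $(plist_names); do
    ipset -F "$fs_set" 2> /dev/null
    ipset -X "$fs_set" 2> /dev/null
  done
  rm -f ./iptables-del ./ipset-del
  plog "Stopping P2Partisan"
}

#######################################
# Remove cached downloads so the next pstart fetches fresh lists. Without this
# "restart"/"update" would keep reusing the old $name.gz / $name.lst forever.
#######################################
pclearcache() {
  for cc_set in $(plist_names); do
    rm -f -- "$cc_set.gz" "$cc_set.lst"
  done
}

#######################################
# Return 0 when both P2PARTISAN chains exist with rules and INPUT jumps to
# P2PARTISAN, 1 otherwise.
#######################################
pisrunning() {
  ir_n1=$(iptables -L P2PARTISAN 2> /dev/null | grep -v target | grep -v Chain | wc -l)
  ir_n2=$(iptables -L P2PARTISAN-DROP 2> /dev/null | grep -v target | grep -v Chain | wc -l)
  ir_n3=$(iptables -L INPUT 2> /dev/null | grep -c P2PARTISAN)
  [ "$ir_n1" -ne 0 ] && [ "$ir_n2" -ne 0 ] && [ "$ir_n3" -ne 0 ]
}

pstatus() {
  if pisrunning; then
    echo " P2Partisan running: YES "
  else
    echo " P2Partisan running: NO "
  fi
}

pscheduleset() {
  cru d P2Partisan-update
  cru a P2Partisan-update "$schedule $P2Parisandir/p2partisan.sh restart"
}

pscheduleunset() {
  cru d P2Partisan-update
}

#######################################
# Create ipset $1 and fill it from the gzipped list at URL $2. Downloads are
# cached as $1.gz (fastroutine) or $1.lst; a failed or empty download is
# removed so that it cannot be mistaken for a good cache on later runs, and the
# set is only created once data is available. Returns 1 on failure.
# NOTE(review): the list is fetched without any integrity check, so the URLs in
# ./blacklists deserve the same level of trust as the firewall rules themselves.
#######################################
pload_list() {
  ll_name=$1
  ll_url=$2
  if [ "$fastroutine" -eq 1 ]; then
    if [ ! -e "$ll_name.gz" ]; then
      wget -q -O "$ll_name.gz" "$ll_url" || {
        rm -f -- "$ll_name.gz"
        plog "download of $ll_name failed ($ll_url)"
        return 1
      }
    fi
    # Feed ipset a restore stream: the list lines are "label:start-end".
    {
      echo "-N $ll_name iptreemap"
      gunzip -c "$ll_name.gz" | \
        sed -e "/^[\t ]*#.*\|^[\t ]*$/d;s/^.*:/-A $ll_name /"
      echo COMMIT
    } | ipset -R
  else
    if [ ! -e "$ll_name.lst" ]; then
      wget -q -O - "$ll_url" | gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" > "$ll_name.lst"
      # The pipeline's status is grep's, so judge success by the result instead.
      [ -s "$ll_name.lst" ] || {
        rm -f -- "$ll_name.lst"
        plog "download of $ll_name failed ($ll_url)"
        return 1
      }
    fi
    ipset --create "$ll_name" iptreemap
    while read -r ll_ip; do
      ipset -A "$ll_name" "$ll_ip"
    done < "$ll_name.lst"
  fi
}

#######################################
# Build the chains, load whitelist/blacklists into ipsets, write the generated
# iptables-add / iptables-del / ipset-del scripts and activate the rules.
# Does nothing when P2Partisan is already running.
#######################################
pstart() {
  if pisrunning; then
    printf '%s\n\n' " It appears like P2Partisan is already running. Skipping... "
    return 0
  fi

  echo "### PREPARATION ###"
  echo "loading modules"
  # Loading ipset modules
  lsmod | grep "ipt_set" > /dev/null 2>&1 || \
    for module in ip_set ip_set_iptreemap ipt_set; do
      insmod "$module"
    done

  pos=1
  echo "loading ports $whiteports exemption"
  iptables -N P2PARTISAN 2> /dev/null
  iptables -N P2PARTISAN-DROP 2> /dev/null

  # The generated scripts are executed by root: owner-only permissions, never
  # world-writable.
  printf '#!/bin/sh\n' > iptables-add
  printf '#!/bin/sh\n' > iptables-del
  printf '#!/bin/sh\n' > ipset-del
  chmod 700 iptables-add iptables-del ipset-del

  {
    echo "iptables -N P2PARTISAN 2> /dev/null"
    echo "iptables -N P2PARTISAN-DROP 2> /dev/null"
    echo "iptables -F P2PARTISAN 2> /dev/null"
    echo "iptables -F P2PARTISAN-DROP 2> /dev/null"
    echo "iptables -A P2PARTISAN -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null"
    echo "iptables -A P2PARTISAN -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null"
    echo "iptables -A P2PARTISAN -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null"
    echo "iptables -A P2PARTISAN -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null"
  } >> iptables-add
  {
    echo "iptables -D INPUT -m state --state NEW -j P2PARTISAN 2> /dev/null"
    echo "iptables -F P2PARTISAN-DROP 2> /dev/null"
    echo "iptables -F P2PARTISAN 2> /dev/null"
    echo "iptables -X P2PARTISAN-DROP 2> /dev/null"
    echo "iptables -X P2PARTISAN 2> /dev/null"
  } >> iptables-del

  echo "### WHITELIST ###"
  echo "loading the whitelist"
  # Load the whitelist (skipping comments and blank lines) unless the set survived.
  if ! pset_exists whitelist; then
    ipset --create whitelist iptreemap
    if [ -f whitelist ]; then
      while read -r wl_ip || [ -n "$wl_ip" ]; do
        case "$wl_ip" in ''|\#*) continue ;; esac
        ipset -A whitelist "$wl_ip"
      done < whitelist
    fi
  fi
  printf '%s\n' "ipset -F whitelist" "ipset -X whitelist" >> ipset-del
  echo "Preparing the whitelist for the iptables"
  echo "iptables -A P2PARTISAN -m set --set whitelist src,dst -j ACCEPT 2> /dev/null" >> iptables-add
  if [ "$syslogs" -eq 1 ]; then
    # Escaped quotes keep the trailing space of the prefix in the generated script.
    echo "iptables -A P2PARTISAN-DROP -m limit --limit $maxloghour/hour -j LOG --log-prefix \"Blacklist-Dropped: \" --log-level 1 2> /dev/null" >> iptables-add
  fi
  echo "iptables -A P2PARTISAN-DROP -j DROP 2> /dev/null" >> iptables-add

  echo "### BLACKLISTs ###"
  counter=0
  while IFS= read -r bl_line || [ -n "$bl_line" ]; do
    case "$bl_line" in ''|\#*) continue ;; esac
    # Fields: "<set name> <url>", separated by any whitespace (globbing off
    # while splitting).
    set -f
    set -- $bl_line
    set +f
    name=$1
    url=$2
    case "$name" in
      ''|*[!A-Za-z0-9_-]*)
        plog "skipping blacklist with invalid name: $name"
        continue
        ;;
    esac
    if [ -z "$url" ]; then
      plog "skipping blacklist $name: no URL given"
      continue
    fi
    counter=$((counter + 1))
    echo "loading blacklist #$counter --> ***$name***"
    if ! pset_exists "$name"; then
      # No rule for a set that could not be loaded.
      pload_list "$name" "$url" || continue
    fi
    printf '%s\n' "ipset -F $name" "ipset -X $name" >> ipset-del
    echo "iptables -A P2PARTISAN -m set --set $name src,dst -j P2PARTISAN-DROP 2> /dev/null" >> iptables-add
  done < blacklists

  echo "iptables -I INPUT $pos -m state --state NEW -j P2PARTISAN 2> /dev/null" >> iptables-add
  sh ./iptables-add  # protecting the LAN
  plog "Starting P2Partisan"
}

# Command dispatch. "restart" and "update" fall through to a fresh start
# (with the schedule re-armed) after tearing the old setup down.
case "${1:-}" in
  ''|start)
    ;;
  stop)
    pscheduleunset
    pforcestop
    exit
    ;;
  restart)
    pscheduleunset
    psoftstop
    pclearcache
    ;;
  status)
    pstatus
    exit
    ;;
  update)
    pscheduleunset
    pforcestop
    pclearcache
    ;;
  help)
    cat <<'EOF'
 P2Partisan parameters:
 help     Display this text
 start    Starts the process (this runs also if no option is provided)
 stop     Stops P2Partisan and removes the custom iptables/ipset
 restart  Soft restart that also forces a list update
 status   Display whether P2Partisan is currently running or not
 update   Hard restart that also forces a list update
EOF
    exit
    ;;
  *)
    echo "parameter not valid. please run: p2partisan.sh help "
    exit
    ;;
esac
pstart
pscheduleset
exit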