API tools faq
paste
Advertisement
Guest User

OpenWRT - firewall.user Script IP blacklisting

a guest
Apr 25th, 2015
603
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.06 KB | None | 0 0
raw download clone embed print report
  1. #!/bin/sh
  2.  
  3. # IP blacklisting script for Linux servers
  4. # Pawel Krawczyk 2014-2015
  5. # documentation https://github.com/kravietz/blacklist-scripts
  6.  
  7. # Emerging Threats lists offensive IPs such as botnet command servers
  8. urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
  9. # Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
  10. urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"
  11. # badips.com_ssh, from score 0 up
  12. urls="$urls http://www.badips.com/get/list/ssh/0"
  13. # badips.com_http, from score 0 up
  14. urls="$urls http://www.badips.com/get/list/http/0"
  15. # badips.com_nginx-proxy, from score 0 up
  16. urls="$urls https://www.badips.com/get/list/nginxproxy/0"
  17. # badips.com_ftp, from score 0 up
  18. urls="$urls http://www.badips.com/get/list/ftp/0"
  19. # badips.com_squid-proxy, from score 0 up
  20. urls="$urls https://www.badips.com/get/list/squid/0"
  21. # badips.com_dns, from score 0 up
  22. urls="$urls http://www.badips.com/get/list/dns/0"
  23. # CustomList, hosted on dropbox , my sites or whatever...
  24. urls="$urls http://examples.com/ipblocklist/ipblocklist.txt"
  25.  
  26. blocklist_chain_name=blocklists
  27.  
  28. if [ -z "$(which ipset 2>/dev/null)" ]; then
  29. echo "Cannot find ipset"
  30. echo "Run \"apt-get install ipset\" or \"yum install ipset\""
  31. exit 1
  32. fi
  33.  
  34. if [ -z "$(which curl 2>/dev/null)" ]; then
  35. echo "Cannot find curl"
  36. echo "Run \"apt-get install curl\" or \"yum install curl\""
  37. exit 1
  38. fi
  39.  
  40. if [ "$(which uci 2>/dev/null)" ]; then
  41. # we're on OpenWRT
  42. wan_iface=$(uci get network.wan.ifname)
  43. IN_OPT="-i $wan_iface"
  44. INPUT=input_rule
  45. FORWARD=forwarding_rule
  46. COMPRESS_OPT=""
  47. else
  48. COMPRESS_OPT="--compressed"
  49. INPUT=INPUT
  50. FORWARD=FORWARD
  51. fi
  52.  
  53.  
  54. # create main blocklists chain
  55. if ! iptables -L | grep -q "Chain ${blocklist_chain_name}"; then
  56. iptables -N ${blocklist_chain_name}
  57. fi
  58.  
  59. # inject references to blocklist in the beginning of input and forward chains
  60. if ! iptables -L ${INPUT} | grep -q ${blocklist_chain_name}; then
  61. iptables -I ${INPUT} 1 ${IN_OPT} -j ${blocklist_chain_name}
  62. fi
  63. if ! iptables -L ${FORWARD} | grep -q ${blocklist_chain_name}; then
  64. iptables -I ${FORWARD} 1 ${IN_OPT} -j ${blocklist_chain_name}
  65. fi
  66.  
  67. # flush the chain referencing blacklists, they will be restored in a second
  68. iptables -F ${blocklist_chain_name}
  69.  
  70. # create the "manual" blacklist set
  71. set_name="manual-blacklist"
  72. if ! ipset list | grep -q "Name: ${set_name}"; then
  73. ipset create "${set_name}" hash:net
  74. fi
  75. iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
  76. iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -j DROP
  77.  
  78. # now process the dynamic blacklists
  79. for url in $urls; do
  80. # initialize temp files
  81. unsorted_blocklist=$(mktemp)
  82. sorted_blocklist=$(mktemp)
  83. new_set_file=$(mktemp)
  84. headers=$(mktemp)
  85.  
  86. # download the blocklist
  87. set_name=$(echo "$url" | awk -F/ '{print substr($3,0,21);}') # set name is derived from source URL hostname
  88. curl -v -s ${COMPRESS_OPT} -k "$url" >"${unsorted_blocklist}" 2>"${headers}"
  89.  
  90. # this is required for blocklist.de that sends compressed content if asked for it or not
  91. if [ -z "$COMPRESS_OPT" ]; then
  92. if grep -qi 'content-encoding: gzip' "${headers}"; then
  93. mv "${unsorted_blocklist}" "${unsorted_blocklist}.gz"
  94. gzip -d "${unsorted_blocklist}.gz"
  95. fi
  96. fi
  97.  
  98. sort -u <"${unsorted_blocklist}" | egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >"${sorted_blocklist}"
  99.  
  100. # calculate performance parameters for the new set
  101. tmp_set_name="tmp_${RANDOM}"
  102. new_list_size=$(wc -l "${sorted_blocklist}" | awk '{print $1;}' )
  103. hash_size=$(expr $new_list_size / 2)
  104.  
  105. if ! ipset -q list ${set_name} >/dev/null ; then
  106. ipset create ${set_name} hash:net family inet
  107. fi
  108.  
  109. # start writing new set file
  110. echo "create ${tmp_set_name} hash:net family inet hashsize ${hash_size} maxelem ${new_list_size}" >>"${new_set_file}"
  111.  
  112. # convert list of IPs to ipset statements
  113. while read line; do
  114. echo "add ${tmp_set_name} ${line}" >>"${new_set_file}"
  115. done <"$sorted_blocklist"
  116.  
  117. # replace old set with the new, temp one - this guarantees an atomic update
  118. echo "swap ${tmp_set_name} ${set_name}" >>"${new_set_file}"
  119.  
  120. # clear old set (now under temp name)
  121. echo "destroy ${tmp_set_name}" >>"${new_set_file}"
  122.  
  123. # actually execute the set update
  124. ipset -! -q restore < "${new_set_file}"
  125.  
  126. iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
  127. iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -j DROP
  128.  
  129. # clean up temp files
  130. rm "${unsorted_blocklist}" "${sorted_blocklist}" "${new_set_file}" "${headers}"
  131. done
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!