p2partisan 2.51

1. #!/bin/sh
2. #
3. # p2partisan v2.51 (18/08/2014)
4. #
5. # <CONFIGURATION> ###########################################
6. # Adjust location where the files are kept
7. P2Partisandir=/cifs1/p2partisan
8. #
9. # Edit the file "blacklists" to customise if needed
10. # Edit the "whitelist" to overwrite the blacklist if needed
11. #
12. # Enable logging? Use only for troubleshooting. 0=off 1=on
13. syslogs=1
14. # Maximum number of logs to be recorded in a given 60 min
15. # Consider set this very low (like 3 or 6) once your are
16. # happy with the installation. To troubleshoot blocked
17. # connection close all the secondary traffic e.g. p2p
18. # and try a connection to the blocked site/port you should
19. # find a reference in the logs.
20. maxloghour=1
21. #
22. # What do you want to block?
23. # 1) Input (Router only, does your generate P2P traffic?)
24. # 2) LAN (LAN clients only)
25. # 3) Both *default
26. protection=3
27. #
28. # ports to be whitelisted. Whitelisted ports will never be
29. # blocked no matter what the source/destination IP is.
30. # This is very important if you're running a service like
31. # e.g. SMTP/HTTP/IMAP/else. Separate value in the list below
32. # with commas - NOTE: Leave 80 and 443 untouched, add custom ports only
33. # you might want to add remote admin and VPN ports here if any.
34. # Standard iptables syntax, number divided by "," or ":" for a range
35. # e.g. 80,443,2100:21300. Note: maximum 15 references as per
36. # iptables --multiport limitation
37. whiteports="21,25,53,80,443,1194:1196,44,3658,5730:5739,8080,8800:8899,14020"
38. #
39. # Fastrouting will process the IP classes very quickly but use
40. # Lot of resources. If you disable the effect is transparent
41. # but the full process will take minutes rather than seconds
42. # 0=disabled 1=enabled
43. fastroutine=1
44. #
45. # Enable check on script availability to help autorun
46. # E.g. wait for the file to be available in cifs before run it
47. # instead of quit with a file missing error
48. autorun_availability_check=1
49. #
50. # Schedule updates? (once a week is plenty)
51. schedule="30 4 * * 1"
52. #
53. testip="8.8.8.8"
54. # </CONFIGURATION> ###########################################
55.  
56. # Wait until Internet is available
57.     while :
58.     do
59.         ping -c 3 $testip >/dev/null 2>&1
60.         if [ $? = 0 ]; then
61.             break
62.         fi
63.         sleep 2
64.     done
65.  
66. pidfile=/var/run/p2partisan.pid
67. cd $P2Partisandir
68. version=`head -3 ./p2partisan.sh | tail -1 | cut -f 3- -d " "`
69.  
70. alias ipset='/bin/nice -n19 /usr/sbin/ipset'
71. alias sed='/bin/nice -n19 /bin/sed'
72. alias iptables='/usr/sbin/iptables'
73. alias service='/sbin/service'
74. alias plog='logger -t P2PARTISAN -s'
75. now=`date +"%H:%M:%S - %d/%m/%y"`
76. wanif=`nvram get wan_ifname`
77.  
78.  
79. psoftstop() {
80.     ./iptables-del 2> /dev/null
81.     plog "Stopping P2Partisan"
82.     [ -f $pidfile ] && rm -f "$pidfile" 2> /dev/null
83. }
84.  
85. pblock() {
86.     plog "P2PArtisan: Applying paranoia block"
87.     iptables -N PARANOIA-DROP 2> /dev/null
88.     iptables -A PARANOIA-DROP -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
89.     iptables -A PARANOIA-DROP -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
90.     iptables -A PARANOIA-DROP -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
91.     iptables -A PARANOIA-DROP -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
92.     iptables -A PARANOIA-DROP -m limit --limit $maxloghour/hour --limit-burst 5 -j LOG --log-prefix "P2Partisan Rejected (paranoia): " --log-level 1 2> /dev/null
93.     iptables -A PARANOIA-DROP -j REJECT --reject-with icmp-proto-unreachable
94.     iptables -I wanin 1 -i $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
95.     iptables -I wanout 1 -o $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
96.     iptables -I INPUT 1 -i $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
97.     iptables -I OUTPUT 1 -o $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
98. }
99.  
100. punblock() {
101.     while iptables -L wanin 2> /dev/null | grep "PARANOIA-DROP"
102.     do
103.         iptables -D wanin -i $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
104.     done
105.     while iptables -L wanout 2> /dev/null | grep "PARANOIA-DROP"
106.     do
107.         iptables -D wanout -o $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
108.     done
109.     while iptables -L INPUT 2> /dev/null | grep "PARANOIA-DROP"
110.     do
111.         iptables -D INPUT -i $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
112.     done
113.     while iptables -L OUTPUT 2> /dev/null | grep "PARANOIA-DROP"
114.     do
115.         iptables -D OUTPUT -o $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
116.     done
117.     iptables -F PARANOIA-DROP 2> /dev/null && plog "P2PArtisan: Removing paranoia block"
118.     iptables -X PARANOIA-DROP 2> /dev/null
119. }
120.  
121. pforcestop() {
122.     while iptables -L wanin 2> /dev/null | grep P2PARTISAN-IN
123.     do
124.         iptables -D wanin -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
125.     done
126.     while iptables -L wanout 2> /dev/null | grep P2PARTISAN-OUT
127.     do
128.         iptables -D wanout -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
129.     done
130.     while iptables -L INPUT | grep P2PARTISAN-IN
131.     do
132.         iptables -D INPUT -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
133.     done
134.     while iptables -L OUTPUT | grep P2PARTISAN-OUT
135.     do
136.         iptables -D OUTPUT -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
137.     done
138.     iptables -F P2PARTISAN-DROP 2> /dev/null
139.     iptables -F P2PARTISAN-IN 2> /dev/null
140.     iptables -F P2PARTISAN-OUT 2> /dev/null
141.     iptables -X P2PARTISAN-DROP 2> /dev/null   
142.     iptables -X P2PARTISAN-IN 2> /dev/null
143.     iptables -X P2PARTISAN-OUT 2> /dev/null
144.     ipset -F
145.     for i in `ipset --list | grep Name | cut -f2 -d ":" `; do
146.         ipset -X $i
147.     done
148.     chmod 777 ./*.gz
149.     [ -f iptables-add ] && rm iptables-add
150.     [ -f iptables-del ] && rm iptables-del
151.     [ -f ipset-del ] && rm ipset-del
152.     [ -f $pidfile ] && rm -f "$pidfile" 2> /dev/null
153. plog "Unloading ipset modules"
154.     lsmod | grep "ipt_set" > /dev/null 2>&1 && sleep 2 ; rmmod -f ipt_set 2> /dev/null
155.     lsmod | grep "ip_set_iptreemap" > /dev/null 2>&1 && sleep 2 ; rmmod -f ip_set_iptreemap 2> /dev/null
156.     lsmod | grep "ip_set" > /dev/null 2>&1 && sleep 2 ; rmmod -f ip_set 2> /dev/null
157. plog "Stopping P2Partisan"
158. }
159.  
160. pstatus() {
161.     running3=`iptables -L | grep P2PARTISAN-IN  2> /dev/null | wc -l`
162.     running4=`[ -f $pidfile ] && echo 1 || echo 0`
163.     running5=`nvram get script_fire | grep p2partisan >/dev/null && echo Yes || echo No`
164.     running6=`cru l | grep P2Partisan-update >/dev/null && echo Yes || echo No`
165.     running7=`tail -200 /var/log/messages | grep Rejected | tail -1`
166.    
167.     from=`head -1 ./iptables-add 2> /dev/null | cut -c3-`
168.     drop_packet_count=`iptables -vL P2PARTISAN-DROP 2> /dev/null| grep " REJECT " | awk '{print $1}'`
169.    
170.     if [[ $running3 -eq "0" ]] && [[ $running4 -eq "0" ]]; then
171.         running8=No
172.     elif [[ $running3 -eq "0" ]] && [[ $running4 -eq "1" ]]; then
173.         running8=Loading...
174.     elif [[ $running3 -gt "0" ]] && [[ $running4 -eq "0" ]]; then
175.         running8=Not quite... try to run \"p2partisan.sh update\"
176.     else
177.         running8=Yes
178.     fi
179.    
180.     echo "################### P2Partisan ##########################
181. #   Release version: $version
182. ################# P2Partisan status #####################
183. #   P2Partisan running:   $running8
184. #   P2Partisan autorun:   $running5
185. #   P2Partisan scheduled: $running6
186. #########################################################
187. #   P2Partisan activity since: $from
188. #   Rejected connections: $drop_packet_count
189. ################# Last log recorded #####################
190. #   Remember your max logs per hour is set to: $maxloghour
191. $running7
192. #########################################################"
193. }
194.  
195. if [ $autorun_availability_check = 1 ]; then
196. av="while true; do [ -f $P2Partisandir/p2partisan.sh ] && break || sleep 5; done ;"
197. fi
198.  
199. pautorunset() {
200.     p=`nvram get script_fire | grep "p2partisan.sh" | grep -v cru | wc -l`
201.     if [ $p -eq "0" ] ; then
202.         t=`nvram get script_fire`; t=`printf "$t\n$av$P2Partisandir/p2partisan.sh\n"` ; nvram set "script_fire=$t"
203.     fi
204.     plog "P2Partisan AUTO RUN is ON"
205.     nvram commit
206. }
207.  
208. pautorununset() {
209.     p=`nvram get script_fire | grep "p2partisan.sh" | grep -v cru | wc -l`
210.     if [ $p -eq "1" ]; then
211.     t=`nvram get script_fire`; t=`printf "$t\n$P2Partisandir/p2partisan.sh\n" | grep -v p2partisan` ; nvram set "script_fire=$t"
212.     fi
213.     plog "P2Partisan AUTO RUN is OFF"
214.     nvram commit
215. }
216.  
217. pscheduleset() {
218.     cru d P2Partisan-update
219.     cru a P2Partisan-update "$schedule $P2Partisandir/p2partisan.sh paranoia-update"
220.     pp=`nvram get script_fire | grep "p2partisan.sh" | grep -v cru | wc -l`
221.     p=`nvram get script_fire | grep "cru a P2Partisan-update" | wc -l`
222.     if [ $p -eq "0" ] ; then
223.         if [ $pp -eq "0" ]; then
224.         t=`nvram get script_fire`; t=`printf "$t\ncru a P2Partisan-update \"$schedule $P2Partisandir/p2partisan.sh paranoia-update\"\n"` ; nvram set "script_fire=$t"
225.         else
226.         pautorununset
227.         t=`nvram get script_fire`; t=`printf "$t\ncru a P2Partisan-update \"$schedule $P2Partisandir/p2partisan.sh paranoia-update\"\n"` ; nvram set "script_fire=$t"
228.         pautorunset
229.         fi
230.     fi
231.     plog "P2Partisan AUTO UPDATE is ON"
232.     nvram commit
233. }
234.  
235. pscheduleunset() {
236.     cru d P2Partisan-update
237.     p=`nvram get script_fire | grep "cru a P2Partisan-update" | wc -l`
238.     if [ $p -eq "1" ] ; then
239.     t=`nvram get script_fire`; t=`printf "$t\ncru a P2Partisan-update \"$schedule $P2Partisandir/p2partisan.sh paranoia-update\"\n" | grep -v "cru a P2Partisan-update"` ; nvram set "script_fire=$t"
240.     fi
241.     plog "P2Partisan AUTO UPDATE is OFF"
242.     nvram commit
243. }
244.  
245. pstart() {
246.     running3=`iptables -L | grep P2PARTISAN-IN  2> /dev/null | wc -l`
247.     running4=`[ -f $pidfile ] && echo 1 || echo 0`
248.     if [[ $running3 -eq "0" ]] || [[ $running4 -eq "0" ]] ; then
249.  
250.     echo $$ > $pidfile
251.  
252.     sleep 2
253.    
254.     [ -f iptables-add ] && rm iptables-add
255.     [ -f iptables-del ] && rm iptables-del
256.     [ -f ipset-del ] && rm ipset-del
257.      
258.     echo "### PREPARATION ###"
259.     echo "Loading the ipset modules"
260.     lsmod | grep "ip_set" > /dev/null 2>&1 || insmod ip_set
261.     lsmod | grep "ip_set_iptreemap" > /dev/null 2>&1 || insmod ip_set_iptreemap
262.     lsmod | grep "ipt_set" > /dev/null 2>&1 || insmod ipt_set
263.  
264. counter=0
265. pos=1
266. couscous=`cat blacklist-custom | grep -v "^#" | grep -v "^$" | wc -l`
267.  
268.         echo "### CUSTOM BLACKLIST ###
269. blacklist-custom file -> $couscous entries found"
270.  if [ $couscous -eq "0" ]; then
271.         echo "No custom blacklist entries found: skipping"
272.  else
273.         echo "loading blacklist #$counter --> ***Custom IP blacklist***"
274.         ipset --create blacklist-custom iptreemap
275.         if [ -e blacklist-custom ]; then
276.         for IP in `cat blacklist-custom | grep -v "^#" | grep -v "^$" | cut -d: -f2`
277.             do
278.                 ipset -A blacklist-custom $IP
279.             done
280.         fi
281. fi
282.    
283. echo "### WHITELIST ###"           
284.         echo "loading ports $whiteports exemption"
285.  
286.    
287.         echo "# $now
288. iptables -N P2PARTISAN-IN 2> /dev/null
289. iptables -N P2PARTISAN-OUT 2> /dev/null
290. iptables -N P2PARTISAN-DROP 2> /dev/null
291. iptables -F P2PARTISAN-IN 2> /dev/null
292. iptables -F P2PARTISAN-OUT 2> /dev/null
293. iptables -F P2PARTISAN-DROP 2> /dev/null
294. iptables -A P2PARTISAN-IN -m set --set blacklist-custom src -j P2PARTISAN-DROP 2> /dev/null
295. iptables -A P2PARTISAN-OUT -m set --set blacklist-custom src -j P2PARTISAN-DROP 2> /dev/null
296. iptables -A P2PARTISAN-IN -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
297. iptables -A P2PARTISAN-IN -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
298. iptables -A P2PARTISAN-IN -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
299. iptables -A P2PARTISAN-IN -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
300. iptables -A P2PARTISAN-OUT -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
301. iptables -A P2PARTISAN-OUT -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
302. iptables -A P2PARTISAN-OUT -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
303. iptables -A P2PARTISAN-OUT -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null" >> iptables-add
304.  
305.  
306.         echo "# $now
307. iptables -D wanin -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
308. iptables -D wanout -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
309. iptables -D INPUT -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
310. iptables -D OUTPUT -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
311. iptables -F P2PARTISAN-DROP 2> /dev/null
312. iptables -F P2PARTISAN-IN 2> /dev/null
313. iptables -F P2PARTISAN-OUT 2> /dev/null
314. iptables -X P2PARTISAN-IN 2> /dev/null
315. iptables -X P2PARTISAN-OUT 2> /dev/null
316. iptables -X P2PARTISAN-DROP 2> /dev/null" >> iptables-del
317.  
318.  
319. echo "preparing the whitelist for the iptables"
320. #Load the whitelist
321. if [ "$(ipset --swap whitelist whitelist 2>&1 | grep 'Unknown set')" != "" ]
322.     then
323.     ipset --create whitelist iptreemap
324.     cat whitelist | grep -v "^10." | grep -v "^172.16." | grep -v "^192.168." |
325.     (
326.     while read IP
327.     do
328.             echo "$IP" | grep "^#" >/dev/null 2>&1 && continue
329.             echo "$IP" | grep "^$" >/dev/null 2>&1 && continue
330.                     ipset -A whitelist $IP
331.             done
332.     )
333. fi
334.         echo "# $now
335. ipset -F
336. ipset -X blacklist-custom
337. ipset -X whitelist" > ipset-del
338.  
339.             echo "loading the whitelist"
340.             echo "iptables -A P2PARTISAN-IN -m set --set whitelist src -j ACCEPT 2> /dev/null
341. iptables -A P2PARTISAN-OUT -m set --set whitelist dst -j ACCEPT 2> /dev/null" >> iptables-add
342.  
343.         if [ $syslogs -eq "1" ]; then        
344.             echo "iptables -A P2PARTISAN-DROP -m limit --limit $maxloghour/hour --limit-burst 1 -j LOG --log-prefix \"P2Partisan Rejected: \" --log-level 1 2> /dev/null" >> iptables-add
345.         fi
346.         echo "iptables -A P2PARTISAN-DROP -j REJECT --reject-with icmp-proto-unreachable"  >> iptables-add
347.  
348.  
349. echo "### BLACKLISTs ###"
350.    
351.     cat blacklists |
352.    (
353.     while read line
354.     do
355.             echo "$line" | grep "^#" >/dev/null 2>&1 && continue
356.             echo "$line" | grep "^$" >/dev/null 2>&1 && continue
357.             counter=`expr $counter + 1`
358.             name=`echo $line |cut -d ' ' -f1`
359.             url=`echo $line |cut -d ' ' -f2`
360.             echo "loading blacklist #$counter --> ***$name***"
361.      
362.     if [ $fastroutine -eq "1" ]; then
363.      
364.      if [ "$(ipset --swap $name $name 2>&1 | grep 'Unknown set')" != "" ]
365.       then
366.  
367.           [ -e $name.gz ] || wget -q -O $name.gz "$url"
368.           { echo "-N $name iptreemap"
369.             gunzip -c  $name.gz | \
370.             sed -e "/^[\t ]*#.*\|^[\t ]*$/d;s/^.*:/-A $name /"
371.             echo COMMIT
372.           } | ipset -R
373.      fi
374.     else
375.      
376.         if [ "$(ipset --swap $name $name 2>&1 | grep 'Unknown set')" != "" ]
377.             then
378.             ipset --create $name iptreemap
379.             [ -e $name.lst ] || wget -q -O - "$url" | gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" > $name.lst
380.             for IP in $(cat $name.lst)
381.                     do
382.                     ipset -A $name $IP
383.                     done
384.             fi
385.              
386.     fi
387.  
388.                 echo "ipset -X $name " >> ipset-del
389.                 echo "iptables -A P2PARTISAN-IN -m set --set $name src -j P2PARTISAN-DROP 2> /dev/null
390. iptables -A P2PARTISAN-OUT -m set --set $name dst -j P2PARTISAN-DROP 2> /dev/null" >> iptables-add 
391.             done
392.     )
393.  
394.  
395.         if [ $protection -eq "1" ]; then
396.             echo "iptables -I INPUT $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
397. iptables -I OUTPUT $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null" >> iptables-add
398.         elif [ $protection -eq "2" ]; then
399.             echo "iptables -I wanin $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
400. iptables -I wanout $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null" >> iptables-add
401.         elif [ $protection -eq "3" ]; then
402.             echo "iptables -I INPUT $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
403. iptables -I OUTPUT $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
404. iptables -I wanin $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
405. iptables -I wanout $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null" >> iptables-add
406.         fi
407.  
408. chmod 777 ./iptables-*
409. chmod 777 ./ipset-*
410. ./iptables-add  #protecting
411.  
412. plog "... P2Partisan started."
413.  
414. p=`nvram get dnsmasq_custom | grep log-async | wc -l`
415. if [ $p -eq "1" ]; then
416.     plog "log-async found under dnsmasq -> OK"
417. else
418.     plog "
419. It appears like you don't have a log-async parameter
420. in your dnsmasq config. This is strongly suggested
421. due to the amount of logs involved. please consider
422. adding the following command under Advanced/DHCP/DNS
423. /Dnsmasq Custom configuration
424.  
425. log-async=10
426. "
427. fi
428.  
429. punblock  #remove paranoia DROPs if any
430.  
431. else
432.         echo "
433.     It appears like P2Partisan is already running. Skipping...
434.            
435.     If this is not what you expected? Try:
436.     p2partisan.sh update
437.         "
438.     fi
439. }
440.  
441.  
442. for p in $1
443. do
444. case "$p" in
445.         "start")
446.                 pstart
447.                 exit
448.                 ;;     
449.         "stop")
450.                 pforcestop
451.                 exit
452.                 ;;
453.         "restart")
454.                 pscheduleunset
455.                 psoftstop
456.                 pscheduleset
457.                 ;;
458.         "status")
459.                 pstatus
460.                 exit               
461.                 ;;     
462.         "update")
463.                 pscheduleunset
464.                 pforcestop
465.                 pscheduleset
466.                 ;;
467.         "paranoia-update")
468.                 pscheduleunset
469.                 pblock
470.                 pforcestop
471.                 pscheduleset
472.                 ;;
473.         "autorun-on")
474.                 pautorunset
475.                 exit
476.                 ;;
477.         "autorun-off")
478.                 pautorununset
479.                 exit
480.                 ;;
481.         "autoupdate-on")
482.                 pscheduleset
483.                 exit
484.                 ;;
485.         "autoupdate-off")
486.                 pscheduleunset
487.                 exit
488.                 ;;
489.         "help")
490.                 echo " 
491. P2Partisan parameters:
492.                
493.     help        Display this text      
494.     start       Starts the process (this runs also if no option
495.             is provided)
496.     stop        Stops P2Partisan
497.     restart     Soft restart, quick, updates iptables only
498.     update      Hard restart, slow removes p2partisan, updates
499.             the lists and does a fresh start
500.     paranoia-update Like update but blocks any new connection until
501.             P2Partisan is running again
502.     status      Display P2Partisan running status + extra info
503.     autorun-on  Sets P2Partisan to boot with the router
504.     autorun-off Sets P2Partisan not to boot with the router
505.     autoupdate-on   Sets automatic updates on
506.     autoupdate-off  Sets automatic updates off
507.                 "
508.                 exit
509.                 ;;
510.         *)
511.                 echo "parameter not valid. please run:
512.                
513.     p2partisan.sh help
514.     "
515.                 exit
516.             ;;
517.  
518. esac
519. done
520.  
521. pstart
522.  
523. exit