rs232

p2partisan 1.00

Oct 14th, 2013
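#!/bin/sh
#
# p2partisan v1.0 (11/10/2013)
#
# Builds one ipset per line of "blacklists" (downloading and caching the
# list the first time it is seen), adds a "whitelist" ipset that is
# ACCEPTed before any blacklist, and wires every blacklist set into the
# FORWARD chain through a rate-limited LOGGING chain that logs, then DROPs.
#
# Input files, all relative to $workdir:
#   blacklists   one "<name> <url>" per line; '#' lines and blank lines are
#                skipped; <url> is a gzip'd list whose second ':'-separated
#                field holds the IP or IP range
#   whitelist    one IP or range per line, same comment rules
#   <name>.lst   cached, filtered IP list; delete it to force a re-download
#
# Written for router firmware (busybox ash): POSIX sh only - no arrays,
# no [[ ]], no pipefail, no `local`.
#########################################################
# Adjust location where the files are kept
workdir=/cifs1/p2partisan
#
# Edit the file "blacklists" to customise if needed
# Edit the "whitelist" to overwrite the blacklist if needed
#
# Maximum number of log lines written per hour (iptables -m limit)
maxloghour=120
# TCP ports ACCEPTed in both directions before any blacklist is consulted
webports=80,443,21,25,465,993
# FORWARD rule slot of the first blacklist; list N lands at firstpos+N.
# The absolute slots used here (2, 3, 5 and firstpos+N) presumably match
# the slots the firmware's own FORWARD rules leave free - verify on a
# fresh boot.
firstpos=13
# to troubleshoot blocked connection close all the secondary
# traffic e.g. p2p and try a connection to the blocked
# site/port you should find a reference in the logs
#########################################################

set -u

# Print $* to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Return 0 when $1 is safe to use both as an ipset name and as the cache
# filename "$1.lst": non-empty and made only of letters, digits, '_' and
# '-'.  The name comes from the local "blacklists" file but still ends up
# in a path, so anything else (spaces, '/', '..') is rejected.
valid_name() {
  case "$1" in
    '' | *[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Return 0 when ipset $1 exists.  Swapping a set with itself is a no-op
# when it exists and prints "Unknown set" when it does not (ipset 4.x).
set_exists() {
  if ipset --swap "$1" "$1" 2>&1 | grep -q 'Unknown set'; then
    return 1
  fi
  return 0
}

# Print the number of FORWARD rules whose numeric listing contains $1.
# -n keeps iptables from doing DNS and service-name lookups per rule.
count_forward_rules() {
  iptables -n -L FORWARD | grep -c -- "$1"
}

#######################################
# Make sure FORWARD holds exactly one rule "-m set --set $1 src,dst -j $3".
# 0 rules: insert one at slot $2.  More than 1: delete one so repeated
# runs converge on a single rule.  The match pattern ends in " src,dst"
# so that set "level1" never counts the rule of set "level10".
# Arguments: $1 set name, $2 insert position, $3 target, $4 message label
#######################################
ensure_set_rule() {
  n=$(count_forward_rules "set $1 src,dst")
  if [ "$n" -eq 0 ]; then
    echo "Setting $4 iptables"
    iptables -I FORWARD "$2" -m set --set "$1" src,dst -j "$3"
  elif [ "$n" -gt 1 ]; then
    echo "Re-setting $4 iptables"
    iptables -D FORWARD -m set --set "$1" src,dst -j "$3"
  fi
}

# Load the ipset kernel modules unless ipt_set is already present.
load_modules() {
  echo "loading modules"
  if ! lsmod | grep -q ipt_set; then
    for module in ip_set ip_set_iptreemap ipt_set; do
      insmod "$module"
    done
  fi
}

# Keep one ACCEPT rule per direction for $webports near the top of
# FORWARD so ordinary web/mail traffic never reaches a blacklist.
# Any count other than 0 or 2 is treated as duplicates and one rule
# per direction is removed.
load_web_exemption() {
  echo "loading ports 80,443 exemption"
  n=$(count_forward_rules "ports $webports")
  if [ "$n" -eq 0 ]; then
    iptables -I FORWARD 2 -p tcp --match multiport --sports "$webports" -j ACCEPT
    iptables -I FORWARD 3 -p tcp --match multiport --dports "$webports" -j ACCEPT
  elif [ "$n" -ne 2 ]; then
    iptables -D FORWARD -p tcp --match multiport --sports "$webports" -j ACCEPT
    iptables -D FORWARD -p tcp --match multiport --dports "$webports" -j ACCEPT
  fi
}

# Create the whitelist set from the "whitelist" file (first run only)
# and ACCEPT anything matching it before the blacklists are checked.
load_whitelist() {
  echo "loading the whitelist"
  if ! set_exists whitelist; then
    ipset --create whitelist iptreemap
    if [ -r whitelist ]; then
      while IFS= read -r ip || [ -n "$ip" ]; do
        case "$ip" in '' | \#*) continue ;; esac
        # </dev/null: never let ipset read from the file being looped over
        ipset -A whitelist "$ip" </dev/null
      done <whitelist
    else
      printf 'warning: no readable "whitelist" in %s, set left empty\n' "$PWD" >&2
    fi
  fi
  ensure_set_rule whitelist 5 ACCEPT whitelist
}

# (Re)build the LOGGING chain: rate-limited LOG, then DROP.
setup_logging_chain() {
  if ! iptables -n -L LOGGING >/dev/null 2>&1; then
    iptables -N LOGGING
  fi
  iptables -F LOGGING
  iptables -A LOGGING -m limit --limit "$maxloghour/hour" -j LOG \
    --log-prefix "Blacklist-Dropped: " --log-level 1
  iptables -A LOGGING -j DROP
}

#######################################
# Download blacklist $1 from $2 into the cache file "$1.lst".
# The feed is gunzipped, its second ':' field is kept and only tokens made
# of digits, '.' and '-' survive, so a wrong or tampered feed can at most
# change which ranges are blocked.  The result goes through a temp file so
# a failed download never leaves an empty "$1.lst" behind: the cache is
# only fetched while the file is missing, so an empty file would keep the
# list empty on every later run.
# Returns: 0 when a non-empty list was written, 1 otherwise
#######################################
fetch_list() {
  tmp=$(mktemp "./$1.lst.XXXXXX") || return 1
  # pipeline status is grep's: it fails when nothing matched (e.g. wget failed)
  if wget -q -O - "$2" </dev/null | gunzip | cut -d: -f2 | grep -E '^[-0-9.]+$' >"$tmp" \
    && [ -s "$tmp" ]; then
    mv -f "$tmp" "$1.lst"
    return 0
  fi
  printf 'warning: download of %s from %s failed, list left empty\n' "$1" "$2" >&2
  rm -f "$tmp"
  return 1
}

# Add every line of "$1.lst" to ipset $1.
load_set() {
  while IFS= read -r ip || [ -n "$ip" ]; do
    [ -n "$ip" ] && ipset -A "$1" "$ip" </dev/null
  done <"$1.lst"
}

# Walk "blacklists": for line N ("<name> <url>") create ipset <name> on
# first sight (downloading the list) and route its matches through
# LOGGING from FORWARD slot firstpos+N.  Text after the URL is ignored.
load_blacklists() {
  [ -r blacklists ] || die "cannot read blacklists in $PWD, nothing to block"
  counter=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in '' | \#*) continue ;; esac
    name=${line%% *}
    rest=${line#* }
    url=${rest%% *}
    counter=$((counter + 1))
    echo "loading blacklist $counter - $name"
    if ! valid_name "$name"; then
      printf 'skipping line %s of blacklists: bad name "%s"\n' "$counter" "$name" >&2
      continue
    fi
    #Load the blacklists
    if ! set_exists "$name"; then
      # create the (possibly empty) set first so the FORWARD rule below
      # always has something to reference
      ipset --create "$name" iptreemap
      if [ -e "$name.lst" ] || fetch_list "$name" "$url"; then
        load_set "$name"
      fi
    fi
    ensure_set_rule "$name" $((firstpos + counter)) LOGGING FORWARD
  done <blacklists
}

main() {
  cd "$workdir" || die "cannot cd to $workdir"
  load_modules
  load_web_exemption
  load_whitelist
  setup_logging_chain
  load_blacklists
}

main "$@"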