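#!/bin/sh
#
# p2partisan v1.0 (11/10/2013)
#
# Builds ipset-backed blacklist/whitelist rules in the iptables FORWARD chain.
# Needs the ip_set / ip_set_iptreemap / ipt_set modules, ipset (v4 syntax),
# iptables, wget and gunzip. Files read from the working directory:
#   blacklists - one "<name> <url-of-gzipped-list>" per line ('#' = comment)
#   whitelist  - one IP/range per line, ACCEPTed before any blacklist rule
#########################################################
# Adjust location where the files are kept.
# Abort if the directory is not there (e.g. the CIFS share is not mounted):
# otherwise everything below would read/write whitelist, blacklists and the
# cached *.lst files in whatever directory the caller happened to be in, and
# the blacklist sets would be built from nothing.
cd /cifs1/p2partisan || { echo "p2partisan: cannot cd to /cifs1/p2partisan" >&2; exit 1; }
#
# Edit the file "blacklists" to customise if needed
# Edit the "whitelist" to overwrite the blacklist if needed
#
# Maximum number of blacklist drops written to the log per HOUR
# (passed to "-m limit --limit N/hour"; no --limit-burst is set).
# Drops beyond this rate still happen, they are just not logged.
maxloghour=120
# to troubleshoot blocked connection close all the secondary
# traffic e.g. p2p and try a connection to the blocked
# site/port you should find a reference in the logs
#########################################################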
echo "loading modules"
# Load the ipset kernel modules, unless the ipt_set match is already listed.
# NOTE(review): insmod failures are not checked (same as before); if the
# modules cannot be loaded, the ipset/iptables calls later on fail and the
# script carries on without installing any blacklist rule.
if ! lsmod | grep -q "ipt_set"; then
  for mod in ip_set ip_set_iptreemap ipt_set; do
    insmod "$mod"
  done
fi
# running index of the blacklists handled further down (one per list)
counter=0
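echo "loading ports 80,443 exemption"
# Exempt a few TCP services from the blacklist: any forwarded TCP packet whose
# source OR destination port is in the list is ACCEPTed before the blacklist
# rules. Exactly two rules are expected (--sports and --dports): none -> install
# both, any other count -> remove one copy of each per run.
#
# Security note: the --sports rule keys on a value the REMOTE side chooses,
# so a blacklisted host reaches any local port simply by sending from port
# 80/443/21/25/465/993. Treat the blacklist as nuisance filtering, not as a
# boundary, while this exemption is in place.
#
# -n keeps the listing numeric: without it iptables resolves ports through
# /etc/services (missing on many routers, which would make the grep miss and
# insert duplicate rules on every run) and reverse-resolves rule addresses.
iptabweb=$(iptables -n -L FORWARD | grep -c "ports 80,443,21,25,465,993")
if [ "${iptabweb:-0}" -eq 0 ]; then
  # positions 2 and 3 are hard-coded to the chain layout this script expects;
  # verify against the router's own FORWARD chain before changing them
  iptables -I FORWARD 2 -p tcp --match multiport --sports 80,443,21,25,465,993 -j ACCEPT
  iptables -I FORWARD 3 -p tcp --match multiport --dports 80,443,21,25,465,993 -j ACCEPT
elif [ "$iptabweb" -ne 2 ]; then
  iptables -D FORWARD -p tcp --match multiport --sports 80,443,21,25,465,993 -j ACCEPT
  iptables -D FORWARD -p tcp --match multiport --dports 80,443,21,25,465,993 -j ACCEPT
fi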
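echo "loading the whitelist"
# Load the whitelist set. Existence is detected by swapping the set with
# itself: ipset reports "Unknown set" exactly when it is missing. An existing
# set is left untouched, so delete it to pick up a changed whitelist file.
if [ -n "$(ipset --swap whitelist whitelist 2>&1 | grep 'Unknown set')" ]; then
  ipset --create whitelist iptreemap
  if [ -r whitelist ]; then
    # one entry per line; lines starting with '#' and blank lines are skipped
    while read -r IP; do
      case "$IP" in
        ''|\#*) continue ;;
      esac
      ipset -A whitelist "$IP" || echo "whitelist: entry '$IP' rejected by ipset" >&2
    done < whitelist
  else
    echo "whitelist: file not readable, set left empty" >&2
  fi
fi
# One ACCEPT rule for a whitelisted src OR dst, which must sit before the
# blacklist rules (position 5 is hard-coded to the expected chain layout).
# -n: numeric listing, no reverse DNS on rule addresses. The " whitelist src,dst"
# pattern counts only the rule for this set, not anything merely containing
# the word "whitelist".
iptabwhite=$(iptables -n -L FORWARD | grep -c " whitelist src,dst")
if [ "${iptabwhite:-0}" -eq 0 ]; then
  echo "Setting whitelist iptables"
  iptables -I FORWARD 5 -m set --set whitelist src,dst -j ACCEPT
elif [ "$iptabwhite" -gt 1 ]; then
  echo "Re-setting whitelist iptables"
  # more than one copy: remove one per run
  iptables -D FORWARD -m set --set whitelist src,dst -j ACCEPT
fi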
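# LOGGING chain: rate-limited LOG, then unconditional DROP, for every
# blacklist hit. Created once, flushed and rebuilt on each run so a changed
# maxloghour takes effect.
# -n: numeric listing (the plain "iptables -L" walks every chain and
# reverse-resolves each address, which can stall the script on a router
# without working DNS).
logging=$(iptables -n -L | grep -c "Chain LOGGING")
if [ "${logging:-0}" -eq 0 ]; then
  iptables -N LOGGING
fi
iptables -F LOGGING
# --limit caps the LOG entries only; packets over the limit fall through to
# the DROP below without being logged
iptables -A LOGGING -m limit --limit "$maxloghour/hour" -j LOG --log-prefix "Blacklist-Dropped: " --log-level 1
iptables -A LOGGING -j DROP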
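# One ipset plus one FORWARD rule per entry of "blacklists"
# ("<name> <url-of-gzipped-list>" per line; '#' and blank lines skipped).
# The loop runs in a subshell, as before, so counter/name/url stay local;
# the subshell exits non-zero when a rule could not be installed, and that
# becomes the script's exit status.
# Lists are cached as <name>.lst and are NOT refreshed while the cache file
# exists: delete <name>.lst to force a new download.
(
failed=0
if [ ! -r blacklists ]; then
  echo "blacklists file not readable - no blacklist loaded" >&2
  exit 1
fi
# read splits on whitespace, so "name  url" (double space) also works; the
# previous single-space cut produced an empty url for such lines
while read -r name url rest; do
  case "$name" in
    ''|\#*) continue ;;
  esac
  counter=$((counter + 1))
  # $name becomes an ipset name and a file name in this directory: refuse
  # anything that could leave the directory or be parsed as an option
  case "$name" in
    */*|.*|-*|*[!A-Za-z0-9._-]*)
      echo "blacklist $counter: invalid name '$name' - skipped" >&2
      continue ;;
  esac
  echo "loading blacklist $counter - $name"
  # Load the set only when it does not exist yet (swap-with-self reports
  # "Unknown set" exactly when missing); an existing set is kept as-is.
  if [ -n "$(ipset --swap "$name" "$name" 2>&1 | grep 'Unknown set')" ]; then
    ipset --create "$name" iptreemap
    if [ ! -e "$name.lst" ]; then
      # Download into a temp file and keep it only if it yielded entries.
      # Writing straight to $name.lst meant a failed or empty download left
      # an empty cache file that was never retried, i.e. an empty set.
      # The temp file lives in this (private) directory rather than /tmp;
      # only the list name and PID are needed, no mktemp dependency.
      # NOTE(review): the list is trusted exactly as fetched (no hash or
      # signature check). Prefer https URLs in "blacklists" so the content
      # cannot be trivially tampered with in transit.
      tmp="$name.lst.tmp.$$"
      if wget -q -O - "$url" | gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" > "$tmp" && [ -s "$tmp" ]; then
        mv -f "$tmp" "$name.lst"
      else
        echo "blacklist $name: download/parse of '$url' failed, set left empty" >&2
        rm -f "$tmp"
      fi
    fi
    if [ -r "$name.lst" ]; then
      # entries are already filtered to addresses/ranges by the grep above
      while read -r IP; do
        [ -n "$IP" ] && ipset -A "$name" "$IP"
      done < "$name.lst"
    fi
  fi
  # -n: numeric listing (no reverse DNS). The " $name src,dst" pattern counts
  # only this set's rule, so "level1" no longer matches a "level10" rule and
  # trips the duplicate-removal branch below.
  iptabin=$(iptables -n -L FORWARD | grep -c " $name src,dst")
  pos=$((13 + counter))
  if [ "${iptabin:-0}" -eq 0 ]; then
    echo "Setting FORWARD iptables"
    # position 13+N is hard-coded to the expected chain layout; if the chain
    # is shorter the insert fails and this list is NOT enforced, so report it
    # and fail the script instead of silently carrying on open.
    if ! iptables -I FORWARD "$pos" -m set --set "$name" src,dst -j LOGGING; then
      echo "blacklist $name: could not insert rule at FORWARD position $pos - NOT enforced" >&2
      failed=1
    fi
  elif [ "$iptabin" -gt 1 ]; then
    echo "Re-setting FORWARD iptables"
    # more than one copy: remove one per run
    iptables -D FORWARD -m set --set "$name" src,dst -j LOGGING
  fi
done < blacklists
exit "$failed"
)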