p2partisan 1.05

#!/bin/sh
#
# p2partisan v1.5 (22/03/2014)
#
# <CONFIGURATION> ###########################################
# Adjust location where the files are kept
cd /cifs1/p2partisan
#
# Edit the file "blacklists" to customise if needed
# Edit the "whitelist" to overwrite the blacklist if needed
#
#Maximum number of logs to be recorded in a given 60 sec
maxloghour=120
# to troubleshoot blocked connection close all the secondary
# traffic e.g. p2p and try a connection to the blocked
# site/port you should find a reference in the logs.
#
# ports to be whitelisted. Whitelisted ports will never be
# blocked no matter what the source/destination IP is.
# This is very important if you're running a service like
# e.g. SMTP/HTTP/IMAP/else. Separate value in the list below
# with commas - NOTE: keep at least 80 and 443 in this list
whiteports="80,443,993,25,21"
#
# Fastrouting will process the IP classes very quickly but use
# Lot of resources. If you disable the effect is transparent
# but the full process will take minutes rather than seconds
# 0=disabled 1=enabled
fastroutine=1
#
# </CONFIGURATION> ###########################################

    [ -f iptables-add ] && rm iptables-add
    [ -f iptables-del ] && rm iptables-del
    [ -f ipset-del ] && rm ipset-del

echo "### PREPARATION ###"
echo "loading modules"
# Loading ipset modules
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_iptreemap ipt_set
        do
        insmod $module
        done

counter=0

echo "loading ports $whiteports exemption"
iptabweb=`iptables -L FORWARD | grep "ports www,https" | wc -l`
if [ $iptabweb -eq 0 ]; then
    echo "iptables -A FORWARD -p tcp --match multiport --sports $whiteports -j ACCEPT
iptables -A FORWARD -p tcp --match multiport --dports $whiteports -j ACCEPT" >> iptables-add
elif [ $iptabweb -ne 2 ]; then
    echo "iptables -D FORWARD -p tcp --match multiport --sports $whiteports -j ACCEPT
iptables -D FORWARD -p tcp --match multiport --dports $whiteports -j ACCEPT" >> iptables-add
fi
echo "iptables -D FORWARD -p tcp --match multiport --sports $whiteports -j ACCEPT
iptables -D FORWARD -p tcp --match multiport --dports $whiteports -j ACCEPT" >> iptables-del

echo "### WHITELIST ###"
echo "loading the whitelist"
#Load the whitelist
if [ "$(ipset --swap whitelist whitelist 2>&1 | grep 'Unknown set')" != "" ]
    then
    ipset --create whitelist iptreemap
    cat whitelist |
    (
    while read IP
    do
            echo "$IP" | grep "^#" >/dev/null 2>&1 && continue
            echo "$IP" | grep "^$" >/dev/null 2>&1 && continue
                    ipset -A whitelist $IP
            done
    )
fi
echo "ipset -X whitelist" >> ipset-del

iptabwhite=`iptables -L FORWARD | grep whitelist | wc -l`
if [ $iptabwhite -eq 0 ]; then
    echo "Preparing the whitelist for the iptables"
    echo "iptables -A FORWARD -m set --set whitelist src,dst -j ACCEPT" >> iptables-add
elif [ $iptabwhite -gt 1 ]; then
    echo "Re-setting whitelist iptables"
    echo "iptables -D FORWARD -m set --set whitelist src,dst -j ACCEPT" >> iptables-add
fi
echo "iptables -D FORWARD -m set --set whitelist src,dst -j ACCEPT" >> iptables-del

# set iptables to log blacklisted related drops
logging=`iptables -L | grep "Chain LOGGING" | wc -l`
if [ $logging = 0 ]; then
   echo "iptables -N LOGGING " >> iptables-add
fi
echo "iptables -F LOGGING
iptables -A LOGGING -m limit --limit $maxloghour/hour -j LOG --log-prefix "Blacklist-Dropped: " --log-level 1
iptables -A LOGGING -j DROP" >> iptables-add

echo "### BLACKLISTs ###"
cat blacklists |
   (
    while read line
    do
            echo "$line" | grep "^#" >/dev/null 2>&1 && continue
            echo "$line" | grep "^$" >/dev/null 2>&1 && continue
            counter=`expr $counter + 1`
            name=`echo $line |cut -d ' ' -f1`
            url=`echo $line |cut -d ' ' -f2`
            echo "loading blacklist #$counter --> ***$name***"

    if [[ $fastroutine -eq 1 ]]; then

    if [ "$(ipset --swap $name $name 2>&1 | grep 'Unknown set')" != "" ]
      then
      [ -e $name.gz ] || wget -q -O $name.gz "$url"
      { echo "-N $name iptreemap"
        gunzip -c  $name.gz | \
        sed -e "/^[\t ]*#.*\|^[\t ]*$/d;s/^.*:/-A $name /"
        echo COMMIT
      } | ipset -R
    fi

    else

        if [ "$(ipset --swap $name $name 2>&1 | grep 'Unknown set')" != "" ]
            then
            ipset --create $name iptreemap
            [ -e $name.lst ] || wget -q -O - "$url" | gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" > $name.lst
            for IP in $(cat $name.lst)
                    do
                    ipset -A $name $IP
                    done
            fi

    fi

        echo "ipset -X $name " >> ipset-del
        iptabin=`iptables -L FORWARD | grep $name | wc -l`
        if [ $iptabin -eq 0 ]; then
            echo "Preparing blacklist ***$name*** into the FORWARD iptables"
            echo "iptables -A FORWARD -m set --set $name src,dst -j LOGGING" >> iptables-add
        elif [ $iptabin -gt 1 ]; then
            echo "Re-setting FORWARD iptables"
            echo "iptables -D FORWARD -m set --set $name src,dst -j LOGGING" >> iptables-add
        fi
        echo "iptables -D FORWARD -m set --set $name src,dst -j LOGGING" >> iptables-del
    done
    )
echo "iptables -F LOGGING " >> iptables-del
echo "iptables -X LOGGING " >> iptables-del
chmod 777 ./iptables-*
chmod 777 ./ipset-*
echo "### NOTEs ###"
echo "Tomato is now running the script: iptables-add"
echo "If you wish to remove p2partisan from your system"
echo "run the command ./iptables-del ; ./ipset-del"
./iptables-add  #protecting the LAN
echo "### DONE ###"