rs232

p2partisan 1.03

Oct 14th, 2013
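#!/bin/sh
#
# p2partisan v1.3 (14/10/2013)
#
# Builds and applies an iptables/ipset configuration that sends FORWARD
# traffic to/from addresses listed in downloaded blacklists to a LOGGING
# chain (rate-limited LOG, then DROP), unless the address is in the local
# whitelist or the TCP port is one of the exempted ports.
#
# Files read from $basedir:
#   blacklists     one list per line: "<setname> <url-of-gzipped-list>"
#   whitelist      one address/range per line, "#" lines are comments
# Files (re)written in $basedir on every run:
#   iptables-add   rules to apply; executed by this script at the very end
#   iptables-del   matching delete commands; NOT run here (presumably used
#                  by a separate teardown step - confirm)
#   ipset-del      matching "ipset -X" commands; NOT run here either
#   <setname>.lst  cached, parsed copy of each downloaded blacklist
#
# iptables-add is executed as a shell script, so everything interpolated
# into it ($whiteports and the set names read from "blacklists") must come
# from this file / the administrator's own config files only.
#
#########################################################
# Adjust location where the files are kept
basedir=/cifs1/p2partisan
#
# Edit the file "blacklists" to customise if needed
# Edit the "whitelist" to overwrite the blacklist if needed
#
# Maximum number of log entries per hour for blacklist drops
# (used as the iptables "--limit N/hour" of the LOGGING chain)
maxloghour=120
# to troubleshoot blocked connection close all the secondary
# traffic e.g. p2p and try a connection to the blocked
# site/port you should find a reference in the logs.
#
# ports to be whitelisted, very important if you're running
# a service like SMTP/HTTP/IMAP/else. Separate value with
# commas - NOTE: 80,443 are always white listed
whiteports="993,25,21"
#########################################################

# Everything below works relative to $basedir; refuse to continue if the
# cd fails, otherwise the rm/cat/wget calls would act on the wrong directory.
cd "$basedir" || { echo "p2partisan: cannot cd to $basedir" >&2; exit 1; }
if [ ! -f blacklists ]; then
    echo "p2partisan: $basedir/blacklists not found, nothing to load" >&2
    exit 1
fi

# Start each run from clean generated files (they are appended to below).
rm -f -- iptables-add iptables-del ipset-del

# set_exists NAME - succeeds when the ipset set NAME already exists.
# Swapping a set with itself is a no-op when it exists and prints
# "Unknown set" (on the ipset version this was written for) when it does not.
set_exists() {
    if ipset --swap "$1" "$1" 2>&1 | grep 'Unknown set' >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# count_forward_rules PATTERN - number of FORWARD rules whose "iptables -L"
# line matches PATTERN (basic regex). Always prints a number (0 when
# iptables itself fails), so callers can use it in numeric tests safely.
count_forward_rules() {
    iptables -L FORWARD | grep -c "$1"
}

# is_skippable LINE - succeeds for empty lines and lines starting with "#".
is_skippable() {
    case "$1" in
        ''|'#'*) return 0 ;;
    esac
    return 1
}

# fetch_blacklist NAME URL - download the gzipped list at URL, keep the part
# after the ':' of every line that looks like an address/range, and cache
# it as NAME.lst. Nothing is written on download failure, so a transient
# network error cannot leave an empty cached list that would silently
# disable this blacklist on every following run. The cache is never
# refreshed: delete NAME.lst to force a new download. The download is not
# integrity-checked; the URL is trusted as configured in "blacklists".
fetch_blacklist() {
    [ -e "$1.lst" ] && return 0
    if wget -q -O "$1.gz.tmp" "$2"; then
        gunzip < "$1.gz.tmp" | cut -d: -f2 | grep -E "^[-0-9.]+$" > "$1.lst.tmp"
        mv "$1.lst.tmp" "$1.lst"
    else
        echo "WARNING: could not download blacklist $1 from $2" >&2
    fi
    rm -f "$1.gz.tmp" "$1.lst.tmp"
}

echo "loading modules"
# Loading ipset modules, only if the iptables set match is not loaded yet
if ! lsmod | grep "ipt_set" > /dev/null 2>&1; then
    for module in ip_set ip_set_iptreemap ipt_set; do
        insmod "$module"
    done
fi

echo "loading ports 80,443,$whiteports exemption"
# The sports and dports rules both list as "ports www,https,..." so a
# count of exactly 2 means the exemption is already in place.
iptabweb=$(count_forward_rules "ports www,https")
if [ "$iptabweb" -eq 0 ]; then
    cat >> iptables-add <<EOF
iptables -I FORWARD 2 -p tcp --match multiport --sports 80,443,$whiteports -j ACCEPT
iptables -I FORWARD 2 -p tcp --match multiport --dports 80,443,$whiteports -j ACCEPT
EOF
elif [ "$iptabweb" -ne 2 ]; then
    # Unexpected count: remove one pair so a later run can re-insert cleanly.
    cat >> iptables-add <<EOF
iptables -D FORWARD -p tcp --match multiport --sports 80,443,$whiteports -j ACCEPT
iptables -D FORWARD -p tcp --match multiport --dports 80,443,$whiteports -j ACCEPT
EOF
fi
cat >> iptables-del <<EOF
iptables -D FORWARD -p tcp --match multiport --sports 80,443,$whiteports -j ACCEPT
iptables -D FORWARD -p tcp --match multiport --dports 80,443,$whiteports -j ACCEPT
EOF

echo "loading the whitelist"
# Load the whitelist into its ipset, only when the set does not exist yet
if ! set_exists whitelist; then
    ipset --create whitelist iptreemap
    if [ -f whitelist ]; then
        while read -r IP; do
            is_skippable "$IP" && continue
            ipset -A whitelist "$IP"
        done < whitelist
    else
        echo "WARNING: whitelist file not found, no exemptions loaded" >&2
    fi
fi
echo "ipset -X whitelist" >> ipset-del

# Match " whitelist " with the surrounding spaces (as in
# "match-set whitelist src,dst") so a blacklist whose name merely contains
# "whitelist" is not counted here.
iptabwhite=$(count_forward_rules " whitelist ")
if [ "$iptabwhite" -eq 0 ]; then
    echo "Setting whitelist iptables"
    echo "iptables -I FORWARD 5 -m set --set whitelist src,dst -j ACCEPT" >> iptables-add
elif [ "$iptabwhite" -gt 1 ]; then
    echo "Re-setting whitelist iptables"
    echo "iptables -D FORWARD -m set --set whitelist src,dst -j ACCEPT" >> iptables-add
fi
echo "iptables -D FORWARD -m set --set whitelist src,dst -j ACCEPT" >> iptables-del

# set iptables to log blacklisted related drops
logging=$(iptables -L | grep -c "Chain LOGGING")
if [ "$logging" -eq 0 ]; then
    echo "iptables -N LOGGING" >> iptables-add
fi
# Written via a here-document so the quotes around the log prefix survive
# into iptables-add and the prefix keeps its trailing space.
cat >> iptables-add <<EOF
iptables -F LOGGING
iptables -A LOGGING -m limit --limit $maxloghour/hour -j LOG --log-prefix "Blacklist-Dropped: " --log-level 1
iptables -A LOGGING -j DROP
EOF

counter=0
# blacklists: "<name> <url>" per line; name is used as the ipset set name
# and as the cache file name (<name>.lst).
while read -r name url rest; do
    is_skippable "$name" && continue
    counter=$((counter + 1))
    echo "loading blacklist $counter - $name"

    # Load the blacklist into its ipset, only when the set does not exist yet
    if ! set_exists "$name"; then
        ipset --create "$name" iptreemap
        fetch_blacklist "$name" "$url"
        if [ -f "$name.lst" ]; then
            while read -r IP; do
                ipset -A "$name" "$IP"
            done < "$name.lst"
        fi
    fi

    echo "ipset -X $name" >> ipset-del

    # " $name " with spaces: a plain substring match would also count the
    # rules of e.g. "level10" when looking for "level1".
    iptabin=$(count_forward_rules " $name ")
    # Blacklist rules are inserted at 13 + counter, i.e. after the exemption
    # and whitelist rules above. NOTE(review): the base offset 13 presumably
    # leaves room for the router's own FORWARD rules - confirm for your setup.
    pos=$((13 + counter))
    if [ "$iptabin" -eq 0 ]; then
        echo "Setting FORWARD iptables"
        echo "iptables -I FORWARD $pos -m set --set $name src,dst -j LOGGING" >> iptables-add
    elif [ "$iptabin" -gt 1 ]; then
        echo "Re-setting FORWARD iptables"
        echo "iptables -D FORWARD -m set --set $name src,dst -j LOGGING" >> iptables-add
    fi
    echo "iptables -D FORWARD -m set --set $name src,dst -j LOGGING" >> iptables-del
done < blacklists

cat >> iptables-del <<EOF
iptables -F LOGGING
iptables -X LOGGING
EOF

# Apply the generated rules. Run the file explicitly with sh from this
# directory instead of relying on a PATH lookup and the file's execute bit.
sh ./iptables-add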