netfilter_drop_ipset_zeus_spamhaus.sh

#!/bin/bash

# +-----------------------------------------------------------------------+
# | netfilter_drop_ipset_zeus_spamhaus.sh                                 |
# |                                                                       |
# | Create ipset lists from zeus project and spamhaus                     |
# | Add netfilter INPUT rules matching ipset lists to DROP unwanted ips   |
# |                                                                       |
# | Add this script in /etc/cron.daily/netfilter_drop_ipset_zeus_spamhaus |
# | #!/bin/sh                                                             |
# | /path/to/netfilter_drop_ipset_zeus_spamhaus.sh                        |
# |                                                                       |
# +-----------------------------------------------------------------------+

LOGFILE=/var/log/$(basename $0 .sh).log
DROP_RULE_POSITION=6 # Set the correct position according to your netfilter INPUT rules
ZEUS_BLOCKLIST_URL='https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist'
ZEUS_BLOCKLIST_FILE=/etc/zeus-list.txt
SPAMHAUS_BLOCKLIST_URL='https://www.spamhaus.org/drop/drop.txt'
SPAMHAUS_BLOCKLIST_FILE=/etc/spamhaus-list.txt

function message {
    if [ ! -z "$1" ]; then
        echo "[$(date +'%d/%m/%Y %H:%M:%S')] $*" | tee -a ${LOGFILE}
    fi
}

function ok_failed {
    if [ ! -z "$1" ] && [ $1 -eq 0 ]; then
        message "OK"
    else
        message "Failed"
        exit $?
    fi
}

message "[+] Check if wget command is available"
which wget &>/dev/null
ok_failed $?

message "[+] Check if ipset command is available"
which ipset &>/dev/null
ok_failed $?

message "[+] Download https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist"
/usr/bin/wget --no-check-certificate ${ZEUS_BLOCKLIST_URL} -O ${ZEUS_BLOCKLIST_FILE} &>/dev/null
ok_failed $?
sed -i -r -e '/^[#;].*$/d;/^\s*$/d' ${ZEUS_BLOCKLIST_FILE}

message "[+] Download ${SPAMHAUS_BLOCKLIST_URL} to ${SPAMHAUS_BLOCKLIST_FILE}"
/usr/bin/wget --no-check-certificate ${SPAMHAUS_BLOCKLIST_URL} -O ${SPAMHAUS_BLOCKLIST_FILE} &>/dev/null
ok_failed $?
sed -i -r -e '/^[#;].*$/d;/^\s*$/d' ${SPAMHAUS_BLOCKLIST_FILE}
sed -i -r -e 's/\s*;.*$//' ${SPAMHAUS_BLOCKLIST_FILE}

ZEUS_IPSET_IPS="zeus_ipset_ips"
message "[+] Check ipset list ${ZEUS_IPSET_IPS}"
ipset list ${ZEUS_IPSET_IPS} &>/dev/null
if [ $? -ne 0 ]; then
    message "[+] Create ipset iphash ${ZEUS_IPSET_IPS}"
    ipset create ${ZEUS_IPSET_IPS} iphash
    ok_failed $?
    message "[+] Add DROP netfilter rule at position ${DROP_RULE_POSITION}"
    iptables -I INPUT ${DROP_RULE_POSITION} -m set --match-set ${ZEUS_IPSET_IPS} src -j DROP
    ok_failed $?
else
    message "[+] Flush ipset ${ZEUS_IPSET_IPS}"
    ipset flush ${ZEUS_IPSET_IPS}
fi

message "[+] Adding IPs to be blocked from ${ZEUS_BLOCKLIST_FILE} $(wc -l ${ZEUS_BLOCKLIST_FILE} | awk '{print $1}') entries"
for i in $(cat ${ZEUS_BLOCKLIST_FILE})
    do
        ipset add ${ZEUS_IPSET_IPS} $i
    done
message "Done."

SPAMHAUS_IPSET_IPRANGES="spamhaus_ipset_ipranges"
message "[+] Check ipset list ${SPAMHAUS_IPSET_IPRANGES}"
ipset list ${SPAMHAUS_IPSET_IPRANGES} &>/dev/null
if [ $? -ne 0 ]; then
    message "[+] Create ipset hash:net ${SPAMHAUS_IPSET_IPRANGES}"
    ipset create ${SPAMHAUS_IPSET_IPRANGES} hash:net
    ok_failed $?
    message "[+] Add DROP netfilter rule at position ${DROP_RULE_POSITION}"
    iptables -I INPUT ${DROP_RULE_POSITION} -m set --match-set ${SPAMHAUS_IPSET_IPRANGES} src -j DROP
    ok_failed $?
else
    message "[+] Flush ipset ${SPAMHAUS_IPSET_IPRANGES}"
    ipset flush ${SPAMHAUS_IPSET_IPRANGES}
fi

message "[+] Adding IP RANGES to be blocked from ${SPAMHAUS_BLOCKLIST_FILE} $(wc -l ${SPAMHAUS_BLOCKLIST_FILE} | awk '{print $1}') entries"
for i in $(cat ${SPAMHAUS_BLOCKLIST_FILE})
    do
        ipset add ${SPAMHAUS_IPSET_IPRANGES} $i
    done
message "Done."

message "[+] Netfilter INPUT rules"
iptables -L INPUT -n -v --line-numbers | tee -a ${LOGFILE}