rs232

p2partisan 1.06

Mar 22nd, 2014
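#!/bin/sh
#
# p2partisan v1.6 (23/03/2014)
#
# Loads the IP ranges listed in the "blacklists" file into ipset sets,
# the addresses in "whitelist" into a whitelist set, and writes three
# helper scripts into the working directory:
#   iptables-add  creates/refreshes the P2PARTISAN chains (run at the end)
#   iptables-del  removes the P2PARTISAN chains again
#   ipset-del     destroys the ipset sets
# Written for the router's /bin/sh (busybox ash): POSIX constructs only,
# no [[ ]], arrays or other bashisms.
#
# <CONFIGURATION> ###########################################
# Adjust location where the files are kept
workdir=/cifs1/p2partisan
#
# Edit the file "blacklists" to customise if needed (one "name url" per line)
# Edit the "whitelist" to overwrite the blacklist if needed (one entry per line)
#
# Maximum number of blacklist drops to be logged per hour
# (used as "--limit $maxloghour/hour" on the LOG rule)
maxloghour=120
# to troubleshoot blocked connection close all the secondary
# traffic e.g. p2p and try a connection to the blocked
# site/port you should find a reference in the logs.
#
# ports to be whitelisted. Whitelisted ports will never be
# blocked no matter what the source/destination IP is.
# This is very important if you're running a service like
# e.g. SMTP/HTTP/IMAP/else. Separate value in the list below
# with commas - NOTE: Leave 80 and 443 untouched, add custom ports only
# you might want to add remote admin and VPN ports here if any
# NOTE: the list is matched as destination AND as source port, so a
# blacklisted host is still accepted when it sends from one of these
# ports; that is inherent to the --sports rules generated below.
whiteports="80,443,993,25,21"
#
# Fastrouting will process the IP classes very quickly but use
# Lot of resources. If you disable the effect is transparent
# but the full process will take minutes rather than seconds
# 0=disabled 1=enabled
fastroutine=1
#
# Position of the P2PARTISAN jump inside the INPUT chain
pos=1
#
# </CONFIGURATION> ###########################################

#######################################
# Print a message to stderr and exit with failure.
# Arguments: message words
#######################################
die() {
  printf 'p2partisan: %s\n' "$*" >&2
  exit 1
}

# Append one line to each of the generated scripts.
emit_add() { printf '%s\n' "$1" >> iptables-add; }
emit_del() { printf '%s\n' "$1" >> iptables-del; }
emit_set() { printf '%s\n' "$1" >> ipset-del; }

#######################################
# Return 0 when the ipset named $1 already exists.
# Swapping a set with itself is a no-op when it exists and reports
# "Unknown set" when it does not (same probe as the original script).
#######################################
set_exists() {
  if ipset --swap "$1" "$1" 2>&1 | grep -q 'Unknown set'; then
    return 1
  fi
  return 0
}

#######################################
# Create iptables chain $1 unless it is already present.
# "-nL <chain>" fails for a missing chain and, unlike "-L | grep",
# cannot confuse P2PARTISAN with P2PARTISAN-DROP.
#######################################
ensure_chain() {
  iptables -nL "$1" >/dev/null 2>&1 || iptables -N "$1"
}

#######################################
# Return 0 when $1 is a comment ("#...") or an empty line.
#######################################
skip_line() {
  case $1 in
    ''|\#*) return 0 ;;
  esac
  return 1
}

#######################################
# Return 0 when $1 is safe to use as a file name, an ipset name and a
# word inside the generated scripts (letters, digits, "_", "." and "-").
#######################################
valid_name() {
  case $1 in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  return 0
}

#######################################
# Download $2 into $1 unless $1 already exists (cache).
# The transfer goes to a temporary name first so a failed download does
# not leave a truncated file that later runs would mistake for a cache.
# Returns: 0 when $1 is available afterwards, 1 otherwise
#######################################
fetch() {
  [ -e "$1" ] && return 0
  if wget -q -O "$1.part" "$2"; then
    mv -f "$1.part" "$1"
  else
    rm -f "$1.part"
    return 1
  fi
}

#######################################
# Slow-path cache: download $2, gunzip it and keep only the address part
# of each "label:range" line in $1.lst. Skipped when $1.lst exists.
# Returns: 0 when $1.lst is available afterwards, 1 otherwise
#######################################
fetch_lst() {
  [ -e "$1.lst" ] && return 0
  if wget -q -O - "$2" | gunzip | cut -d: -f2 | grep -E '^[-0-9.]+$' > "$1.lst.part"; then
    mv -f "$1.lst.part" "$1.lst"
  else
    rm -f "$1.lst.part"
    return 1
  fi
}

#######################################
# Fast path: build set $1 from $1.gz in a single "ipset -R" transaction.
# Comment/blank lines are dropped and "label:range" becomes "-A $1 range".
# Note that everything after the colon is handed to ipset unfiltered.
# Returns: exit status of ipset -R
#######################################
load_fast() {
  {
    echo "-N $1 iptreemap"
    gunzip -c "$1.gz" | sed -e "/^[\t ]*#.*\|^[\t ]*$/d;s/^.*:/-A $1 /"
    echo COMMIT
  } | ipset -R
}

#######################################
# Slow path: create set $1 and add the entries of $1.lst one by one.
# Returns: 1 when the set cannot be created, 0 otherwise
#######################################
load_slow() {
  ipset --create "$1" iptreemap || return 1
  while read -r ip; do
    [ -n "$ip" ] && ipset -A "$1" "$ip"
  done < "$1.lst"
  return 0
}

cd "$workdir" || die "cannot cd to $workdir"
[ -r blacklists ] || die "no readable 'blacklists' file in $workdir"

# Start the generated scripts from scratch. They are executed as root by
# the router, so they get a shebang and owner-only permissions (below).
rm -f iptables-add iptables-del ipset-del
for f in iptables-add iptables-del ipset-del; do
  echo '#!/bin/sh' > "$f"
done

echo "### PREPARATION ###"
echo "loading modules"
# Loading ipset modules (only when the ipt_set match is not loaded yet)
if ! lsmod | grep -q "ipt_set"; then
  for module in ip_set ip_set_iptreemap ipt_set; do
    insmod "$module"
  done
fi

echo "loading ports $whiteports exemption"

# P2PARTISAN holds the accept/match rules, P2PARTISAN-DROP logs
# (rate limited) and drops whatever the blacklists matched.
ensure_chain P2PARTISAN
emit_add "iptables -F P2PARTISAN"
ensure_chain P2PARTISAN-DROP
emit_add "iptables -F P2PARTISAN-DROP"
emit_del "iptables -D INPUT -m state --state NEW -j P2PARTISAN"

for proto in tcp udp; do
  emit_add "iptables -A P2PARTISAN -p $proto --match multiport --sports $whiteports -j ACCEPT"
done
for proto in tcp udp; do
  emit_add "iptables -A P2PARTISAN -p $proto --match multiport --dports $whiteports -j ACCEPT"
done

echo "### WHITELIST ###"
echo "loading the whitelist"
# Load the whitelist (kept across runs once the set exists)
if ! set_exists whitelist; then
  ipset --create whitelist iptreemap
  if [ -r whitelist ]; then
    while read -r ip; do
      skip_line "$ip" && continue
      ipset -A whitelist "$ip"
    done < whitelist
  else
    printf 'p2partisan: no readable whitelist file, whitelist set is empty\n' >&2
  fi
fi
emit_set "ipset -X whitelist"

echo "Preparing the whitelist for the iptables"
emit_add "iptables -A P2PARTISAN -m set --set whitelist src,dst -j ACCEPT"

# Here-document so the quotes around the log prefix reach the generated
# script intact (the original nested quotes dropped them).
cat >> iptables-add <<EOF
iptables -A P2PARTISAN-DROP -m limit --limit $maxloghour/hour -j LOG --log-prefix "Blacklist-Dropped: " --log-level 1
iptables -A P2PARTISAN-DROP -j DROP
EOF

echo "### BLACKLISTs ###"
counter=0
# Each line is "name url"; any further words are ignored.
while read -r name url rest; do
  skip_line "$name" && continue
  counter=$((counter + 1))
  if ! valid_name "$name"; then
    printf 'p2partisan: skipping blacklist #%s, invalid name "%s"\n' "$counter" "$name" >&2
    continue
  fi
  echo "loading blacklist #$counter --> ***$name***"

  if ! set_exists "$name"; then
    loaded=0
    if [ "$fastroutine" -eq 1 ]; then
      fetch "$name.gz" "$url" && load_fast "$name" && loaded=1
    else
      fetch_lst "$name" "$url" && load_slow "$name" && loaded=1
    fi
    # Do not reference a set that was never built: iptables-add would
    # abort on that rule.
    if [ "$loaded" -ne 1 ]; then
      printf 'p2partisan: blacklist ***%s*** could not be loaded from "%s", skipped\n' "$name" "$url" >&2
      continue
    fi
  fi

  emit_set "ipset -X $name "
  echo "Preparing blacklist ***$name*** into the P2PARTISAN iptables"
  emit_add "iptables -A P2PARTISAN -m set --set $name src,dst -j P2PARTISAN-DROP"
done < blacklists

emit_del "iptables -F P2PARTISAN-DROP "
emit_del "iptables -F P2PARTISAN "
emit_del "iptables -X P2PARTISAN-DROP "
emit_del "iptables -X P2PARTISAN "

# Hook the chain into INPUT only once
if ! iptables -nL INPUT | grep -q "P2PARTISAN"; then
  emit_add "iptables -I INPUT $pos -m state --state NEW -j P2PARTISAN"
fi

# The generated scripts run as root: executable for the owner only, never
# world-writable (0777 would let any local account inject firewall commands).
chmod 700 ./iptables-add ./iptables-del ./ipset-del
echo "### NOTEs ###"
echo "Tomato is now running the script: iptables-add"
echo "If you wish to remove p2partisan from your system"
echo "run the command ./iptables-del ; ./ipset-del"
./iptables-add || die "iptables-add reported errors, rules may be incomplete"  #protecting the LAN
echo "### DONE ###"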