rs232

p2partisan 2.00

May 4th, 2014
  1. #!/bin/sh
  2. #
  3. # p2partisan v2.0 (04/05/2014)
  4. #
  5. # <CONFIGURATION> ###########################################
  6. # Adjust location where the files are kept
  7. P2Partisandir=/cifs1/p2partisan
  8. #
  9. # Edit the file "blacklists" to customise if needed
  10. # Edit the "whitelist" to overwrite the blacklist if needed
  11. #
  12. #
  13. # Enable logging? Use only for troubleshooting. 0=off 1=on
  14. syslogs=1
  15. # Maximum number of logs to be recorded in a given 60 min
  16. # Consider set this very low (like 3 or 6) once your are
  17. # happy with the installation. To troubleshoot blocked
  18. # connection close all the secondary traffic e.g. p2p
  19. # and try a connection to the blocked site/port you should
  20. # find a reference in the logs.
  21. maxloghour=6
  22. #
  23. # What do you want to block?
  24. # 1) Input (Router only, does your generate P2P traffic?)
  25. # 2) LAN (LAN clients only)
  26. # 3) Both *default
  27. protection=3
  28. #
  29. # ports to be whitelisted. Whitelisted ports will never be
  30. # blocked no matter what the source/destination IP is.
  31. # This is very important if you're running a service like
  32. # e.g. SMTP/HTTP/IMAP/else. Separate value in the list below
  33. # with commas - NOTE: Leave 80 and 443 untouched, add custom ports only
  34. # you might want to add remote admin and VPN ports here if any.
  35. # Standard iptables syntax, number divided by "," or ":" for a range
  36. # e.g. 80,443,2100:21300
  37. whiteports="21,25,80,123,443,993,1194:1197"
  38. #
  39. # Fastrouting will process the IP classes very quickly but use
  40. # Lot of resources. If you disable the effect is transparent
  41. # but the full process will take minutes rather than seconds
  42. # 0=disabled 1=enabled
  43. fastroutine=1
  44. #
  45. # Schedule updates? (once a week is plenty)
  46. schedule="30 4 * * 1"
  47. #
  48. # </CONFIGURATION> ###########################################
  49.  
  50. pidfile=/var/run/p2partisan.pid
  51. cd $P2Partisandir
# Wait until Internet is available: block here until three pings to
# 8.8.8.8 succeed, retrying every 2 seconds (the lists are fetched later).
until ping -c 3 8.8.8.8 >/dev/null 2>&1; do
    sleep 2
done
  65. alias ipset='/usr/sbin/ipset'
  66. alias iptables='/usr/sbin/iptables'
  67. alias service='/sbin/service'
  68. alias plog='logger -t P2PARTISAN -s'
  69. now=`date`
  70. wanif=`nvram get wan_ifname`
# Soft stop: run the generated iptables-del script (removes the hooks and
# the P2PARTISAN chains, leaves the ipset sets in place) and drop the pid
# file so that a following pstart is allowed to run.
psoftstop() {
    ./iptables-del 2> /dev/null
    plog "Stopping P2Partisan"
    if [ -f "$pidfile" ]; then
        rm -f -- "$pidfile" 2> /dev/null
    fi
}
# Hard stop: unhook and delete the P2PARTISAN chains, flush and destroy the
# ipset sets, remove the generated helper scripts and the pid file.
# NOTE: the ipset loop below destroys EVERY set reported by "ipset --list",
# not only the ones this script created.
pforcestop() {
    iptables -D wanin -i "$wanif" -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
    iptables -D wanout -o "$wanif" -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
    iptables -D INPUT -i "$wanif" -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
    iptables -D OUTPUT -o "$wanif" -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
    # flush all three chains first, then delete them (same order as before)
    for chain in P2PARTISAN-DROP P2PARTISAN-IN P2PARTISAN-OUT; do
        iptables -F "$chain" 2> /dev/null
    done
    for chain in P2PARTISAN-DROP P2PARTISAN-IN P2PARTISAN-OUT; do
        iptables -X "$chain" 2> /dev/null
    done
    ipset -F
    # word-splitting of the set names is intended here
    # shellcheck disable=SC2046
    for setname in $(ipset --list | grep Name | cut -f2 -d ":"); do
        ipset -X "$setname"
    done
    for leftover in iptables-add iptables-del ipset-del; do
        [ -f "$leftover" ] && rm "$leftover"
    done
    if [ -f "$pidfile" ]; then
        rm -f -- "$pidfile" 2> /dev/null
    fi
    plog "Stopping P2Partisan"
}
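# Print whether P2Partisan is active, the autorun/schedule state and the
# last "Dropped" line from /var/log/messages. "Running" requires all three
# chains to hold rules, a reference to P2PARTISAN-IN in the filter table
# and the pid file written by pstart.
pstatus() {
    # rule count per chain; the two grep -v drop the header lines that
    # iptables -L prints, so 0 means the chain is empty or does not exist
    running0=$(iptables -L P2PARTISAN-IN 2> /dev/null | grep -v target | grep -v Chain 2> /dev/null | wc -l)
    running1=$(iptables -L P2PARTISAN-OUT 2> /dev/null | grep -v target | grep -v Chain 2> /dev/null | wc -l)
    running2=$(iptables -L P2PARTISAN-DROP 2> /dev/null | grep -v target | grep -v Chain 2> /dev/null | wc -l)
    # number of references to P2PARTISAN-IN anywhere in the filter table
    running3=$(iptables -L | grep P2PARTISAN-IN 2> /dev/null | wc -l)
    # 1 when the pid file exists (pstart refuses to start while it does)
    if [ -f "$pidfile" ]; then running4=1; else running4=0; fi
    running5=$(nvram get script_fire | grep p2partisan >/dev/null && echo Yes || echo No)
    running6=$(cru l | grep P2Partisan-update >/dev/null && echo Yes || echo No)
    running7=$(tail -200 /var/log/messages | grep Dropped | tail -1)

    # The old condition tested $running3 twice and never looked at
    # $running4; the pid file is now part of the "running" verdict.
    # [ ] instead of [[ ]] because the shebang is /bin/sh.
    if [ "$running0" -eq 0 ] || [ "$running1" -eq 0 ] || [ "$running2" -eq 0 ] \
        || [ "$running3" -eq 0 ] || [ "$running4" -eq 0 ]; then
        running_state=No
    else
        running_state=Yes
    fi
    echo "### P2Partisan status ####################################
    P2Partisan running: $running_state
    P2Partisan autorun: $running5
    P2Partisan scheduled: $running6
### Last log recorded ####################################"
    echo "Remember your max logs per hour is set to: $maxloghour
$running7
##########################################################"
}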
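# Append this script to the nvram "script_fire" list unless a p2partisan
# line is already present, so it is started together with the router.
pautorunset() {
    p=$(nvram get script_fire | grep -c p2partisan)
    if [ "$p" -eq 0 ]; then
        t=$(nvram get script_fire)
        # '%s' with the values as arguments: the old code used $t itself as
        # the printf format, so a '%' or '\' in script_fire would be
        # interpreted instead of preserved.
        t=$(printf '%s\n%s\n' "$t" "$P2Partisandir/p2partisan.sh")
        nvram set "script_fire=$t"
    fi
    plog "P2Partisan AUTORUN is ON"
}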
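# Remove every p2partisan line from the nvram "script_fire" list so the
# script no longer starts with the router.
pautorununset() {
    p=$(nvram get script_fire | grep -c p2partisan)
    # The old test only fired when exactly one line matched, so duplicate
    # entries could never be removed; act whenever at least one exists.
    if [ "$p" -ge 1 ]; then
        # grep -v on the current value directly; no printf format string
        # built from the nvram content.
        t=$(nvram get script_fire | grep -v p2partisan)
        nvram set "script_fire=$t"
    fi
    plog "P2Partisan AUTORUN is OFF"
}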
# Register the cron job "P2Partisan-update" (replacing any previous copy)
# that runs "p2partisan.sh update" at the time given by $schedule.
pscheduleset() {
    job="$schedule $P2Partisandir/p2partisan.sh update"
    cru d P2Partisan-update
    cru a P2Partisan-update "$job"
    plog "P2Partisan AUTO UPDATE is ON"
}
# Remove the "P2Partisan-update" cron job and log that auto update is off.
pscheduleunset() {
    cru d P2Partisan-update
    plog "P2Partisan AUTO UPDATE is OFF"
}
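# Return 0 when the ipset named $1 does not exist yet: swapping a set with
# itself is a no-op that only fails with "Unknown set" when it is missing.
ipset_missing() {
    [ "$(ipset --swap "$1" "$1" 2>&1 | grep 'Unknown set')" != "" ]
}

# Download $2 into the gzip file $1 unless it is already cached. A failed
# download must not leave an empty file behind, otherwise the cache check
# would skip the list forever.
fetch_gz() {
    [ -e "$1" ] && return 0
    wget -q -O "$1" "$2" || rm -f "$1"
}

#######################################
# Build the P2PARTISAN iptables chains and ipset sets and activate them.
# Globals: pidfile, now, wanif, whiteports, syslogs, maxloghour,
#          fastroutine, protection, counter, pos (written)
# Reads:   ./whitelist, ./blacklists ("<name> <url>" per line)
# Writes:  ./iptables-add (executed), ./iptables-del, ./ipset-del,
#          ./<name>.gz or ./<name>.lst (download cache — nothing on this
#          page deletes them, so a list is fetched again only after the
#          cached file is removed by hand)
# Outputs: progress on stdout, summary via plog
#######################################
pstart() {
    if [ -f "$pidfile" ]; then
        echo "
    It appears like P2Partisan is already running. Skipping...
           
    If this is not what you expected? Try:
    p2partisan.sh update
        "
        return
    fi

    echo "$$" > "$pidfile"

    # service firewall restart
    sleep 2

    for leftover in iptables-add iptables-del ipset-del; do
        [ -f "$leftover" ] && rm "$leftover"
    done

    echo "### PREPARATION ###"
    echo "loading modules"
    # Load the ipset modules first and report afterwards; the old code
    # printed the ATTENTION warning before trying insmod, so it showed up
    # on every cold boot even when loading then succeeded.
    lsmod | grep "ipt_set" > /dev/null 2>&1 || \
        for module in ip_set ip_set_iptreemap ipt_set; do
            insmod "$module"
        done
    if lsmod | grep "ipt_set" > /dev/null 2>&1; then
        echo "Loading the ipset module"
    else
        echo "###########################################
ATTENTION: ipset not found! Please check if
your tomato release has support for ipset
###########################################"
    fi

    counter=0
    pos=1
    echo "loading ports $whiteports exemption"

    # chains plus the whitelisted-port ACCEPT rules (both directions)
    cat >> iptables-add <<EOF
# $now
iptables -N P2PARTISAN-IN 2> /dev/null
iptables -N P2PARTISAN-OUT 2> /dev/null
iptables -N P2PARTISAN-DROP 2> /dev/null
iptables -F P2PARTISAN-IN 2> /dev/null
iptables -F P2PARTISAN-OUT 2> /dev/null
iptables -F P2PARTISAN-DROP 2> /dev/null
iptables -A P2PARTISAN-IN -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-IN -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-IN -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-IN -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
EOF

    # undo script used by psoftstop
    cat >> iptables-del <<EOF
# $now
iptables -D wanin -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -D wanout -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
iptables -D INPUT -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -D OUTPUT -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
iptables -F P2PARTISAN-DROP 2> /dev/null
iptables -F P2PARTISAN-IN 2> /dev/null
iptables -F P2PARTISAN-OUT 2> /dev/null
iptables -X P2PARTISAN-IN 2> /dev/null
iptables -X P2PARTISAN-OUT 2> /dev/null
iptables -X P2PARTISAN-DROP 2> /dev/null
EOF

    echo "### WHITELIST ###"
    echo "loading the whitelist"
    if ipset_missing whitelist; then
        ipset --create whitelist iptreemap
        # private ranges are never added; comments and blank lines skipped
        grep -v "^10." whitelist | grep -v "^172.16." | grep -v "^192.168." |
        while read -r IP; do
            case "$IP" in
                "#"*|"") continue ;;
            esac
            ipset -A whitelist "$IP"
        done
    fi
    cat > ipset-del <<EOF
# $now
ipset -F
ipset -X whitelist
EOF

    echo "Preparing the whitelist for the iptables"
    cat >> iptables-add <<EOF
iptables -A P2PARTISAN-IN -m set --set whitelist src -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -m set --set whitelist dst -j ACCEPT 2> /dev/null
EOF

    if [ "$syslogs" -eq 1 ]; then
        cat >> iptables-add <<EOF
iptables -A P2PARTISAN-DROP -m limit --limit $maxloghour/hour -j LOG --log-prefix "P2Partisan Dropped: " --log-level 1 2> /dev/null
EOF
    fi
    echo "iptables -A P2PARTISAN-DROP -j DROP 2> /dev/null" >> iptables-add

    echo "### BLACKLISTs ###"
    # one "<name> <url>" per line; redirecting the file into the loop
    # (instead of piping through a subshell) keeps $counter in this shell
    while read -r line; do
        case "$line" in
            "#"*|"") continue ;;
        esac
        counter=$((counter + 1))
        name=$(echo "$line" | cut -d ' ' -f1)
        url=$(echo "$line" | cut -d ' ' -f2)
        echo "loading blacklist #$counter --> ***$name***"

        if [ "$fastroutine" -eq 1 ]; then
            if ipset_missing "$name"; then
                fetch_gz "$name.gz" "$url"
                # ipset -R executes every line it is fed. The downloaded
                # list is untrusted, so after the sed rewrite only
                # well-formed "-A <set> <range>" lines are passed on; the
                # slow path below applies the same [-0-9.] filter.
                {
                    echo "-N $name iptreemap"
                    gunzip -c "$name.gz" |
                        sed -e "/^[\t ]*#.*\|^[\t ]*$/d;s/^.*:/-A $name /" |
                        grep -E '^-A [^ ]+ [-0-9.]+$'
                    echo COMMIT
                } | ipset -R
            fi
        else
            if ipset_missing "$name"; then
                ipset --create "$name" iptreemap
                if [ ! -e "$name.lst" ]; then
                    wget -q -O - "$url" | gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" > "$name.lst"
                    # an empty result means download or gunzip failed;
                    # do not cache it, otherwise it is never retried
                    [ -s "$name.lst" ] || rm -f "$name.lst"
                fi
                while read -r IP; do
                    ipset -A "$name" "$IP"
                done < "$name.lst"
            fi
        fi

        echo "ipset -X $name " >> ipset-del
        cat >> iptables-add <<EOF
iptables -A P2PARTISAN-IN -m set --set $name src -j P2PARTISAN-DROP 2> /dev/null
iptables -A P2PARTISAN-OUT -m set --set $name dst -j P2PARTISAN-DROP 2> /dev/null
EOF
    done < blacklists

    # hook the chains into the firewall according to $protection
    if [ "$protection" -eq 1 ]; then
        cat >> iptables-add <<EOF
iptables -I INPUT $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I OUTPUT $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
EOF
    elif [ "$protection" -eq 2 ]; then
        cat >> iptables-add <<EOF
iptables -I wanin $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I wanout $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
EOF
    elif [ "$protection" -eq 3 ]; then
        cat >> iptables-add <<EOF
iptables -I INPUT $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I OUTPUT $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
iptables -I wanin $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I wanout $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
EOF
    else
        # previously an unknown value silently installed no hooks at all
        echo "protection=$protection is not 1, 2 or 3: no firewall hooks installed" >&2
    fi

    # These scripts are executed by this (root) script only; 700 instead of
    # the old 777 stops other accounts from editing what root will run.
    chmod 700 ./iptables-* ./ipset-*
    ./iptables-add  #protecting

    plog "... P2Partisan started."

    logasync=$(nvram get dnsmasq_custom | grep -c log-async)
    if [ "$logasync" -ge 1 ]; then
        plog "log-async found under dnsmasq -> OK"
    else
        plog "
It appears like you don't have a log-async parameter
in your dnsmasq config. This is strongly suggested
due to the amount of logs involved. please consider
adding the following command under Advanced/DHCP/DNS
/Dnsmasq Custom configuration

log-async=10
"
    fi
}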
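# Command dispatch: the first argument selects the action; no argument
# means "start". "restart" and "update" deliberately fall through to the
# pstart call at the bottom, every other action exits from its case arm.
# Fix: the "help" arm was missing the opening quote after echo, which
# left the help text unquoted and the script with an unbalanced string.
action=${1:-start}
case "$action" in
    start)
        pstart
        exit
        ;;
    stop)
        pforcestop
        exit
        ;;
    restart)
        psoftstop
        ;;
    status)
        pstatus
        exit
        ;;
    update)
        pscheduleunset
        pforcestop
        pscheduleset
        ;;
    autorun-on)
        pautorunset
        exit
        ;;
    autorun-off)
        pautorununset
        exit
        ;;
    autoupdate-on)
        pscheduleset
        exit
        ;;
    autoupdate-off)
        pscheduleunset
        exit
        ;;
    help)
        echo "
P2Partisan parameters:
               
    help        Display this text      
    start       Starts the process (this runs also if no option
            is provided)
    stop        Stops P2Partisan
    restart     Soft restart, quick, updates iptables only
    update      Hard restart, slow removes p2partisan, updates
            the lists and does a fresh start
    status      Display P2Partisan running status + extra info
    autorun-on  Sets P2Partisan to boot with the router
    autorun-off Sets P2Partisan not to boot with the router
    autoupdate-on   Sets automatic updates on
    autoupdate-off  Sets automatic updates off
                "
        exit
        ;;
    *)
        echo "parameter not valid. please run:
               
    p2partisan.sh help
    "
        exit
        ;;
esac

pstart

exit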