  1. #!/bin/sh
  2. #
  3. # p2partisan v2.21 (12/05/2014)
  4. #
  5. # <CONFIGURATION> ###########################################
  6. # Adjust location where the files are kept
  7. P2Partisandir=/cifs1/p2partisan
  8. #
  9. # Edit the file "blacklists" to customise if needed
  10. # Edit the "whitelist" to overwrite the blacklist if needed
  11. #
  12. #
  13. # Enable logging? Use only for troubleshooting. 0=off 1=on
  14. syslogs=1
  15. # Maximum number of logs to be recorded in a given 60 min
  16. # Consider set this very low (like 3 or 6) once your are
  17. # happy with the installation. To troubleshoot blocked
  18. # connection close all the secondary traffic e.g. p2p
  19. # and try a connection to the blocked site/port you should
  20. # find a reference in the logs.
  21. maxloghour=6
  22. #
  23. # What do you want to block?
  24. # 1) Input (Router only, does your generate P2P traffic?)
  25. # 2) LAN (LAN clients only)
  26. # 3) Both *default
  27. protection=3
  28. #
  29. # ports to be whitelisted. Whitelisted ports will never be
  30. # blocked no matter what the source/destination IP is.
  31. # This is very important if you're running a service like
  32. # e.g. SMTP/HTTP/IMAP/else. Separate value in the list below
  33. # with commas - NOTE: Leave 80 and 443 untouched, add custom ports only
  34. # you might want to add remote admin and VPN ports here if any.
  35. # Standard iptables syntax, number divided by "," or ":" for a range
  36. # e.g. 80,443,2100:21300
  37. whiteports="21,25,53,80,123,443,993,1194:1196"
  38. #
  39. # Fastrouting will process the IP classes very quickly but use
  40. # Lot of resources. If you disable the effect is transparent
  41. # but the full process will take minutes rather than seconds
  42. # 0=disabled 1=enabled
  43. fastroutine=1
  44. #
  45. # Schedule updates? (once a week is plenty)
  46. schedule="30 4 * * 1"
  47. #
  48. testip="8.8.8.8"
  49. # </CONFIGURATION> ###########################################
  50.  
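pidfile=/var/run/p2partisan.pid
# Everything below works with paths relative to $P2Partisandir
# (./iptables-add is executed, blacklists/whitelist are read, helper
# files are deleted), so refuse to go on if the directory is not
# reachable instead of silently running in whatever the cwd is.
cd "$P2Partisandir" || { echo "p2partisan: cannot cd to $P2Partisandir" >&2; exit 1; }

# Wait until Internet is available.
# NOTE: unbounded - if $testip never answers ICMP, every invocation
# (including "status" and "stop") blocks here.
until ping -c 3 "$testip" >/dev/null 2>&1; do
    sleep 2
done

alias ipset='/usr/sbin/ipset'
alias iptables='/usr/sbin/iptables'
alias service='/sbin/service'
alias plog='logger -t P2PARTISAN -s'
# Timestamp written as the first line of the generated helper scripts;
# pstatus reads it back as the "activity since" value.
now=$(date +"%H:%M:%S - %D")
# WAN interface taken from nvram; every chain hook is bound to it.
wanif=$(nvram get wan_ifname)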
  70.  
  71.  
#######################################
# Soft stop: run the generated ./iptables-del (it only removes the
# iptables hooks and chains, the ipsets stay loaded), log it and
# remove the pidfile marker.
# Globals: pidfile (read); plog alias
#######################################
psoftstop() {
    ./iptables-del 2> /dev/null
    plog "Stopping P2Partisan"
    if [ -f "$pidfile" ]; then
        rm -f "$pidfile" 2> /dev/null
    fi
}
  77.  
#######################################
# "Paranoia" mode: while the filter is rebuilt, drop every NEW
# connection crossing the WAN interface, for the router itself
# (INPUT/OUTPUT) and for forwarded LAN traffic (wanin/wanout).
# Undone by punblock.
# Globals: wanif (read)
#######################################
pblock() {
    iptables -N PARANOIA-DROP 2> /dev/null
    iptables -A PARANOIA-DROP -j DROP 2> /dev/null
    # hook the chain at position 1 of each WAN-facing chain; "-i" for
    # the inbound chains, "-o" for the outbound ones
    # shellcheck disable=SC2086 -- "<chain> <flag>" is split on purpose
    for _hook in "wanin -i" "wanout -o" "INPUT -i" "OUTPUT -o"; do
        set -- $_hook
        iptables -I "$1" 1 "$2" "$wanif" -m state --state NEW -j PARANOIA-DROP 2> /dev/null
    done
}
  86.  
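#######################################
# Remove the temporary PARANOIA-DROP block installed by pblock: delete
# every jump to it from wanin/wanout/INPUT/OUTPUT, then flush and
# destroy the chain.
# Globals: wanif (read)
#######################################
punblock() {
    # One entry per hooked chain: "<chain> <interface flag>". A chain may
    # hold duplicate jumps, so keep deleting while the listing shows one,
    # but stop when a delete fails rather than spin forever on a rule
    # that "-D" cannot match (e.g. inserted with another interface).
    # shellcheck disable=SC2086 -- the pair is split on purpose
    for _hook in "wanin -i" "wanout -o" "INPUT -i" "OUTPUT -o"; do
        set -- $_hook
        while iptables -L "$1" -n 2> /dev/null | grep -q "PARANOIA-DROP"; do
            iptables -D "$1" "$2" "$wanif" -m state --state NEW -j PARANOIA-DROP 2> /dev/null || break
        done
    done
    iptables -F PARANOIA-DROP 2> /dev/null
    iptables -X PARANOIA-DROP 2> /dev/null
}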
  107.  
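# Delete every "-j $3" jump from chain $1 (interface flag $2) while the
# listing still shows one; stop at the first failed delete so a rule that
# "-D" cannot match (e.g. inserted with another interface) does not make
# the loop spin forever.
_p2p_unhook() {
    while iptables -L "$1" -n 2> /dev/null | grep -q "$3"; do
        iptables -D "$1" "$2" "$wanif" -m state --state NEW -j "$3" 2> /dev/null || break
    done
}

# Unload kernel module $1; pause first if lsmod still shows it loaded,
# then force the unload regardless (as the original did).
_p2p_rmmod() {
    lsmod | grep "$1" > /dev/null 2>&1 && sleep 2
    rmmod -f "$1" 2> /dev/null
}

#######################################
# Hard stop: unhook and destroy the P2PARTISAN chains, flush and
# destroy the ipsets, delete the generated helper scripts and the
# pidfile, then unload the ipset kernel modules.
# NOTE: "ipset -F" / "ipset -X" below act on EVERY set on the box, not
# only the ones P2Partisan created; anything else using ipset is wiped.
# Globals: wanif, pidfile (read); plog alias
#######################################
pforcestop() {
    _p2p_unhook wanin -i P2PARTISAN-IN
    _p2p_unhook wanout -o P2PARTISAN-OUT
    _p2p_unhook INPUT -i P2PARTISAN-IN
    _p2p_unhook OUTPUT -o P2PARTISAN-OUT
    for _chain in P2PARTISAN-DROP P2PARTISAN-IN P2PARTISAN-OUT; do
        iptables -F "$_chain" 2> /dev/null
    done
    for _chain in P2PARTISAN-DROP P2PARTISAN-IN P2PARTISAN-OUT; do
        iptables -X "$_chain" 2> /dev/null
    done
    ipset -F
    # "Name: <set>" lines of the listing; word-splitting is intended
    for _set in $(ipset --list | grep Name | cut -f2 -d ":"); do
        ipset -X "$_set"
    done
    rm -f iptables-add iptables-del ipset-del
    [ -f "$pidfile" ] && rm -f "$pidfile" 2> /dev/null
    plog "Unloading ipset modules"
    _p2p_rmmod ipt_set
    _p2p_rmmod ip_set_iptreemap
    _p2p_rmmod ip_set
    plog "Stopping P2Partisan"
}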
  145.  
#######################################
# Print the P2Partisan status report to stdout.
# "running" means the three P2PARTISAN chains all contain rules, some
# chain jumps to P2PARTISAN-IN and the pidfile exists. Autorun and
# scheduled come from nvram script_fire and the cru job list. Also
# shows the timestamp stored on the first line of ./iptables-add, the
# DROP packet counter and the last "Dropped" line in the syslog tail.
# Globals: pidfile, maxloghour (read)
#          running0..running8, from, drop_packet_count (written)
#######################################
pstatus() {
    # rules per chain, ignoring the "Chain ..." and "target ..." header lines
    running0=$(iptables -L P2PARTISAN-IN  2> /dev/null | grep -v target | grep -v Chain 2> /dev/null | wc -l)
    running1=$(iptables -L P2PARTISAN-OUT  2> /dev/null | grep -v target | grep -v Chain 2> /dev/null | wc -l)
    running2=$(iptables -L P2PARTISAN-DROP  2> /dev/null | grep -v target | grep -v Chain 2> /dev/null | wc -l)
    # jumps to P2PARTISAN-IN from any chain
    running3=$(iptables -L | grep P2PARTISAN-IN  2> /dev/null | wc -l)
    if [ -f "$pidfile" ]; then running4=1; else running4=0; fi
    if nvram get script_fire | grep p2partisan >/dev/null; then running5=Yes; else running5=No; fi
    if cru l | grep P2Partisan-update >/dev/null; then running6=Yes; else running6=No; fi
    running7=$(tail -200 /var/log/messages | grep Dropped | tail -1)

    # the generated script starts with "# <timestamp>"
    from=$(head -1 ./iptables-add 2> /dev/null | cut -c3-)
    # "iptables -v" abbreviates counters with K/M/G; expand to digits
    drop_packet_count=$(iptables -vL P2PARTISAN-DROP 2> /dev/null | grep " DROP " | awk '{print $1}' | sed "s#G#000000000#g" | sed "s#M#000000#g" | sed "s#K#000#g")

    # running only if every indicator is non-zero
    running8=Yes
    for _c in "$running0" "$running1" "$running2" "$running3" "$running4"; do
        [ "$_c" -eq 0 ] && running8=No
    done

    echo "################# P2Partisan status #####################
#   P2Partisan running:   $running8
#   P2Partisan autorun:   $running5
#   P2Partisan scheduled: $running6
#########################################################
#   P2Partisan activity since $from
#   Dropped connections  ~ $drop_packet_count
################# Last log recorded #####################
#   Remember your max logs per hour is set to: $maxloghour
$running7
#########################################################"
}
  177.  
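#######################################
# Register this script in the router's "script_fire" nvram variable so
# it runs at boot. Leaves the variable alone (and only logs) when it
# already mentions p2partisan.
# Globals: P2Partisandir (read); nvram script_fire (written); plog alias
#######################################
pautorunset() {
    if ! nvram get script_fire | grep -q p2partisan; then
        _t=$(nvram get script_fire)
        # The nvram value is data, never a printf format string: a '%'
        # or backslash in script_fire must not be interpreted.
        if [ -z "$_t" ]; then
            _t=$P2Partisandir/p2partisan.sh
        else
            _t=$(printf '%s\n%s\n' "$_t" "$P2Partisandir/p2partisan.sh")
        fi
        nvram set "script_fire=$_t"
    fi
    plog "P2Partisan AUTORUN is ON"
}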
  185.  
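#######################################
# Remove every p2partisan line from the router's "script_fire" nvram
# variable so the script no longer runs at boot. Works for any number
# of matching lines (the previous version only handled exactly one).
# Globals: nvram script_fire (written); plog alias
#######################################
pautorununset() {
    if nvram get script_fire | grep -q p2partisan; then
        _t=$(nvram get script_fire | grep -v p2partisan)
        nvram set "script_fire=$_t"
    fi
    plog "P2Partisan AUTORUN is OFF"
}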
  193.  
#######################################
# (Re)create the cru job that runs "p2partisan.sh paranoia-update" on
# the configured schedule; the old job is dropped first so the entry
# is never duplicated.
# Globals: schedule, P2Partisandir (read); plog alias
#######################################
pscheduleset() {
    _job=P2Partisan-update
    cru d "$_job"
    cru a "$_job" "$schedule $P2Partisandir/p2partisan.sh paranoia-update"
    plog "P2Partisan AUTO UPDATE is ON"
}
  199.  
#######################################
# Drop the cru auto-update job.
# Globals: plog alias
#######################################
pscheduleunset() {
    _job=P2Partisan-update
    cru d "$_job"
    plog "P2Partisan AUTO UPDATE is OFF"
}
  204.  
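#######################################
# Build the filter and apply it.
# Generates three helper scripts in the current dir ($P2Partisandir):
#   iptables-add  creates/fills the P2PARTISAN-IN/OUT/DROP chains and
#                 hooks them into INPUT/OUTPUT and/or wanin/wanout
#   iptables-del  removes those hooks and chains (run by psoftstop)
#   ipset-del     destroys the ipsets created here
# Loads the whitelist and every list in ./blacklists ("<name> <url>"
# per line) into ipsets, then executes ./iptables-add.
# Skipped when $pidfile exists; the pidfile is only a marker (this
# script exits right after pstart), not a live PID.
# Globals: pidfile, now, wanif, whiteports, syslogs, maxloghour,
#          fastroutine, protection (read); counter, pos, p (written)
# Trust:   ./blacklists is configuration that ends up executed as root:
#          <name> becomes a filename, an ipset name and part of the
#          generated iptables-add, so it is restricted to [A-Za-z0-9_.-]
#          and the generated scripts are kept owner-only.
#######################################
pstart() {
    if [ -f "$pidfile" ]; then
        echo "
    It appears like P2Partisan is already running. Skipping...
           
    If this is not what you expected? Try:
    p2partisan.sh update
        "
        return
    fi

    echo $$ > "$pidfile"

    # short grace pause kept from the original
    sleep 2

    rm -f iptables-add iptables-del ipset-del

    echo "### PREPARATION ###"
    echo "Loading the ipset modules"
    lsmod | grep "ip_set" > /dev/null 2>&1 || insmod ip_set
    lsmod | grep "ip_set_iptreemap" > /dev/null 2>&1 || insmod ip_set_iptreemap
    lsmod | grep "ipt_set" > /dev/null 2>&1 || insmod ipt_set

    counter=0
    # position at which the P2PARTISAN jumps are inserted into each chain
    pos=1
    echo "loading ports $whiteports exemption"

    # Whitelisted ports are accepted (source or destination, tcp and udp)
    # before any blacklist rule, so blacklisted hosts remain reachable
    # on them.
    echo "# $now
iptables -N P2PARTISAN-IN 2> /dev/null
iptables -N P2PARTISAN-OUT 2> /dev/null
iptables -N P2PARTISAN-DROP 2> /dev/null
iptables -F P2PARTISAN-IN 2> /dev/null
iptables -F P2PARTISAN-OUT 2> /dev/null
iptables -F P2PARTISAN-DROP 2> /dev/null
iptables -A P2PARTISAN-IN -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-IN -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-IN -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-IN -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null" >> iptables-add

    echo "# $now
iptables -D wanin -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -D wanout -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
iptables -D INPUT -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -D OUTPUT -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
iptables -F P2PARTISAN-DROP 2> /dev/null
iptables -F P2PARTISAN-IN 2> /dev/null
iptables -F P2PARTISAN-OUT 2> /dev/null
iptables -X P2PARTISAN-IN 2> /dev/null
iptables -X P2PARTISAN-OUT 2> /dev/null
iptables -X P2PARTISAN-DROP 2> /dev/null" >> iptables-del

    echo "### WHITELIST ###"
    echo "loading the whitelist"
    # A no-op swap of a set with itself is the existence probe: ipset
    # reports "Unknown set" when it is missing, and only then is it
    # created and filled. RFC1918 entries are skipped.
    if [ "$(ipset --swap whitelist whitelist 2>&1 | grep 'Unknown set')" != "" ]; then
        ipset --create whitelist iptreemap
        grep -v "^10." whitelist | grep -v "^172.16." | grep -v "^192.168." |
        while read -r IP; do
            case "$IP" in
                ""|"#"*) continue ;;
            esac
            ipset -A whitelist "$IP"
        done
    fi
    echo "# $now
ipset -F
ipset -X whitelist" > ipset-del

    echo "Preparing the whitelist for the iptables"
    echo "iptables -A P2PARTISAN-IN -m set --set whitelist src -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -m set --set whitelist dst -j ACCEPT 2> /dev/null" >> iptables-add

    # rate-limited LOG rule ahead of the DROP so syslog is not flooded
    if [ "$syslogs" -eq 1 ]; then
        echo "iptables -A P2PARTISAN-DROP -m limit --limit $maxloghour/hour --limit-burst 1 -j LOG --log-prefix \"P2Partisan Dropped: \" --log-level 1 2> /dev/null" >> iptables-add
    fi
    echo "iptables -A P2PARTISAN-DROP -j DROP 2> /dev/null"  >> iptables-add

    echo "### BLACKLISTs ###"
    while read -r line; do
        case "$line" in
            ""|"#"*) continue ;;
        esac
        counter=$((counter + 1))
        # shellcheck disable=SC2086 -- split "<name> <url>" on whitespace
        set -- $line
        name=$1
        url=$2
        # <name> is reused as a filename, an ipset name and inside the
        # generated root-executed iptables-add, so only accept a plain
        # identifier; a missing url cannot be fetched anyway.
        case "$name" in
            ""|*[!A-Za-z0-9_.-]*|[.-]*)
                echo "skipping blacklist #$counter: invalid name ***$name***" >&2
                continue ;;
        esac
        if [ -z "$url" ]; then
            echo "skipping blacklist #$counter ***$name***: no url" >&2
            continue
        fi
        echo "loading blacklist #$counter --> ***$name***"

        # An existing $name.gz / $name.lst is reused; delete it to force
        # a fresh download.
        if [ "$fastroutine" -eq 1 ]; then
            if [ "$(ipset --swap "$name" "$name" 2>&1 | grep 'Unknown set')" != "" ]; then
                [ -e "$name.gz" ] || wget -q -O "$name.gz" "$url"
                # feed "ipset -R" a restore stream: comments and blank
                # lines dropped, "<label>:<range>" turned into "-A <set> <range>"
                { echo "-N $name iptreemap"
                  gunzip -c "$name.gz" |
                  sed -e "/^[\t ]*#.*\|^[\t ]*$/d;s/^.*:/-A $name /"
                  echo COMMIT
                } | ipset -R
            fi
        else
            if [ "$(ipset --swap "$name" "$name" 2>&1 | grep 'Unknown set')" != "" ]; then
                ipset --create "$name" iptreemap
                [ -e "$name.lst" ] || wget -q -O - "$url" | gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" > "$name.lst"
                while read -r IP; do
                    ipset -A "$name" "$IP"
                done < "$name.lst"
            fi
        fi

        echo "ipset -X $name " >> ipset-del
        echo "iptables -A P2PARTISAN-IN -m set --set $name src -j P2PARTISAN-DROP 2> /dev/null
iptables -A P2PARTISAN-OUT -m set --set $name dst -j P2PARTISAN-DROP 2> /dev/null" >> iptables-add
    done < blacklists

    # hook the chains according to "protection": router traffic
    # (INPUT/OUTPUT), forwarded LAN traffic (wanin/wanout) or both
    if [ "$protection" -eq 1 ]; then
        echo "iptables -I INPUT $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I OUTPUT $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null" >> iptables-add
    elif [ "$protection" -eq 2 ]; then
        echo "iptables -I wanin $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I wanout $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null" >> iptables-add
    elif [ "$protection" -eq 3 ]; then
        echo "iptables -I INPUT $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I OUTPUT $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
iptables -I wanin $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I wanout $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null" >> iptables-add
    fi

    # The generated scripts are executed as root (here and on every
    # soft stop/restart): keep them owner-only. They used to be mode
    # 777, which let any local user rewrite the commands root runs.
    chmod 700 ./iptables-* ./ipset-*
    ./iptables-add  #protecting

    plog "... P2Partisan started."

    p=$(nvram get dnsmasq_custom | grep log-async | wc -l)
    if [ "$p" -ge 1 ]; then
        plog "log-async found under dnsmasq -> OK"
    else
        plog "
It appears like you don't have a log-async parameter
in your dnsmasq config. This is strongly suggested
due to the amount of logs involved. please consider
adding the following command under Advanced/DHCP/DNS
/Dnsmasq Custom configuration

log-async=10
"
    fi

    punblock  #removes new connection DROPs if any
}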
  378.  
  379.  
# Print the command reference.
phelp() {
    echo "
P2Partisan parameters:
               
    help        Display this text      
    start       Starts the process (this runs also if no option
            is provided)
    stop        Stops P2Partisan
    restart     Soft restart, quick, updates iptables only
    update      Hard restart, slow removes p2partisan, updates
            the lists and does a fresh start
    paranoia-update Like update but blocks any new connection until
            P2Partisan is running again
    status      Display P2Partisan running status + extra info
    autorun-on  Sets P2Partisan to boot with the router
    autorun-off Sets P2Partisan not to boot with the router
    autoupdate-on   Sets automatic updates on
    autoupdate-off  Sets automatic updates off
                "
}

#######################################
# Command dispatcher. Only the first argument is looked at (each word
# of it in turn). The commands that do not "exit" here - restart,
# update, paranoia-update - tear the current setup down and then fall
# through to the unconditional pstart below, which is also what runs
# when no argument is given at all.
#######################################
for p in $1
do
    case "$p" in
        start)           pstart; exit ;;
        stop)            pforcestop; exit ;;
        restart)         pscheduleunset; psoftstop; pscheduleset ;;
        status)          pstatus; exit ;;
        update)          pscheduleunset; pforcestop; pscheduleset ;;
        paranoia-update) pscheduleunset; pblock; pforcestop; pscheduleset ;;
        autorun-on)      pautorunset; exit ;;
        autorun-off)     pautorununset; exit ;;
        autoupdate-on)   pscheduleset; exit ;;
        autoupdate-off)  pscheduleunset; exit ;;
        help)            phelp; exit ;;
        *)
            echo "parameter not valid. please run:
               
    p2partisan.sh help
    "
            exit ;;
    esac
done

pstart

exit