Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/sh
- #
- # p2partisan v1.8 (30/04/2014)
- #
- # <CONFIGURATION> ###########################################
- # Adjust location where the files are kept
- P2Parisandir=/cifs1/p2partisan
- #
- # Edit the file "blacklists" to customise if needed
- # Edit the "whitelist" to overwrite the blacklist if needed
- #
- #
- # Enable logging? Use only for troubleshooting. 0=off 1=on
- syslogs=1
- #Maximum number of logs to be recorded in a given 60 min
- # Consider set this very low (to 1 or 2) once your are happy
- # with the installation
- maxloghour=120
- # to troubleshoot blocked connection close all the secondary
- # traffic e.g. p2p and try a connection to the blocked
- # site/port you should find a reference in the logs.
- #
- # ports to be whitelisted. Whitelisted ports will never be
- # blocked no matter what the source/destination IP is.
- # This is very important if you're running a service like
- # e.g. SMTP/HTTP/IMAP/else. Separate value in the list below
- # with commas - NOTE: Leave 80 and 443 untouched, add custom ports only
- # you might want to add remote admin and VPN ports here if any
- whiteports="80,443,993,25,21"
- #
- # Fastrouting will process the IP classes very quickly but use
- # Lot of resources. If you disable the effect is transparent
- # but the full process will take minutes rather than seconds
- # 0=disabled 1=enabled
- fastroutine=1
- #
- #Schedule updates? (once a week is plenty)
- schedule="30 4 * * 1"
- #
- # </CONFIGURATION> ###########################################
- cd $P2Parisandir
- alias ipset='/usr/sbin/ipset'
- alias iptables='/usr/sbin/iptables'
- alias plog='logger -t P2PARTISAN -s'
- psoftstop() {
- ./iptables-del 2> /dev/null
- ./ipset-del /dev/null 2> /dev/null
- plog "Stopping P2Partisan"
- }
- pforcestop() {
- iptables -D INPUT -m state --state NEW -j P2PARTISAN 2> /dev/null
- iptables -F P2PARTISAN-DROP 2> /dev/null
- iptables -F P2PARTISAN 2> /dev/null
- iptables -X P2PARTISAN-DROP 2> /dev/null
- iptables -X P2PARTISAN 2> /dev/null
- ipset -F
- for i in `ipset --list | grep Name | cut -f2 -d ":" `; do
- ipset -X $i
- done
- rm ./iptables-del 2> /dev/null
- rm ./ipset-del 2> /dev/null
- plog "Stopping P2Partisan"
- }
- pstatus() {
- running=`iptables -L P2PARTISAN 2> /dev/null | grep -v target | grep -v Chain 2> /dev/null | wc -l`
- running1=`iptables -L P2PARTISAN-DROP 2> /dev/null | grep -v target | grep -v Chain 2> /dev/null | wc -l`
- running2=`iptables -L INPUT | grep P2PARTISAN 2> /dev/null | wc -l`
- if [[ $running -eq "0" ]] || [[ $running1 -eq "0" ]] || [[ $running2 -eq "0" ]]; then
- # echo "It appears like P2Partisan is already running"
- echo "
- P2Partisan running: NO
- "
- else
- echo "
- P2Partisan running: YES
- "
- fi
- }
- pscheduleset() {
- cru d P2Partisan-update
- cru a P2Partisan-update "$schedule $P2Parisandir/p2partisan.sh restart"
- }
- pscheduleunset() {
- cru d P2Partisan-update
- }
- pstart() {
- running=`iptables -L P2PARTISAN 2> /dev/null | grep -v target | grep -v Chain 2> /dev/null | wc -l`
- running1=`iptables -L P2PARTISAN-DROP 2> /dev/null | grep -v target | grep -v Chain 2> /dev/null | wc -l`
- running2=`iptables -L INPUT | grep P2PARTISAN 2> /dev/null | wc -l`
- if [[ $running -eq "0" ]] || [[ $running1 -eq "0" ]] || [[ $running2 -eq "0" ]]; then
- [ -f iptables-add ] && rm iptables-add
- [ -f iptables-del ] && rm iptables-del
- [ -f ipset-del ] && rm ipset-del
- echo "### PREPARATION ###"
- echo "loading modules"
- # Loading ipset modules
- lsmod | grep "ipt_set" > /dev/null 2>&1 || \
- for module in ip_set ip_set_iptreemap ipt_set
- do
- insmod $module
- done
- counter=0
- pos=1
- echo "loading ports $whiteports exemption"
- iptables -N P2PARTISAN 2> /dev/null
- iptables -N P2PARTISAN-DROP 2> /dev/null
- echo "iptables -N P2PARTISAN 2> /dev/null" >> iptables-add
- echo "iptables -N P2PARTISAN-DROP 2> /dev/null" >> iptables-add
- echo "iptables -F P2PARTISAN 2> /dev/null" >> iptables-add
- echo "iptables -F P2PARTISAN-DROP 2> /dev/null" >> iptables-add
- echo "iptables -D INPUT -m state --state NEW -j P2PARTISAN 2> /dev/null" >> iptables-del
- echo "iptables -F P2PARTISAN-DROP 2> /dev/null" >> iptables-del
- echo "iptables -F P2PARTISAN 2> /dev/null" >> iptables-del
- echo "iptables -X P2PARTISAN-DROP 2> /dev/null" >> iptables-del
- echo "iptables -X P2PARTISAN 2> /dev/null" >> iptables-del
- echo "iptables -A P2PARTISAN -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null" >> iptables-add
- echo "iptables -A P2PARTISAN -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null" >> iptables-add
- echo "iptables -A P2PARTISAN -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null" >> iptables-add
- echo "iptables -A P2PARTISAN -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null" >> iptables-add
- echo "### WHITELIST ###"
- echo "loading the whitelist"
- #Load the whitelist
- if [ "$(ipset --swap whitelist whitelist 2>&1 | grep 'Unknown set')" != "" ]
- then
- ipset --create whitelist iptreemap
- cat whitelist |
- (
- while read IP
- do
- echo "$IP" | grep "^#" >/dev/null 2>&1 && continue
- echo "$IP" | grep "^$" >/dev/null 2>&1 && continue
- ipset -A whitelist $IP
- done
- )
- fi
- echo "ipset -F
- ipset -X whitelist" >> ipset-del
- echo "Preparing the whitelist for the iptables"
- echo "iptables -A P2PARTISAN -m set --set whitelist src,dst -j ACCEPT 2> /dev/null" >> iptables-add
- if [ $syslogs -eq "1" ]; then
- echo "iptables -A P2PARTISAN-DROP -m limit --limit $maxloghour/hour -j LOG --log-prefix "Blacklist-Dropped: " --log-level 1 2> /dev/null" >> iptables-add
- fi
- echo "iptables -A P2PARTISAN-DROP -j DROP 2> /dev/null" >> iptables-add
- echo "### BLACKLISTs ###"
- cat blacklists |
- (
- while read line
- do
- echo "$line" | grep "^#" >/dev/null 2>&1 && continue
- echo "$line" | grep "^$" >/dev/null 2>&1 && continue
- counter=`expr $counter + 1`
- name=`echo $line |cut -d ' ' -f1`
- url=`echo $line |cut -d ' ' -f2`
- echo "loading blacklist #$counter --> ***$name***"
- if [[ $fastroutine -eq "1" ]]; then
- if [ "$(ipset --swap $name $name 2>&1 | grep 'Unknown set')" != "" ]
- then
- [ -e $name.gz ] || wget -q -O $name.gz "$url"
- { echo "-N $name iptreemap"
- gunzip -c $name.gz | \
- sed -e "/^[\t ]*#.*\|^[\t ]*$/d;s/^.*:/-A $name /"
- echo COMMIT
- } | ipset -R
- fi
- else
- if [ "$(ipset --swap $name $name 2>&1 | grep 'Unknown set')" != "" ]
- then
- ipset --create $name iptreemap
- [ -e $name.lst ] || wget -q -O - "$url" | gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" > $name.lst
- for IP in $(cat $name.lst)
- do
- ipset -A $name $IP
- done
- fi
- fi
- echo "ipset -X $name " >> ipset-del
- echo "iptables -A P2PARTISAN -m set --set $name src,dst -j P2PARTISAN-DROP 2> /dev/null" >> iptables-add
- done
- )
- input=`iptables -L INPUT | grep "P2PARTISAN" | wc -l`
- echo "iptables -I INPUT $pos -m state --state NEW -j P2PARTISAN 2> /dev/null" >> iptables-add
- chmod 777 ./iptables-*
- chmod 777 ./ipset-*
- ./iptables-add #protecting the LAN
- plog "Starting P2Partisan"
- else
- echo "
- It appears like P2Partisan is already running. Skipping...
- "
- fi
- }
- for p in $1
- do
- case "$p" in
- "start")
- pstart
- pscheduleset
- exit
- ;;
- "stop")
- pscheduleunset
- pforcestop
- exit
- ;;
- "restart")
- pscheduleunset
- psoftstop
- ;;
- "status")
- pstatus
- exit
- ;;
- "update")
- pscheduleunset
- pforcestop
- ;;
- "help")
- echo "
- P2Partisan parameters:
- help Display this text
- start Starts the process (this runs also if no option is provided)
- stop Stops P2Partisan and removes the custom iptables/ipset
- restart Soft restart that also forces a list update
- status Display whether P2Partisan is currently running or not
- update Hard restart that also forces a list update
- "
- exit
- ;;
- *)
- echo "parameter not valid. please run:
- p2partisan.sh help
- "
- exit
- ;;
- esac
- done
- pstart
- pscheduleset
- exit
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement