p2partisan 1.08

Apr 30th, 2014
  1. #!/bin/sh
  2. #
  3. # p2partisan v1.8 (30/04/2014)
  4. #
  5. # <CONFIGURATION> ###########################################
  6. # Adjust location where the files are kept
  7. P2Parisandir=/cifs1/p2partisan
  8. #
  9. # Edit the file "blacklists" to customise if needed
  10. # Edit the "whitelist" to overwrite the blacklist if needed
  11. #
  12. #
  13. # Enable logging? Use only for troubleshooting. 0=off 1=on
  14. syslogs=1
  15. #Maximum number of logs to be recorded in a given 60 min
  16. # Consider set this very low (to 1 or 2) once your are happy
  17. # with the installation
  18. maxloghour=120
  19. # to troubleshoot blocked connection close all the secondary
  20. # traffic e.g. p2p and try a connection to the blocked
  21. # site/port you should find a reference in the logs.
  22. #
  23. # ports to be whitelisted. Whitelisted ports will never be
  24. # blocked no matter what the source/destination IP is.
  25. # This is very important if you're running a service like
  26. # e.g. SMTP/HTTP/IMAP/else. Separate value in the list below
  27. # with commas - NOTE: Leave 80 and 443 untouched, add custom ports only
  28. # you might want to add remote admin and VPN ports here if any
  29. whiteports="80,443,993,25,21"
  30. #
  31. # Fastrouting will process the IP classes very quickly but use
  32. # Lot of resources. If you disable the effect is transparent
  33. # but the full process will take minutes rather than seconds
  34. # 0=disabled 1=enabled
  35. fastroutine=1
  36. #
  37. #Schedule updates? (once a week is plenty)
  38. schedule="30 4 * * 1"
  39. #
  40. # </CONFIGURATION> ###########################################
  41. cd $P2Parisandir
  42.  
  43. alias ipset='/usr/sbin/ipset'
  44. alias iptables='/usr/sbin/iptables'
  45. alias plog='logger -t P2PARTISAN -s'
  46.  
  47.  
  48.  
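#######################################
# Soft stop: undo the rules and sets recorded by the last pstart by running
# the generated helper scripts. Silently does nothing for a script that is
# missing (e.g. P2Partisan was never started).
# Files (exec): ./iptables-del, ./ipset-del
#######################################
psoftstop() {
  [ -x ./iptables-del ] && ./iptables-del > /dev/null 2>&1
  # Previously invoked as "./ipset-del /dev/null", a typo for a redirect.
  [ -x ./ipset-del ] && ./ipset-del > /dev/null 2>&1
  plog "Stopping P2Partisan"
}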
  54.  
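#######################################
# Print the ipset names this script manages: the first field of every
# non-comment, non-empty line of ./blacklists (same parsing as pstart).
# Prints nothing when the file is not readable.
#######################################
_p2p_set_names() {
  [ -r blacklists ] || return 0
  grep -v '^#' blacklists | grep -v '^$' | cut -d ' ' -f1
}

#######################################
# Hard stop: tear the chains and sets down directly, without relying on the
# generated helper scripts, then delete those scripts.
# Files (read): ./blacklists   Files (removed): ./iptables-del, ./ipset-del
#######################################
pforcestop() {
  iptables -D INPUT -m state --state NEW -j P2PARTISAN 2> /dev/null
  iptables -F P2PARTISAN-DROP 2> /dev/null
  iptables -F P2PARTISAN 2> /dev/null
  iptables -X P2PARTISAN-DROP 2> /dev/null
  iptables -X P2PARTISAN 2> /dev/null
  # Only the whitelist and the blacklist sets belong to P2Partisan. The old
  # code ran "ipset -F" and then destroyed every set it could list, which
  # also wiped sets created by unrelated firewall scripts on the router.
  for setname in whitelist $(_p2p_set_names); do
    ipset -F "$setname" 2> /dev/null
    ipset -X "$setname" 2> /dev/null
  done
  rm -f ./iptables-del ./ipset-del
  plog "Stopping P2Partisan"
}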
  69.  
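#######################################
# Print whether P2Partisan is installed. Reports YES only when both custom
# chains contain at least one rule and INPUT jumps to P2PARTISAN; anything
# less is reported as NO.
# Outputs: status text on stdout
#######################################
pstatus() {
  # -n avoids reverse DNS lookups on every rule, which can stall the check.
  # Each count is the number of rule lines after the two header lines.
  running=$(iptables -n -L P2PARTISAN 2> /dev/null | grep -v target | grep -vc Chain)
  running1=$(iptables -n -L P2PARTISAN-DROP 2> /dev/null | grep -v target | grep -vc Chain)
  running2=$(iptables -n -L INPUT 2> /dev/null | grep -c P2PARTISAN)
  if [ "$running" -eq 0 ] || [ "$running1" -eq 0 ] || [ "$running2" -eq 0 ]; then
    echo "
    P2Partisan running: NO
    "
  else
    echo "
    P2Partisan running: YES
    "
  fi
}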
  85.  
#######################################
# (Re)install the periodic refresh job in the router cron (cru), replacing
# any existing P2Partisan-update entry so the job is never duplicated.
# Globals: schedule, P2Parisandir (read)
#######################################
pscheduleset() {
  cru d P2Partisan-update
  cru a P2Partisan-update "${schedule} ${P2Parisandir}/p2partisan.sh restart"
}
  90.  
#######################################
# Remove the P2Partisan-update job from the router cron (cru).
#######################################
pscheduleunset() {
  cru d P2Partisan-update
}
  94.  
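#######################################
# True (exit 0) when no ipset called $1 exists. Swapping a set with itself
# is harmless and fails with "Unknown set" only when the set is absent.
# Arguments: $1 - set name
#######################################
_p2p_set_missing() {
  ipset --swap "$1" "$1" 2>&1 | grep -q 'Unknown set'
}

#######################################
# Fetch one blacklist (cached as ./<name>.gz or ./<name>.lst and downloaded
# only when the cache file is absent) and load it into a new ipset <name>.
# Arguments: $1 - set/cache name, $2 - URL of the gzip'd list
# Globals:   fastroutine (read)
# Returns:   0 when the set was created; 1 when the download failed, in
#            which case no set is created
#######################################
_p2p_load_blacklist() {
  name=$1
  url=$2
  if [ "$fastroutine" -eq 1 ]; then
    if [ ! -e "$name.gz" ]; then
      # Download under a temporary name: a failed or partial wget must not
      # leave a cache file behind, or the broken list is reused on every start.
      if ! wget -q -O "$name.gz.tmp" "$url"; then
        rm -f "$name.gz.tmp"
        echo "download of $name from $url failed, skipping" >&2
        return 1
      fi
      mv "$name.gz.tmp" "$name.gz"
    fi
    # Bulk load through "ipset -R". The list body is remote content, so only
    # lines that reduce to an address/range (same filter as the slow path)
    # become -A commands; previously any other line was handed to ipset -R
    # unchanged, i.e. as a raw restore command.
    {
      echo "-N $name iptreemap"
      gunzip -c "$name.gz" | sed -e 's/^.*://' | grep -E '^[-0-9.]+$' | sed -e "s/^/-A $name /"
      echo COMMIT
    } | ipset -R
  else
    if [ ! -e "$name.lst" ]; then
      if ! wget -q -O - "$url" | gunzip | cut -d: -f2 | grep -E '^[-0-9.]+$' > "$name.lst.tmp"; then
        rm -f "$name.lst.tmp"
        echo "download of $name from $url failed, skipping" >&2
        return 1
      fi
      mv "$name.lst.tmp" "$name.lst"
    fi
    ipset --create "$name" iptreemap
    # One entry per call; slow, but needs no ipset restore support.
    while read -r IP; do
      ipset -A "$name" "$IP"
    done < "$name.lst"
  fi
}

#######################################
# Build and apply the P2Partisan firewall: the P2PARTISAN/P2PARTISAN-DROP
# chains, the whitelist and blacklist ipsets, and the generated helper
# scripts ./iptables-add, ./iptables-del and ./ipset-del (the latter two are
# what psoftstop runs). Does nothing when the chains are already installed.
# Globals (read):  whiteports, syslogs, maxloghour, fastroutine
# Files (read):    ./whitelist, ./blacklists, cached ./<name>.gz or .lst
# Files (written): ./iptables-add, ./iptables-del, ./ipset-del
#######################################
pstart() {
  running=$(iptables -n -L P2PARTISAN 2> /dev/null | grep -v target | grep -vc Chain)
  running1=$(iptables -n -L P2PARTISAN-DROP 2> /dev/null | grep -v target | grep -vc Chain)
  running2=$(iptables -n -L INPUT 2> /dev/null | grep -c P2PARTISAN)
  if [ "$running" -ne 0 ] && [ "$running1" -ne 0 ] && [ "$running2" -ne 0 ]; then
    echo "
    It appears like P2Partisan is already running. Skipping...
"
    return 0
  fi

  echo "### PREPARATION ###"
  echo "loading modules"
  # Load the ipset kernel modules unless the iptables set match is present.
  lsmod | grep "ipt_set" > /dev/null 2>&1 ||
    for module in ip_set ip_set_iptreemap ipt_set; do
      insmod "$module"
    done

  # Position of the P2PARTISAN jump inside INPUT.
  pos=1

  echo "loading ports $whiteports exemption"
  iptables -N P2PARTISAN 2> /dev/null
  iptables -N P2PARTISAN-DROP 2> /dev/null

  # Start the helper scripts afresh (truncating stale copies), with a shebang
  # so they run the same way from ./name, "sh name" or cron.
  echo '#!/bin/sh' > iptables-add
  echo '#!/bin/sh' > iptables-del
  echo '#!/bin/sh' > ipset-del

  # NOTE(review): the --sports rules exempt packets by their *remote* source
  # port, so a blacklisted peer that talks from a whitelisted port is never
  # dropped. Keep whiteports to the services you really run or use.
  cat >> iptables-add <<EOF
iptables -N P2PARTISAN 2> /dev/null
iptables -N P2PARTISAN-DROP 2> /dev/null
iptables -F P2PARTISAN 2> /dev/null
iptables -F P2PARTISAN-DROP 2> /dev/null
iptables -A P2PARTISAN -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
EOF

  cat >> iptables-del <<EOF
iptables -D INPUT -m state --state NEW -j P2PARTISAN 2> /dev/null
iptables -F P2PARTISAN-DROP 2> /dev/null
iptables -F P2PARTISAN 2> /dev/null
iptables -X P2PARTISAN-DROP 2> /dev/null
iptables -X P2PARTISAN 2> /dev/null
EOF

  echo "### WHITELIST ###"
  echo "loading the whitelist"
  if _p2p_set_missing whitelist; then
    ipset --create whitelist iptreemap
    if [ -r whitelist ]; then
      # "|| [ -n ... ]" keeps a last line that has no trailing newline.
      while read -r IP || [ -n "$IP" ]; do
        case "$IP" in
          ''|'#'*) continue ;;
        esac
        ipset -A whitelist "$IP"
      done < whitelist
    else
      echo "no whitelist file found, nothing exempted" >&2
    fi
  fi
  # Remove only P2Partisan's own set; a bare "ipset -F" would flush every
  # set on the router.
  printf 'ipset -F whitelist\nipset -X whitelist\n' >> ipset-del

  echo "Preparing the whitelist for the iptables"
  echo "iptables -A P2PARTISAN -m set --set whitelist src,dst -j ACCEPT 2> /dev/null" >> iptables-add

  if [ "$syslogs" -eq 1 ]; then
    # The prefix is quoted inside the generated script so its trailing
    # space survives (the old unescaped quotes dropped it).
    echo "iptables -A P2PARTISAN-DROP -m limit --limit $maxloghour/hour -j LOG --log-prefix \"Blacklist-Dropped: \" --log-level 1 2> /dev/null" >> iptables-add
  fi
  echo "iptables -A P2PARTISAN-DROP -j DROP 2> /dev/null" >> iptables-add

  echo "### BLACKLISTs ###"
  if [ -r blacklists ]; then
    counter=0
    while read -r line || [ -n "$line" ]; do
      case "$line" in
        ''|'#'*) continue ;;
      esac
      counter=$((counter + 1))
      # "<name> <url>" per line; word-split so repeated blanks are tolerated.
      set -- $line
      name=$1
      url=$2
      echo "loading blacklist #$counter --> ***$name***"
      if _p2p_set_missing "$name"; then
        # A list that cannot be fetched gets neither a set nor a rule.
        _p2p_load_blacklist "$name" "$url" || continue
      fi
      echo "ipset -X $name " >> ipset-del
      echo "iptables -A P2PARTISAN -m set --set $name src,dst -j P2PARTISAN-DROP 2> /dev/null" >> iptables-add
    done < blacklists
  else
    echo "no blacklists file found, nothing will be blocked" >&2
  fi

  # NOTE(review): the only hook is in INPUT, so these rules filter traffic
  # addressed to the router itself; forwarded LAN traffic is not covered by
  # them. Confirm this matches the intended deployment.
  echo "iptables -I INPUT $pos -m state --state NEW -j P2PARTISAN 2> /dev/null" >> iptables-add

  # The helper scripts are executed as root; 0700 instead of the former 777
  # so no other local user can edit what the firewall will run.
  chmod 700 ./iptables-add ./iptables-del ./ipset-del
  ./iptables-add  # protecting the LAN

  plog "Starting P2Partisan"
}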
  225.  
  226.  
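#######################################
# Print the usage text.
#######################################
p2p_usage() {
  echo "
P2Partisan parameters:

    help        Display this text
    start       Starts the process (this runs also if no option is provided)
    stop        Stops P2Partisan and removes the custom iptables/ipset
    restart     Soft restart that also forces a list update
    status      Display whether P2Partisan is currently running or not
    update      Hard restart that also forces a list update
"
}

#######################################
# Entry point. Dispatches on the first argument; with no argument behaves
# like "start". restart and update stop first and then fall through to
# start.
# Arguments: $1 - start|stop|restart|status|update|help
# Returns:   exits 0, or 1 on an unknown parameter
#######################################
main() {
  case "${1:-start}" in
    start)
      ;;
    stop)
      pscheduleunset
      pforcestop
      exit 0
      ;;
    restart)
      # Soft stop through the generated helper scripts, then start again.
      # NOTE(review): neither stop path removes the cached <name>.gz/.lst
      # files, so the "forces a list update" in the help text only holds if
      # the cache is cleared elsewhere - confirm.
      pscheduleunset
      psoftstop
      ;;
    status)
      pstatus
      exit 0
      ;;
    update)
      # Hard stop (direct teardown), then start again.
      pscheduleunset
      pforcestop
      ;;
    help)
      p2p_usage
      exit 0
      ;;
    *)
      echo "parameter not valid. please run:

    p2partisan.sh help
    " >&2
      exit 1
      ;;
  esac
  pstart
  pscheduleset
  exit 0
}

main "$@"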