  1. #!/bin/sh
  2. #
  3. # p2partisan v2.30 (20/05/2014)
  4. #
  5. # <CONFIGURATION> ###########################################
  6. # Adjust location where the files are kept
  7. P2Partisandir=/cifs1/p2partisan
  8. #
  9. # Edit the file "blacklists" to customise if needed
  10. # Edit the "whitelist" to overwrite the blacklist if needed
  11. #
  12. #
  13. # Enable logging? Use only for troubleshooting. 0=off 1=on
  14. syslogs=1
  15. # Maximum number of logs to be recorded in a given 60 min
  16. # Consider set this very low (like 3 or 6) once your are
  17. # happy with the installation. To troubleshoot blocked
  18. # connection close all the secondary traffic e.g. p2p
  19. # and try a connection to the blocked site/port you should
  20. # find a reference in the logs.
  21. maxloghour=1
  22. #
  23. # What do you want to block?
  24. # 1) Input (Router only, does your generate P2P traffic?)
  25. # 2) LAN (LAN clients only)
  26. # 3) Both *default
  27. protection=3
  28. #
  29. # ports to be whitelisted. Whitelisted ports will never be
  30. # blocked no matter what the source/destination IP is.
  31. # This is very important if you're running a service like
  32. # e.g. SMTP/HTTP/IMAP/else. Separate value in the list below
  33. # with commas - NOTE: Leave 80 and 443 untouched, add custom ports only
  34. # you might want to add remote admin and VPN ports here if any.
  35. # Standard iptables syntax, number divided by "," or ":" for a range
  36. # e.g. 80,443,2100:21300
  37. whiteports="21,25,53,80,123,443,993,1194:1196"
  38. #
  39. # Fastrouting will process the IP classes very quickly but use
  40. # Lot of resources. If you disable the effect is transparent
  41. # but the full process will take minutes rather than seconds
  42. # 0=disabled 1=enabled
  43. fastroutine=1
  44. #
  45. # Schedule updates? (once a week is plenty)
  46. schedule="30 4 * * 1"
  47. #
  48. testip="8.8.8.8"
  49. # </CONFIGURATION> ###########################################
  50.  
  51. pidfile=/var/run/p2partisan.pid
  52. cd $P2Partisandir
  53.  
  54.  
  55. alias ipset='/bin/nice -n19 /usr/sbin/ipset'
  56. alias sed='/bin/nice -n19 /bin/sed'
  57. alias iptables='/usr/sbin/iptables'
  58. alias service='/sbin/service'
  59. alias plog='logger -t P2PARTISAN -s'
  60. now=`date +"%H:%M:%S - %d/%m/%y"`
  61. wanif=`nvram get wan_ifname`
  62.  
  63.  
psoftstop() {
    # Soft stop: run the generated undo script (it only removes the
    # P2PARTISAN jumps and chains - the ipsets stay loaded) and drop the pid file.
    ./iptables-del 2> /dev/null
    plog "Stopping P2Partisan"
    [ -f "$pidfile" ] && rm -f "$pidfile" 2> /dev/null
}
  69.  
  70. pblock() {
  71.     plog "P2PArtisan: Applying paranoia block"
  72.     iptables -N PARANOIA-DROP 2> /dev/null
  73.     iptables -A PARANOIA-DROP -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
  74.     iptables -A PARANOIA-DROP -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
  75.     iptables -A PARANOIA-DROP -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
  76.     iptables -A PARANOIA-DROP -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
  77.     iptables -A PARANOIA-DROP -m limit --limit $maxloghour/hour --limit-burst 5 -j LOG --log-prefix "P2Partisan Dropped (paranoia): " --log-level 1 2> /dev/null
  78.     iptables -A PARANOIA-DROP -j DROP 2> /dev/null
  79.     iptables -I wanin 1 -i $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
  80.     iptables -I wanout 1 -o $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
  81.     iptables -I INPUT 1 -i $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
  82.     iptables -I OUTPUT 1 -o $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
  83. }
  84.  
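punblock() {
    # Undo pblock: remove every PARANOIA-DROP jump from the four hook chains,
    # then flush and delete the chain itself.
    for _chain in wanin wanout INPUT OUTPUT; do
        case "$_chain" in
            wanin|INPUT) _ifopt=-i ;;
            *)           _ifopt=-o ;;
        esac
        # -n: no reverse DNS lookups while listing. Stop on a failed delete:
        # if the jump was installed with an interface other than the current
        # $wanif, -D never matches and the original loop spun forever.
        while iptables -L "$_chain" -n 2> /dev/null | grep -q "PARANOIA-DROP"; do
            iptables -D "$_chain" "$_ifopt" "$wanif" -m state --state NEW -j PARANOIA-DROP 2> /dev/null || break
        done
    done
    # -F only succeeds when the chain exists, so the log line is printed once.
    iptables -F PARANOIA-DROP 2> /dev/null && plog "P2PArtisan: Removing paranoia block"
    iptables -X PARANOIA-DROP 2> /dev/null
}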
  105.  
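pforcestop() {
    # Hard stop: unhook and delete the P2PARTISAN chains, destroy every ipset,
    # remove the generated helper scripts and the pid file, unload the modules.
    # NOTE(review): the cached <name>.gz / <name>.lst downloads made by pstart
    # are not removed here, so the next start reuses them - confirm whether
    # "update" is meant to re-download the lists.
    for _chain in wanin wanout INPUT OUTPUT; do
        case "$_chain" in
            wanin|INPUT) _ifopt=-i; _target=P2PARTISAN-IN ;;
            *)           _ifopt=-o; _target=P2PARTISAN-OUT ;;
        esac
        # -n: no reverse DNS lookups while listing. Stop on a failed delete:
        # if the jump was installed with an interface other than the current
        # $wanif, -D never matches and the original loop spun forever.
        while iptables -L "$_chain" -n 2> /dev/null | grep -q "$_target"; do
            iptables -D "$_chain" "$_ifopt" "$wanif" -m state --state NEW -j "$_target" 2> /dev/null || break
        done
    done
    iptables -F P2PARTISAN-DROP 2> /dev/null
    iptables -F P2PARTISAN-IN 2> /dev/null
    iptables -F P2PARTISAN-OUT 2> /dev/null
    iptables -X P2PARTISAN-DROP 2> /dev/null
    iptables -X P2PARTISAN-IN 2> /dev/null
    iptables -X P2PARTISAN-OUT 2> /dev/null
    # Flushes and destroys ALL sets on the box, not only the ones this script
    # created (the "Name:" lines of "ipset --list" are not filtered).
    ipset -F
    ipset --list | grep Name | cut -f2 -d ":" | while read -r _set; do
        ipset -X "$_set"
    done
    rm -f iptables-add iptables-del ipset-del
    [ -f "$pidfile" ] && rm -f "$pidfile" 2> /dev/null
    plog "Unloading ipset modules"
    # The sleep only happens when the module is loaded; note the ';' - rmmod is
    # attempted either way (presumably intended, as rmmod failures are silenced).
    lsmod | grep "ipt_set" > /dev/null 2>&1 && sleep 2 ; rmmod -f ipt_set 2> /dev/null
    lsmod | grep "ip_set_iptreemap" > /dev/null 2>&1 && sleep 2 ; rmmod -f ip_set_iptreemap 2> /dev/null
    lsmod | grep "ip_set" > /dev/null 2>&1 && sleep 2 ; rmmod -f ip_set 2> /dev/null
    plog "Stopping P2Partisan"
}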
  143.  
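pstatus() {
    # Print a human-readable status summary. Read-only.
    # running3: number of rules jumping to P2PARTISAN-IN (0 = chains not hooked).
    running3=$(iptables -L -n 2> /dev/null | grep -c P2PARTISAN-IN)
    # running4: 1 when the pid file written by pstart exists.
    if [ -f "$pidfile" ]; then running4=1; else running4=0; fi
    # running5/running6: boot-time autorun line in nvram / weekly cron job present.
    if nvram get script_fire | grep -q p2partisan; then running5=Yes; else running5=No; fi
    if cru l | grep -q P2Partisan-update; then running6=Yes; else running6=No; fi
    # running7: most recent "Dropped" line among the last 200 syslog lines.
    running7=$(tail -200 /var/log/messages 2> /dev/null | grep Dropped | tail -1)

    # pstart writes "# <timestamp>" as the first line of iptables-add; strip "# ".
    from=$(head -1 ./iptables-add 2> /dev/null | cut -c3-)
    # Packet counter of the final DROP rule of the P2PARTISAN-DROP chain.
    drop_packet_count=$(iptables -vL P2PARTISAN-DROP 2> /dev/null | grep " DROP " | awk '{print $1}')

    # [ ] rather than [[ ]]: the script runs under /bin/sh.
    if [ "$running3" -eq 0 ] && [ "$running4" -eq 0 ]; then
        running8=No
    elif [ "$running3" -eq 0 ] && [ "$running4" -eq 1 ]; then
        running8=Loading...
    elif [ "$running3" -gt 0 ] && [ "$running4" -eq 0 ]; then
        # Chains are hooked but no pid file: the last start did not complete.
        # Quoted as one word - the original unquoted assignment made the shell
        # execute "quite..." as a command and left running8 empty.
        running8='Not quite... try to run "p2partisan.sh update"'
    else
        running8=Yes
    fi

    echo "################# P2Partisan status #####################
#   P2Partisan running:   $running8
#   P2Partisan autorun:   $running5
#   P2Partisan scheduled: $running6
#########################################################
#   P2Partisan activity since $from
#   Dropped connections: $drop_packet_count
################# Last log recorded #####################
#   Remember your max logs per hour is set to: $maxloghour
$running7
#########################################################"
}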
  176.  
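pautorunset() {
    # Append "<dir>/p2partisan.sh restart" to the firewall start-up script
    # (nvram script_fire) unless it is already there, then persist nvram.
    if ! nvram get script_fire | grep -q "p2partisan.sh restart"; then
        t=$(nvram get script_fire)
        # The existing script content is data: pass it as a printf argument,
        # never as the format string (a '%' in it would corrupt the result).
        t=$(printf '%s\n%s\n' "$t" "$P2Partisandir/p2partisan.sh restart")
        nvram set "script_fire=$t"
    fi
    plog "P2Partisan AUTORUN is ON"
    nvram commit
}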
  185.  
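pautorununset() {
    # Remove every script_fire line containing "p2partisan", then persist nvram.
    # This also drops the "cru a P2Partisan-update ..." line, because its path
    # contains p2partisan.sh - pscheduleset relies on that and re-adds it.
    if nvram get script_fire | grep -q "p2partisan.sh restart"; then
        t=$(nvram get script_fire)
        # Script content is data, never a printf format string. (The original
        # also required exactly one matching line; duplicates are now cleaned too.)
        t=$(printf '%s\n' "$t" | grep -v p2partisan)
        nvram set "script_fire=$t"
    fi
    plog "P2Partisan AUTORUN is OFF"
    nvram commit
}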
  194.  
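pscheduleset() {
    # (Re)install the cron job and make sure script_fire re-creates it at boot.
    _cruline="cru a P2Partisan-update \"$schedule $P2Partisandir/p2partisan.sh paranoia-update\""
    cru d P2Partisan-update
    cru a P2Partisan-update "$schedule $P2Partisandir/p2partisan.sh paranoia-update"
    if ! nvram get script_fire | grep -q "cru a P2Partisan-update"; then
        if nvram get script_fire | grep -q "p2partisan.sh restart"; then
            # pautorununset strips every p2partisan line, the cru line is added,
            # then autorun is re-added (presumably to keep the restart line last).
            pautorununset
            t=$(nvram get script_fire)
            t=$(printf '%s\n%s\n' "$t" "$_cruline")
            nvram set "script_fire=$t"
            pautorunset
        else
            t=$(nvram get script_fire)
            # Script content is data, never a printf format string.
            t=$(printf '%s\n%s\n' "$t" "$_cruline")
            nvram set "script_fire=$t"
        fi
    fi
    plog "P2Partisan AUTO UPDATE is ON"
    nvram commit
}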
  212.  
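pscheduleunset() {
    # Remove the cron job and its boot-time re-creation line from script_fire.
    cru d P2Partisan-update
    if nvram get script_fire | grep -q "cru a P2Partisan-update"; then
        t=$(nvram get script_fire)
        # Script content is data, never a printf format string. (The original
        # also required exactly one matching line; duplicates are now cleaned too.)
        t=$(printf '%s\n' "$t" | grep -v "cru a P2Partisan-update")
        nvram set "script_fire=$t"
    fi
    plog "P2Partisan AUTO UPDATE is OFF"
    nvram commit
}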
  222.  
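pstart() {
    # Full start: wait for connectivity, write the pid file, load the ipset
    # modules, build the whitelist and blacklist sets (downloading lists that
    # are not cached yet), generate iptables-add / iptables-del / ipset-del and
    # run iptables-add. Blocks forever if $testip never answers.
    until ping -c 3 "$testip" >/dev/null 2>&1; do
        sleep 2
    done

    if [ -f "$pidfile" ]; then
        echo "
    It appears like P2Partisan is already running. Skipping...
           
    If this is not what you expected? Try:
    p2partisan.sh update
        "
        return
    fi

    echo $$ > "$pidfile"

    sleep 2

    rm -f iptables-add iptables-del ipset-del

    echo "### PREPARATION ###"
    echo "Loading the ipset modules"
    lsmod | grep "ip_set" > /dev/null 2>&1 || insmod ip_set
    lsmod | grep "ip_set_iptreemap" > /dev/null 2>&1 || insmod ip_set_iptreemap
    lsmod | grep "ipt_set" > /dev/null 2>&1 || insmod ipt_set

    counter=0
    # Rules are always inserted at the top of the hook chains.
    pos=1
    echo "loading ports $whiteports exemption"

    # Port exemptions come first in both chains, before any set match.
    echo "# $now
iptables -N P2PARTISAN-IN 2> /dev/null
iptables -N P2PARTISAN-OUT 2> /dev/null
iptables -N P2PARTISAN-DROP 2> /dev/null
iptables -F P2PARTISAN-IN 2> /dev/null
iptables -F P2PARTISAN-OUT 2> /dev/null
iptables -F P2PARTISAN-DROP 2> /dev/null
iptables -A P2PARTISAN-IN -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-IN -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-IN -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-IN -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null" >> iptables-add

    # Undo script used by psoftstop: unhook, flush and delete the chains.
    echo "# $now
iptables -D wanin -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -D wanout -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
iptables -D INPUT -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -D OUTPUT -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
iptables -F P2PARTISAN-DROP 2> /dev/null
iptables -F P2PARTISAN-IN 2> /dev/null
iptables -F P2PARTISAN-OUT 2> /dev/null
iptables -X P2PARTISAN-IN 2> /dev/null
iptables -X P2PARTISAN-OUT 2> /dev/null
iptables -X P2PARTISAN-DROP 2> /dev/null" >> iptables-del

    echo "### WHITELIST ###"
    echo "loading the whitelist"
    # "ipset --swap X X" is used as an existence probe: only create and fill
    # the set when it does not exist yet. Lines starting with 10., 172.16. or
    # 192.168. are skipped (note: only 172.16.*, not the whole 172.16.0.0/12).
    if [ "$(ipset --swap whitelist whitelist 2>&1 | grep 'Unknown set')" != "" ]; then
        ipset --create whitelist iptreemap
        grep -v "^10." whitelist | grep -v "^172.16." | grep -v "^192.168." |
        (
            while read -r IP; do
                # skip comments and blank lines
                case "$IP" in "#"*|"") continue ;; esac
                ipset -A whitelist "$IP"
            done
        )
    fi
    echo "# $now
ipset -F
ipset -X whitelist" > ipset-del

    echo "Preparing the whitelist for the iptables"
    echo "iptables -A P2PARTISAN-IN -m set --set whitelist src -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -m set --set whitelist dst -j ACCEPT 2> /dev/null" >> iptables-add

    if [ "$syslogs" -eq 1 ]; then
        echo "iptables -A P2PARTISAN-DROP -m limit --limit $maxloghour/hour --limit-burst 1 -j LOG --log-prefix \"P2Partisan Dropped: \" --log-level 1 2> /dev/null" >> iptables-add
    fi
    echo "iptables -A P2PARTISAN-DROP -j DROP 2> /dev/null"  >> iptables-add

    echo "### BLACKLISTs ###"
    # Each non-comment line of "blacklists" is "<name> <url>" (whitespace
    # separated). The subshell keeps "set --" from touching our own arguments.
    (
        while read -r line; do
            case "$line" in "#"*|"") continue ;; esac
            counter=$((counter + 1))
            set -- $line
            name=$1
            url=$2
            echo "loading blacklist #$counter --> ***$name***"

            if [ "$fastroutine" -eq 1 ]; then
                if [ "$(ipset --swap "$name" "$name" 2>&1 | grep 'Unknown set')" != "" ]; then
                    # Download to a temp name and rename only on success: the
                    # original "wget -O $name.gz" left an empty file behind on
                    # failure, which every later start then treated as cached.
                    if [ ! -e "$name.gz" ]; then
                        if wget -q -O "$name.gz.tmp" "$url"; then
                            mv "$name.gz.tmp" "$name.gz"
                        else
                            rm -f "$name.gz.tmp"
                        fi
                    fi
                    # Feed ipset a restore script: "-N" header, then one "-A"
                    # per "<label>:<range>" line (comment/blank lines dropped).
                    { echo "-N $name iptreemap"
                      gunzip -c "$name.gz" | \
                      sed -e "/^[\t ]*#.*\|^[\t ]*$/d;s/^.*:/-A $name /"
                      echo COMMIT
                    } | ipset -R
                fi
            else
                if [ "$(ipset --swap "$name" "$name" 2>&1 | grep 'Unknown set')" != "" ]; then
                    ipset --create "$name" iptreemap
                    # Same temp-then-rename as above. Without pipefail the status
                    # is grep's, so an empty result also counts as a failure.
                    if [ ! -e "$name.lst" ]; then
                        if wget -q -O - "$url" | gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" > "$name.lst.tmp"; then
                            mv "$name.lst.tmp" "$name.lst"
                        else
                            rm -f "$name.lst.tmp"
                        fi
                    fi
                    if [ -f "$name.lst" ]; then
                        while read -r IP; do
                            ipset -A "$name" "$IP"
                        done < "$name.lst"
                    fi
                fi
            fi

            echo "ipset -X $name " >> ipset-del
            echo "iptables -A P2PARTISAN-IN -m set --set $name src -j P2PARTISAN-DROP 2> /dev/null
iptables -A P2PARTISAN-OUT -m set --set $name dst -j P2PARTISAN-DROP 2> /dev/null" >> iptables-add
        done
    ) < blacklists

    # Hook the chains according to $protection (1=router, 2=LAN, 3=both).
    if [ "$protection" -eq 1 ]; then
        echo "iptables -I INPUT $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I OUTPUT $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null" >> iptables-add
    elif [ "$protection" -eq 2 ]; then
        echo "iptables -I wanin $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I wanout $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null" >> iptables-add
    elif [ "$protection" -eq 3 ]; then
        echo "iptables -I INPUT $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I OUTPUT $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
iptables -I wanin $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I wanout $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null" >> iptables-add
    fi

    # The generated scripts are executed by this (root) script on every start,
    # so they must not be world-writable: the original chmod 777 let any local
    # account edit what runs as root. 755 keeps them executable and readable.
    chmod 755 ./iptables-* ./ipset-*
    ./iptables-add  #protecting

    plog "... P2Partisan started."

    if nvram get dnsmasq_custom | grep -q log-async; then
        plog "log-async found under dnsmasq -> OK"
    else
        plog "
It appears like you don't have a log-async parameter
in your dnsmasq config. This is strongly suggested
due to the amount of logs involved. please consider
adding the following command under Advanced/DHCP/DNS
/Dnsmasq Custom configuration
 
log-async=10
"
    fi

    punblock  #remove paranoia DROPs if any
}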
  406.  
  407.  
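# Command dispatch on the first argument. The loop word-splits $1, so it
# normally runs at most once and not at all when no argument is given.
# "restart", "update" and "paranoia-update" do not exit: they fall through to
# the unconditional pstart below. Every other command exits here.
for p in $1
do
case "$p" in
    "start")
        pstart
        exit
        ;;
    "stop")
        pforcestop
        exit
        ;;
    "restart")
        pscheduleunset
        psoftstop
        pscheduleset
        ;;
    "status")
        pstatus
        exit
        ;;
    "update")
        pscheduleunset
        pforcestop
        pscheduleset
        ;;
    "paranoia-update")
        pscheduleunset
        pblock
        pforcestop
        pscheduleset
        ;;
    "autorun-on")
        pautorunset
        exit
        ;;
    "autorun-off")
        pautorununset
        exit
        ;;
    "autoupdate-on")
        pscheduleset
        exit
        ;;
    "autoupdate-off")
        pscheduleunset
        exit
        ;;
    "help")
        # The opening quote was missing, leaving the script with an unbalanced
        # string; the help text is one echo argument.
        echo "
P2Partisan parameters:
               
    help        Display this text      
    start       Starts the process (this runs also if no option
            is provided)
    stop        Stops P2Partisan
    restart     Soft restart, quick, updates iptables only
    update      Hard restart, slow removes p2partisan, updates
            the lists and does a fresh start
    paranoia-update Like update but blocks any new connection until
            P2Partisan is running again
    status      Display P2Partisan running status + extra info
    autorun-on  Sets P2Partisan to boot with the router
    autorun-off Sets P2Partisan not to boot with the router
    autoupdate-on   Sets automatic updates on
    autoupdate-off  Sets automatic updates off
                "
        exit
        ;;
    *)
        echo "parameter not valid. please run:
               
    p2partisan.sh help
    "
        exit
        ;;
esac
done

# No argument (or one of the fall-through commands above): start.
pstart

exit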