  1. #!/bin/sh
  2. #
  3. # p2partisan v2.31 (26/05/2014)
  4. #
  5. # <CONFIGURATION> ###########################################
  6. # Adjust location where the files are kept
  7. P2Partisandir=/cifs1/p2partisan
  8. #
  9. # Edit the file "blacklists" to customise if needed
  10. # Edit the "whitelist" to overwrite the blacklist if needed
  11. #
  12. #
  13. # Enable logging? Use only for troubleshooting. 0=off 1=on
  14. syslogs=1
  15. # Maximum number of logs to be recorded in a given 60 min
  16. # Consider set this very low (like 3 or 6) once your are
  17. # happy with the installation. To troubleshoot blocked
  18. # connection close all the secondary traffic e.g. p2p
  19. # and try a connection to the blocked site/port you should
  20. # find a reference in the logs.
  21. maxloghour=1
  22. #
  23. # What do you want to block?
  24. # 1) Input (Router only, does your generate P2P traffic?)
  25. # 2) LAN (LAN clients only)
  26. # 3) Both *default
  27. protection=3
  28. #
  29. # ports to be whitelisted. Whitelisted ports will never be
  30. # blocked no matter what the source/destination IP is.
  31. # This is very important if you're running a service like
  32. # e.g. SMTP/HTTP/IMAP/else. Separate value in the list below
  33. # with commas - NOTE: Leave 80 and 443 untouched, add custom ports only
  34. # you might want to add remote admin and VPN ports here if any.
  35. # Standard iptables syntax, number divided by "," or ":" for a range
  36. # e.g. 80,443,2100:21300
  37. whiteports="21,25,53,80,123,443,993,1194:1196"
  38. #
  39. # Fastrouting will process the IP classes very quickly but use
  40. # Lot of resources. If you disable the effect is transparent
  41. # but the full process will take minutes rather than seconds
  42. # 0=disabled 1=enabled
  43. fastroutine=1
  44. #
  45. # Schedule updates? (once a week is plenty)
  46. schedule="30 4 * * 1"
  47. #
  48. testip="8.8.8.8"
  49. # </CONFIGURATION> ###########################################
  50.  
# Wait until Internet is available: retry a 3-packet ping to $testip
# every 2 seconds until one succeeds (no timeout, blocks forever offline).
until ping -c 3 "$testip" >/dev/null 2>&1
do
    sleep 2
done
  60.  
  61. pidfile=/var/run/p2partisan.pid
  62. cd $P2Partisandir
  63. version=`head -3 ./p2partisan.sh | tail -1 | cut -f 3- -d " "`
  64.  
  65. alias ipset='/bin/nice -n19 /usr/sbin/ipset'
  66. alias sed='/bin/nice -n19 /bin/sed'
  67. alias iptables='/usr/sbin/iptables'
  68. alias service='/sbin/service'
  69. alias plog='logger -t P2PARTISAN -s'
  70. now=`date +"%H:%M:%S - %d/%m/%y"`
  71. wanif=`nvram get wan_ifname`
  72.  
  73.  
# Soft stop: run the generated undo script (iptables rules only — the ipsets
# stay loaded, so a following pstart is quick) and drop the "loaded" marker.
# Returns non-zero when the marker was already absent.
psoftstop() {
    ./iptables-del 2> /dev/null
    plog "Stopping P2Partisan"
    [ -f "$pidfile" ] && rm -f "$pidfile" 2> /dev/null
}
  79.  
# "Paranoia" mode used around a list refresh: every NEW connection crossing
# the WAN interface is dropped unless it uses a whitelisted port, so the box
# is never unprotected while the P2PARTISAN-* chains are being rebuilt.
# Globals read: whiteports, maxloghour, wanif.
pblock() {
    plog "P2PArtisan: Applying paranoia block"
    iptables -N PARANOIA-DROP 2> /dev/null
    # Same rule order as always: tcp/udp by source port, then tcp/udp by
    # destination port. Source-port exemption means a peer choosing a
    # whitelisted source port is accepted here too.
    for portdir in sports dports; do
        for proto in tcp udp; do
            iptables -A PARANOIA-DROP -p "$proto" --match multiport --"$portdir" $whiteports -j ACCEPT 2> /dev/null
        done
    done
    iptables -A PARANOIA-DROP -m limit --limit "$maxloghour/hour" --limit-burst 5 -j LOG --log-prefix "P2Partisan Dropped (paranoia): " --log-level 1 2> /dev/null
    iptables -A PARANOIA-DROP -j DROP 2> /dev/null
    # Hook at position 1 of both the LAN forward path (wanin/wanout) and the
    # router's own INPUT/OUTPUT.
    for chain_flag in "wanin:-i" "wanout:-o" "INPUT:-i" "OUTPUT:-o"; do
        chain=${chain_flag%%:*}
        flag=${chain_flag#*:}
        iptables -I "$chain" 1 "$flag" $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
    done
}
  94.  
# Undo pblock: remove every PARANOIA-DROP jump from each chain it may have
# been inserted into, then flush and delete the chain. Globals read: wanif.
punblock() {
    for chain_flag in "wanin:-i" "wanout:-o" "INPUT:-i" "OUTPUT:-o"; do
        chain=${chain_flag%%:*}
        flag=${chain_flag#*:}
        # Loop until -L no longer lists the jump. Assumes the -D spec matches
        # the rule pblock inserted; a mismatch would make this spin.
        while iptables -L "$chain" 2> /dev/null | grep "PARANOIA-DROP"
        do
            iptables -D "$chain" "$flag" $wanif -m state --state NEW -j PARANOIA-DROP 2> /dev/null
        done
    done
    # Only log when there actually was a chain to flush.
    iptables -F PARANOIA-DROP 2> /dev/null && plog "P2PArtisan: Removing paranoia block"
    iptables -X PARANOIA-DROP 2> /dev/null
}
  115.  
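# Hard stop: unhook and delete the P2PARTISAN-* chains, destroy every ipset,
# remove the generated helper scripts, drop the "loaded" marker and unload
# the ipset kernel modules. Unlike psoftstop nothing stays loaded, so the
# next pstart rebuilds all sets. Globals read: wanif, pidfile.
pforcestop() {
    for spec in "wanin:-i:P2PARTISAN-IN" "wanout:-o:P2PARTISAN-OUT" \
                "INPUT:-i:P2PARTISAN-IN" "OUTPUT:-o:P2PARTISAN-OUT"; do
        chain=${spec%%:*}
        rest=${spec#*:}
        flag=${rest%%:*}
        target=${rest#*:}
        # Loop until -L no longer lists the jump (stderr silenced on every
        # chain, the INPUT/OUTPUT loops used to leak it). Assumes the -D spec
        # matches the rule pstart inserted; a mismatch would make this spin.
        while iptables -L "$chain" 2> /dev/null | grep "$target"
        do
            iptables -D "$chain" "$flag" "$wanif" -m state --state NEW -j "$target" 2> /dev/null
        done
    done
    iptables -F P2PARTISAN-DROP 2> /dev/null
    iptables -F P2PARTISAN-IN 2> /dev/null
    iptables -F P2PARTISAN-OUT 2> /dev/null
    iptables -X P2PARTISAN-DROP 2> /dev/null
    iptables -X P2PARTISAN-IN 2> /dev/null
    iptables -X P2PARTISAN-OUT 2> /dev/null
    # Flush and destroy every set on the box. `ipset --list` prints "Name: xxx";
    # the unquoted $i is what strips the leading space cut leaves behind.
    ipset -F
    for i in $(ipset --list | grep Name | cut -f2 -d ":"); do
        ipset -X $i
    done
    # The cached list archives are reused by pstart and fed straight into
    # `ipset -R` as root, so they must not be world-writable (was chmod 777).
    chmod 600 ./*.gz 2> /dev/null
    # NOTE(review): the cached .gz/.lst files are kept here and pstart reuses an
    # existing one, so "update" only re-downloads a list whose cache is missing —
    # confirm that is the intended refresh behaviour.
    [ -f iptables-add ] && rm iptables-add
    [ -f iptables-del ] && rm iptables-del
    [ -f ipset-del ] && rm ipset-del
    [ -f "$pidfile" ] && rm -f "$pidfile" 2> /dev/null
    plog "Unloading ipset modules"
    # Give the kernel a moment before forcing the module out, innermost first.
    lsmod | grep "ipt_set" > /dev/null 2>&1 && sleep 2 ; rmmod -f ipt_set 2> /dev/null
    lsmod | grep "ip_set_iptreemap" > /dev/null 2>&1 && sleep 2 ; rmmod -f ip_set_iptreemap 2> /dev/null
    lsmod | grep "ip_set" > /dev/null 2>&1 && sleep 2 ; rmmod -f ip_set 2> /dev/null
    plog "Stopping P2Partisan"
}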
  154.  
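# Print a status report to stdout. Indicators: P2PARTISAN-IN hooked in
# iptables (running3), "loaded" marker present (running4), autorun line in
# nvram script_fire (running5), cron entry (running6), last kernel drop
# message (running7). Globals read: pidfile, version, maxloghour.
pstatus() {
    running3=$(iptables -L | grep -c P2PARTISAN-IN 2> /dev/null)
    running4=$([ -f "$pidfile" ] && echo 1 || echo 0)
    running5=$(nvram get script_fire | grep -q p2partisan && echo Yes || echo No)
    running6=$(cru l | grep -q P2Partisan-update && echo Yes || echo No)
    running7=$(tail -200 /var/log/messages | grep Dropped | tail -1)

    # First line of iptables-add is "# <timestamp>" written by pstart.
    from=$(head -1 ./iptables-add 2> /dev/null | cut -c3-)
    # Packet counter of the final DROP rule (first column of -vL output).
    drop_packet_count=$(iptables -vL P2PARTISAN-DROP 2> /dev/null | grep " DROP " | awk '{print $1}')

    # POSIX [ ] instead of [[ ]]: the script runs under #!/bin/sh.
    if [ "$running3" -eq "0" ] && [ "$running4" -eq "0" ]; then
        running8=No
    elif [ "$running3" -eq "0" ] && [ "$running4" -eq "1" ]; then
        running8=Loading...
    elif [ "$running3" -gt "0" ] && [ "$running4" -eq "0" ]; then
        # Quoted as one word: the old unquoted assignment made "quite..." the
        # command being run and left running8 unset.
        running8='Not quite... try to run "p2partisan.sh update"'
    else
        running8=Yes
    fi

    echo "################### P2Partisan ##########################
#   Release version: $version
################# P2Partisan status #####################
#   P2Partisan running:   $running8
#   P2Partisan autorun:   $running5
#   P2Partisan scheduled: $running6
#########################################################
#   P2Partisan activity since: $from
#   Dropped connections: $drop_packet_count
################# Last log recorded #####################
#   Remember your max logs per hour is set to: $maxloghour
$running7
#########################################################"
}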
  189.  
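# Persist the script in nvram script_fire so it runs at boot (idempotent).
# The cru scheduler line also names the script, so it is excluded from the
# count. Globals read: P2Partisandir.
pautorunset() {
    p=$(nvram get script_fire | grep "p2partisan.sh" | grep -v cru | wc -l)
    if [ "$p" -eq "0" ] ; then
        t=$(nvram get script_fire)
        # script_fire is a printf argument, not the format string, so '%' or
        # backslash sequences stored in nvram cannot alter the output.
        t=$(printf '%s\n%s\n' "$t" "$P2Partisandir/p2partisan.sh")
        nvram set "script_fire=$t"
    fi
    plog "P2Partisan AUTO RUN is ON"
    nvram commit
}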
  198.  
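# Remove the boot-time launch line from nvram script_fire. Only the autorun
# line is dropped: the "cru a P2Partisan-update ..." line also contains the
# script path and used to be wiped as well by a plain `grep -v p2partisan`,
# silently losing the persisted auto-update on "autorun-off".
pautorununset() {
    p=$(nvram get script_fire | grep "p2partisan.sh" | grep -v cru | wc -l)
    if [ "$p" -eq "1" ]; then
        # delete lines naming the script, except those that are cru entries
        t=$(nvram get script_fire | sed -e '/cru/!{' -e '/p2partisan.sh/d' -e '}')
        nvram set "script_fire=$t"
    fi
    plog "P2Partisan AUTO RUN is OFF"
    nvram commit
}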
  207.  
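# Install the "paranoia-update" cron job now and persist the cru command in
# nvram script_fire so it survives a reboot. Globals read: schedule,
# P2Partisandir.
pscheduleset() {
    cru d P2Partisan-update
    cru a P2Partisan-update "$schedule $P2Partisandir/p2partisan.sh paranoia-update"
    # pp: autorun line present?  p: persisted cru line present?
    pp=$(nvram get script_fire | grep "p2partisan.sh" | grep -v cru | wc -l)
    p=$(nvram get script_fire | grep "cru a P2Partisan-update" | wc -l)
    if [ "$p" -eq "0" ] ; then
        if [ "$pp" -eq "0" ]; then
            t=$(nvram get script_fire)
            # script_fire goes in as a printf argument, never as the format string.
            t=$(printf '%s\ncru a P2Partisan-update "%s %s/p2partisan.sh paranoia-update"\n' "$t" "$schedule" "$P2Partisandir")
            nvram set "script_fire=$t"
        else
            # The autorun line is removed first and re-added afterwards,
            # presumably so the cru registration precedes the script launch
            # in script_fire — confirm.
            pautorununset
            t=$(nvram get script_fire)
            t=$(printf '%s\ncru a P2Partisan-update "%s %s/p2partisan.sh paranoia-update"\n' "$t" "$schedule" "$P2Partisandir")
            nvram set "script_fire=$t"
            pautorunset
        fi
    fi
    plog "P2Partisan AUTO UPDATE is ON"
    nvram commit
}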
  225.  
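# Remove the "paranoia-update" cron job and its persisted line from nvram
# script_fire (nothing else in script_fire is touched).
pscheduleunset() {
    cru d P2Partisan-update
    p=$(nvram get script_fire | grep "cru a P2Partisan-update" | wc -l)
    if [ "$p" -eq "1" ] ; then
        # No need to append the line before filtering it out again; nvram
        # content is never used as a printf format string.
        t=$(nvram get script_fire | grep -v "cru a P2Partisan-update")
        nvram set "script_fire=$t"
    fi
    plog "P2Partisan AUTO UPDATE is OFF"
    nvram commit
}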
  235.  
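# Build and apply the P2PARTISAN-IN/OUT/DROP chains from the configured lists.
# Side effects: writes ./iptables-add (apply script), ./iptables-del (undo
# script) and ./ipset-del (set cleanup), creates the ipsets, executes
# ./iptables-add and writes $pidfile. The pidfile is a "loaded" marker: it
# holds this shell's PID but the script exits right after loading, so it is
# not a live process id. Skips everything if the marker already exists.
# Globals read: pidfile, now, whiteports, wanif, syslogs, maxloghour,
# fastroutine, protection.
pstart() {
    running4=$([ -f "$pidfile" ] && echo 1 || echo 0)
    if [ "$running4" -eq "0" ]; then

        echo $$ > "$pidfile"

        sleep 2

        # Generated helper scripts are rebuilt from scratch on every start.
        [ -f iptables-add ] && rm iptables-add
        [ -f iptables-del ] && rm iptables-del
        [ -f ipset-del ] && rm ipset-del

        echo "### PREPARATION ###"
        echo "Loading the ipset modules"
        lsmod | grep "ip_set" > /dev/null 2>&1 || insmod ip_set
        lsmod | grep "ip_set_iptreemap" > /dev/null 2>&1 || insmod ip_set_iptreemap
        lsmod | grep "ipt_set" > /dev/null 2>&1 || insmod ipt_set

        counter=0
        # Position at which the jump rules are inserted into the hook chains.
        pos=1
        echo "loading ports $whiteports exemption"

        # Whitelisted ports are accepted before any blacklist match, on source
        # AND destination port: a listed host using e.g. a whitelisted source
        # port is therefore never dropped by these chains.
        echo "# $now
iptables -N P2PARTISAN-IN 2> /dev/null
iptables -N P2PARTISAN-OUT 2> /dev/null
iptables -N P2PARTISAN-DROP 2> /dev/null
iptables -F P2PARTISAN-IN 2> /dev/null
iptables -F P2PARTISAN-OUT 2> /dev/null
iptables -F P2PARTISAN-DROP 2> /dev/null
iptables -A P2PARTISAN-IN -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-IN -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-IN -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-IN -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p tcp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p udp --match multiport --sports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p tcp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -p udp --match multiport --dports $whiteports -j ACCEPT 2> /dev/null" >> iptables-add

        # Undo script used by psoftstop.
        echo "# $now
iptables -D wanin -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -D wanout -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
iptables -D INPUT -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -D OUTPUT -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
iptables -F P2PARTISAN-DROP 2> /dev/null
iptables -F P2PARTISAN-IN 2> /dev/null
iptables -F P2PARTISAN-OUT 2> /dev/null
iptables -X P2PARTISAN-IN 2> /dev/null
iptables -X P2PARTISAN-OUT 2> /dev/null
iptables -X P2PARTISAN-DROP 2> /dev/null" >> iptables-del

        echo "### WHITELIST ###"
        echo "loading the whitelist"
        # Create the whitelist set only if it does not exist yet (swapping a
        # set with itself is a cheap existence probe). Entries starting with
        # 10. / 172.16. / 192.168. are skipped — dots are now escaped, the old
        # patterns also dropped e.g. 100.x.x.x. Presumably private ranges are
        # excluded because they never appear on the WAN path — confirm.
        if ipset --swap whitelist whitelist 2>&1 | grep -q 'Unknown set'; then
            ipset --create whitelist iptreemap
            grep -v "^10\." whitelist | grep -v "^172\.16\." | grep -v "^192\.168\." |
            (
            while read -r IP
            do
                case "$IP" in
                    ""|"#"*) continue ;;
                esac
                ipset -A whitelist $IP
            done
            )
        fi
        echo "# $now
ipset -F
ipset -X whitelist" > ipset-del

        echo "Preparing the whitelist for the iptables"
        echo "iptables -A P2PARTISAN-IN -m set --set whitelist src -j ACCEPT 2> /dev/null
iptables -A P2PARTISAN-OUT -m set --set whitelist dst -j ACCEPT 2> /dev/null" >> iptables-add

        if [ "$syslogs" -eq "1" ]; then
            echo "iptables -A P2PARTISAN-DROP -m limit --limit $maxloghour/hour --limit-burst 1 -j LOG --log-prefix \"P2Partisan Dropped: \" --log-level 1 2> /dev/null" >> iptables-add
        fi
        echo "iptables -A P2PARTISAN-DROP -j DROP 2> /dev/null"  >> iptables-add

        echo "### BLACKLISTs ###"

        # One "<name> <url>" pair per line of ./blacklists. The subshell keeps
        # counter/name/url out of the caller's scope (counter is only used for
        # the progress message).
        (
        while read -r line
        do
            case "$line" in
                ""|"#"*) continue ;;
            esac
            counter=$((counter + 1))
            # split on whitespace: first word is the set name, second the URL
            set -- $line
            name=$1
            url=$2
            echo "loading blacklist #$counter --> ***$name***"

            if [ "$fastroutine" -eq "1" ]; then

                if ipset --swap "$name" "$name" 2>&1 | grep -q 'Unknown set'; then
                    # A cached archive is reused when present. The download is
                    # unauthenticated; on failure the empty file is removed so
                    # a later run retries instead of reusing an empty cache.
                    [ -e "$name.gz" ] || wget -q -O "$name.gz" "$url" || rm -f "$name.gz"
                    # Turn "<label>:<range>" lines into ipset restore input.
                    # Comment and blank lines are dropped, and so are lines
                    # without a ':' — otherwise list content would reach
                    # `ipset -R` as a bare command.
                    {
                        echo "-N $name iptreemap"
                        gunzip -c "$name.gz" | \
                        sed -e "/^[\t ]*#.*\|^[\t ]*$/d;/:/!d;s/^.*:/-A $name /"
                        echo COMMIT
                    } | ipset -R
                fi

            else

                if ipset --swap "$name" "$name" 2>&1 | grep -q 'Unknown set'; then
                    ipset --create "$name" iptreemap
                    # Cached entry list is reused when present; entries are
                    # restricted to digits, dots and dashes. An empty result
                    # (download failed) is removed so a later run retries.
                    [ -e "$name.lst" ] || wget -q -O - "$url" | gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" > "$name.lst" || rm -f "$name.lst"
                    for IP in $(cat "$name.lst")
                    do
                        ipset -A "$name" "$IP"
                    done
                fi

            fi

            echo "ipset -X $name " >> ipset-del
            echo "iptables -A P2PARTISAN-IN -m set --set $name src -j P2PARTISAN-DROP 2> /dev/null
iptables -A P2PARTISAN-OUT -m set --set $name dst -j P2PARTISAN-DROP 2> /dev/null" >> iptables-add
        done
        ) < blacklists

        # Hook the chains per the "protection" setting: INPUT/OUTPUT guard the
        # router itself, wanin/wanout guard the LAN clients.
        if [ "$protection" -eq "1" ]; then
            echo "iptables -I INPUT $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I OUTPUT $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null" >> iptables-add
        elif [ "$protection" -eq "2" ]; then
            echo "iptables -I wanin $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I wanout $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null" >> iptables-add
        elif [ "$protection" -eq "3" ]; then
            echo "iptables -I INPUT $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I OUTPUT $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null
iptables -I wanin $pos -i $wanif -m state --state NEW -j P2PARTISAN-IN 2> /dev/null
iptables -I wanout $pos -o $wanif -m state --state NEW -j P2PARTISAN-OUT 2> /dev/null" >> iptables-add
        fi

        # The generated scripts are executed as root: owner-only permissions
        # (was chmod 777, which let any local user rewrite what root runs).
        chmod 700 ./iptables-*
        chmod 700 ./ipset-*
        ./iptables-add  #protecting

        plog "... P2Partisan started."

        if nvram get dnsmasq_custom | grep -q log-async; then
            plog "log-async found under dnsmasq -> OK"
        else
            plog "
It appears like you don't have a log-async parameter
in your dnsmasq config. This is strongly suggested
due to the amount of logs involved. please consider
adding the following command under Advanced/DHCP/DNS
/Dnsmasq Custom configuration

log-async=10
"
        fi

        punblock  #remove paranoia DROPs if any

    else
        echo "
    It appears like P2Partisan is already running. Skipping...

    If this is not what you expected? Try:
    p2partisan.sh update
        "
    fi
}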
  412.  
  413.  
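# Dispatch on the first argument. Actions without an "exit" fall through to
# the unconditional pstart after the loop: restart, update and
# paranoia-update all end with a fresh start, and no argument at all starts.
for p in $1
do
case "$p" in
        "start")
                pstart
                exit
                ;;
        "stop")
                pforcestop
                exit
                ;;
        "restart")
                pscheduleunset
                psoftstop
                pscheduleset
                ;;
        "status")
                pstatus
                exit
                ;;
        "update")
                pscheduleunset
                pforcestop
                pscheduleset
                ;;
        "paranoia-update")
                pscheduleunset
                pblock
                pforcestop
                pscheduleset
                ;;
        "autorun-on")
                pautorunset
                exit
                ;;
        "autorun-off")
                pautorununset
                exit
                ;;
        "autoupdate-on")
                pscheduleset
                exit
                ;;
        "autoupdate-off")
                pscheduleunset
                exit
                ;;
        "help")
                # the opening quote was missing, leaving the string unbalanced
                echo "
P2Partisan parameters:

    help        Display this text
    start       Starts the process (this runs also if no option
            is provided)
    stop        Stops P2Partisan
    restart     Soft restart, quick, updates iptables only
    update      Hard restart, slow removes p2partisan, updates
            the lists and does a fresh start
    paranoia-update Like update but blocks any new connection until
            P2Partisan is running again
    status      Display P2Partisan running status + extra info
    autorun-on  Sets P2Partisan to boot with the router
    autorun-off Sets P2Partisan not to boot with the router
    autoupdate-on   Sets automatic updates on
    autoupdate-off  Sets automatic updates off
                "
                exit
                ;;
        *)
                echo "parameter not valid. please run:

    p2partisan.sh help
    "
                exit
            ;;
esac
done

pstart

exit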