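#!/bin/sh
#
# p2partisan v1.4 (14/10/2013)
#
# Generates three helper scripts from the "blacklists" and "whitelist" files:
#   iptables-add  - rules to install (executed at the end of this script)
#   iptables-del  - matching rules to remove
#   ipset-del     - commands to destroy the ipset sets that were created
# Every ipset named in those files is created/filled, then ./iptables-add runs.
#
#########################################################
# Adjust location where the files are kept.
# All paths below are relative, so refuse to continue if the directory is
# missing: otherwise the helper scripts would be written to (and executed
# from) whatever the current directory happens to be.
cd /cifs1/p2partisan || { echo "p2partisan: cannot cd to /cifs1/p2partisan" >&2; exit 1; }
#
# Edit the file "blacklists" to customise if needed
# Edit the "whitelist" to overwrite the blacklist if needed
#
# Maximum number of log entries the LOGGING chain records per hour
# (the rule below uses "--limit $maxloghour/hour").
maxloghour=120
# to troubleshoot blocked connection close all the secondary
# traffic e.g. p2p and try a connection to the blocked
# site/port you should find a reference in the logs.
#
# ports to be whitelisted, very important if you're running
# a service like SMTP/HTTP/IMAP/else. Separate value with
# commas - NOTE: 80,443 are always white listed
whiteports="993,25,21"
#
# Fastrouting will process the IP classes very quickly but use
# Lot of resources. If you disable the effect is transparent
# but the full process will take minutes rather than seconds
# 0=disabled 1=enabled
fastroutine=1
#########################################################

#######################################
# set_missing NAME
# Succeeds (exit 0) when no ipset called NAME exists.
# Swapping a set with itself is a no-op that only fails with
# "Unknown set" when the set does not exist.
#######################################
set_missing() {
  ipset --swap "$1" "$1" 2>&1 | grep 'Unknown set' >/dev/null
}

#######################################
# count_forward PATTERN
# Prints the number of FORWARD rules whose "iptables -L" listing
# contains PATTERN. Note: -L is used without -n on purpose, the
# port exemption check below relies on "www,https" being resolved.
#######################################
count_forward() {
  iptables -L FORWARD | grep -c -- "$1"
}

# Start from clean helper scripts; everything below appends to them.
[ -f iptables-add ] && rm iptables-add
[ -f iptables-del ] && rm iptables-del
[ -f ipset-del ] && rm ipset-del

echo "loading modules"
# Loading ipset modules
if ! lsmod | grep "ipt_set" >/dev/null 2>&1; then
  for module in ip_set ip_set_iptreemap ipt_set; do
    insmod "$module"
  done
fi

echo "loading ports 80,443,$whiteports exemption"
# Rule positions (2, 5, 13+n) are fixed offsets into FORWARD; keep the
# order in which lines are appended to iptables-add unchanged.
iptabweb=$(count_forward "ports www,https")
if [ "$iptabweb" -eq 0 ]; then
  printf '%s\n' \
    "iptables -I FORWARD 2 -p tcp --match multiport --sports 80,443,$whiteports -j ACCEPT" \
    "iptables -I FORWARD 2 -p tcp --match multiport --dports 80,443,$whiteports -j ACCEPT" >> iptables-add
elif [ "$iptabweb" -ne 2 ]; then
  # Unexpected number of exemption rules: queue a removal to dedupe.
  printf '%s\n' \
    "iptables -D FORWARD -p tcp --match multiport --sports 80,443,$whiteports -j ACCEPT" \
    "iptables -D FORWARD -p tcp --match multiport --dports 80,443,$whiteports -j ACCEPT" >> iptables-add
fi
printf '%s\n' \
  "iptables -D FORWARD -p tcp --match multiport --sports 80,443,$whiteports -j ACCEPT" \
  "iptables -D FORWARD -p tcp --match multiport --dports 80,443,$whiteports -j ACCEPT" >> iptables-del

echo "loading the whitelist"
# Load the whitelist: one address per line, '#' lines and blank lines skipped.
if set_missing whitelist; then
  ipset --create whitelist iptreemap
  if [ -f whitelist ]; then
    # read (default IFS) strips surrounding whitespace; the "|| [ -n ]"
    # keeps a last line that lacks a trailing newline.
    while read -r IP || [ -n "$IP" ]; do
      case "$IP" in
        ''|'#'*) continue ;;
      esac
      ipset -A whitelist "$IP"
    done < whitelist
  else
    echo "p2partisan: whitelist file not found, set left empty" >&2
  fi
fi
echo "ipset -X whitelist" >> ipset-del

iptabwhite=$(count_forward whitelist)
if [ "$iptabwhite" -eq 0 ]; then
  echo "Setting whitelist iptables"
  echo "iptables -I FORWARD 5 -m set --set whitelist src,dst -j ACCEPT" >> iptables-add
elif [ "$iptabwhite" -gt 1 ]; then
  echo "Re-setting whitelist iptables"
  echo "iptables -D FORWARD -m set --set whitelist src,dst -j ACCEPT" >> iptables-add
fi
echo "iptables -D FORWARD -m set --set whitelist src,dst -j ACCEPT" >> iptables-del

# set iptables to log blacklisted related drops
logging=$(iptables -L | grep -c "Chain LOGGING")
if [ "$logging" -eq 0 ]; then
  echo "iptables -N LOGGING " >> iptables-add
fi
# The quotes around the log prefix are escaped so they survive into
# iptables-add and the prefix keeps its trailing space when that file
# is executed (unescaped, this shell consumed them and dropped the space).
printf '%s\n' \
  "iptables -F LOGGING" \
  "iptables -A LOGGING -m limit --limit $maxloghour/hour -j LOG --log-prefix \"Blacklist-Dropped: \" --log-level 1" \
  "iptables -A LOGGING -j DROP" >> iptables-add

# Each blacklists line is "<name> <url>"; name is used both as the ipset
# name and as a file name, url is fetched as-is (no integrity check, so the
# list source is fully trusted to decide what gets dropped).
counter=0
if [ -f blacklists ]; then
  while read -r name url rest || [ -n "$name" ]; do
    case "$name" in
      ''|'#'*) continue ;;
      */*)
        echo "skipping blacklist '$name': name must not contain '/'" >&2
        continue ;;
    esac
    counter=$((counter + 1))
    echo "loading blacklist $counter - $name"

    if [ "$fastroutine" -eq 1 ]; then
      if set_missing "$name"; then
        if [ ! -e "$name.gz" ]; then
          # A failed download must not leave a partial .gz behind, or the
          # next run would silently reuse it.
          if ! wget -q -O "$name.gz" "$url"; then
            echo "download of $name from $url failed, skipping" >&2
            rm -f "$name.gz"
            continue
          fi
        fi
        {
          echo "-N $name iptreemap"
          gunzip -c "$name.gz" | sed -e "/^[\t ]*#.*\|^[\t ]*$/d;s/^.*:/-A $name /"
          echo COMMIT
        } | ipset -R
      fi
    else
      if set_missing "$name"; then
        if [ ! -e "$name.lst" ]; then
          wget -q -O - "$url" | gunzip | cut -d: -f2 | grep -E "^[-0-9.]+$" > "$name.lst"
          # Without pipefail the only failure signal is an empty result.
          if [ ! -s "$name.lst" ]; then
            echo "download of $name from $url produced no entries, skipping" >&2
            rm -f "$name.lst"
            continue
          fi
        fi
        ipset --create "$name" iptreemap
        while read -r IP; do
          ipset -A "$name" "$IP"
        done < "$name.lst"
      fi
    fi

    echo "ipset -X $name " >> ipset-del

    iptabin=$(count_forward "$name")
    pos=$((13 + counter))
    if [ "$iptabin" -eq 0 ]; then
      echo "Setting FORWARD iptables"
      echo "iptables -I FORWARD $pos -m set --set $name src,dst -j LOGGING" >> iptables-add
    elif [ "$iptabin" -gt 1 ]; then
      echo "Re-setting FORWARD iptables"
      echo "iptables -D FORWARD -m set --set $name src,dst -j LOGGING" >> iptables-add
    fi
    echo "iptables -D FORWARD -m set --set $name src,dst -j LOGGING" >> iptables-del
  done < blacklists
else
  echo "p2partisan: blacklists file not found, no blacklist loaded" >&2
fi

echo "iptables -F LOGGING " >> iptables-del
echo "iptables -X LOGGING " >> iptables-del
# The generated scripts are executed as root below; they must not be
# writable by anyone else (mode 777 would let any local user append
# commands that then run with root privileges).
chmod 755 ./iptables-* ./ipset-*
./iptables-add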