IPSET_Block.sh

#!/bin/sh
VER="v3.05"
#======================================================================================================= © 2016-2017 Martineau, v3.05
#
# Dynamically block unsolicited access attempts using IPSETs. Useful if you have opened ports >1024 as hopefully hackers will
#             start their attempts at the more common ports e.g. 22,23 etc. so will be banned BEFORE they reach your port!
#             NOTE: For ARM routers (IPSET v6.3) Blacklist entries are retained for 7 days unless arg HH:MM:SS is specified/hard-coded)
#
#     IPSET_Block   [help | -h] | [status [list]] [reset] [delete] [ban {'ip_addr'}] [unban {'ip_addr'}] [restore] [nolog]
#                               { init [reset] ['hh:mm:ss'] [method1] }
#
#     IPSET_Block
#                   Displays the number of currently banned I/Ps and the number of banned IPs added since the last status request:
#                       e.g. '  Summary Blacklist: 12882 IPs currently banned - 4 added since: Apr 16 15:27 (Entries auto-expire after 24:00:00)'
#     IPSET_Block   status list
#                   Display the contents of IPSETs Whitelist & Blacklist - beware there could be a lot!!!
#     IPSET_Block   reset
#                   Temporarily flush the IPSET Blacklist (It will be restored @BOOT or manually using the restore cmd)
#     IPSET_Block   restore
#                   Restore the IPSETs Whitelist & Blacklist from the current saved IPSETs.
#                   (If 'delete' was used then you need to clone the 'backup' file before attempting the restore!)
#     IPSET_Block   ban 12.34.56.7
#                   Adds 12.34.56.7 to IPSET Blacklist
#     IPSET_Block   unban 12.34.56.7
#                   Removes 12.34.56.7 from IPSET Blacklist
#     IPSET_Block   delete
#                   Permanently flush the IPSET Blacklist (It cannot be restored @BOOT or using the restore cmd)
#     IPSET_Block   init
#                   If 'IPSET_Block.config' exists it will be used to restore IPSETs Blacklist and Whitelist,
#                      otherwise the IPSETs are created empty - same as if 'init reset' was specified to override the auto-restore
#     IPSET_Block   init reset 12:34:56 nolog
#                   Empty IPSETs will be created with any added Blacklist entries auto-expiring after 12 hrs 34 mins and 56 secs!
#                         (default expiry time is 168:00:00 = 7 Days)
#                          NOTE: No 'Block =' messages will be generated.
#
# /jffs/scripts/init-start
#      /usr/sbin/cru a IPSET_SAVE   "0 * * * * /jffs/scripts/IPSET_Block.sh save"    #Every hour
#      /usr/sbin/cru a IPSET_BACKUP "0 5 * * * /jffs/scripts/IPSET_Block.sh backup"  #05:00 every day
#
# /jffs/scripts/firewall-start
#      /jffs/scripts/IPSET_Block.sh init nolog
#
# NOTE: Whitelist will be automatically populated with local LAN subnet, but VLANs will need to be added manually e.g. 10.0.0.0/8 etc.
#
# Very good examples of using IPSETs for blocking dynamically! https://forums.gentoo.org/viewtopic-t-863121.html

# Print between line beginning with '#==' to first blank line inclusive
ShowHelp() {
    awk '/^#==/{f=1} f{print; if (!NF) exit}' $0
}

Delete_IPSETs () {
    iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src 2> /dev/null > /dev/null

    iptables -D INPUT -m set $IPT_MATCHSET Blacklist $BLK_DIMENSIONS -j DROP 2> /dev/null
    iptables -D INPUT -m set $IPT_MATCHSET Whitelist $WHT_DIMENSIONS -j ACCEPT 2> /dev/null

    iptables -D INPUT -i $(nvram get wan0_ifname) -m state --state INVALID -j Blacklist  2> /dev/null       # WAN only
    iptables -D INPUT                             -m state --state INVALID -j Blacklist  2> /dev/null       # ALL Interfaces
    iptables -D INPUT -j Blacklist 2> /dev/null

    iptables -F Blacklist

    iptables -D INPUT   -m set $IPT_MATCHSET Whitelist src             -j logaccept 2> /dev/null
    iptables -D INPUT   -m set $IPT_MATCHSET Whitelist src             -j ACCEPT    2> /dev/null

    iptables -D FORWARD -m set $IPT_MATCHSET Whitelist src             -j logaccept 2> /dev/null
    iptables -D FORWARD -m set $IPT_MATCHSET Whitelist src             -j ACCEPT    2> /dev/null


    iptables -D FORWARD -m set $IPT_MATCHSET Blacklist src            -j DROP      2> /dev/null

    ipset -q $FLUSH Blacklist
    ipset -q $FLUSH Whitelist
    ipset -q $FLUSH WhitelistSRCPort
    ipset    $DESTROY Blacklist 2> /dev/null
    ipset    $DESTROY Whitelist 2> /dev/null
    rm $bannedips  2> /dev/null # Reset counter '0'
}
Convert_HHMMSS_to_SECS () {
    echo $(echo $1 | awk -F':' '{print $1 * 60 * 60 + $2 * 60 + $3}')
}
Convert_SECS_to_HHMMSS() {
    HH=$((${1}/3600))
    MM=$((${1}%3600/60))
    SS=$((${1}%60))
    echo $(printf "%02d:%02d:%02d\n" $HH $MM $SS)
}
Chain_exists() {
    # Args: {Chain_name} [table_name]
    local chain_name="$1" ; shift
    [ $# -eq 1 ] && local table="-t $1"
    iptables $table -n --list $chain_name >/dev/null 2>&1
    local RC=$?
    if [ $RC -eq 1 ];then
        echo "N"
        return 1
    else
        echo "Y"
        return 0
    fi
}

MYROUTER=$(nvram get computer_name)

################################################Customise for local use #############################################
if [ -d  "/tmp/mnt/"$MYROUTER ];then
    DIR="/tmp/mnt/"$MYROUTER                # <== USB Location of IPSET save/restore configuration
else
    DIR="/tmp"                              #         NOTE: /TMP isn't permanent! ;-) but allows testing of save/restore
fi

HHMMSS="168:00:00"                          # <== Specify retention period to keep Blacklist entries or passed via 'init reset' hh:mm:ss' invocation
                                            #           e.g. 168 hrs = 7 days
#####################################################################################################################

bannedips=$DIR"/IPSET_Blacklist_Count"      # Allows display of count of new blocked IPs after every implied/ explicit status request

# 380.63+ for ARM routers, IPSET v6  is available...Load appropriate IPSET modules
case $(ipset -v | grep -o "v[4,6]") in
  v6) MATCH_SET='--match-set'; LIST='list'; CREATE='create'; SAVE='save'; RESTORE='restore'; FLUSH='flush'; DESTROY='destroy'; ADD='add'; SWAP='swap'; IPHASH='hash:ip'; NETHASH='hash:net'; SETNOTFOUND='name does not exist'; TIMEOUT='timeout'
      lsmod | grep -q "xt_set" || for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
      do modprobe $module; done;;
  v4) MATCH_SET='--set'; LIST='--list'; CREATE='--create'; SAVE='--save'; RESTORE='--restore'; FLUSH='--flush'; DESTROY='--destroy'; ADD='--add'; SWAP='--swap'; IPHASH='iphash'; NETHASH='nethash'; SETNOTFOUND='Unknown set'; TIMEOUT=; RETAIN_SECS=
      lsmod | grep -q "ipt_set" || for module in ip_set ip_set_nethash ip_set_iphash ipt_set
      do modprobe $module; done;;
  *) logger -st "($(basename $0))" $$ "**ERROR** Unknown ipset version: $(ipset -v). Exiting." && (echo -e "\a";exit 99);;
esac

# Same for IPTABLES :-(
IPT_MATCHSET='--match-set'
if [ -z "$(iptables -V | grep "v1.4")" ];then               # RT-N66U MIPS v1.3.8 ?...but does the Kernel support '-j SET --add-set' ??
    IPT_MATCHSET='--set'
fi

# Need assistance!???
if [ "$1" == "help" ] || [ "$1" == "-h" ]; then
    ShowHelp
    exit 0
fi

logger -st "($(basename $0))" $$ $VER "© 2016-2017 Martineau, Dynamic IPSET Blacklist banning request....."

# Check if logging messages are to be enabled/disabled (Allow it to be processed at any time rather than in the 'init' clause)
NOLOG=0                                                             # Create Syslog "Block =" messages
if [ "$1" != "init" ] && [ $(Chain_exists "Blacklist")  == "Y" ] && \
                          [ $(iptables --line -L Blacklist | grep -c "state NEW LOG") -eq 0 ];then
    NOLOG=1                                                         # Already suppressed, so leave it supressed until next reboot or 'init reset' issued
else
    if [ "$(echo $@ | grep -c 'nolog')" -gt 0 ];then
        NOLOG=1                                                     # Suppress "Block =" messages from Syslog
    fi
fi


# What is the action required?
ACTION=$1


# If the first arg is an I/P address or subnet then assume it is to be blocked.
# TBA


# status / ban / unban / reset / delete / save / ban / whitelist / backup / init

case $ACTION in
    status)
        echo -en "\n"
        ipset -L Blacklist | head -n 7                                  # Sadly 'ipset -t Blacklist' to list only the IPSET header doesn't work on Asus
        if [ "$2" == "list" ];then                                      # Verbose if 'status list'
            ipset -L Blacklist                              | \
                grep -E "^[0-9]"                            | \
                sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4    | \
                awk ' {printf "%15s\t", $1;}'
            echo -en "\n\n"
            ipset -L Whitelist
        fi
        ;;
    ban)
        if [ -z $2 ];then
            echo "Input IP Address"
            read bannedip
        else
            bannedip=$2
        fi
        logger -st "($(basename $0))" $$  "Banning" $bannedip "- added to Blacklist....."
        ipset -q $ADD Blacklist $bannedip
        echo "$bannedip Is Now Banned"
        ;;
    unban)
        if [ -z $2 ]; then
            echo "Input IP Address To Unban"
            read unbannedip
        else
            unbannedip=$2
        fi
        logger -st "($(basename $0))" $$  "Unbanning and removing" $unbannedip "from Blacklist......"
        ipset $DELETE Blacklist $unbannedip
        echo "`sed /$unbannedip/d $DIR/IPSET_Block.config`" > $DIR/IPSET_Block.config
        echo $unbannedip "Is Now Unbanned"

        ;;
    reset)
        logger -st "($(basename $0))" $$  "Temporarily Allowing ALL ("$(cat $bannedips)") I/P's in Blacklist IPSET"
        NOW=$(date +"%Y%m%d-%H%M%S")    # current date and time
        mv  $DIR/IPSET_Block.config $DIR/IPSET_Block.config-$NOW            # Create restore backup
        ipset $FLUSH Blacklist
        ipset $SAVE Blacklist >  $DIR/IPSET_Block.config
        ipset $SAVE Whitelist >> $DIR/IPSET_Block.config
        rm $bannedips 2> /dev/null                      # Reset counter '0'
        ;;
    delete)
        #expr `ipset -L Blacklist | grep -v -E "^[NTRHSM]" | wc -l` > $bannedips
        logger -st "($(basename $0))" $$  "Permanently deleting ALL ("$(cat $bannedips)") I/Ps from Blacklist."
        ipset $FLUSH Blacklist
        ipset $SAVE Blacklist >  $DIR/IPSET_Block.config
        ipset $SAVE Whitelist >> $DIR/IPSET_Block.config
        rm $bannedips 2> /dev/null                      # Reset counter '0'
        ;;
    save)
        logger -st "($(basename $0))" $$  "Saving IPSET Block rules to "$DIR"/IPSET_Block.config....."
        # Only save the IPSETs associated with this script
        ipset $SAVE Blacklist >  $DIR/IPSET_Block.config
        ipset $SAVE Whitelist >> $DIR/IPSET_Block.config
        ;;
    restore)
        logger -st "($(basename $0))" $$  "Restoring IPSET Block rules Whitelist & Blacklist from "$DIR"/IPSET_Block.config....."
        #/jffs/scripts/$(basename $0) "init" &
        # Rather than destroy the IPSETs, keep them live, and simply swap the restore!!
        if [ ! -z "$(ipset $LIST -n | uniq | grep -oE "^Blacklist")" ];then
            # Need to enforce the restore to temporary '_Blacklist' & '_Whitelist' IPSETs
            cp $DIR/IPSET_Block.config $DIR/IPSET_Block.config.preEDIT                  # Save the config
            sed -i 's/Blacklist/_Blacklist/g' $DIR/IPSET_Block.config                   # Change the IPSET names in the saved config
            sed -i 's/Whitelist/_Whitelist/g' $DIR/IPSET_Block.config
            ipset $DESTROY _Blacklist 2> /dev/null;ipset -X _Whitelist 2> /dev/null         # Make sure the temporary swap IPSETs don't exist
            ipset $RESTORE -f  $DIR/IPSET_Block.config                                  # Do the restore.....
            if [ $? -eq 0 ];then
                ipset $SWAP _Blacklist Blacklist;ipset swap _Whitelist Whitelist            # Perform the swap
                ipset $DESTROY _Blacklist 2> /dev/null;ipset -X _Whitelist 2> /dev/null     # Delete the temporary IPSETs
            else
                echo -e "\aWhoops!!!"
                exit 99
            fi
            rm $DIR/IPSET_Block.config                                                  # Delete the edited temporary config
            mv $DIR/IPSET_Block.config.preEDIT $DIR/IPSET_Block.config                  #    and recover the original config
        else
            ipset $RESTORE < $DIR/IPSET_Block.config
        fi
        ;;
    whitelist)
        echo "Input file location"                      # see /jffs/configs/IPSET_Whitelist
        read WHITELISTFILE
        for IP in `cat $WHITELISTFILE`
            do
                ipset -q $ADD Whitelist $IP
                echo $IP
            done

        ipset $SAVE Whitelist >  $DIR/IPSET_Block.config
        ipset $SAVE Blacklist >> $DIR/IPSET_Block.config
        ;;
    backup)
        logger -st "($(basename $0))" $$  "Creating IPSET rule backup to '"$DIR"/IPSET_Block.configbak'....."
        cp -f $DIR/IPSET_Block.config $DIR/IPSET_Block.configbak
        ;;
    init)
        # Usually called from firewall-start, but may be invoked manually at any time from command prompt

        # Optionally track which port is being targeted by the hacker
        BLACKLIST_TYPE=$IPHASH
        BLK_DIMENSIONS="src"                                # 1-dimension IPSET src='201.210.196.178'
        if [ "$(echo $@ | grep -c 'port')" -gt 0 ];then                 # Port tracking requested?
            BLACKLIST_TYPE='hash:ip,port'
        fi

        WHITELIST_TYPE=$NETHASH
        WHT_DIMENSIONS="src"

        # Check if original 'logdrop' chain is to be implemented. i.e. 1-logdrop; 0-Blacklist chain method
        USE_LOGDROP=0                                                   # Use new Martineau non-logdrop custom Blacklist chain method
        if [ "$(echo $@ | grep -c 'method1')" -gt 0 ];then              # Command arg override?
            USE_LOGDROP=1                                               # Use original 'logdrop' chain method
        fi

        # Calculate Blacklist retention period in seconds (if specified)
        if [ "$1" == "init" ] && [ "$2" == "reset" ] && \
                                  [ ! -z $3 ] && [ "$3" != "port" ] && [ "$3" != "nolog" ];then # Allow 'init reset HH:MM:SS' to specify retain period
            HHMMSS=$3
        fi


        RETAIN_SECS=
        if [ ! -z $TIMEOUT ];then
            RETAIN_SECS=$(Convert_HHMMSS_to_SECS "$HHMMSS")
        fi

        if [ $USE_LOGDROP -eq 1 ];then              # Original 'logdrop' chain method?
            if [ "$(nvram get fw_log_x)" == "drop" ] || [ "$(nvram get fw_log_x)" == "both" ];then
                #logger -st "($(basename $0))" $$ "***DEBUG Correct use of 'logdrop' CHAIN Setting Detected"
                DUMMY=
            else

                logger -st "($(basename $0))" $$  "Setting 'Firewall logging=DROP' - will use 'logdrop' chain....."
                nvram set fw_log_x=drop
                nvram commit
            fi
        else
            #logger -st "($(basename $0))" $$  "***DEBUG Skipping Setting 'Firewall logging=DROP' - will use 'Blacklist' chain"
            DUMMY=
        fi

        if [ "$(nvram get fw_enable_x)" == "1" ]
        then
            #logger -st "($(basename $0))" $$ "***DEBUG Correct 'Firewall=ENABLED' setting Detected."
            DUMMY=
        else
            logger -st "($(basename $0))" $$ "Setting 'Firewall=ENABLED'....."
            nvram set fw_enable_x=1
            nvram commit
        fi

        # Delete the Blacklist/Whitelist IPSETs to be deleted/restored (rather than swap!)
        Delete_IPSETs

        if [ "$2" != "reset" ] && [ -s "${DIR}/IPSET_Block.config" ];then
            logger -st "($(basename $0))" $$  "IPSET restore from '"$DIR"/IPSET_Block.config' starting....."
            ipset $RESTORE  < $DIR/IPSET_Block.config
        else
            ipset $CREATE Whitelist $WHITELIST_TYPE
            ipset $CREATE Blacklist $BLACKLIST_TYPE $TIMEOUT $RETAIN_SECS       # Entries are valid for say 86400 secs i.e. 24 hrs (IPSET v6.x only)
            logger -st "($(basename $0))" $$  "IPSETs: 'Blacklist/Whitelist' created EMPTY....." [$1 $2]
        fi

        XRETAIN_SECS=$(ipset $LIST Blacklist | head -n 4 | grep -E "^Header" | grep -oE "timeout.*" | cut -d" " -f2)
        if [ ! -z XRETAIN_SECS ];then
            RETAIN_SECS=XRETAIN_SECS                        # Report the actual timeout value in the restore file
        fi

        RULENO=$(iptables -nvL INPUT --line | grep "lo " | awk '{print $1}')
        RULENO=$(($RULENO+1))

        iptables -D INPUT -m set $IPT_MATCHSET Blacklist src -j DROP 2> /dev/null
        iptables -D INPUT -m set $IPT_MATCHSET Whitelist src -j ACCEPT 2> /dev/null
        iptables -I INPUT $RULENO -m set $IPT_MATCHSET Blacklist src -j DROP
        iptables -I INPUT $RULENO -m set $IPT_MATCHSET Whitelist src -j ACCEPT
        if [ "$?" -gt 0 ];then
           RC=$?
           logger -st "($(basename $0))" $$  "**ERROR** Unable to add - INPUT $MATCH_SET Whitelist RC="$RC
           echo -e "\a`iptables -nvL INPUT --line >> /tmp/syslog.log`"
        fi

        # Use original 'logdrop' chain or custom 'Blacklist' chain etc.
        if [ $USE_LOGDROP -eq 1 ];then                                                      # Use 'logdrop' chain
            iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src 2> /dev/null
            iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src
        else                                                                                    # Use 'Blacklist' chain
            # Delete previous Blacklist rules
            iptables -D INPUT -i $(nvram get wan0_ifname) -m state --state INVALID -j Blacklist 2> /dev/null        #WAN only
            iptables -D INPUT                                -m state --state INVALID -j Blacklist 2> /dev/null
            iptables -D INPUT -j Blacklist 2> /dev/null
            iptables -D FORWARD -m set $IPT_MATCHSET Blacklist src -j DROP 2> /dev/null
            iptables -D FORWARD ! -i br0 -o $(nvram get wan0_ifname) -j Blacklist 2> /dev/null
            iptables -D FORWARD   -i $(nvram get wan0_ifname) -m state --state INVALID -j Blacklist  2> /dev/null

            # Use a custom CHAIN 'Blacklist' rather than 'logdrop'
            iptables -F Blacklist
            iptables -X Blacklist
            iptables -N Blacklist
            iptables -I Blacklist -m state --state NEW -j SET --add-set Blacklist src
            if [ "$NOLOG" == "0" ];then                 # Suppress 'Block =' messages from syslog? 0-Create;1-Suppress
                iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
            fi
            # Let other following rule issue the actual DROP or not!!!???
            #iptables -A Blacklist -j DROP

            RULELIST=

            RULENO=$( iptables --line -nvL INPUT | grep "state RELATED,ESTABLISHED" | cut -d" " -f1)
            RULENO=$(($RULENO+1))

            # WAN only or ALL interfaces BRx / tun1x etc. ?
            #if [ $WAN_ONLY ];then
                #iptables -I INPUT $RULENO -i $(nvram get wan0_ifname) -m state --state INVALID -j Blacklist        # WAN only
            #else
                iptables -I INPUT $RULENO                             -m state --state INVALID -j Blacklist         # ALL interfaces
            #fi

            RULELIST=$RULELIST""$RULENO" "

            RULENO=$(iptables --line -nvL INPUT | grep -cE "^[1-9]")            # Count of existing rules in INPUT chain
            iptables -I INPUT $RULENO -j Blacklist                              # Penultimate in the INPUT chain

            RULELIST=$RULELIST""$RULENO" "

            #logger -st "($(basename $0))" $$ "***DEBUG Blacklist rules @"$RULELIST"inserted into INPUT chain"

            RULELIST=

            RULENO=$( iptables --line -nvL FORWARD | grep "DROP       all  --  !br0   eth0" | cut -d" " -f1)
            iptables -I FORWARD $RULENO ! -i br0 -o $(nvram get wan0_ifname) -j Blacklist
            iptables -I FORWARD $RULENO -m set $IPT_MATCHSET Blacklist src -j DROP

            RULELIST=$RULELIST""$RULENO" "

            RULENO=$(iptables --line -nvL FORWARD | grep "DROP       all  --  eth0   *" | cut -d" " -f1)
            iptables -I FORWARD $RULENO -i $(nvram get wan0_ifname) -m state --state INVALID -j Blacklist

            RULELIST=$RULELIST""$RULENO" "

            #logger -st "($(basename $0))" $$ "***DEBUG Blacklist rules @"$RULELIST"inserted into FORWARD chain"

        fi

        # Add LAN subnet to Whitelist IPSET ?
        ipset -q $ADD Whitelist `nvram get lan_ipaddr`/24

        # Remember to manually include all VLANs e.g. 10.0.0.0/8 see /jffs/configs/IPSET_Whitelist


        logger -st "($(basename $0))" $$  "Dynamic IPSET Blacklist banning enabled."

        #if [ -f /jffs/scripts/HackerPorts.sh ]; then
            #logger -st "($(basename $0))" $$ "Hacker Port Activity report scheduled every 06:05 daily"
            #/usr/sbin/cru a HackerReport "5 6 * * * /jffs/scripts/HackerPorts.sh"
        #fi

esac

# Allow dynamic Disable of Syslog messages
if [ "$NOLOG" == "0" ];then                 # Suppress 'Block =' messages from syslog? 0-Create;1-Suppress
    if [ "$1" != "init" -a -z "$(iptables --line -L Blacklist | grep "state NEW LOG")" ];then       # Enable if it doesn't exist
        iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
        echo -e "\a\tSyslog 'Block =' messages enabled\n"
    fi
else                                                                            # Suppress if it exists
    if [ ! -z "$(iptables --line -L Blacklist | grep "state NEW LOG")" ];then
        iptables -D Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
        echo -e "\a\n\tSyslog 'Block =' messages suppressed"
    fi
fi

# Summary

if [ ! -s "$bannedips" ]; then
   OLDAMOUNT=0
   LAST_MOD=
else
   LAST_MOD=$(ls -l $bannedips | grep -oE "root.*/tmp" | sed 's/root//' | sed 's/\/tmp//' | sed -e 's/^[ \t]*//' | cut -d' ' -f2-)
   OLDAMOUNT=$(cat "$bannedips")
fi

if [ $(ipset -L Blacklist | grep -E "^[0-9]" | wc -l) -gt 0 ]; then
    ipset -L Blacklist | grep -E "^[0-9]" | wc -l > $bannedips
    NEWAMOUNT=$(cat $bannedips)
else
    NEWAMOUNT=0
fi
DELTA=$(($NEWAMOUNT-$OLDAMOUNT))
if [ $DELTA -lt 0 ];then
    DELTA=$(echo "$DELTA" | sed 's/-//')
    UP_DOWN="expired"
else
    UP_DOWN="added"
fi
INTERVAL=
if [ ! -z "$LAST_MOD" ];then
    INTERVAL="since: "$LAST_MOD
fi

HITS=$(iptables --line -nvL INPUT | grep -E "set.*Blacklist" | awk '{print $2}')
if [ -z $HITS ];then
    HITS=0
fi

TEXT="\033[00mSummary Blacklist: \e[42m$HITS Successful blocks!\033[00m ( \e[41m$OLDAMOUNT IPs currently banned - $DELTA $UP_DOWN\033[00m $INTERVAL)\033[00m"
TEXT2="Summary Blacklist: $HITS Successful blocks! ( $OLDAMOUNT IPs currently banned - $DELTA $UP_DOWN $INTERVAL)"

XRETAIN_SECS=$(ipset $LIST Blacklist | head -n 4 | grep -E "^Header" | grep -oE "timeout.*" | cut -d" " -f2)
if [ ! -z "$XRETAIN_SECS" ];then
    TEXT=$TEXT", Entries auto-expire after "$(Convert_SECS_to_HHMMSS $XRETAIN_SECS)" hrs"
fi

echo -e "\n\t"$TEXT"\n"
logger -t "($(basename $0))" $$ $TEXT2

if [ -f /jffs/scripts/HackerPorts.sh ]; then
    /jffs/scripts/HackerPorts.sh num=3                      # Requires HackerPorts v2.xx
fi

exit 0