IPSET_Block.sh

  1. #!/bin/sh
  2. VER="v3.05"
  3. #======================================================================================================= © 2016-2017 Martineau, v3.05
  4. #
  5. # Dynamically block unsolicited access attempts using IPSETs. Useful if you have opened ports >1024 as hopefully hackers will
  6. #             start their attempts at the more common ports e.g. 22,23 etc. so will be banned BEFORE they reach your port!
#             NOTE: For ARM routers (IPSET v6.3) Blacklist entries are retained for 7 days unless an 'hh:mm:ss' retention period is passed to 'init reset' (or the HHMMSS default in the script is changed)
  8. #
  9. #     IPSET_Block   [help | -h] | [status [list]] [reset] [delete] [ban {'ip_addr'}] [unban {'ip_addr'}] [restore] [nolog]
  10. #                               { init [reset] ['hh:mm:ss'] [method1] }
  11. #
  12. #     IPSET_Block  
  13. #                   Displays the number of currently banned I/Ps and the number of banned IPs added since the last status request:
  14. #                       e.g. '  Summary Blacklist: 12882 IPs currently banned - 4 added since: Apr 16 15:27 (Entries auto-expire after 24:00:00)'
  15. #     IPSET_Block   status list
  16. #                   Display the contents of IPSETs Whitelist & Blacklist - beware there could be a lot!!!
  17. #     IPSET_Block   reset
  18. #                   Temporarily flush the IPSET Blacklist (It will be restored @BOOT or manually using the restore cmd)
  19. #     IPSET_Block   restore
  20. #                   Restore the IPSETs Whitelist & Blacklist from the current saved IPSETs.
  21. #                   (If 'delete' was used then you need to clone the 'backup' file before attempting the restore!)
  22. #     IPSET_Block   ban 12.34.56.7
  23. #                   Adds 12.34.56.7 to IPSET Blacklist
  24. #     IPSET_Block   unban 12.34.56.7
  25. #                   Removes 12.34.56.7 from IPSET Blacklist
  26. #     IPSET_Block   delete
  27. #                   Permanently flush the IPSET Blacklist (It cannot be restored @BOOT or using the restore cmd)
  28. #     IPSET_Block   init
  29. #                   If 'IPSET_Block.config' exists it will be used to restore IPSETs Blacklist and Whitelist,
  30. #                      otherwise the IPSETs are created empty - same as if 'init reset' was specified to override the auto-restore
  31. #     IPSET_Block   init reset 12:34:56 nolog
  32. #                   Empty IPSETs will be created with any added Blacklist entries auto-expiring after 12 hrs 34 mins and 56 secs!
  33. #                         (default expiry time is 168:00:00 = 7 Days)
  34. #                          NOTE: No 'Block =' messages will be generated.
  35. #
  36. # /jffs/scripts/init-start
  37. #      /usr/sbin/cru a IPSET_SAVE   "0 * * * * /jffs/scripts/IPSET_Block.sh save"    #Every hour
  38. #      /usr/sbin/cru a IPSET_BACKUP "0 5 * * * /jffs/scripts/IPSET_Block.sh backup"  #05:00 every day
  39. #
  40. # /jffs/scripts/firewall-start
  41. #      /jffs/scripts/IPSET_Block.sh init nolog
  42. #
  43. # NOTE: Whitelist will be automatically populated with local LAN subnet, but VLANs will need to be added manually e.g. 10.0.0.0/8 etc.
  44. #
  45. # Very good examples of using IPSETs for blocking dynamically! https://forums.gentoo.org/viewtopic-t-863121.html
  46.  
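# Print the usage text: every line from the first one beginning with '#==' (the header block
# above) up to and including the first blank line.
ShowHelp() {
    # "$0" is quoted so that a script path containing spaces is still passed to awk as ONE file
    # (unquoted it word-splits and awk fails to open the pieces, printing no help at all).
    awk '/^#==/{f=1} f{print; if (!NF) exit}' "$0"
}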
  51.  
# Tear down everything this script previously installed so 'init' can rebuild from scratch:
# the rules that reference the Blacklist/Whitelist sets (both the current layout and the
# rule variants used by earlier versions, hence the '-j logaccept' / '-j ACCEPT' pairs), the
# Blacklist chain contents, and finally the sets themselves. Every '-D' is best-effort
# (stderr dropped) because most of the variants will not exist on any given router.
# Relies on the caller having set IPT_MATCHSET, FLUSH, DESTROY, bannedips and the
# BLK_DIMENSIONS / WHT_DIMENSIONS globals - in this script it is only called from 'init',
# after those are assigned.
# NOTE(review): the FORWARD rules that jump to the Blacklist *chain* are not removed here;
#               the 'init' clause deletes those itself before re-creating the chain.
Delete_IPSETs () {
    iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src 2> /dev/null > /dev/null

    iptables -D INPUT -m set $IPT_MATCHSET Blacklist $BLK_DIMENSIONS -j DROP 2> /dev/null
    iptables -D INPUT -m set $IPT_MATCHSET Whitelist $WHT_DIMENSIONS -j ACCEPT 2> /dev/null

    iptables -D INPUT -i $(nvram get wan0_ifname) -m state --state INVALID -j Blacklist  2> /dev/null       # WAN only
    iptables -D INPUT                             -m state --state INVALID -j Blacklist  2> /dev/null       # ALL Interfaces
    iptables -D INPUT -j Blacklist 2> /dev/null

    # Flush (not delete) the chain; 'init' does the '-X'/'-N' itself. Errors are not suppressed here.
    iptables -F Blacklist

    iptables -D INPUT   -m set $IPT_MATCHSET Whitelist src             -j logaccept 2> /dev/null
    iptables -D INPUT   -m set $IPT_MATCHSET Whitelist src             -j ACCEPT    2> /dev/null

    iptables -D FORWARD -m set $IPT_MATCHSET Whitelist src             -j logaccept 2> /dev/null
    iptables -D FORWARD -m set $IPT_MATCHSET Whitelist src             -j ACCEPT    2> /dev/null


    iptables -D FORWARD -m set $IPT_MATCHSET Blacklist src            -j DROP      2> /dev/null

    # The sets can only be destroyed once no rule references them (hence the deletes above).
    # 'WhitelistSRCPort' is not created anywhere in this version; presumably a leftover.
    ipset -q $FLUSH Blacklist
    ipset -q $FLUSH Whitelist
    ipset -q $FLUSH WhitelistSRCPort
    ipset    $DESTROY Blacklist 2> /dev/null
    ipset    $DESTROY Whitelist 2> /dev/null
    rm $bannedips  2> /dev/null # Reset counter '0'
}
# Convert an 'HH:MM:SS' string (hours may exceed 24, e.g. 168:00:00 for a week) into a total
# number of seconds, printed on stdout. awk treats a missing or non-numeric field as 0, so a
# malformed value silently degrades to a smaller number (possibly 0) rather than an error -
# the caller is expected to validate the format before using the result as an ipset timeout.
Convert_HHMMSS_to_SECS () {
    printf '%s\n' "$1" | awk -F ':' '{ print ($1 * 60 * 60) + ($2 * 60) + $3 }'
}
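# Format a number of seconds as 'HH:MM:SS'. Hours are not wrapped at 24, so 604800 -> 168:00:00.
# Changes from the original: the working variables are now local (the original leaked HH/MM/SS
# into the caller's scope), a blank argument is treated as 0 instead of raising a shell
# arithmetic error, and the redundant 'echo $(printf ...)' wrapper is gone.
Convert_SECS_to_HHMMSS() {
    local total hours mins secs
    total=${1:-0}
    hours=$((total / 3600))
    mins=$((total % 3600 / 60))
    secs=$((total % 60))
    printf '%02d:%02d:%02d\n' "$hours" "$mins" "$secs"
}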
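# Report whether an iptables chain exists.
# Args: {Chain_name} [table_name]   (table defaults to iptables' own default, 'filter')
# Prints "Y" and returns 0 when 'iptables --list' succeeds for the chain; otherwise prints "N"
# and returns 1.
# Change from the original: ANY iptables failure now counts as "does not exist". The original
# only treated exit status 1 ("No chain/target/match by that name") that way and answered "Y"
# for every other failure (e.g. iptables unusable or missing module), which made the caller
# believe the Blacklist chain was present when iptables could not even be queried.
Chain_exists() {
    local chain_name="$1" ; shift
    local table_opt=
    [ $# -eq 1 ] && table_opt="-t $1"
    # $table_opt is deliberately unquoted so "-t filter" expands to two arguments (or to nothing).
    if iptables $table_opt -n --list "$chain_name" >/dev/null 2>&1; then
        echo "Y"
        return 0
    fi
    echo "N"
    return 1
}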
  103.  
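MYROUTER=$(nvram get computer_name)

################################################Customise for local use #############################################
# Where the save/restore config (and the ban counter) live. A USB stick mounted as
# /tmp/mnt/<router name> survives a reboot; /tmp does not, but lets save/restore be tested.
# NOTE(review): with an empty 'computer_name' this tests "/tmp/mnt/" itself, which normally
#               exists, so the config would silently land on tmpfs and be lost at reboot.
if [ -d "/tmp/mnt/$MYROUTER" ];then
    DIR="/tmp/mnt/$MYROUTER"                # <== USB Location of IPSET save/restore configuration
else
    DIR="/tmp"                              #         NOTE: /TMP isn't permanent! ;-) but allows testing of save/restore
fi

HHMMSS="168:00:00"                          # <== Specify retention period to keep Blacklist entries or passed via 'init reset' hh:mm:ss' invocation
                                            #           e.g. 168 hrs = 7 days
#####################################################################################################################

bannedips="$DIR/IPSET_Blacklist_Count"      # Allows display of count of new blocked IPs after every implied/ explicit status request

# 380.63+ for ARM routers, IPSET v6  is available...Load appropriate IPSET modules
# The two ipset generations spell their verbs differently (v6 'create', v4 '--create', ...);
# every later ipset call in this script goes through these variables. Only v6 has 'timeout'.
case "$(ipset -v | grep -o "v[4,6]")" in
  v6) MATCH_SET='--match-set'; LIST='list'; CREATE='create'; SAVE='save'; RESTORE='restore'; FLUSH='flush'; DESTROY='destroy'; ADD='add'; SWAP='swap'; IPHASH='hash:ip'; NETHASH='hash:net'; SETNOTFOUND='name does not exist'; TIMEOUT='timeout'
      lsmod | grep -q "xt_set" || for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set
      do modprobe "$module"; done;;
  v4) MATCH_SET='--set'; LIST='--list'; CREATE='--create'; SAVE='--save'; RESTORE='--restore'; FLUSH='--flush'; DESTROY='--destroy'; ADD='--add'; SWAP='--swap'; IPHASH='iphash'; NETHASH='nethash'; SETNOTFOUND='Unknown set'; TIMEOUT=; RETAIN_SECS=
      lsmod | grep -q "ipt_set" || for module in ip_set ip_set_nethash ip_set_iphash ipt_set
      do modprobe "$module"; done;;
  *)  # Unknown or missing ipset: nothing below can work, so stop here. (The original wrapped
      # 'exit 99' in a "( ... )" subshell, so only the subshell exited and the script carried
      # on with every ipset verb unset.)
      logger -st "($(basename "$0"))" $$ "**ERROR** Unknown ipset version: $(ipset -v). Exiting."
      echo -e "\a"
      exit 99;;
esac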
  129.  
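# Same for IPTABLES :-(
# Pick the spelling of the 'set' match option for this iptables build. '--match-set' is the
# documented form from iptables 1.4.4 onwards (and still is in 1.6/1.8); only the 1.3.x build
# found on the older MIPS routers (RT-N66U, v1.3.8) needs the legacy '--set'.
# The original tested for "v1.4" and fell back to '--set' for *anything* else, so a newer
# iptables would have been handed the legacy option.
Detect_IPT_MatchSet() {
    case "$(iptables -V 2>/dev/null)" in
        *v1.3.*) echo '--set' ;;        # RT-N66U MIPS v1.3.8 ?...but does the Kernel support '-j SET --add-set' ??
        *)       echo '--match-set' ;;
    esac
}
IPT_MATCHSET=$(Detect_IPT_MatchSet)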
  135.  
# Need assistance!???
# 'help' / '-h' prints the usage header and exits before anything is logged or touched.
case "$1" in
    help|-h) ShowHelp
             exit 0 ;;
esac
  141.  
logger -st "($(basename $0))" $$ $VER "© 2016-2017 Martineau, Dynamic IPSET Blacklist banning request....."

# Check if logging messages are to be enabled/disabled (Allow it to be processed at any time rather than in the 'init' clause)
# NOLOG decides whether the Blacklist chain carries a "Block " LOG rule (added in the 'init'
# clause and toggled by the block after the main 'case'):
#   - for any action other than 'init', an existing Blacklist chain WITHOUT a "state NEW LOG"
#     rule means logging was already suppressed, and that choice is kept (NOLOG=1);
#   - otherwise the word 'nolog' anywhere in the arguments suppresses the messages.
# The grep is a substring test over all arguments joined by spaces, not an exact-argument match.
NOLOG=0                                                             # Create Syslog "Block =" messages
if [ "$1" != "init" ] && [ $(Chain_exists "Blacklist")  == "Y" ] && \
                          [ $(iptables --line -L Blacklist | grep -c "state NEW LOG") -eq 0 ];then
    NOLOG=1                                                         # Already suppressed, so leave it supressed until next reboot or 'init reset' issued
else
    if [ "$(echo $@ | grep -c 'nolog')" -gt 0 ];then
        NOLOG=1                                                     # Suppress "Block =" messages from Syslog
    fi
fi
  154.  
  155.  
  156. # What is the action required?
  157. ACTION=$1
  158.  
  159.  
  160. # If the first arg is an I/P address or subnet then assume it is to be blocked.
  161. # TBA
  162.  
  163.  
  164. # status / ban / unban / reset / delete / save / ban / whitelist / backup / init
  165.  
case $ACTION in
    status)
        # Show the set header (the first 7 lines of 'ipset -L': name, type, timeout, size, ...);
        # with 'status list' also print every member (lines starting with a digit), sorted
        # numerically by octet, followed by the whole Whitelist.
        echo -en "\n"
        ipset -L Blacklist | head -n 7                                  # Sadly 'ipset -t Blacklist' to list only the IPSET header doesn't work on Asus
        if [ "$2" == "list" ];then                                      # Verbose if 'status list'
            ipset -L Blacklist                              | \
                grep -E "^[0-9]"                            | \
                sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4    | \
                awk ' {printf "%15s\t", $1;}'
            echo -en "\n\n"
            ipset -L Whitelist
        fi
        ;;
    ban)
        # Add one address to the LIVE Blacklist. Nothing is validated here: 'ipset add' rejects
        # anything that is not an address (or ip,port when the set was created with 'init port'),
        # but '-q' hides that error and "Is Now Banned" is printed regardless - verify with
        # 'status list' when it matters. The live set is not saved here; the hourly 'save' cron
        # job (see header) persists it. The entry carries the set's timeout, like auto-bans.
        if [ -z $2 ];then
            echo "Input IP Address"
            read bannedip                                   # NOTE(review): no '-r', so backslashes in the typed value are interpreted
        else
            bannedip=$2
        fi
        logger -st "($(basename $0))" $$  "Banning" $bannedip "- added to Blacklist....."
        ipset -q $ADD Blacklist $bannedip
        echo "$bannedip Is Now Banned"
        ;;
    unban)
        if [ -z $2 ]; then
            echo "Input IP Address To Unban"
            read unbannedip
        else
            unbannedip=$2
        fi
        logger -st "($(basename $0))" $$  "Unbanning and removing" $unbannedip "from Blacklist......"
        # NOTE(review): $DELETE is never assigned in the ipset-version 'case' at the top of this
        #               script (only LIST/CREATE/SAVE/RESTORE/FLUSH/DESTROY/ADD/SWAP are), so this
        #               runs 'ipset Blacklist <ip>' and the address is NOT removed from the live
        #               set - the intended verb is 'del' (v6) / '--del' (v4). Only the saved
        #               config below is edited.
        ipset $DELETE Blacklist $unbannedip
        # The address is spliced into a sed regex unquoted: dots match any character and there
        # is no anchoring, so unbanning 1.2.3.4 also drops e.g. 11.2.3.45 or 1.2.3.40 from the
        # saved config; a value containing '/' (a CIDR) breaks the expression, and because the
        # file is rewritten from the command substitution, a failing sed truncates the config
        # to a single empty line.
        echo "`sed /$unbannedip/d $DIR/IPSET_Block.config`" > $DIR/IPSET_Block.config
        echo $unbannedip "Is Now Unbanned"

        ;;
    reset)
        # Temporary flush: the current config is renamed to IPSET_Block.config-<timestamp> and
        # the now-empty Blacklist is saved as the new config.
        # NOTE(review): 'init' and 'restore' read IPSET_Block.config, so as written they bring
        #               back the EMPTY Blacklist; the pre-reset entries only return if the
        #               timestamped copy is renamed over the config first. The header text
        #               ("restored @BOOT") does not match this.
        logger -st "($(basename $0))" $$  "Temporarily Allowing ALL ("$(cat $bannedips)") I/P's in Blacklist IPSET"
        NOW=$(date +"%Y%m%d-%H%M%S")    # current date and time
        mv  $DIR/IPSET_Block.config $DIR/IPSET_Block.config-$NOW            # Create restore backup
        ipset $FLUSH Blacklist
        ipset $SAVE Blacklist >  $DIR/IPSET_Block.config
        ipset $SAVE Whitelist >> $DIR/IPSET_Block.config
        rm $bannedips 2> /dev/null                      # Reset counter '0'
        ;;
    delete)
        # Same as 'reset' but without the timestamped copy, so nothing to recover from here
        # (the only other copy is IPSET_Block.configbak from the daily 'backup' job, if it ran).
        #expr `ipset -L Blacklist | grep -v -E "^[NTRHSM]" | wc -l` > $bannedips
        logger -st "($(basename $0))" $$  "Permanently deleting ALL ("$(cat $bannedips)") I/Ps from Blacklist."
        ipset $FLUSH Blacklist
        ipset $SAVE Blacklist >  $DIR/IPSET_Block.config
        ipset $SAVE Whitelist >> $DIR/IPSET_Block.config
        rm $bannedips 2> /dev/null                      # Reset counter '0'
        ;;
    save)
        # Run hourly from cron (see header): overwrite the config with both sets, Blacklist first.
        logger -st "($(basename $0))" $$  "Saving IPSET Block rules to "$DIR"/IPSET_Block.config....."
        # Only save the IPSETs associated with this script
        ipset $SAVE Blacklist >  $DIR/IPSET_Block.config
        ipset $SAVE Whitelist >> $DIR/IPSET_Block.config
        ;;
    restore)
        logger -st "($(basename $0))" $$  "Restoring IPSET Block rules Whitelist & Blacklist from "$DIR"/IPSET_Block.config....."
        #/jffs/scripts/$(basename $0) "init" &
        # Rather than destroy the IPSETs, keep them live, and simply swap the restore!!
        # If the sets already exist (iptables rules reference them, so they cannot simply be
        # re-created), the config is rewritten IN PLACE with '_'-prefixed set names, restored
        # into those temporary sets, and the contents swapped into the live sets.
        if [ ! -z "$(ipset $LIST -n | uniq | grep -oE "^Blacklist")" ];then
            # Need to enforce the restore to temporary '_Blacklist' & '_Whitelist' IPSETs
            cp $DIR/IPSET_Block.config $DIR/IPSET_Block.config.preEDIT                  # Save the config
            sed -i 's/Blacklist/_Blacklist/g' $DIR/IPSET_Block.config                   # Change the IPSET names in the saved config
            sed -i 's/Whitelist/_Whitelist/g' $DIR/IPSET_Block.config
            ipset $DESTROY _Blacklist 2> /dev/null;ipset -X _Whitelist 2> /dev/null         # Make sure the temporary swap IPSETs don't exist
            ipset $RESTORE -f  $DIR/IPSET_Block.config                                  # Do the restore.....
            if [ $? -eq 0 ];then
                # NOTE(review): the second swap bypasses the $SWAP abstraction; a bare 'swap' is the
                #               v6 syntax, so this clause is effectively v6-only ('-X' works on both).
                ipset $SWAP _Blacklist Blacklist;ipset swap _Whitelist Whitelist            # Perform the swap
                ipset $DESTROY _Blacklist 2> /dev/null;ipset -X _Whitelist 2> /dev/null     # Delete the temporary IPSETs
            else
                # Exits with the renamed config still in place; the original is in
                # IPSET_Block.config.preEDIT and must be moved back by hand before the next 'init'.
                echo -e "\aWhoops!!!"
                exit 99
            fi
            rm $DIR/IPSET_Block.config                                                  # Delete the edited temporary config
            mv $DIR/IPSET_Block.config.preEDIT $DIR/IPSET_Block.config                  #    and recover the original config
        else
            ipset $RESTORE < $DIR/IPSET_Block.config
        fi
        ;;
    whitelist)
        # Bulk-load the Whitelist from a file whose path is read from the terminal; every
        # whitespace-separated token is handed to 'ipset add' (no validation, errors hidden by -q).
        # SECURITY: 'init' inserts '-m set Whitelist src -j ACCEPT' with no port/protocol match
        # at the position computed from the 'lo' rule (normally near the top of INPUT), so a
        # whitelisted source is accepted INTO THE ROUTER on every port - it bypasses the whole
        # INPUT chain, not just the Blacklist. Keep this to trusted LAN/VPN ranges.
        echo "Input file location"                      # see /jffs/configs/IPSET_Whitelist
        read WHITELISTFILE
        for IP in `cat $WHITELISTFILE`
            do
                ipset -q $ADD Whitelist $IP
                echo $IP
            done

        ipset $SAVE Whitelist >  $DIR/IPSET_Block.config
        ipset $SAVE Blacklist >> $DIR/IPSET_Block.config
        ;;
    backup)
        logger -st "($(basename $0))" $$  "Creating IPSET rule backup to '"$DIR"/IPSET_Block.configbak'....."
        cp -f $DIR/IPSET_Block.config $DIR/IPSET_Block.configbak
        ;;
    init)
        # Usually called from firewall-start, but may be invoked manually at any time from command prompt
        # Steps: choose set types / method from the args, make sure the router firewall is on
        # (and, for 'method1', that DROP logging is on - both are written to NVRAM), tear down
        # the previous installation, restore or create the sets, then install the INPUT/FORWARD
        # rules and the 'Blacklist' chain that does the actual banning.

        # Optionally track which port is being targeted by the hacker
        BLACKLIST_TYPE=$IPHASH
        BLK_DIMENSIONS="src"                                # 1-dimension IPSET src='201.210.196.178'
        if [ "$(echo $@ | grep -c 'port')" -gt 0 ];then                 # Port tracking requested? (substring match over all args)
            BLACKLIST_TYPE='hash:ip,port'
        fi

        WHITELIST_TYPE=$NETHASH
        WHT_DIMENSIONS="src"

        # Check if original 'logdrop' chain is to be implemented. i.e. 1-logdrop; 0-Blacklist chain method
        USE_LOGDROP=0                                                   # Use new Martineau non-logdrop custom Blacklist chain method
        if [ "$(echo $@ | grep -c 'method1')" -gt 0 ];then              # Command arg override?
            USE_LOGDROP=1                                               # Use original 'logdrop' chain method
        fi

        # Calculate Blacklist retention period in seconds (if specified)
        # NOTE(review): the format is not checked. Convert_HHMMSS_to_SECS turns a malformed value
        #               into a smaller number, possibly 0, and an ipset 'timeout 0' means entries
        #               NEVER expire - a typo here silently makes every ban permanent.
        if [ "$1" == "init" ] && [ "$2" == "reset" ] && \
                                  [ ! -z $3 ] && [ "$3" != "port" ] && [ "$3" != "nolog" ];then # Allow 'init reset HH:MM:SS' to specify retain period
            HHMMSS=$3
        fi


        RETAIN_SECS=
        if [ ! -z $TIMEOUT ];then
            RETAIN_SECS=$(Convert_HHMMSS_to_SECS "$HHMMSS")
        fi

        # 'method1' hooks the firmware's own 'logdrop' chain, which only sees traffic when the
        # router's firewall logging is set to DROP/both - so that router-wide setting is changed
        # and committed to NVRAM here (persists across reboots, not just this session).
        if [ $USE_LOGDROP -eq 1 ];then              # Original 'logdrop' chain method?
            if [ "$(nvram get fw_log_x)" == "drop" ] || [ "$(nvram get fw_log_x)" == "both" ];then
                #logger -st "($(basename $0))" $$ "***DEBUG Correct use of 'logdrop' CHAIN Setting Detected"
                DUMMY=
            else

                logger -st "($(basename $0))" $$  "Setting 'Firewall logging=DROP' - will use 'logdrop' chain....."
                nvram set fw_log_x=drop
                nvram commit
            fi
        else
            #logger -st "($(basename $0))" $$  "***DEBUG Skipping Setting 'Firewall logging=DROP' - will use 'Blacklist' chain"
            DUMMY=
        fi

        # Likewise the firewall itself is switched on and committed if it was disabled.
        if [ "$(nvram get fw_enable_x)" == "1" ]
        then
            #logger -st "($(basename $0))" $$ "***DEBUG Correct 'Firewall=ENABLED' setting Detected."
            DUMMY=
        else
            logger -st "($(basename $0))" $$ "Setting 'Firewall=ENABLED'....."
            nvram set fw_enable_x=1
            nvram commit
        fi

        # Delete the Blacklist/Whitelist IPSETs to be deleted/restored (rather than swap!)
        Delete_IPSETs

        # Without 'reset', a non-empty saved config wins over the command-line settings: the sets
        # (and therefore the timeout) come from the file, and a freshly specified hh:mm:ss is ignored.
        if [ "$2" != "reset" ] && [ -s "${DIR}/IPSET_Block.config" ];then
            logger -st "($(basename $0))" $$  "IPSET restore from '"$DIR"/IPSET_Block.config' starting....."
            ipset $RESTORE  < $DIR/IPSET_Block.config
        else
            ipset $CREATE Whitelist $WHITELIST_TYPE
            ipset $CREATE Blacklist $BLACKLIST_TYPE $TIMEOUT $RETAIN_SECS       # Entries are valid for say 86400 secs i.e. 24 hrs (IPSET v6.x only)
            logger -st "($(basename $0))" $$  "IPSETs: 'Blacklist/Whitelist' created EMPTY....." [$1 $2]
        fi

        # NOTE(review): both lines below are missing a '$' - the test compares a literal string
        #               (always true) and the assignment stores the literal text 'XRETAIN_SECS'.
        #               Harmless today only because RETAIN_SECS is not read again after this point.
        XRETAIN_SECS=$(ipset $LIST Blacklist | head -n 4 | grep -E "^Header" | grep -oE "timeout.*" | cut -d" " -f2)
        if [ ! -z XRETAIN_SECS ];then
            RETAIN_SECS=XRETAIN_SECS                        # Report the actual timeout value in the restore file
        fi

        # Both set-match rules go in directly after the 'lo' rule. Inserting both at the same
        # number puts the Whitelist ACCEPT ABOVE the Blacklist DROP, so a whitelisted source is
        # never blocked - and, since neither rule matches on port or protocol, a whitelisted
        # source is accepted for everything while a blacklisted one is dropped for everything
        # (this DROP precedes the RELATED,ESTABLISHED accept, see further down).
        RULENO=$(iptables -nvL INPUT --line | grep "lo " | awk '{print $1}')
        RULENO=$(($RULENO+1))

        iptables -D INPUT -m set $IPT_MATCHSET Blacklist src -j DROP 2> /dev/null
        iptables -D INPUT -m set $IPT_MATCHSET Whitelist src -j ACCEPT 2> /dev/null
        iptables -I INPUT $RULENO -m set $IPT_MATCHSET Blacklist src -j DROP
        iptables -I INPUT $RULENO -m set $IPT_MATCHSET Whitelist src -j ACCEPT
        # NOTE(review): by the time 'RC=$?' runs, $? is the status of the '[' test, not of iptables,
        #               so the logged RC is always 0; the status must be captured before the test.
        if [ "$?" -gt 0 ];then
           RC=$?
           logger -st "($(basename $0))" $$  "**ERROR** Unable to add - INPUT $MATCH_SET Whitelist RC="$RC
           echo -e "\a`iptables -nvL INPUT --line >> /tmp/syslog.log`"
        fi

        # Use original 'logdrop' chain or custom 'Blacklist' chain etc.
        if [ $USE_LOGDROP -eq 1 ];then                                                      # Use 'logdrop' chain
            iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src 2> /dev/null
            iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src
        else                                                                                    # Use 'Blacklist' chain
            # Delete previous Blacklist rules
            iptables -D INPUT -i $(nvram get wan0_ifname) -m state --state INVALID -j Blacklist 2> /dev/null        #WAN only
            iptables -D INPUT                                -m state --state INVALID -j Blacklist 2> /dev/null
            iptables -D INPUT -j Blacklist 2> /dev/null
            iptables -D FORWARD -m set $IPT_MATCHSET Blacklist src -j DROP 2> /dev/null
            iptables -D FORWARD ! -i br0 -o $(nvram get wan0_ifname) -j Blacklist 2> /dev/null
            iptables -D FORWARD   -i $(nvram get wan0_ifname) -m state --state INVALID -j Blacklist  2> /dev/null

            # Use a custom CHAIN 'Blacklist' rather than 'logdrop'
            # The chain records the SOURCE of every NEW-state packet that reaches it into the
            # Blacklist set (optionally logging it) and then RETURNS - it never drops. The packet
            # carries on in the calling chain; the ban bites on the next packet from that address
            # via the '-m set Blacklist src -j DROP' rule installed above.
            # SECURITY: the address comes straight from the packet, so a remote party can get a
            # third-party address banned by spoofing it as the source of one unsolicited packet;
            # because the DROP sits ahead of the RELATED,ESTABLISHED accept, that address then
            # loses ALL traffic to the router (e.g. replies from upstream DNS/NTP servers).
            # Whitelist any such addresses if that matters.
            iptables -F Blacklist
            iptables -X Blacklist
            iptables -N Blacklist
            iptables -I Blacklist -m state --state NEW -j SET --add-set Blacklist src
            if [ "$NOLOG" == "0" ];then                 # Suppress 'Block =' messages from syslog? 0-Create;1-Suppress
                iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
            fi
            # Let other following rule issue the actual DROP or not!!!???
            #iptables -A Blacklist -j DROP

            RULELIST=

            RULENO=$( iptables --line -nvL INPUT | grep "state RELATED,ESTABLISHED" | cut -d" " -f1)
            RULENO=$(($RULENO+1))

            # WAN only or ALL interfaces BRx / tun1x etc. ?
            # As shipped this is ALL interfaces: a stray INVALID packet from a LAN-side host outside
            # the whitelisted /24 (VLANs, VPN clients) bans that host too.
            #if [ $WAN_ONLY ];then
                #iptables -I INPUT $RULENO -i $(nvram get wan0_ifname) -m state --state INVALID -j Blacklist        # WAN only
            #else
                iptables -I INPUT $RULENO                             -m state --state INVALID -j Blacklist         # ALL interfaces
            #fi

            RULELIST=$RULELIST""$RULENO" "

            # Penultimate rule: anything not accepted by the rules above (i.e. unsolicited traffic
            # on any interface, to any closed port) gets its source banned just before the chain's
            # final rule/policy deals with the packet.
            RULENO=$(iptables --line -nvL INPUT | grep -cE "^[1-9]")            # Count of existing rules in INPUT chain
            iptables -I INPUT $RULENO -j Blacklist                              # Penultimate in the INPUT chain

            RULELIST=$RULELIST""$RULENO" "

            #logger -st "($(basename $0))" $$ "***DEBUG Blacklist rules @"$RULELIST"inserted into INPUT chain"

            RULELIST=

            # NOTE(review): these two greps hard-code 'eth0' / '!br0' while the rules themselves use
            #               wan0_ifname; on a router whose WAN interface is not eth0 RULENO is empty
            #               and the rules are inserted at position 1 of FORWARD instead.
            RULENO=$( iptables --line -nvL FORWARD | grep "DROP       all  --  !br0   eth0" | cut -d" " -f1)
            iptables -I FORWARD $RULENO ! -i br0 -o $(nvram get wan0_ifname) -j Blacklist
            iptables -I FORWARD $RULENO -m set $IPT_MATCHSET Blacklist src -j DROP

            RULELIST=$RULELIST""$RULENO" "

            RULENO=$(iptables --line -nvL FORWARD | grep "DROP       all  --  eth0   *" | cut -d" " -f1)
            iptables -I FORWARD $RULENO -i $(nvram get wan0_ifname) -m state --state INVALID -j Blacklist

            RULELIST=$RULELIST""$RULENO" "

            #logger -st "($(basename $0))" $$ "***DEBUG Blacklist rules @"$RULELIST"inserted into FORWARD chain"

        fi

        # Add LAN subnet to Whitelist IPSET ?
        # NOTE(review): a /24 is hard-coded regardless of the router's actual LAN netmask - a larger
        #               LAN is only partly whitelisted, a smaller one over-whitelisted.
        ipset -q $ADD Whitelist `nvram get lan_ipaddr`/24

        # Remember to manually include all VLANs e.g. 10.0.0.0/8 see /jffs/configs/IPSET_Whitelist


        logger -st "($(basename $0))" $$  "Dynamic IPSET Blacklist banning enabled."

        #if [ -f /jffs/scripts/HackerPorts.sh ]; then
            #logger -st "($(basename $0))" $$ "Hacker Port Activity report scheduled every 06:05 daily"
            #/usr/sbin/cru a HackerReport "5 6 * * * /jffs/scripts/HackerPorts.sh"
        #fi

esac
  428.  
# Allow dynamic Disable of Syslog messages
# Runs after EVERY action: bring the Blacklist chain's LOG rule into line with NOLOG (added if
# logging is wanted and missing - skipped for 'init', which already did it - removed if it is
# present but suppressed). If 'init method1' was used there is no Blacklist chain and these
# iptables calls simply fail (noisily on stderr, but harmlessly).
# SECURITY: the LOG rule has no '-m limit', so a port scan or flood logs one line per NEW packet
# and can swamp the router's syslog (which is a small ring buffer on these devices, presumably).
if [ "$NOLOG" == "0" ];then                 # Suppress 'Block =' messages from syslog? 0-Create;1-Suppress
    if [ "$1" != "init" -a -z "$(iptables --line -L Blacklist | grep "state NEW LOG")" ];then       # Enable if it doesn't exist
        iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
        echo -e "\a\tSyslog 'Block =' messages enabled\n"
    fi
else                                                                            # Suppress if it exists
    if [ ! -z "$(iptables --line -L Blacklist | grep "state NEW LOG")" ];then
        iptables -D Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
        echo -e "\a\n\tSyslog 'Block =' messages suppressed"
    fi
fi
  441.  
# Summary
# Printed (and syslogged) after every action: packets dropped by the INPUT Blacklist rule, the
# number of banned addresses, and how many were added/expired since the counter file was last
# written. The counter file ($bannedips) holds the member count from the previous run; its
# mtime is the "since:" timestamp.

if [ ! -s "$bannedips" ]; then
   OLDAMOUNT=0
   LAST_MOD=
else
   # Scrapes the date/time out of 'ls -l' by cutting between the owner ("root") and the path
   # ("/tmp..."); this only works while the file is owned by root and DIR lives under /tmp.
   LAST_MOD=$(ls -l $bannedips | grep -oE "root.*/tmp" | sed 's/root//' | sed 's/\/tmp//' | sed -e 's/^[ \t]*//' | cut -d' ' -f2-)
   OLDAMOUNT=$(cat "$bannedips")
fi

# The counter file is only rewritten while the set is non-empty, so once the Blacklist drains
# to zero the stored count (and its timestamp) stay stale until the next ban.
if [ $(ipset -L Blacklist | grep -E "^[0-9]" | wc -l) -gt 0 ]; then
    ipset -L Blacklist | grep -E "^[0-9]" | wc -l > $bannedips
    NEWAMOUNT=$(cat $bannedips)
else
    NEWAMOUNT=0
fi
DELTA=$(($NEWAMOUNT-$OLDAMOUNT))
if [ $DELTA -lt 0 ];then
    DELTA=$(echo "$DELTA" | sed 's/-//')
    UP_DOWN="expired"
else
    UP_DOWN="added"
fi
INTERVAL=
if [ ! -z "$LAST_MOD" ];then
    INTERVAL="since: "$LAST_MOD
fi

# Packet counter (column 2 of 'iptables -nvL') of the INPUT rule matching the Blacklist set.
HITS=$(iptables --line -nvL INPUT | grep -E "set.*Blacklist" | awk '{print $2}')
if [ -z $HITS ];then
    HITS=0
fi

# NOTE(review): "IPs currently banned" prints OLDAMOUNT (the previous run's count) rather than
#               NEWAMOUNT (the count just taken); NEWAMOUNT looks like what was intended.
TEXT="\033[00mSummary Blacklist: \e[42m$HITS Successful blocks!\033[00m ( \e[41m$OLDAMOUNT IPs currently banned - $DELTA $UP_DOWN\033[00m $INTERVAL)\033[00m"
TEXT2="Summary Blacklist: $HITS Successful blocks! ( $OLDAMOUNT IPs currently banned - $DELTA $UP_DOWN $INTERVAL)"

# Report the set's actual 'timeout' (from the ipset header) rather than whatever was requested.
XRETAIN_SECS=$(ipset $LIST Blacklist | head -n 4 | grep -E "^Header" | grep -oE "timeout.*" | cut -d" " -f2)
if [ ! -z "$XRETAIN_SECS" ];then   
    TEXT=$TEXT", Entries auto-expire after "$(Convert_SECS_to_HHMMSS $XRETAIN_SECS)" hrs"
fi

echo -e "\n\t"$TEXT"\n"
logger -t "($(basename $0))" $$ $TEXT2

# Optional hook: whatever is installed as /jffs/scripts/HackerPorts.sh is executed with this
# script's privileges on every invocation (including the cron-driven 'save'/'backup' runs).
if [ -f /jffs/scripts/HackerPorts.sh ]; then
    /jffs/scripts/HackerPorts.sh num=3                      # Requires HackerPorts v2.xx
fi

exit 0