ossec-blacklist/firewall.user

#!/bin/sh

# IP blacklisting script for OpenWRT routers
# Pawel Krawczyk https://keybase.io/kravietz
#
# This script should be *only* used on OpenWRT as it relies on uci configuration framework
# specific to these routers. 
#
# This file should be installed as /etc/firewall.user and then updated from crontab:
#
# 01 01 * * * sh /etc/firewall.user
#

# Emerging Threats lists offensive IPs such as botnet command servers
urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
# Bogons lists IP addresses that should never appear on public Internet
# including RFC 1918 networks - this is why this script blocks packets only
# on WAN interface of an OpenWRT router
urls="$urls http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"
# Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"

blocklist_chain_name=blocklists

if [ ! -x /usr/sbin/ipset ]; then
    echo "Cannot find ipset"
    echo "Run: opkg update && opkg install ipset"
    exit 1
fi
if [ ! -x /usr/bin/curl ]; then
    echo "Cannot find curl"
    echo "Run: opkg update && opkg install curl"
    exit 1
fi

# create main blocklists chain
if ! iptables -L ${blocklist_chain_name}; then iptables -N ${blocklist_chain_name}; fi

# inject references to blocklist in the beginning of input and forward chains
if ! iptables -L input|grep -q ${blocklist_chain_name}; then
  iptables -I input 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
fi
if ! iptables -L forward|grep -q ${blocklist_chain_name}; then
  iptables -I forward 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
fi                                                                 

wan_iface=$(uci get network.wan.ifname)
if [ -z "$wan_iface" ]; then
    echo "Cannot determine WAN interface"
    exit 1
fi

iptables -F ${blocklist_chain_name}
                                                                      
for url in $urls; do
    tmp=$(mktemp)
    tmp2=$(mktemp)
    set_name=$(basename $url)
    curl --compressed -k "$url" >"$tmp"
    sort -u <"$tmp" | egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >"$tmp2"
    ipset -! create ${set_name} hash:net
    while read line; do
        ipset add ${set_name} "$line"
    done <"$tmp2"
    iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
    iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -j DROP
    echo ${set_name} $(ipset list ${set_name} | wc -l)
done
initial version 2014-10-01 11:14:38 +00:00			`#!/bin/sh`

			`# IP blacklisting script for OpenWRT routers`
			`# Pawel Krawczyk https://keybase.io/kravietz`
			`#`
			`# This script should be only used on OpenWRT as it relies on uci configuration framework`
			`# specific to these routers.`
			`#`
			`# This file should be installed as /etc/firewall.user and then updated from crontab:`
			`#`
			`# 01 01 * * * sh /etc/firewall.user`
			`#`

			`# Emerging Threats lists offensive IPs such as botnet command servers`
			`urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"`
			`# Bogons lists IP addresses that should never appear on public Internet`
			`# including RFC 1918 networks - this is why this script blocks packets only`
			`# on WAN interface of an OpenWRT router`
			`urls="$urls http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"`
			`# Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders`
			`urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"`

			`blocklist_chain_name=blocklists`

			`if [ ! -x /usr/sbin/ipset ]; then`
			`echo "Cannot find ipset"`
			`echo "Run: opkg update && opkg install ipset"`
			`exit 1`
			`fi`
check for curl 2014-10-01 11:20:45 +00:00			`if [ ! -x /usr/bin/curl ]; then`
			`echo "Cannot find curl"`
			`echo "Run: opkg update && opkg install curl"`
			`exit 1`
			`fi`
initial version 2014-10-01 11:14:38 +00:00
			`# create main blocklists chain`
			`if ! iptables -L ${blocklist_chain_name}; then iptables -N ${blocklist_chain_name}; fi`

			`# inject references to blocklist in the beginning of input and forward chains`
			`if ! iptables -L input\|grep -q ${blocklist_chain_name}; then`
			`iptables -I input 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}`
			`fi`
			`if ! iptables -L forward\|grep -q ${blocklist_chain_name}; then`
			`iptables -I forward 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}`
			`fi`

			`wan_iface=$(uci get network.wan.ifname)`
			`if [ -z "$wan_iface" ]; then`
			`echo "Cannot determine WAN interface"`
			`exit 1`
			`fi`

			`iptables -F ${blocklist_chain_name}`

			`for url in $urls; do`
			`tmp=$(mktemp)`
			`tmp2=$(mktemp)`
			`set_name=$(basename $url)`
			`curl --compressed -k "$url" >"$tmp"`
			`sort -u <"$tmp" \| egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >"$tmp2"`
			`ipset -! create ${set_name} hash:net`
			`while read line; do`
			`ipset add ${set_name} "$line"`
			`done <"$tmp2"`
			`iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "`
			`iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -j DROP`
			`echo ${set_name} $(ipset list ${set_name} \| wc -l)`
			`done`