ossec-blacklist/firewall.user

70 lines
2.6 KiB
Plaintext
Raw Normal View History

2014-10-01 11:14:38 +00:00
#!/bin/sh
# IP blacklisting script for OpenWRT routers
# Pawel Krawczyk https://keybase.io/kravietz
#
# This script should be *only* used on OpenWRT as it relies on uci configuration framework
# specific to these routers.
#
# This file should be installed as /etc/firewall.user and then updated from crontab:
#
# 01 01 * * * sh /etc/firewall.user
#
# Emerging Threats lists offensive IPs such as botnet command servers
urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
# Bogons lists IP addresses that should never appear on public Internet
# including RFC 1918 networks - this is why this script blocks packets only
# on WAN interface of an OpenWRT router
urls="$urls http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"
# Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"
blocklist_chain_name=blocklists
if [ ! -x /usr/sbin/ipset ]; then
echo "Cannot find ipset"
echo "Run: opkg update && opkg install ipset"
exit 1
fi
2014-10-01 11:20:45 +00:00
if [ ! -x /usr/bin/curl ]; then
echo "Cannot find curl"
echo "Run: opkg update && opkg install curl"
exit 1
fi
2014-10-01 11:14:38 +00:00
# create main blocklists chain
if ! iptables -L ${blocklist_chain_name}; then iptables -N ${blocklist_chain_name}; fi
# inject references to blocklist in the beginning of input and forward chains
if ! iptables -L input|grep -q ${blocklist_chain_name}; then
iptables -I input 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
fi
if ! iptables -L forward|grep -q ${blocklist_chain_name}; then
iptables -I forward 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
fi
wan_iface=$(uci get network.wan.ifname)
if [ -z "$wan_iface" ]; then
echo "Cannot determine WAN interface"
exit 1
fi
iptables -F ${blocklist_chain_name}
for url in $urls; do
tmp=$(mktemp)
tmp2=$(mktemp)
set_name=$(basename $url)
curl --compressed -k "$url" >"$tmp"
sort -u <"$tmp" | egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >"$tmp2"
ipset -! create ${set_name} hash:net
while read line; do
ipset add ${set_name} "$line"
done <"$tmp2"
iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -j DROP
echo ${set_name} $(ipset list ${set_name} | wc -l)
done