2014-10-01 11:14:38 +00:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
|
|
# IP blacklisting script for OpenWRT routers
|
|
|
|
|
# Pawel Krawczyk https://keybase.io/kravietz
|
|
|
|
|
#
|
|
|
|
|
# This script should be *only* used on OpenWRT as it relies on uci configuration framework
|
|
|
|
|
# specific to these routers.
|
|
|
|
|
#
|
|
|
|
|
# This file should be installed as /etc/firewall.user and then updated from crontab:
|
|
|
|
|
#
|
|
|
|
|
# 01 01 * * * sh /etc/firewall.user
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
# Emerging Threats lists offensive IPs such as botnet command servers
|
|
|
|
|
urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
|
|
|
|
|
# Bogons lists IP addresses that should never appear on public Internet
|
|
|
|
|
# including RFC 1918 networks - this is why this script blocks packets only
|
|
|
|
|
# on WAN interface of an OpenWRT router
|
|
|
|
|
urls="$urls http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"
|
|
|
|
|
# Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
|
|
|
|
|
urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"
|
|
|
|
|
|
|
|
|
|
blocklist_chain_name=blocklists
|
|
|
|
|
|
|
|
|
|
if [ ! -x /usr/sbin/ipset ]; then
|
|
|
|
|
echo "Cannot find ipset"
|
|
|
|
|
echo "Run: opkg update && opkg install ipset"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
2014-10-01 11:20:45 +00:00
|
|
|
if [ ! -x /usr/bin/curl ]; then
|
|
|
|
|
echo "Cannot find curl"
|
|
|
|
|
echo "Run: opkg update && opkg install curl"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
2014-10-01 11:14:38 +00:00
|
|
|
|
|
|
|
|
# create main blocklists chain
|
|
|
|
|
if ! iptables -L ${blocklist_chain_name}; then iptables -N ${blocklist_chain_name}; fi
|
|
|
|
|
|
|
|
|
|
# inject references to blocklist in the beginning of input and forward chains
|
2014-11-24 22:36:07 +00:00
|
|
|
if ! iptables -L input_rule |grep -q ${blocklist_chain_name}; then
|
|
|
|
|
iptables -I input_rule 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
|
2014-10-01 11:14:38 +00:00
|
|
|
fi
|
2014-11-24 22:36:07 +00:00
|
|
|
if ! iptables -L forward_rule |grep -q ${blocklist_chain_name}; then
|
|
|
|
|
iptables -I forward_rule 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
|
2014-10-01 11:14:38 +00:00
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
wan_iface=$(uci get network.wan.ifname)
|
|
|
|
|
if [ -z "$wan_iface" ]; then
|
|
|
|
|
echo "Cannot determine WAN interface"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
iptables -F ${blocklist_chain_name}
|
|
|
|
|
|
|
|
|
|
for url in $urls; do
|
|
|
|
|
tmp=$(mktemp)
|
|
|
|
|
tmp2=$(mktemp)
|
|
|
|
|
set_name=$(basename $url)
|
2014-11-24 22:36:07 +00:00
|
|
|
curl -s --compressed -k "$url" >"$tmp"
|
2014-10-01 11:14:38 +00:00
|
|
|
sort -u <"$tmp" | egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >"$tmp2"
|
2014-11-24 22:36:07 +00:00
|
|
|
ipset create ${set_name} hash:net
|
2014-10-01 11:14:38 +00:00
|
|
|
while read line; do
|
2014-11-24 22:36:07 +00:00
|
|
|
ipset -! add ${set_name} "$line"
|
2014-10-01 11:14:38 +00:00
|
|
|
done <"$tmp2"
|
|
|
|
|
iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
|
|
|
|
|
iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -j DROP
|
|
|
|
|
echo ${set_name} $(ipset list ${set_name} | wc -l)
|
|
|
|
|
done
|
|
|
|
|
|
