From 660d6615519642d91005908e4dd12610dab438a8 Mon Sep 17 00:00:00 2001
From: Pawel Krawczyk
Date: Wed, 7 Jan 2015 10:57:16 +0000
Subject: [PATCH] merged with blacklist.sh
---
 firewall.user | 69 ---------------------------------------------------
 1 file changed, 69 deletions(-)
 delete mode 100755 firewall.user
diff --git a/firewall.user b/firewall.user
deleted file mode 100755
index f67d9b4..0000000
--- a/firewall.user
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/bin/sh
-
-# IP blacklisting script for OpenWRT routers
-# Pawel Krawczyk https://keybase.io/kravietz
-#
-# This script should be *only* used on OpenWRT as it relies on uci configuration framework
-# specific to these routers.
-#
-# This file should be installed as /etc/firewall.user and then updated from crontab:
-#
-# 01 01 * * * sh /etc/firewall.user
-#
-
-# Emerging Threats lists offensive IPs such as botnet command servers
-urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
-# Bogons lists IP addresses that should never appear on public Internet
-# including RFC 1918 networks - this is why this script blocks packets only
-# on WAN interface of an OpenWRT router
-urls="$urls http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"
-# Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
-urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"
-
-blocklist_chain_name=blocklists
-
-if [ ! -x /usr/sbin/ipset ]; then
- echo "Cannot find ipset"
- echo "Run: opkg update && opkg install ipset"
- exit 1
-fi
-if [ ! -x /usr/bin/curl ]; then
- echo "Cannot find curl"
- echo "Run: opkg update && opkg install curl"
- exit 1
-fi
-
-# create main blocklists chain
-if ! iptables -L ${blocklist_chain_name}; then iptables -N ${blocklist_chain_name}; fi
-
-# inject references to blocklist in the beginning of input and forward chains
-if ! iptables -L input_rule | grep -q ${blocklist_chain_name}; then
- iptables -I input_rule 1 -j ${blocklist_chain_name}
-fi
-if ! iptables -L forwarding_rule | grep -q ${blocklist_chain_name}; then
- iptables -I forwarding_rule 1 -j ${blocklist_chain_name}
-fi
-
-wan_iface=$(uci get network.wan.ifname)
-if [ -z "$wan_iface" ]; then
- echo "Cannot determine WAN interface"
- exit 1
-fi
-
-iptables -F ${blocklist_chain_name}
-
-for url in $urls; do
- tmp=$(mktemp)
- tmp2=$(mktemp)
- set_name=$(basename $url)
- curl -s -k "$url" >"$tmp"
- sort -u <"$tmp" | egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >"$tmp2"
- ipset -! create ${set_name} hash:net
- while read line; do
- ipset -! add ${set_name} "$line"
- done <"$tmp2"
- iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
- iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -j DROP
- echo ${set_name} $(ipset list ${set_name} | wc -l)
-done
-