merged with blacklist.sh
This commit is contained in:
parent
f2b54af727
commit
660d661551
@ -1,69 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
# IP blacklisting script for OpenWRT routers
|
||||
# Pawel Krawczyk https://keybase.io/kravietz
|
||||
#
|
||||
# This script should be *only* used on OpenWRT as it relies on uci configuration framework
|
||||
# specific to these routers.
|
||||
#
|
||||
# This file should be installed as /etc/firewall.user and then updated from crontab:
|
||||
#
|
||||
# 01 01 * * * sh /etc/firewall.user
|
||||
#
|
||||
|
||||
# Emerging Threats lists offensive IPs such as botnet command servers
|
||||
urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
|
||||
# Bogons lists IP addresses that should never appear on public Internet
|
||||
# including RFC 1918 networks - this is why this script blocks packets only
|
||||
# on WAN interface of an OpenWRT router
|
||||
urls="$urls http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"
|
||||
# Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
|
||||
urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"
|
||||
|
||||
blocklist_chain_name=blocklists
|
||||
|
||||
if [ ! -x /usr/sbin/ipset ]; then
|
||||
echo "Cannot find ipset"
|
||||
echo "Run: opkg update && opkg install ipset"
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -x /usr/bin/curl ]; then
|
||||
echo "Cannot find curl"
|
||||
echo "Run: opkg update && opkg install curl"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# create main blocklists chain
|
||||
if ! iptables -L ${blocklist_chain_name}; then iptables -N ${blocklist_chain_name}; fi
|
||||
|
||||
# inject references to blocklist in the beginning of input and forward chains
|
||||
if ! iptables -L input_rule | grep -q ${blocklist_chain_name}; then
|
||||
iptables -I input_rule 1 -j ${blocklist_chain_name}
|
||||
fi
|
||||
if ! iptables -L forwarding_rule | grep -q ${blocklist_chain_name}; then
|
||||
iptables -I forwarding_rule 1 -j ${blocklist_chain_name}
|
||||
fi
|
||||
|
||||
wan_iface=$(uci get network.wan.ifname)
|
||||
if [ -z "$wan_iface" ]; then
|
||||
echo "Cannot determine WAN interface"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
iptables -F ${blocklist_chain_name}
|
||||
|
||||
for url in $urls; do
|
||||
tmp=$(mktemp)
|
||||
tmp2=$(mktemp)
|
||||
set_name=$(basename $url)
|
||||
curl -s -k "$url" >"$tmp"
|
||||
sort -u <"$tmp" | egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >"$tmp2"
|
||||
ipset -! create ${set_name} hash:net
|
||||
while read line; do
|
||||
ipset -! add ${set_name} "$line"
|
||||
done <"$tmp2"
|
||||
iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
|
||||
iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -j DROP
|
||||
echo ${set_name} $(ipset list ${set_name} | wc -l)
|
||||
done
|
||||
|
Loading…
Reference in New Issue
Block a user