initial version
This commit is contained in:
parent
70bcae47f1
commit
e4bc132f20
64
firewall.user
Normal file
64
firewall.user
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
# IP blacklisting script for OpenWRT routers
|
||||||
|
# Pawel Krawczyk https://keybase.io/kravietz
|
||||||
|
#
|
||||||
|
# This script should be *only* used on OpenWRT as it relies on uci configuration framework
|
||||||
|
# specific to these routers.
|
||||||
|
#
|
||||||
|
# This file should be installed as /etc/firewall.user and then updated from crontab:
|
||||||
|
#
|
||||||
|
# 01 01 * * * sh /etc/firewall.user
|
||||||
|
#
|
||||||
|
|
||||||
|
# Emerging Threats lists offensive IPs such as botnet command servers
|
||||||
|
urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
|
||||||
|
# Bogons lists IP addresses that should never appear on public Internet
|
||||||
|
# including RFC 1918 networks - this is why this script blocks packets only
|
||||||
|
# on WAN interface of an OpenWRT router
|
||||||
|
urls="$urls http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"
|
||||||
|
# Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
|
||||||
|
urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"
|
||||||
|
|
||||||
|
blocklist_chain_name=blocklists
|
||||||
|
|
||||||
|
if [ ! -x /usr/sbin/ipset ]; then
|
||||||
|
echo "Cannot find ipset"
|
||||||
|
echo "Run: opkg update && opkg install ipset"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# create main blocklists chain
|
||||||
|
if ! iptables -L ${blocklist_chain_name}; then iptables -N ${blocklist_chain_name}; fi
|
||||||
|
|
||||||
|
# inject references to blocklist in the beginning of input and forward chains
|
||||||
|
if ! iptables -L input|grep -q ${blocklist_chain_name}; then
|
||||||
|
iptables -I input 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
|
||||||
|
fi
|
||||||
|
if ! iptables -L forward|grep -q ${blocklist_chain_name}; then
|
||||||
|
iptables -I forward 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
|
||||||
|
fi
|
||||||
|
|
||||||
|
wan_iface=$(uci get network.wan.ifname)
|
||||||
|
if [ -z "$wan_iface" ]; then
|
||||||
|
echo "Cannot determine WAN interface"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
iptables -F ${blocklist_chain_name}
|
||||||
|
|
||||||
|
for url in $urls; do
|
||||||
|
tmp=$(mktemp)
|
||||||
|
tmp2=$(mktemp)
|
||||||
|
set_name=$(basename $url)
|
||||||
|
curl --compressed -k "$url" >"$tmp"
|
||||||
|
sort -u <"$tmp" | egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >"$tmp2"
|
||||||
|
ipset -! create ${set_name} hash:net
|
||||||
|
while read line; do
|
||||||
|
ipset add ${set_name} "$line"
|
||||||
|
done <"$tmp2"
|
||||||
|
iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
|
||||||
|
iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -j DROP
|
||||||
|
echo ${set_name} $(ipset list ${set_name} | wc -l)
|
||||||
|
done
|
||||||
|
|
Loading…
Reference in New Issue
Block a user