source the config file instead of reading line by line

2016-01-18 18:17:58 +00:00
parent a93e2b606d
commit f408072a81
1 changed files with 29 additions and 26 deletions
--- a/blacklist.sh
+++ b/blacklist.sh
@@ -9,33 +9,39 @@

 config_file="/etc/ip-blacklist.conf"
 if [ -f "${config_file}" ]; then
-    exec <"${config_file}"
-    read line
-    while [ "$line" ]; do
-        if ! echo "$line" | egrep -q '(^#|^$)'; then
-            urls="${urls} $line"
-        fi
-        read line
-    done
+    source ${config_file}
 else
    # if no config file is available, load default set of blacklists
+    # URLs for further blocklists are appended using the classical
+    # shell syntax:  "$URLS new_url"

    # Emerging Threats lists offensive IPs such as botnet command servers
-    urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
-
-    # URLs for further blocklists are appeneded below using the typical
-    # shell syntax:  "$urls new_url"
+    URLS="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"

    # Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
-    urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"
+    URLS="$URLS https://www.blocklist.de/downloads/export-ips_all.txt"

    # badips.com, from score 2 up
-    urls="$urls http://www.badips.com/get/list/ssh/2"
+    URLS="$URLS http://www.badips.com/get/list/ssh/2"

    # iblocklist.com is also supported
-    # urls="$urls http://list.iblocklist.com/?list=srzondksmjuwsvmgdbhi&fileformat=p2p&archiveformat=gz&username=USERNAMEx$&pin=PIN"
+    # URLS="$URLS http://list.iblocklist.com/?list=srzondksmjuwsvmgdbhi&fileformat=p2p&archiveformat=gz&username=USERNAMEx$&pin=PIN"
+
+    # by default all incoming/forwarding traffic is blocked
+    # if this parameter is specified, only the specified ports will be blocked
+    PORTS="22/tcp"
+
+    # iptables logging limit
+    LIMIT="10/minute"
 fi

+function link_set {
+    if [ "$3" = "log" ]; then
+        iptables -A "$1" -m set --match-set "$2" src,dst -m limit --limit "$LIMIT" -j LOG --log-prefix "BLOCK $2 "
+    fi
+    iptables -A "$1" -m set --match-set "$2" src -j DROP
+    iptables -A "$1" -m set --match-set "$2" dst -j DROP
+}

 # This is how it will look like on the server

@@ -51,18 +57,19 @@ fi
 #     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set www.badips.com dst
 blocklist_chain_name=blocklists

+# check for dependencies - ipset and curl
 if [ -z "$(which ipset 2>/dev/null)" ]; then
    echo "Cannot find ipset"
    echo "Run \"apt-get install ipset\" or \"yum install ipset\""
    exit 1
 fi
-
 if [ -z "$(which curl 2>/dev/null)" ]; then
    echo "Cannot find curl"
    echo "Run \"apt-get install curl\" or \"yum install curl\""
    exit 1
 fi

+# check if we are on OpenWRT
 if [ "$(which uci 2>/dev/null)" ]; then
    # we're on OpenWRT
    wan_iface=$(uci get network.wan.ifname)
@@ -94,14 +101,15 @@ fi
 iptables -F ${blocklist_chain_name}

 # create the "manual" blacklist set
+# this can be populated manually using ipset command:
+# ipset add manual-blacklist a.b.c.d
 set_name="manual-blacklist"
 if ! ipset list | grep -q "Name: ${set_name}"; then
    ipset create "${set_name}" hash:net
 fi
-iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
-iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -j DROP
+link_set("${blocklist_chain_name}", "${blocklist_chain_name}", "$3")
                                                                      
-# now process the dynamic blacklists
+# download and process the dynamic blacklists
 for url in $urls; do
    # initialize temp files
    unsorted_blocklist=$(mktemp)
@@ -168,12 +176,7 @@ for url in $urls; do
    # actually execute the set update
    ipset -! -q restore < "${new_set_file}"
    
-    if [ "$1" = "log" ]; then
-        iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src -m limit --limit 10/minute -j LOG --log-prefix "BLOCK src ${set_name} "
-        iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK dst ${set_name} "
-    fi
-    iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src -j DROP
-    iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" dst -j DROP
+    link_set("${blocklist_chain_name}", "${blocklist_chain_name}", "$3")

    # clean up temp files
    rm "${unsorted_blocklist}" "${sorted_blocklist}" "${new_set_file}" "${headers}"