#!/bin/sh

# IP blacklisting script for OpenWRT routers
# Pawel Krawczyk https://keybase.io/kravietz
#
# This script should be *only* used on OpenWRT as it relies on uci configuration framework
# specific to these routers. 
#
# This file should be installed as /etc/firewall.user and then updated from crontab:
#
# 01 01 * * * sh /etc/firewall.user
#

# Emerging Threats lists offensive IPs such as botnet command servers
urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
# Bogons lists IP addresses that should never appear on public Internet
# including RFC 1918 networks - this is why this script blocks packets only
# on WAN interface of an OpenWRT router
urls="$urls http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"
# Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"

blocklist_chain_name=blocklists

if [ ! -x /usr/sbin/ipset ]; then
    echo "Cannot find ipset"
    echo "Run: opkg update && opkg install ipset"
    exit 1
fi
if [ ! -x /usr/bin/curl ]; then
    echo "Cannot find curl"
    echo "Run: opkg update && opkg install curl"
    exit 1
fi

# create main blocklists chain
if ! iptables -L ${blocklist_chain_name}; then iptables -N ${blocklist_chain_name}; fi

# inject references to blocklist in the beginning of input and forward chains
if ! iptables -L input_rule | grep -q ${blocklist_chain_name}; then
  iptables -I input_rule 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
fi
if ! iptables -L forwarding_rule | grep -q ${blocklist_chain_name}; then
  iptables -I forwarding_rule 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
fi                                                                 

wan_iface=$(uci get network.wan.ifname)
if [ -z "$wan_iface" ]; then
    echo "Cannot determine WAN interface"
    exit 1
fi

iptables -F ${blocklist_chain_name}
                                                                      
for url in $urls; do
    tmp=$(mktemp)
    tmp2=$(mktemp)
    set_name=$(basename $url)
    curl -s -k "$url" >"$tmp"
    sort -u <"$tmp" | egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >"$tmp2"
    ipset -! create ${set_name} hash:net
    while read line; do
        ipset -! add ${set_name} "$line"
    done <"$tmp2"
    iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
    iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -j DROP
    echo ${set_name} $(ipset list ${set_name} | wc -l)
done