From e4bc132f20a91d490f6a15eabb3ed8ee7779e507 Mon Sep 17 00:00:00 2001
From: Pawel Krawczyk
Date: Wed, 1 Oct 2014 12:14:38 +0100
Subject: [PATCH] initial version
---
firewall.user | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 firewall.user
diff --git a/firewall.user b/firewall.user
new file mode 100644
index 0000000..3c7b922
--- /dev/null
+++ b/firewall.user
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+# IP blacklisting script for OpenWRT routers
+# Pawel Krawczyk https://keybase.io/kravietz
+#
+# This script should be *only* used on OpenWRT as it relies on uci configuration framework
+# specific to these routers.
+#
+# This file should be installed as /etc/firewall.user and then updated from crontab:
+#
+# 01 01 * * * sh /etc/firewall.user
+#
+
+# Emerging Threats lists offensive IPs such as botnet command servers
+urls="http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
+# Bogons lists IP addresses that should never appear on public Internet
+# including RFC 1918 networks - this is why this script blocks packets only
+# on WAN interface of an OpenWRT router
+urls="$urls http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"
+# Blocklist.de collects reports from fail2ban probes, listing password brute-forces, scanners and other offenders
+urls="$urls https://www.blocklist.de/downloads/export-ips_all.txt"
+
+blocklist_chain_name=blocklists
+
+if [ ! -x /usr/sbin/ipset ]; then
+ echo "Cannot find ipset"
+ echo "Run: opkg update && opkg install ipset"
+ exit 1
+fi
+
+# create main blocklists chain
+if ! iptables -L ${blocklist_chain_name}; then iptables -N ${blocklist_chain_name}; fi
+
+# inject references to blocklist in the beginning of input and forward chains
+if ! iptables -L input|grep -q ${blocklist_chain_name}; then
+ iptables -I input 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
+fi
+if ! iptables -L forward|grep -q ${blocklist_chain_name}; then
+ iptables -I forward 1 -m state --state NEW,RELATED -j ${blocklist_chain_name}
+fi
+
+wan_iface=$(uci get network.wan.ifname)
+if [ -z "$wan_iface" ]; then
+ echo "Cannot determine WAN interface"
+ exit 1
+fi
+
+iptables -F ${blocklist_chain_name}
+
+for url in $urls; do
+ tmp=$(mktemp)
+ tmp2=$(mktemp)
+ set_name=$(basename $url)
+ curl --compressed -k "$url" >"$tmp"
+ sort -u <"$tmp" | egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >"$tmp2"
+ ipset -! create ${set_name} hash:net
+ while read line; do
+ ipset add ${set_name} "$line"
+ done <"$tmp2"
+ iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
+ iptables -A ${blocklist_chain_name} -i "${wan_iface}" -m set --match-set "${set_name}" src,dst -j DROP
+ echo ${set_name} $(ipset list ${set_name} | wc -l)
+done
+
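Review bot: The feed download inside the `for url` loop runs `curl --compressed -k "$url"`, so certificate verification is disabled for the blocklist.de HTTPS feed, and the Emerging Threats and Team Cymru feeds are fetched over plain HTTP; because every entry is later matched as `src,dst` and dropped on the WAN interface, anyone who can tamper with the download can get arbitrary addresses (upstream DNS, update servers, any site) blocked on this router. curl's exit status is also never checked, so a failed, truncated or error-page response is processed exactly like a real list. I would drop `-k`, move the two HTTP URLs to `https://` where the publishers serve it, and skip the set when the fetch fails: `curl --compressed -fsS "$url" >"$tmp" || { rm -f "$tmp" "$tmp2"; continue; }`. Separately, the `egrep` filter only accepts bare dotted quads, so CIDR entries (which the fullbogons feed appears to consist of) never reach the `hash:net` set, the set is never flushed so entries removed from a feed stay blocked indefinitely, and `$tmp`/`$tmp2` are never deleted, leaking two files in /tmp per feed on every cron run.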