OpenWRT /etc/firewall.user
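#!/bin/sh
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
#
# What this file does: builds a set of logging/dropping chains and ipset
# lists (bogons, geo zones, DoD, data-centre, Tor exit and attack feeds,
# plus local white/black/custom lists), hooks them into the OpenWrt user
# chains, and re-downloads the feed-based lists on every (re)start.
# Progress is printed to stdout, which is pointed at the serial console
# below; firewall_log additionally copies its messages to syslog.

# Send progress output to the serial console.  Only redirect when the device
# is actually writable: a failed "exec >" redirection is fatal in a
# non-interactive POSIX shell, which would abort the whole ruleset load.
if [ -w /dev/ttyS0 ]; then
  exec >/dev/ttyS0
fi
. /lib/functions/network.sh
network_get_ipaddr wan_ip wan
# wan_dns is resolved here but not referenced anywhere else in this file.
network_get_dnsserver wan_dns wan
# set the db path here leave out the trailing slash
_dbpath="/etc/ipset"
# set ulogd path here (check ulogd.conf)
_ulogdpath="/var/log"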
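#######################################
# Test whether an iptables chain exists.
# Arguments: $1 - chain name
#            $2 - table (optional; iptables' own default, filter, otherwise)
# Returns:   1 on bad usage; otherwise the status of "iptables --list",
#            i.e. 0 when the chain can be listed, non-zero when it cannot.
# Not called anywhere else in this file at present.
#######################################
chain_exists() {
  if [ $# -lt 1 ] || [ $# -gt 2 ]; then
    echo "Usage: chain_exists <chain_name> [table]" >&2
    return 1
  fi
  local chain_name="$1"
  # The table has to reach iptables as two separate words.  The earlier
  # "$table" expansion handed it a single "--table NAME" argument (or an
  # empty argument when no table was given), which iptables rejects, so the
  # function could never report an existing chain.
  if [ $# -eq 2 ]; then
    iptables --table "$2" -n --list "$chain_name" >/dev/null 2>&1
  else
    iptables -n --list "$chain_name" >/dev/null 2>&1
  fi
}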
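#######################################
# Log a message to syslog (tag firewall.user) and echo it on stdout, which
# the exec at the top of this file redirects to the serial console.
# Arguments: $1 - message text
# Outputs:   the message plus a newline on stdout
#######################################
firewall_log() {
  logger -t firewall.user "$1"
  # '%s' keeps the message out of printf's format string: with the previous
  # printf "$1", a '%' in the text (or in a value the caller interpolated,
  # e.g. the WAN address) was interpreted as a conversion.  The newline keeps
  # the next progress line from being glued onto this one.
  printf '%s\n' "$1"
}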
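# Resolve the ipset binary once; "command -v" is a shell builtin, whereas
# "which" is a separate program that a minimal busybox image may not ship.
# An empty result makes the "[ -f "$IPSET" ]" checks further down skip all
# set handling.
IPSET=$(command -v ipset)
# Clear the kernel ring buffer (output discarded) — presumably so that the
# kernel log only shows what this run produces; confirm that is the intent.
dmesg -c 1>/dev/null 2>/dev/null
firewall_log " * WAN IP: $wan_ip"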
## Test internet connection and make sure we are online | |
#while true; do | |
# printf ' * INTERNET TEST\t\t\t\t' | |
# wget -q --spider http://google.com | |
# if [ $? -eq 0 ]; then | |
# printf '[ OK ]\n' | |
# break | |
# else | |
# printf '[FAILED]\n'; sleep 5; | |
# fi | |
#done | |
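## Restart ulogd and rotate logs
if [ -f "/etc/init.d/ulogd" ]; then
  printf ' * RESTARTING ULOGD\t\t\t\t'
  /etc/init.d/ulogd stop 2> /dev/null
  # Archive the current JSON log under a timestamped name and remove it so
  # ulogd starts a fresh file.  Done in a subshell so the cd does not leak
  # into the rest of the script, and so a missing log directory skips the
  # archive/remove steps instead of running them in the current directory.
  # NOTE(review): one archive per (re)start accumulates in $_ulogdpath, which
  # is RAM-backed on typical OpenWrt builds; nothing here prunes old ones.
  (
    cd "$_ulogdpath" || exit 1
    timestamp=$(date +%s)
    tar c -zf "ulogd_$timestamp.tar.gz" "ulogd.json" 2> /dev/null
    rm -f ulogd.json
  )
  /etc/init.d/ulogd start
  # The previous one-liner had "then printf '[ OK ]' else printf '[FAILED]'"
  # on a single line, which made "else" an argument of the first printf, so
  # the failure branch never ran.
  # NOTE(review): pgrep -x compares the process *name*; whether a full path
  # matches depends on the pgrep implementation — confirm on the target.
  if pgrep -x "/usr/sbin/ulogd" > /dev/null; then
    printf '[ OK ]\n'
  else
    printf '[FAILED]\n'
  fi
fi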
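## Create chains for logging packets
printf ' * CREATING NEEDED CHAINS\t\t\t'
# Create chain $1 if it does not exist yet (the -N error for an existing
# chain is discarded) and empty it, so every (re)load rebuilds its rules
# from scratch.
_reset_chain() {
  iptables -N "$1" 2> /dev/null
  iptables -F "$1"
}
# Each chain logs through NFLOG (presumably collected by ulogd, which this
# file restarts above) and then decides.  Rules are inserted at ascending
# positions into a freshly flushed chain, so "-I CHAIN n" equals appending.
_reset_chain BOGONS
iptables -I BOGONS 1 -p tcp -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "BOGONS"
iptables -I BOGONS 2 -p udp -j DROP
iptables -I BOGONS 3 -p tcp -j DROP
iptables -I BOGONS 4 -j DROP
_reset_chain WHITELIST
iptables -I WHITELIST 1 -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "WHITELIST"
iptables -A WHITELIST -j ACCEPT
_reset_chain BLACKLIST
# NOTE(review): the two NFLOG rules below match on the BLACKLIST ipset, which
# this file only creates in the ipset section further down.  On a run where
# the set does not exist yet (e.g. first load after boot) both inserts fail
# and the 2>/dev/null hides it, leaving BLACKLIST hits unlogged until the
# next reload — consider moving them after the set is created.
iptables -I BLACKLIST 1 -m set --match-set BLACKLIST src -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "BLACKLIST-SRC" 2> /dev/null
iptables -I BLACKLIST 2 -m set --match-set BLACKLIST dst -j NFLOG --nflog-prefix "BLACKLIST-DST" 2> /dev/null
iptables -A BLACKLIST -j DROP
_reset_chain DOD
iptables -I DOD 1 -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "DOD"
iptables -A DOD -j DROP
# Zone chains: log new TCP, hand UDP back to the caller, accept the rest.
_reset_chain CA_ZONE
iptables -I CA_ZONE 1 -p tcp -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "CA_ZONE"
iptables -I CA_ZONE 2 -p udp -j RETURN
iptables -I CA_ZONE 3 -j ACCEPT
_reset_chain US_ZONE
iptables -I US_ZONE 1 -p tcp -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "US_ZONE"
iptables -I US_ZONE 2 -p udp -j RETURN
iptables -I US_ZONE 3 -j ACCEPT
_reset_chain TOREXIT
iptables -I TOREXIT 1 -j NFLOG --nflog-prefix "TOREXIT"
iptables -I TOREXIT 2 -j DROP
_reset_chain normshield_high_attack
iptables -I normshield_high_attack 1 -j NFLOG --nflog-prefix "normshield_high_attack"
iptables -I normshield_high_attack 2 -j DROP
_reset_chain CSFLFD
iptables -I CSFLFD 1 -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "CSFLFD"
iptables -A CSFLFD -j DROP
_reset_chain DATACENTER
iptables -I DATACENTER 1 -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "DATACENTER"
iptables -A DATACENTER -j DROP
_reset_chain CUSTOMLIST
iptables -I CUSTOMLIST 1 -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "CUSTOMLIST"
iptables -A CUSTOMLIST -j DROP
# Generic drop target; ICMP gets its own log prefix.
_reset_chain LOGDROP
iptables -I LOGDROP 1 -p icmp -j NFLOG --nflog-prefix "ICMP"
iptables -I LOGDROP 2 -j DROP
printf '[ OK ]\n'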
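## IPSET RULES
printf ' * PREPING IPSET\t\t\t\t'
# Create set $1 as hash:net (inet, 16k buckets, 128k entries) unless it
# already exists (-exist); the remaining arguments go to "ipset create"
# verbatim, e.g. "timeout 3600 comment".  A set-level "timeout 0" makes
# entries permanent unless an individual add gives its own timeout (the nat
# rules further down rely on that for WHITELIST/BLACKLIST).
_create_net_set() {
  local _name="$1"; shift
  ipset create "$_name" -exist hash:net family inet hashsize 16384 maxelem 131072 "$@"
}
if [ ! -f "$IPSET" ]; then
  # ipset binary not found (IPSET is resolved near the top of the file)
  printf '[FAILED]\n'
else
  # Sets are created idempotently and then emptied, so every reload starts
  # from clean lists; BLACKLIST and CSFLFD entries expire after an hour by
  # default, everything else is permanent.
  _create_net_set BOGONS timeout 0
  _create_net_set WHITELIST timeout 0 comment
  _create_net_set BLACKLIST timeout 3600 comment
  _create_net_set DATACENTER timeout 0
  _create_net_set CSFLFD timeout 3600 comment
  _create_net_set CUSTOMLIST timeout 0 comment
  _create_net_set DOD timeout 0
  _create_net_set CA_ZONE timeout 0
  _create_net_set US_ZONE timeout 0
  _create_net_set TOREXIT timeout 0
  _create_net_set normshield_high_attack timeout 0
  # Port sets consulted by the nat-table rules further down.
  for _set in wl-tcp-ports wl-udp-ports bl-tcp-ports bl-udp-ports; do
    ipset create "$_set" -exist bitmap:port range 0-65535
  done
  for _set in BOGONS WHITELIST BLACKLIST DATACENTER CSFLFD CUSTOMLIST DOD \
      CA_ZONE US_ZONE TOREXIT normshield_high_attack \
      wl-tcp-ports wl-udp-ports bl-tcp-ports bl-udp-ports; do
    ipset flush "$_set"
  done
  # wl-* ports: new connections to these never trigger blacklisting.
  ipset add wl-tcp-ports -exist 53 ## DNS
  ipset add wl-tcp-ports -exist 27015 ## Steam Servers
  ipset add wl-udp-ports -exist 53 ## DNS
  ipset add wl-udp-ports -exist 27015 ## Steam Servers
  # bl-* ports: a new connection to any of these blacklists the source.
  ipset add bl-tcp-ports -exist 21 ## File Transfer Protocol (FTP)
  ipset add bl-tcp-ports -exist 22 ## Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding
  ipset add bl-tcp-ports -exist 23 ## Telnet protocol unencrypted text communications
  ipset add bl-tcp-ports -exist 88 ## Kerberos authentication system
  ipset add bl-tcp-ports -exist 445 ## SMB Windows Shares
  ipset add bl-tcp-ports -exist 1080 ## Socks Proxy
  ipset add bl-tcp-ports -exist 1433 ## Microsoft SQL Server database management system (MSSQL) server
  ipset add bl-tcp-ports -exist 2323 ## TELNET-ALT
  ipset add bl-tcp-ports -exist 3306 ## MySQL database system
  ipset add bl-tcp-ports -exist 3389 ## Microsoft Terminal Server (RDP)
  ipset add bl-tcp-ports -exist 5060 ## Session Initiation Protocol (SIP)
  ipset add bl-tcp-ports -exist 5061 ## Session Initiation Protocol (SIP) over TLS
  ipset add bl-tcp-ports -exist 5900 ## Virtual Network Computing (VNC) Remote Frame Buffer RFB protocol
  ipset add bl-udp-ports -exist 69 ## Trivial File Transfer Protocol (TFTP)
  ipset add bl-udp-ports -exist 123 ## Network Time Protocol (NTP)
  ipset add bl-udp-ports -exist 135 ## Microsoft RPC endpoint mapper
  ipset add bl-udp-ports -exist 137 ## NetBIOS Name Service
  ipset add bl-udp-ports -exist 138 ## NetBIOS Datagram Service
  ipset add bl-udp-ports -exist 139 ## NetBIOS Session Service
  ipset add bl-udp-ports -exist 445 ## SMB Windows Shares
  ipset add bl-udp-ports -exist 1434 ## MSSQL
  ipset add bl-udp-ports -exist 5060 ## Session Initiation Protocol (SIP)
  printf '[ OK ]\n'
fi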
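## Configure in from wan (WAN => ???)
printf ' * ADDING RULES\t\t\t\t'
iptables -N ipset_wan_input 2> /dev/null
iptables -F ipset_wan_input
# Hook the chain from input_wan_rule only when the WAN address is known: with
# an empty $wan_ip the "-d" match is rejected by iptables and the 2>/dev/null
# would hide that, silently leaving every rule in this chain unused.  The
# address is read once at the top of the file, so the match only follows an
# address change at the next firewall reload.  Inserting without flushing
# relies on uci recreating input_wan_rule on reload (see header comment).
if [ -n "$wan_ip" ]; then
  iptables -I input_wan_rule 1 -d "$wan_ip" -j ipset_wan_input 2> /dev/null
else
  printf '\n'
  firewall_log ' ! WAN IP unknown, ipset_wan_input not hooked into input_wan_rule'
fi
# Order matters: bogons first, then ICMP echo limited to the geo zones, then
# non-SYN TCP returns (only new connections are classified), then whitelist
# before any block list, and a final catch-all drop for unmatched SYNs.
# NOTE(review): the CA_ZONE/US_ZONE chains end in ACCEPT, so positions 12-13
# admit new TCP to the router itself from any address in those sets that no
# earlier rule caught; confirm that is intended for the INPUT path and not
# only for forwarding.
iptables -I ipset_wan_input 1 -m set --match-set BOGONS src -j BOGONS 2> /dev/null
iptables -I ipset_wan_input 2 -p icmp -m icmp --icmp-type 8 \
  -m set ! --match-set CA_ZONE src -m set ! --match-set US_ZONE src -j LOGDROP 2> /dev/null
iptables -I ipset_wan_input 3 -p tcp ! --tcp-flags SYN,ACK,FIN,RST SYN -j RETURN 2> /dev/null
iptables -I ipset_wan_input 4 -m set --match-set WHITELIST src -j WHITELIST 2> /dev/null
iptables -I ipset_wan_input 5 -m set --match-set BLACKLIST src -j BLACKLIST 2> /dev/null
iptables -I ipset_wan_input 6 -m set --match-set DOD src -j DOD 2> /dev/null
iptables -I ipset_wan_input 7 -m set --match-set DATACENTER src -j DATACENTER 2> /dev/null
iptables -I ipset_wan_input 8 -m set --match-set CSFLFD src -j CSFLFD 2> /dev/null
iptables -I ipset_wan_input 9 -m set --match-set CUSTOMLIST src -j CUSTOMLIST 2> /dev/null
iptables -I ipset_wan_input 10 -m set --match-set TOREXIT src -j TOREXIT 2> /dev/null
iptables -I ipset_wan_input 11 -m set --match-set normshield_high_attack src -j normshield_high_attack 2> /dev/null
iptables -I ipset_wan_input 12 -m set --match-set CA_ZONE src -j CA_ZONE 2> /dev/null
iptables -I ipset_wan_input 13 -m set --match-set US_ZONE src -j US_ZONE 2> /dev/null
iptables -I ipset_wan_input 14 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j LOGDROP 2> /dev/null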
## nat-table PREROUTING: classify new WAN connections by destination port.
iptables -t nat -N wan_rule_tcp_syn 2> /dev/null
iptables -t nat -F wan_rule_tcp_syn
iptables -t nat -N wan_rule_udp 2> /dev/null
iptables -t nat -F wan_rule_udp
iptables -t nat -F prerouting_wan_rule 2> /dev/null
iptables -t nat -I prerouting_wan_rule 1 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j wan_rule_tcp_syn 2> /dev/null
iptables -t nat -I prerouting_wan_rule 2 -p udp -j wan_rule_udp 2> /dev/null
#iptables -t nat -I wan_rule_tcp_syn 1 -j LOG --log-prefix "wan_rule_tcp_syn "
# A new TCP connection to port 55023 from a CA_ZONE address puts the source
# into WHITELIST for 120 s (--exist refreshes an entry that is already there).
iptables -t nat -I wan_rule_tcp_syn 1 -p tcp -m tcp -m set --match-set CA_ZONE src --dport 55023 -m conntrack --ctstate NEW \
  -j SET --add-set WHITELIST src --timeout 120 --exist
# NOTE(review): ACCEPT in the nat table ends PREROUTING processing for the
# packet, so a later DNAT/redirect rule will not see it; the UDP counterpart
# below uses RETURN — confirm which behaviour is intended.
iptables -t nat -I wan_rule_tcp_syn 2 -p tcp -m tcp -m set --match-set wl-tcp-ports dst -j ACCEPT
# A new connection to a bl-* port adds the source to BLACKLIST; no --timeout
# is given, so the set's default of 3600 s (see its create line) applies.
# Because a bare SYN is enough to trigger this, the source address is taken
# on trust: spoofed SYNs can land third-party addresses in BLACKLIST.  The
# same applies to the zone_wan_prerouting rule at the end of this section.
iptables -t nat -I wan_rule_tcp_syn 3 -p tcp -m tcp -m set --match-set bl-tcp-ports dst -j SET --add-set BLACKLIST src
iptables -t nat -I wan_rule_udp 1 -p udp -m udp -m set --match-set wl-udp-ports dst -j RETURN
iptables -t nat -I wan_rule_udp 2 -p udp -m udp -m set --match-set bl-udp-ports dst -j SET --add-set BLACKLIST src
## Configure accept ulogd json
#iptables -t nat -I zone_wan_prerouting 2 -p tcp -m tcp --dport 9999 -j REDIRECT --to-ports 9999 2> /dev/null
## Block anything that does not match a forward if not on whitelist
# Appended to zone_wan_prerouting, i.e. after whatever is already in that
# chain when this file runs: any other new TCP connection from a source that
# is not in WHITELIST blacklists that source for an hour.
iptables -t nat -A zone_wan_prerouting -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -m set ! --match-set WHITELIST src \
  -j SET --add-set BLACKLIST src --timeout 3600 --exist 2> /dev/null
## Configure in from wan towards lan (WAN => LAN)
iptables -F forwarding_wan_rule 2> /dev/null
# LOG (kernel log, not NFLOG) for every forwarded TCP packet from WAN — there
# is no conntrack match here, so this is per packet, not per connection, and
# correspondingly verbose.
iptables -I forwarding_wan_rule 1 -p tcp -j LOG --log-prefix "forwarding_wan_rule " 2> /dev/null
iptables -N ipset_wan_forwarding 2> /dev/null
iptables -I forwarding_wan_rule 2 -j ipset_wan_forwarding
iptables -F ipset_wan_forwarding
# Same source classification as ipset_wan_input: bogons, then non-SYN TCP
# returns early (only new connections are classified), whitelist before any
# block list, geo zones last.
iptables -I ipset_wan_forwarding 1 -m set --match-set BOGONS src -j BOGONS 2> /dev/null
iptables -I ipset_wan_forwarding 2 -p tcp ! --tcp-flags SYN,ACK,FIN,RST SYN -j RETURN 2> /dev/null
iptables -I ipset_wan_forwarding 3 -m set --match-set WHITELIST src -j WHITELIST 2> /dev/null
iptables -I ipset_wan_forwarding 4 -m set --match-set BLACKLIST src -j BLACKLIST 2> /dev/null
iptables -I ipset_wan_forwarding 5 -m set --match-set DOD src -j DOD 2> /dev/null
iptables -I ipset_wan_forwarding 6 -m set --match-set DATACENTER src -j DATACENTER 2> /dev/null
iptables -I ipset_wan_forwarding 7 -m set --match-set CSFLFD src -j CSFLFD 2> /dev/null
iptables -I ipset_wan_forwarding 8 -m set --match-set CUSTOMLIST src -j CUSTOMLIST 2> /dev/null
iptables -I ipset_wan_forwarding 9 -m set --match-set TOREXIT src -j TOREXIT 2> /dev/null
iptables -I ipset_wan_forwarding 10 -m set --match-set normshield_high_attack src -j normshield_high_attack 2> /dev/null
iptables -I ipset_wan_forwarding 11 -m set --match-set CA_ZONE src -j CA_ZONE 2> /dev/null
iptables -I ipset_wan_forwarding 12 -m set --match-set US_ZONE src -j US_ZONE 2> /dev/null
# Anything still unmatched: a new TCP connection from a source outside every
# set above is blacklisted for an hour and dropped.
iptables -I ipset_wan_forwarding 13 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j SET --add-set BLACKLIST src --timeout 3600 --exist 2> /dev/null
iptables -I ipset_wan_forwarding 14 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP 2> /dev/null
## Configure out to wan output chain to match rulesets (LAN => WAN)
# Note this flushes forwarding_lan_rule entirely before adding the jump.
iptables -F forwarding_lan_rule 2> /dev/null
iptables -N ipset_wan_output 2> /dev/null
iptables -I forwarding_lan_rule 1 -j ipset_wan_output
iptables -F ipset_wan_output
# Outbound by destination: DOD destinations are logged and dropped;
# BLACKLIST destinations go through the BLACKLIST chain (logged with the
# BLACKLIST-DST prefix, then dropped); CSFLFD destinations are only logged.
iptables -I ipset_wan_output 1 -m set --match-set DOD dst -j NFLOG --nflog-prefix "DOD" 2> /dev/null
iptables -I ipset_wan_output 2 -m set --match-set DOD dst -j DROP 2> /dev/null
iptables -I ipset_wan_output 3 -m set --match-set BLACKLIST dst -j BLACKLIST 2> /dev/null
iptables -I ipset_wan_output 4 -m set --match-set CSFLFD dst -j NFLOG --nflog-prefix "CSFLFD" 2> /dev/null
## Use for debugging?
#iptables -I ipset_wan_output -j LOG --log-prefix "ipset_wan_output "
printf '[ OK ]\n'
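## Start Building Whitelist? (if does not exist)
# Create the db directory first: if it is missing, every "$_dbpath" list
# below would otherwise be silently reported as "not found".
mkdir -p "$_dbpath"
# Seeded only once; later edits by the administrator are preserved.
# These private and link-local ranges are whitelisted as *sources* on the WAN
# side.  Spoofed packets carrying such sources are only dropped if the bogons
# feed lists them, since the BOGONS rule sits ahead of WHITELIST in both
# ipset chains.
if [ ! -f "$_dbpath/whitelist.ipset" ]; then
  cat > "$_dbpath/whitelist.ipset" <<- EOM
10.0.0.0/8 # Local LAN Range
172.16.0.0/12 # Local LAN Range
192.168.0.0/16 # Local LAN Range
169.254.0.0/16 # Link Local Range
EOM
fi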
## Start Building DOD List
# Rewritten on every run (unlike the whitelist above, which is only seeded
# once), so local edits to defense.ipset do not survive a reload.  The MD5
# check further down is computed over this file, so changing these entries
# also means updating that digest.  The /8 attributions are the author's;
# they are not validated here.
cat > "$_dbpath/defense.ipset" <<- EOM
6.0.0.0/8 # Army Information Systems Center
7.0.0.0/8 # DoD Network Information Center
11.0.0.0/8 # DoD Intel Information Systems
21.0.0.0/8 # DDN-RVN
22.0.0.0/8 # Defense Information Systems Agency
25.0.0.0/8 # UK Ministry of Defence
26.0.0.0/8 # Defense Information Systems Agency
28.0.0.0/8 # DSI-North
29.0.0.0/8 # Defense Information Systems Agency
30.0.0.0/8 # Defense Information Systems Agency
33.0.0.0/8 # DLA Systems Automation Center
55.0.0.0/8 # DoD Network Information Center
214.0.0.0/8 # US-DOD
215.0.0.0/8 # US-DOD
EOM
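## Create Custom List
if [ ! -f "$_dbpath/custom.ipset" ]; then
  : > "$_dbpath/custom.ipset"
fi
## Section to grab cloud hosted sets go here
## Remove Windows CR (0d in hex) from the db files
# Applied to all three hand-maintained files, not just defense.ipset: a CR
# left on a line of whitelist/custom.ipset would be read as part of the
# address and make the ipset add fail.
for _db in defense whitelist custom; do
  [ -f "$_dbpath/$_db.ipset" ] && sed -i 's/\r//g' "$_dbpath/$_db.ipset"
done
## Verify MD5 Hashes
# The expected digest is that of the defense.ipset heredoc written above, so
# this only detects the heredoc and this digest drifting apart; it is not a
# defence against someone who can edit this file (they can update both).
# The checksum list goes into a private temp file instead of a fixed name
# in /tmp.
printf ' * Verifying Database MD5\t\t\t'
_sums=$(mktemp) || _sums=/tmp/checksums.md5
echo "ae65d7fe73f3f16280baf0d399864632 $_dbpath/defense.ipset" > "$_sums"
if md5sum -cs "$_sums"; then
  printf '[ OK ]\n'
else
  printf '[FAILED]\n'
fi
rm -f "$_sums"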
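## ---------------------------------------------------------------------------
## Set loading.  Downloaded lists are reduced to one "a.b.c.d[/n]" entry per
## line before they reach "ipset restore", so a truncated, mis-served or
## tampered feed cannot hand stray tokens to ipset; anything that is not an
## IPv4 address/prefix is discarded.  Hand-maintained files under $_dbpath
## are read one entry per line (first word; trailing "# comment" allowed).
## All sets were flushed in the ipset section above, so a list that fails to
## load leaves its set EMPTY until the next reload: the block lists then fail
## open, while CA_ZONE/US_ZONE (which gate ICMP echo and the zone ACCEPTs)
## fail closed.
## ---------------------------------------------------------------------------

# Filter stdin down to well-formed IPv4 addresses / CIDR prefixes, one per
# line; "# ..." comments and surrounding whitespace are stripped first.
# The previous filter used "\d", which is not POSIX ERE: it works with musl's
# regex (busybox grep on OpenWrt) but matches a literal "d" with GNU grep, so
# the portable [0-9] form is used here.
_only_ipv4_cidr() {
  sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# Print the " Count 'N'" footer for set $1, N taken from "ipset list -t".
_report_count() {
  printf " Count '%s'\\n" "$(ipset list -t "$1" | awk '/Number of/ {print $4}')"
}

# Bulk-load file $3 (already filtered, one entry per line) into set $1 with
# "ipset restore", then delete the file.  $2 is the label printed on the
# console.  Prints a skip message and returns 1 if the file is missing or
# empty (e.g. the download failed), so the set stays empty.
_restore_set() {
  local _name="$1" _label="$2" _file="$3"
  if [ ! -s "$_file" ]; then
    printf " * Ruleset '%s'\\n ! Skipping due to %s not found or empty.\\n" "$_label" "$_file"
    rm -f "$_file"
    return 1
  fi
  printf " * Ruleset '%s'" "$_label"
  sed -i -e "s/^/add $_name /" -e 's/$/ timeout 0/' "$_file"
  ipset restore -f "$_file"
  rm -f "$_file"
  _report_count "$_name"
}

# Download $3, keep only IPv4/CIDR lines and bulk-load them into set $1
# ($2 is the console label).  The feed content itself is trusted as
# delivered — there is no signature or pinning — the filter only guarantees
# that each line is syntactically an address.
_fetch_set() {
  local _name="$1" _label="$2" _url="$3" _file
  _file=$(mktemp) || {
    printf " * Ruleset '%s'\\n ! Skipping: mktemp failed.\\n" "$_label"
    return 1
  }
  wget -qO - "$_url" | _only_ipv4_cidr > "$_file"
  _restore_set "$_name" "$_label" "$_file"
}

# Add the first word of every line of file $3 to set $1 with "ipset add
# -exist"; blank lines and lines starting with "#" are skipped.  $2 is the
# console label.  Returns 1 (with a skip message) if the file is missing.
_add_set_from_file() {
  local _name="$1" _label="$2" _file="$3" _ip _rest
  if [ ! -f "$_file" ]; then
    printf " * Ruleset '%s'\\n ! Skipping due to %s not found.\\n" "$_label" "$_file"
    return 1
  fi
  printf " * Ruleset '%s'" "$_label"
  # "|| [ -n ... ]" also handles a last line without a trailing newline.
  while read -r _ip _rest || [ -n "$_ip" ]; do
    case "$_ip" in
      ''|'#'*) continue ;;
    esac
    ipset add "$_name" -exist "$_ip"
  done <"$_file"
  _report_count "$_name"
}

## BOGON IPs
_fetch_set BOGONS bogons "https://www.countryipblocks.net/bogons/cidr_ipv4_bogons.txt"
## WHITELIST IPs
_add_set_from_file WHITELIST whitelist "$_dbpath/whitelist.ipset"
## CUSTOM ADDED IPs
_add_set_from_file CUSTOMLIST custom "$_dbpath/custom.ipset"
## Dept of Defense IPs
_add_set_from_file DOD dod "$_dbpath/defense.ipset"
## DATACENTER IPs
_fetch_set DATACENTER datacenter "https://iplists.firehol.org/files/datacenters.netset"
## TOR EXIT IPs
_fetch_set TOREXIT tor_exit "https://iplists.firehol.org/files/tor_exits_7d.ipset"
## High Attack IPs
_fetch_set normshield_high_attack normshield_high_attack "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/normshield_high_attack.ipset"
## CA ZONE / US ZONE IPs
# NOTE(review): these two are fetched over plain http, so an on-path party
# could rewrite the geo lists that gate ICMP echo and the zone ACCEPT rules;
# switch to https if the host offers it.
_fetch_set CA_ZONE ca_zone "http://ipdeny.com/ipblocks/data/aggregated/ca-aggregated.zone"
_fetch_set US_ZONE us_zone "http://ipdeny.com/ipblocks/data/aggregated/us-aggregated.zone"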
# Final marker, on the console and in syslog via firewall_log.
firewall_log ' * Done Loading!'