NEW FIREWALL
#!/bin/sh
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# OpenWrt network helpers; provide network_get_ipaddr / network_get_dnsserver.
. /lib/functions/network.sh
# wan_ip gates the whole script (the "networking is ready" check below) and
# is the destination match for the WAN input chain.
network_get_ipaddr wan_ip wan
# wan_dns is looked up but not referenced anywhere else in this file.
network_get_dnsserver wan_dns wan
# set the db path here leave out the trailing slash
# NOTE(review): _dbpath is not referenced again in this file.
_dbpath="/etc/ipset"
# set ulogd path here (check ulogd.conf)
_ulogdpath="/var/log"
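#######################################
# Test whether an iptables chain exists.
# Arguments: $1 - chain name
#            $2 - table (optional, defaults to iptables' own default, filter)
# Outputs:   usage text on stderr when called with the wrong argument count
# Returns:   0 if the chain exists, non-zero otherwise (iptables' status)
#######################################
chain_exists()
{
  if [ $# -lt 1 ] || [ $# -gt 2 ]; then
    echo "Usage: chain_exists <chain_name> [table]" >&2
    return 1
  fi
  local chain_name="$1"
  local table="${2:-filter}"
  # --table and its value are passed as two words.  The original built
  # "--table NAME" as one quoted argument (and an empty argument when no
  # table was given), neither of which iptables accepts.
  iptables --table "$table" -n --list "$chain_name" >/dev/null 2>&1
}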
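#######################################
# Log a message to syslog, stdout and (when present) the serial console.
# Arguments: $1 - message text
# Outputs:   the message, surrounded by blank lines, on stdout and /dev/ttyS1
# Returns:   0
#######################################
firewall_log()
{
  local msg="$1"
  logger -t firewall.user "$msg"
  # '%s' keeps a message containing '%' or backslashes from being
  # interpreted as a printf format string.
  printf '\n%s\n' "$msg"
  # The serial console is optional; do not fail when it is absent.
  [ -w /dev/ttyS1 ] && printf '\n%s\n' "$msg" > /dev/ttyS1
  return 0
}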
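# Path of the ipset binary; empty when it is not installed (tested later).
# 'command -v' is the POSIX spelling, 'which' is not guaranteed on busybox.
IPSET=$(command -v ipset)
# Check if networking is ready
if [ -z "$wan_ip" ]; then
  firewall_log ' *** USER FIREWALL NO WAN'
  exit 0
else
  firewall_log " * WAN IP: $wan_ip"
fi
## Test internet/dns and make sure we are online
printf ' * DNS TEST\n'
# The probe is currently disabled; re-enable the wget line to make the test
# real.  Testing the probe's own status (instead of a stale $? left by the
# printf above) is what keeps [ OK ] from being printed unconditionally.
dns_probe()
{
  #wget --spider http://google.com --timeout=5 --tries=2
  return 0
}
if dns_probe; then
  printf '\n[ OK ]\n'
else
  printf '\n[FAILED]\n'
fi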
## Restart ulogd and rotate logs | |
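## Restart ulogd and rotate logs
[ -f "/etc/init.d/ulogd" ] && {
  printf ' * RESTARTING ULOGD\t\t\t\t'
  /etc/init.d/ulogd stop 2> /dev/null
  # Absolute paths instead of 'cd': a failed cd used to leave the rm -f
  # below running in whatever the current directory happened to be.
  if [ -s "$_ulogdpath/ulogd.json" ]
  then
    timestamp=$(date +%s)
    #tar c -zf "$_ulogdpath/ulogd_$timestamp.tar.gz" -C "$_ulogdpath" "ulogd.json" 2> /dev/null
  fi
  rm -f -- "$_ulogdpath/ulogd.json"
  rm -f -- "$_ulogdpath/ulogd.pcap"
  ## Create a named pipe so we can offload the json logs to a logging server
  #mknod "$_ulogdpath/ulogd.json" p
  ## Start pushing log data using netcat
  #nc honeywrt.org 64738 < "$_ulogdpath/ulogd.json" &
  /etc/init.d/ulogd start
  # The original put 'else' on the same line as the 'then' command without a
  # separator, so 'else' became an argument to printf and [FAILED] was never
  # printed.
  # NOTE(review): pgrep -x matches the process name exactly; whether a full
  # path ever matches depends on the pgrep implementation - confirm on target.
  if pgrep -x "/usr/sbin/ulogd" > /dev/null
  then
    printf '[ OK ]\n'
  else
    printf '[FAILED]\n'
  fi
}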
## Create chains for logging packets | |
printf ' * CREATING NEEDED CHAINS\t\t\t' | |
iptables -N WHITELIST 2> /dev/null | |
iptables -F WHITELIST | |
iptables -I WHITELIST 1 -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "WHITELIST" | |
iptables -A WHITELIST -j ACCEPT | |
iptables -N BLACKLIST 2> /dev/null | |
iptables -F BLACKLIST | |
iptables -I BLACKLIST 1 -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "BLACKLIST" | |
iptables -A BLACKLIST -j DROP | |
iptables -N DOD 2> /dev/null | |
iptables -F DOD | |
iptables -I DOD 1 -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "DOD" | |
iptables -I DOD 2 -j DROP | |
iptables -N ipset_custom 2> /dev/null | |
iptables -F ipset_custom | |
iptables -N LOGDROP 2> /dev/null | |
iptables -F LOGDROP | |
iptables -I LOGDROP 1 -p icmp -j NFLOG --nflog-prefix "ICMP" | |
iptables -I LOGDROP 2 -j DROP | |
printf '[ OK ]\n' | |
## IPSET RULES | |
printf ' * PREPING IPSET\t\t\t\t' | |
[ ! -f "$IPSET" ] && { printf '[FAILED]\n'; } | |
[ -f "$IPSET" ] && { | |
ipset create WHITELIST-IP -exist hash:ip family inet hashsize 16384 maxelem 131072 timeout 0 comment | |
ipset create WHITELIST-NET -exist hash:net family inet hashsize 16384 maxelem 131072 timeout 0 comment | |
ipset create BLACKLIST-IP -exist hash:ip family inet hashsize 16384 maxelem 131072 timeout 3600 comment | |
ipset create BLACKLIST-NET -exist hash:net family inet hashsize 16384 maxelem 131072 timeout 3600 comment | |
ipset create DOD -exist hash:net family inet hashsize 16384 maxelem 131072 timeout 0 | |
ipset create wl-tcp-ports -exist bitmap:port range 0-65535 | |
ipset create wl-udp-ports -exist bitmap:port range 0-65535 | |
ipset create bl-tcp-ports -exist bitmap:port range 0-65535 | |
ipset create bl-udp-ports -exist bitmap:port range 0-65535 | |
ipset flush WHITELIST-IP | |
ipset flush WHITELIST-NET | |
ipset flush BLACKLIST-IP | |
ipset flush BLACKLIST-NET | |
ipset flush DOD | |
ipset flush wl-tcp-ports | |
ipset flush wl-udp-ports | |
ipset flush bl-tcp-ports | |
ipset flush bl-udp-ports | |
ipset add wl-tcp-ports -exist 53 ## DNS | |
ipset add wl-tcp-ports -exist 27015 ## Steam Servers | |
ipset add wl-udp-ports -exist 53 ## DNS | |
ipset add wl-udp-ports -exist 27015 ## Steam Servers | |
ipset add bl-tcp-ports -exist 21 ## File Transfer Protocol (FTP) | |
ipset add bl-tcp-ports -exist 22 ## Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding | |
ipset add bl-tcp-ports -exist 23 ## Telnet protocol unencrypted text communications | |
ipset add bl-tcp-ports -exist 88 ## Kerberos authentication system | |
ipset add bl-tcp-ports -exist 445 ## SMB Windows Shares | |
ipset add bl-tcp-ports -exist 1080 ## Socks Proxy | |
ipset add bl-tcp-ports -exist 1433 ## Microsoft SQL Server database management system (MSSQL) server | |
ipset add bl-tcp-ports -exist 2323 ## TELNET-ALT | |
ipset add bl-tcp-ports -exist 3306 ## MySQL database system | |
ipset add bl-tcp-ports -exist 3389 ## Microsoft Terminal Server (RDP) | |
ipset add bl-tcp-ports -exist 5060 ## Session Initiation Protocol (SIP) | |
ipset add bl-tcp-ports -exist 5061 ## Session Initiation Protocol (SIP) over TLS | |
ipset add bl-tcp-ports -exist 5900 ## Virtual Network Computing (VNC) Remote Frame Buffer RFB protocol | |
ipset add bl-udp-ports -exist 69 ## Trivial File Transfer Protocol (TFTP) | |
ipset add bl-udp-ports -exist 123 ## Network Time Protocol (NTP) | |
ipset add bl-udp-ports -exist 135 ## | |
ipset add bl-udp-ports -exist 137 ## | |
ipset add bl-udp-ports -exist 138 ## | |
ipset add bl-udp-ports -exist 139 ## | |
ipset add bl-udp-ports -exist 177 ## X Display Manager Control Protocol | |
ipset add bl-udp-ports -exist 445 ## SMB Windows Shares | |
ipset add bl-udp-ports -exist 1434 ## MSSQL | |
ipset add bl-udp-ports -exist 1900 ## Simple Service Discovery Protocol | |
ipset add bl-udp-ports -exist 5060 ## Session Initiation Protocol (SIP) | |
printf '[ OK ]\n' | |
} | |
## Configure in from wan (WAN => ???) | |
printf ' * ADDING RULES\t\t\t\t' | |
iptables -N ipset_wan_input 2> /dev/null | |
iptables -F ipset_wan_input | |
iptables -I input_wan_rule 1 -d "$wan_ip" -j ipset_wan_input 2> /dev/null | |
iptables -I ipset_wan_input 1 -p icmp -m icmp --icmp-type 8 \ | |
-m set ! --match-set CA_ZONE src_ip -m set ! --match-set US_ZONE src_ip -j LOGDROP 2> /dev/null | |
iptables -I ipset_wan_input 2 -p tcp ! --tcp-flags SYN,ACK,FIN,RST SYN -j RETURN 2> /dev/null | |
iptables -I ipset_wan_input 3 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN \ | |
-m set ! --match-set CA_ZONE src_ip -m set ! --match-set US_ZONE src_ip -j DROP 2> /dev/null | |
iptables -I ipset_wan_input 4 -m set --match-set WHITELIST-IP src_ip -j WHITELIST 2> /dev/null | |
iptables -I ipset_wan_input 5 -m set --match-set WHITELIST-NET src_net -j WHITELIST 2> /dev/null | |
iptables -I ipset_wan_input 6 -m set --match-set BLACKLIST-IP src_ip -j BLACKLIST 2> /dev/null | |
iptables -I ipset_wan_input 7 -m set --match-set BLACKLIST-NET src_net -j BLACKLIST 2> /dev/null | |
iptables -I ipset_wan_input 8 -m set --match-set DOD src_ip -j DOD 2> /dev/null | |
iptables -I ipset_wan_input 9 -j ipset_custom 2> /dev/null | |
iptables -I ipset_wan_input 10 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j LOGDROP 2> /dev/null | |
iptables -t nat -N wan_rule_tcp_syn 2> /dev/null | |
iptables -t nat -F wan_rule_tcp_syn | |
iptables -t nat -N wan_rule_udp 2> /dev/null | |
iptables -t nat -F wan_rule_udp | |
iptables -t nat -F prerouting_wan_rule 2> /dev/null | |
iptables -t nat -I prerouting_wan_rule 1 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j wan_rule_tcp_syn 2> /dev/null | |
iptables -t nat -I prerouting_wan_rule 2 -p udp -j wan_rule_udp 2> /dev/null | |
iptables -t nat -F wan_rule_tcp_syn | |
#iptables -t nat -I wan_rule_tcp_syn 1 -j LOG --log-prefix "wan_rule_tcp_syn " | |
iptables -t nat -I wan_rule_tcp_syn 1 -p tcp -m tcp -m set --match-set CA_ZONE src_ip --dport 55023 \ | |
-m conntrack --ctstate NEW -j SET --add-set WHITELIST-IP src_ip --timeout 43200 --exist | |
iptables -t nat -I wan_rule_tcp_syn 2 -p tcp -m tcp -m set --match-set wl-tcp-ports dst -j ACCEPT | |
iptables -t nat -I wan_rule_tcp_syn 3 -p tcp -m tcp -m set --match-set bl-tcp-ports dst -j SET --add-set BLACKLIST-IP src | |
iptables -t nat -F wan_rule_udp | |
iptables -t nat -I wan_rule_udp 1 -p udp -m udp -m set --match-set wl-udp-ports dst -j RETURN | |
iptables -t nat -I wan_rule_udp 2 -p udp -m udp -m set --match-set bl-udp-ports dst -j SET --add-set BLACKLIST-IP src | |
## Block anything that does not match a forward if not on whitelist | |
iptables -t nat -A zone_wan_prerouting -p tcp --tcp-flags SYN,ACK,FIN,RST SYN \ | |
-m set ! --match-set WHITELIST-IP src_ip -m set ! --match-set WHITELIST-NET src_net \ | |
-j SET --add-set BLACKLIST-IP src_ip --timeout 43200 --exist 2> /dev/null | |
## Configure in from wan towards lan (WAN => LAN) | |
iptables -F forwarding_wan_rule 2> /dev/null | |
#iptables -I forwarding_wan_rule 1 -p tcp -m conntrack --ctstate NEW -j LOG --log-prefix "forwarding_wan_rule " 2> /dev/null | |
iptables -N ipset_wan_forwarding 2> /dev/null | |
iptables -I forwarding_wan_rule 1 -j ipset_wan_forwarding | |
iptables -F ipset_wan_forwarding | |
iptables -I ipset_wan_forwarding 1 -p tcp ! --tcp-flags SYN,ACK,FIN,RST SYN -j RETURN 2> /dev/null | |
iptables -I ipset_wan_forwarding 2 -m set --match-set WHITELIST-IP src_ip -j WHITELIST 2> /dev/null | |
iptables -I ipset_wan_forwarding 3 -m set --match-set WHITELIST-NET src_net -j WHITELIST 2> /dev/null | |
iptables -I ipset_wan_forwarding 4 -m set --match-set BLACKLIST-IP src_ip -j BLACKLIST 2> /dev/null | |
iptables -I ipset_wan_forwarding 5 -m set --match-set BLACKLIST-NET src_net -j BLACKLIST 2> /dev/null | |
iptables -I ipset_wan_forwarding 6 -m set --match-set DOD src_ip -j DOD 2> /dev/null | |
iptables -I ipset_wan_forwarding 7 -j ipset_custom 2> /dev/null | |
iptables -I ipset_wan_forwarding 8 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP 2> /dev/null | |
## Configure out from lan towards wan (LAN => WAN) | |
iptables -F forwarding_lan_rule 2> /dev/null | |
iptables -N ipset_wan_output 2> /dev/null | |
iptables -I forwarding_lan_rule 1 -j ipset_wan_output | |
iptables -F ipset_wan_output | |
iptables -I ipset_wan_output 1 -m set --match-set DOD dst_ip -j NFLOG --nflog-prefix "DOD" 2> /dev/null | |
iptables -I ipset_wan_output 2 -m set --match-set DOD dst_ip -j DROP 2> /dev/null | |
iptables -I ipset_wan_output 3 -m set --match-set BLACKLIST-IP dst_ip -j BLACKLIST 2> /dev/null | |
iptables -I ipset_wan_output 4 -m set --match-set BLACKLIST-NET dst_net -j BLACKLIST 2> /dev/null | |
## Use for debugging? | |
#iptables -I ipset_wan_output -j LOG --log-prefix "ipset_wan_output " | |
## Configure out from router towards wan (ROUTER => WAN) | |
iptables -F output_wan_rule | |
iptables -I output_wan_rule 1 -m set --match-set BLACKLIST-IP dst_ip -j BLACKLIST 2> /dev/null | |
iptables -I output_wan_rule 2 -m set --match-set BLACKLIST-NET dst_net -j BLACKLIST 2> /dev/null | |
printf '[ OK ]\n' | |
## WHITELIST IPs | |
[ ! -f "$_iplist" ] && { printf " * Ruleset 'whitelist-net'\\n ! Skipping due to %s not found.\\n" "$_iplist"; } | |
[ -f "$_iplist" ] && { printf " * Ruleset 'whitelist-net'"; | |
while IFS= read -r line; do | |
ip=$(echo "$line" | { read -r first rest ; echo "$first" ; }) | |
#set -x | |
ipset add WHITELIST-NET -exist "$ip" | |
#set +x | |
done <"$_iplist"; | |
_count=$(ipset list -t WHITELIST-NET | awk '/Number of/ {print $4}') | |
printf " Count '%s'\\n" "$_count"; | |
} | |
## Section to grab custom / cloud hosted sets go here | |
/etc/sbin/ipset.sh start </dev/null &>/dev/null & | |
## Extra Logging For Bad Guys | |
iptables -I INPUT 1 -i eth0 -p tcp -m conntrack --ctstate NEW -m set --match-set BLACKLIST-IP src_ip \ | |
-j LOG --log-prefix "FILTER=IN IPSET=BLACKLIST " | |
iptables -I INPUT 2 -m set --match-set BLACKLIST-IP src_ip -m set ! --match-set WHITELIST-IP src_ip -j DROP | |
iptables -I forwarding_rule 1 -i eth0 -m set --match-set BLACKLIST-IP src_ip \ | |
-j LOG --log-prefix "FILTER=FWD IPSET=BLACKLIST " | |
iptables -I forwarding_rule 2 -m set --match-set BLACKLIST-IP src_ip -m set ! --match-set WHITELIST-IP src_ip -j DROP | |
iptables -I forwarding_rule 3 -i br-lan -m set --match-set BLACKLIST-IP dst_ip \ | |
-j LOG --log-prefix "FILTER=FWD IPSET=BLACKLIST " | |
iptables -I forwarding_rule 4 -m set --match-set BLACKLIST-IP dst_ip -m set ! --match-set WHITELIST-IP dst_ip -j DROP | |
iptables -I OUTPUT 1 -o eth0 -m set --match-set BLACKLIST-IP dst_ip \ | |
-j LOG --log-prefix "FILTER=OUT IPSET=BLACKLIST " | |
iptables -I OUTPUT 2 -m set --match-set BLACKLIST-IP dst_ip -m set ! --match-set WHITELIST-IP dst_ip -j DROP | |
firewall_log ' * Done firewall.user!' |
config source 'bogons' | |
option ipset_src 'https://www.countryipblocks.net/bogons/cidr_ipv4_bogons.txt' | |
option nflog_enabled '1' | |
option nflog_prefix 'BOGONS' | |
option target 'DROP' | |
option timeout '0' | |
option enabled '1' | |
config source 'normshield_high_attack' | |
option ipset_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/normshi' | |
option nflog_enabled '1' | |
option nflog_prefix 'normshield_high_attack' | |
option target 'DROP' | |
option timeout '0' | |
option enabled '1' | |
config source 'vulnscanners' | |
option ipset_src 'https://www.honeywrt.org/iplists/vulnscanners.ipset' | |
option nflog_enabled '1' | |
option nflog_prefix 'vulnscanners' | |
option target 'DROP' | |
option timeout '0' | |
option enabled '1' | |
config source 'torexit' | |
option ipset_src 'https://iplists.firehol.org/files/tor_exits_7d.ipset' | |
option nflog_enabled '1' | |
option nflog_prefix 'TOREXIT' | |
option target 'DROP' | |
option timeout '0' | |
option enabled '1' | |
config source 'datacenter' | |
option ipset_src 'https://iplists.firehol.org/files/datacenters.netset' | |
option nflog_enabled '1' | |
option nflog_prefix 'DATACENTER' | |
option target 'DROP' | |
option timeout '0' | |
option enabled '1' | |
config source 'CA_ZONE' | |
option ipset_src 'http://ipdeny.com/ipblocks/data/aggregated/ca-aggregated.zone' | |
option nflog_enabled '0' | |
option nflog_prefix 'CA_ZONE' | |
option target 'ACCEPT' | |
option timeout '0' | |
option enabled '1' | |
config source 'US_ZONE' | |
option ipset_src 'http://ipdeny.com/ipblocks/data/aggregated/us-aggregated.zone' | |
option nflog_enabled '0' | |
option nflog_prefix 'US_ZONE' | |
option target 'ACCEPT' | |
option timeout '0' | |
option enabled '1' | |
config source 'MX_ZONE' | |
option ipset_src 'http://ipdeny.com/ipblocks/data/aggregated/mx-aggregated.zone' | |
option nflog_enabled '0' | |
option nflog_prefix 'MX_ZONE' | |
option target 'DROP' | |
option timeout '0' | |
option enabled '1' | |
config source '' | |
option ipset_src '' | |
option nflog_enabled '' | |
option nflog_prefix '' | |
option target '' | |
option timeout '' | |
option enabled '' |
#!/bin/sh
# user downloaded ipset lists
# written by Jeffery Wilkins (dev@honeywrt.org)
# This is free software, licensed under the GNU General Public License v3.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# set initial defaults
#
# NOTE(review): assigned but not exported here; child tools only see it if
# LC_ALL was already in the environment.
LC_ALL=C
PATH="/usr/sbin:/usr/bin:/sbin:/bin"
ipset_ver="1.0"
ipset_sysver="unknown"
# 0 makes f_envload exit before any list is processed.
ipset_enabled=1
# 1 lets f_log emit "debug" class messages.
ipset_debug=1
# NOTE(review): ipset_whitelist, ipset_cnt and ipset_pidfile are not
# referenced anywhere else in this file.
ipset_whitelist="/etc/ipset/whitelist.ipset"
ipset_cnt=""
# f_jsnup reports status "error" when this is non-zero; nothing in this file
# sets it to anything else.
ipset_rc=0
# First argument selects the action dispatched at the bottom of the file.
ipset_action="${1:-"start"}"
ipset_pidfile="/var/run/ipset.pid"
# load adblock environment | |
# | |
# load ipset environment: reads /etc/config/ipset via the uci callbacks and
# exits when the service is disabled
#
f_envload()
{
  f_log "debug" "f_envload ::: start"
  # parse 'global' and 'extra' section by callback
  #
  # config_cb / option_cb are the /lib/functions.sh hooks that config_load
  # (below) invokes for every section and option.
  config_cb()
  {
    local type="${1}"
    if [ "${type}" = "ipset" ]
    then
      option_cb()
      {
        local option="${1}"
        local value="${2}"
        # Each option of the 'ipset' section becomes a shell variable of the
        # same name.  Both name and value are spliced into an eval'd
        # assignment, so quotes, backticks or $(...) in a value would be
        # expanded by eval; keep /etc/config/ipset writable by root only.
        eval "${option}=\"${value}\""
      }
    else
      reset_cb
    fi
  }
  # parse 'source' typed sections
  #
  # Appends the section name to ipset_sources and stores each listed option
  # as <option>_<section>; f_main reads them back the same way.
  parse_config()
  {
    # NOTE(review): this line is cut off in the source copy.  f_main also
    # reads target_* and timeout_*, so the list presumably continues with
    # "nflog_prefix target timeout" - confirm.
    local value opt section="${1}" options="enabled ipset_src nflog_enabled nflog_prefi"
    eval "ipset_sources=\"${ipset_sources} ${section}\""
    for opt in ${options}
    do
      config_get value "${section}" "${opt}"
      if [ -n "${value}" ]
      then
        eval "${opt}_${section}=\"${value}\""
      fi
    done
  }
  # load ipset config
  #
  config_load ipset
  config_foreach parse_config source
  # check ipset status
  #
  if [ ${ipset_enabled} -eq 0 ]
  then
    f_jsnup "disabled"
    # NOTE(review): message cut off in the source copy; it also still names
    # adb_enabled (adblock) rather than ipset_enabled.
    f_log "info" "ipset is currently disabled, please set adb_enabled to '1' to use thi"
    exit 0
  fi
}
# check environment | |
# | |
# check environment: currently only emits the startup message
#
f_envcheck()
{
  # NOTE(review): ssl_lib is declared but never assigned or read here.
  local ssl_lib
  # startup message
  #
  # NOTE(review): this line is cut off in the source copy; ipset_nice is not
  # set anywhere in this file.
  f_log "info" "ipset instance started ::: action: ${ipset_action}, priority: ${ipset_nice:-""
  #f_jsnup "running"
}
# commit uci changes | |
# | |
# commit pending uci changes for one config and reload the matching service
#
# Arguments: $1 - uci config name (nothing happens when empty)
# Globals:   adb_dns (read) - NOTE(review): not set anywhere in this file
#
f_uci()
{
  local change config="${1}"
  if [ -n "${config}" ]
  then
    # Pending changes, joined onto one line for the log message.
    change="$(uci -q changes "${config}" | awk '{ORS=" "; print $0}')"
    if [ -n "${change}" ]
    then
      uci_commit "${config}"
      if [ "${config}" = "firewall" ]
      then
        /etc/init.d/firewall reload >/dev/null 2>&1
      else
        /etc/init.d/"${adb_dns}" reload >/dev/null 2>&1
      fi
    fi
  fi
  f_log "debug" "f_uci ::: config: ${config}, change: ${change}"
}
# update runtime information | |
# | |
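# update runtime information
#
# Arguments: $1 - status keyword (default "enabled"); "suspend" is stored as
#                 "paused", "resume" as "enabled"
# Globals:   ipset_rc, ipset_ver, ipset_fetchinfo, ipset_rtfile (read)
# Outputs:   the json document to ${ipset_rtfile} via json_dump
#
# The unused locals bg_pid, mode and no_mail of the original were dropped.
f_jsnup()
{
  local run_time status="${1:-"enabled"}"
  if [ "${ipset_rc:-0}" -gt 0 ]
  then
    status="error"
    run_time="$(/bin/date "+%d.%m.%Y %H:%M:%S")"
  fi
  case "${status}" in
    enabled)
      run_time="$(/bin/date "+%d.%m.%Y %H:%M:%S")"
      ;;
    suspend)
      status="paused"
      ;;
    resume)
      status="enabled"
      ;;
  esac
  # NOTE(review): nothing in this file initialises the json context
  # (json_init/json_load) before this call - confirm the caller does.
  if [ -z "${run_time}" ]
  then
    json_get_var run_time "last_rundate"
  fi
  json_add_string "ipset_status" "${status}"
  json_add_string "ipset_version" "${ipset_ver}"
  json_add_string "fetch_utility" "${ipset_fetchinfo:-"-"}"
  json_add_string "last_rundate" "${run_time:-"-"}"
  # ipset_rtfile is never assigned in this file; an empty redirection target
  # used to make the shell error out here.
  if [ -n "${ipset_rtfile}" ]
  then
    json_dump > "${ipset_rtfile}"
  fi
}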
# write to syslog | |
# | |
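# write to syslog (and stdout)
#
# Arguments: $1 - syslog priority / class ("debug" is only emitted when
#                 ipset_debug is 1; "err" also records the error state and
#                 terminates the script with status 1)
#            $2 - message; nothing is logged when empty
# Globals:   ipset_debug, ipset_ver (read)
#
f_log()
{
  local class="${1}" log_msg="${2}"
  if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ipset_debug:-0}" -eq 1 ]; }
  then
    # '%s' keeps messages that carry '%' or backslashes (URLs and file names
    # taken from the config) from being interpreted as a printf format.
    printf '%s\n' "${log_msg}"
    logger -p "${class}" -t "ipset-${ipset_ver}[${$}]" "${log_msg}"
    if [ "${class}" = "err" ]
    then
      f_jsnup
      logger -p "${class}" -t "ipset-${ipset_ver}[${$}]" "Please also check ''"
      exit 1
    fi
  fi
}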
# main function for ipset list processing | |
# | |
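# main function for ipset list processing
#
# For every enabled 'source' section: (re)create its chain and set, hook the
# chain into ipset_custom, download the list, and replace the set contents
# when the download yielded entries.
# Globals:   ipset_sources and the <option>_<section> variables (read)
# Side effects: writes /tmp/<section>.ipset, modifies iptables and ipsets
#
f_main()
{
  local src_name src_url src_timeout src_nflog src_nflog_prefix src_target enabled
  # Drop every per-list jump; each enabled list re-adds its own below.
  iptables -F ipset_custom
  # main loop
  #
  for src_name in ${ipset_sources}
  do
    # Per-source settings were stored by parse_config as <option>_<section>.
    # src_name is a uci section name, i.e. identifier characters only.
    enabled="$(eval printf '%s' \"\${enabled_${src_name}\}\")"
    src_url="$(eval printf '%s' \"\${ipset_src_${src_name}\}\")"
    src_timeout="$(eval printf '%s' \"\${timeout_${src_name}\}\")"
    src_nflog="$(eval printf '%s' \"\${nflog_enabled_${src_name}\}\")"
    src_nflog_prefix="$(eval printf '%s' \"\${nflog_prefix_${src_name}\}\")"
    src_target="$(eval printf '%s' \"\${target_${src_name}\}\")"
    # basic pre-checks
    #
    f_log "debug" "f_main ::: name: ${src_name}, url: ${src_url}, enabled: ${enabled}"
    if [ "${enabled}" != "1" ] || [ -z "${src_url}" ]
    then
      continue
    fi
    # Avoid emitting 'timeout' with no value when the option is unset.
    src_timeout="${src_timeout:-0}"
    # create ipset and firewall table for use
    #
    # Chain, set and jump are installed before the download so that a failed
    # fetch leaves the previous set contents in force.  Flushing first, as
    # the original did, turned a download failure into an empty set - and an
    # empty ACCEPT list such as a *_ZONE locks every source out of the WAN.
    iptables -N "${src_name}" 2> /dev/null
    iptables -F "${src_name}"
    # NOTE(review): the tail of this line was cut off in the source copy;
    # 'maxelem 131072 timeout 0' follows the sets in firewall.user - confirm.
    ipset create "${src_name}" -exist hash:net family inet hashsize 16384 maxelem 131072 timeout 0
    iptables -A "${src_name}" -j "${src_target}"
    if [ "${src_nflog}" = "1" ]
    then
      # here we log all NEW packets
      f_log "debug" "f_main ::: name: ${src_name}, logprefix: ${src_nflog_prefix}"
      iptables -I "${src_name}" 1 -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "${src_nflog_prefix}"
    fi
    iptables -A ipset_custom -m set --match-set "${src_name}" src -j "${src_name}" 2> /dev/null
    # download list
    #
    # Only a leading dotted quad (optionally /prefix) per line is kept, so
    # nothing else a remote list might contain reaches 'ipset restore',
    # which executes its input as commands.  The old '\d' escape is not a
    # POSIX ERE atom; a single awk replaces the three sed passes and keeps
    # the set name out of a sed expression.
    _iplist="/tmp/${src_name}.ipset"
    wget -qO - "${src_url}" 2> /dev/null \
      | grep -Eo '^[[:space:]]*[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?' \
      | awk -v name="${src_name}" -v to="${src_timeout}" \
          '{ print "add " name " " $1 " timeout " to }' > "${_iplist}"
    if [ ! -s "${_iplist}" ]
    then
      f_log "info" "f_main ::: name: ${src_name}, no entries fetched from ${src_url}, keeping current set"
      continue
    fi
    # create/restore list
    #
    f_log "debug" "f_main ::: $_iplist ready for restore"
    ipset flush "${src_name}"
    ipset restore -f "$_iplist"
    # basic post-checks
    #
    _count=$(ipset list -t "${src_name}" | awk '/Number of/ {print $4}')
    f_log "debug" "f_main ::: name: ${src_name}, count: ${_count}"
  done
}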
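# source required system libraries
#
if [ -r "/lib/functions.sh" ] && [ -r "/usr/share/libubox/jshn.sh" ]
then
  . "/lib/functions.sh"
  . "/usr/share/libubox/jshn.sh"
else
  # f_log "err" ends the script with status 1.
  f_log "err" "system libraries not found"
fi
# handle different ipset actions
#
f_envload
case "${ipset_action}" in
  stop)
    # NOTE(review): f_fwflush is not defined in this file - confirm it is
    # provided elsewhere.
    f_fwflush
    ;;
  start|restart|reload)
    f_envcheck
    f_main
    ;;
  suspend|resume)
    # NOTE(review): f_fw is not defined in this file either.
    f_fw "${ipset_action}"
    ;;
  *)
    # An unknown action used to fall through silently with status 0.
    f_log "info" "unknown action '${ipset_action}', expected start|stop|restart|reload|suspend|resume"
    exit 1
    ;;
esac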
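# Packages used by firewall.user, ipset.sh and ulogd.conf on OpenWrt.
# The last package no longer carries a trailing '\', which left the
# command line open-ended.
opkg install \
  ca-certificates \
  htop \
  iftop \
  ipset \
  iptables-mod-conntrack-extra \
  iptables-mod-nflog \
  libustream-openssl \
  nano \
  ncat \
  openssh-sftp-server \
  strace \
  tcpdump \
  ulogd \
  ulogd-mod-extra \
  ulogd-mod-json \
  ulogd-mod-mysql \
  ulogd-mod-nfct \
  ulogd-mod-nflog \
  ulogd-mod-pcap \
  ulogd-mod-syslog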
#!/bin/sh
# ulogd2csv: flatten ulogd JSON records into CSV columns with jq.
# NOTE(review): this line is cut off in the source copy.  It also runs
# unconditionally before the options below are parsed, so -si/-dp cannot
# influence it.
jq --raw-output '[."oob.time.sec", .dvc, ."oob.prefix", .src_ip, .src_port, .dest_ip, .dest_port, .n
# Print the usage text: one line per argument, the middle one blank.
usage()
{
  printf '%s\n' "Usage: ulogd2csv [-h][-si][-dp]" "" "Filter Logs and Output To CSV"
}
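# Option parsing.
# NOTE(review): src_ip and dest_port are set here but the jq invocation
# above has already run, so neither value is used by anything in this file.
while [ -n "$1" ]; do
  case "$1" in
    -si | --src-ip ) shift
      src_ip=$1
      ;;
    -dp | --dest-port ) shift
      dest_port=$1
      ;;
    -h | --help ) usage
      exit
      ;;
    * ) usage
      exit 1
      ;;
  esac
  shift
done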
[global] | |
logfile="/var/log/ulogd.log" | |
loglevel=1 | |
rmem=131071 | |
bufsize=150000 | |
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so" | |
plugin="/usr/lib/ulogd/ulogd_inpflow_NFCT.so" | |
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so" | |
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so" | |
#plugin="/usr/lib/ulogd/ulogd_filter_IP2BIN.so" | |
#plugin="/usr/lib/ulogd/ulogd_filter_IP2HBIN.so" | |
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so" | |
plugin="/usr/lib/ulogd/ulogd_filter_HWHDR.so" | |
plugin="/usr/lib/ulogd/ulogd_filter_PRINTFLOW.so" | |
#plugin="/usr/lib/ulogd/ulogd_filter_MARK.so" | |
#plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so" | |
plugin="/usr/lib/ulogd/ulogd_output_SYSLOG.so" | |
#plugin="/usr/lib/ulogd/ulogd_output_SQLITE3.so" | |
plugin="/usr/lib/ulogd/ulogd_output_PCAP.so" | |
#plugin="/usr/lib/ulogd/ulogd_output_MYSQL.so" | |
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so" | |
plugin="/usr/lib/ulogd/ulogd_output_JSON.so" | |
#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG | |
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU | |
stack=log1:NFLOG,base1:BASE,pcap1:PCAP | |
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL | |
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,json1:JSON | |
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON | |
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys2:SYSLOG | |
#stack=log1:NFLOG,sqlite3_pkt:SQLITE3 | |
[ct1] | |
#netlink_socket_buffer_size=217088 | |
#netlink_socket_buffer_maxsize=1085440 | |
#netlink_resync_timeout=60 # seconds to wait to perform resynchronization | |
#pollinterval=10 # use poll-based logging instead of event-driven | |
# If pollinterval is not set, NFCT plugin will work in event mode | |
# In this case, you can use the following filters on events: | |
#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks | |
#accept_src_filter=172.18.0.0/24 | |
#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks | |
#accept_proto_filter=tcp,sctp # layer 4 proto of connections | |
hash_enable=0 | |
[ct2] | |
#netlink_socket_buffer_size=217088 | |
#netlink_socket_buffer_maxsize=1085440 | |
#reliable=1 # enable reliable flow-based logging (may drop packets) | |
hash_enable=0 | |
# Logging of system packet through NFLOG | |
[log1] | |
group=0 | |
netlink_socket_buffer_size=217088 | |
netlink_socket_buffer_maxsize=1085440 | |
#netlink_qthreshold=1 | |
#netlink_qtimeout=100 | |
[log2] | |
group=1 # Group has to be different from the one used in log1
netlink_socket_buffer_size=217088 | |
netlink_socket_buffer_maxsize=1085440 | |
bind=1 | |
numeric_label=1 | |
[emu1] | |
file="/var/log/ulogd_syslogemu.log" | |
sync=1 | |
[json1] | |
sync=0 | |
file="/var/log/ulogd.json" | |
timestamp=0 | |
device="APU2-SHAWSECURE" | |
boolean_label=1 | |
[pcap1] | |
file="/var/log/ulogd.pcap" | |
sync=1 | |
[sqlite3_ct] | |
#table="ulog_ct" | |
#db="/var/log/ulogd.sqlite3db" | |
#buffer=200 | |
[sqlite3_pkt] | |
table="ulog_pkt" | |
db="/var/log/ulogd.sqlite3db" | |
buffer=200 | |
[sys2] | |
facility=LOG_LOCAL2 | |
[mark1] | |
mark = 1 |