NEW FIREWALL
#!/bin/sh
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
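. /lib/functions/network.sh
# wan_ip / wan_dns are filled from the uci 'wan' interface; wan_ip empty
# means the interface is not up yet (checked below before any rule is added)
network_get_ipaddr wan_ip wan
network_get_dnsserver wan_dns wan
# set the db path here leave out the trailing slash
_dbpath="/etc/ipset"
# whitelist file read by the WHITELIST IPs section below, one entry per line.
# The original never defined _iplist, so that section always reported
# "not found" and skipped the load.
_iplist="$_dbpath/whitelist.ipset"
# set ulogd path here (check ulogd.conf)
_ulogdpath="/var/log"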
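#######################################
# Test whether an iptables chain exists.
# Arguments: $1 - chain name
#            $2 - table (optional; iptables' own default, filter, otherwise)
# Returns:   iptables' exit status (0 = chain present), 1 on bad usage
#######################################
chain_exists()
{
  if [ $# -lt 1 ] || [ $# -gt 2 ]; then
    echo "Usage: chain_exists <chain_name> [table]" >&2
    return 1
  fi
  local chain_name="$1"
  # --table and its value must be two separate words. The original stored
  # "--table $1" in one quoted variable, which iptables rejects as a single
  # unknown option, and with no table it passed an empty-string argument.
  if [ $# -eq 2 ]; then
    iptables --table "$2" -n --list "$chain_name" >/dev/null 2>&1
  else
    iptables -n --list "$chain_name" >/dev/null 2>&1
  fi
}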
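#######################################
# Emit a status line to syslog, stdout and (when present) the serial console.
# Arguments: $1 - message, printed verbatim
#######################################
firewall_log()
{
  logger -t firewall.user "$1"
  # '%s' rather than the message as the format string: a '%' inside $1
  # would otherwise be interpreted by printf
  printf '\n%s\n' "$1"
  # best effort: a missing console must not produce an error on every call
  if [ -w /dev/ttyS1 ]; then
    printf '\n%s\n' "$1" > /dev/ttyS1
  fi
}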
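# command -v is the POSIX builtin; which(1) is an external program that may
# be absent on a minimal image
IPSET=$(command -v ipset)
# Check if networking is ready
if [ -z "$wan_ip" ]; then
  firewall_log ' *** USER FIREWALL NO WAN'
  exit
else
  firewall_log " * WAN IP: $wan_ip"
fi
## Test internet/dns and make sure we are online
# Set to 1 to run the wget probe; 0 reports SKIPPED. The original evaluated
# $? right after a printf (the wget line was commented out), so it printed
# [ OK ] regardless of connectivity.
dns_probe_enabled=0
#######################################
# Connectivity probe.
# Returns: 0 reachable, 2 probe disabled, anything else unreachable
#######################################
dns_test()
{
  [ "$dns_probe_enabled" -eq 1 ] || return 2
  wget --spider http://google.com --timeout=5 --tries=2 >/dev/null 2>&1
}
printf ' * DNS TEST\n'
dns_test
case $? in
  0) printf '\n[ OK ]\n' ;;
  2) printf '\n[SKIPPED]\n' ;;
  *) printf '\n[FAILED]\n' ;;
esac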
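## Restart ulogd and rotate logs
# Only when the ulogd init script is installed. The previous json/pcap logs
# are removed before the daemon is restarted; archiving is left disabled.
if [ -f "/etc/init.d/ulogd" ]; then
  printf ' * RESTARTING ULOGD\t\t\t\t'
  /etc/init.d/ulogd stop 2> /dev/null
  # The cd is checked: without it a missing log directory would make the
  # rm -f below run in whatever the current directory happens to be.
  if cd "$_ulogdpath"; then
    if [ -s ulogd.json ]; then
      timestamp=$(date +%s)
      #tar c -zf "ulogd_$timestamp.tar.gz" "ulogd.json" 2> /dev/null
    fi
    rm -f ulogd.json
    rm -f ulogd.pcap
  else
    printf '\n ! %s not found, logs not rotated\n' "$_ulogdpath"
  fi
  ## Create a named pipe so we can offload the json logs to a logging server
  #mknod ulogd.json p
  ## Start pushing log data using netcat
  #nc honeywrt.org 64738 < ulogd.json &
  /etc/init.d/ulogd start
  # The original one-liner had no ';' before 'else', so 'else printf ...'
  # became arguments to the first printf and the failure branch never existed.
  if pgrep -x "/usr/sbin/ulogd" > /dev/null; then
    printf '[ OK ]\n'
  else
    printf '[FAILED]\n'
  fi
fi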
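## Create chains for logging packets
#######################################
# (Re)create a chain that logs each NEW connection through NFLOG and then
# hands the packet to a terminating target. -N fails harmlessly when the
# chain survived from a previous run; -F then empties it.
# Arguments: $1 - chain name, $2 - nflog prefix, $3 - target (ACCEPT/DROP)
# Returns:   non-zero if any iptables call other than -N failed
#######################################
log_chain()
{
  local chain="$1" prefix="$2" target="$3" rc=0
  iptables -N "$chain" 2> /dev/null
  iptables -F "$chain" || rc=1
  iptables -A "$chain" -m conntrack --ctstate NEW -j NFLOG --nflog-prefix "$prefix" || rc=1
  iptables -A "$chain" -j "$target" || rc=1
  return "$rc"
}
printf ' * CREATING NEEDED CHAINS\t\t\t'
_rc=0
log_chain WHITELIST WHITELIST ACCEPT || _rc=1
log_chain BLACKLIST BLACKLIST DROP || _rc=1
log_chain DOD DOD DROP || _rc=1
# ipset_custom stays empty here; the list loader appends one jump per
# downloaded set.
iptables -N ipset_custom 2> /dev/null
iptables -F ipset_custom || _rc=1
# LOGDROP logs only ICMP before dropping everything.
iptables -N LOGDROP 2> /dev/null
iptables -F LOGDROP || _rc=1
iptables -A LOGDROP -p icmp -j NFLOG --nflog-prefix "ICMP" || _rc=1
iptables -A LOGDROP -j DROP || _rc=1
# The original printed [ OK ] unconditionally, even when every call failed.
if [ "$_rc" -eq 0 ]; then
  printf '[ OK ]\n'
else
  printf '[FAILED]\n'
fi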
## IPSET RULES
# Sets consulted by the rules below. $IPSET was resolved earlier; when the
# binary is absent only the status line is printed and nothing is created.
printf ' * PREPING IPSET\t\t\t\t'
if [ ! -f "$IPSET" ]; then
  printf '[FAILED]\n'
else
  # address sets: whitelist entries never expire, blacklist entries default
  # to one hour unless the adding rule passes its own --timeout
  ipset create WHITELIST-IP -exist hash:ip family inet hashsize 16384 maxelem 131072 timeout 0 comment
  ipset create WHITELIST-NET -exist hash:net family inet hashsize 16384 maxelem 131072 timeout 0 comment
  ipset create BLACKLIST-IP -exist hash:ip family inet hashsize 16384 maxelem 131072 timeout 3600 comment
  ipset create BLACKLIST-NET -exist hash:net family inet hashsize 16384 maxelem 131072 timeout 3600 comment
  ipset create DOD -exist hash:net family inet hashsize 16384 maxelem 131072 timeout 0
  # port sets, matched against the destination port
  for _set in wl-tcp-ports wl-udp-ports bl-tcp-ports bl-udp-ports; do
    ipset create "$_set" -exist bitmap:port range 0-65535
  done
  # every reload starts from empty sets (same order as the creates)
  for _set in WHITELIST-IP WHITELIST-NET BLACKLIST-IP BLACKLIST-NET DOD \
    wl-tcp-ports wl-udp-ports bl-tcp-ports bl-udp-ports; do
    ipset flush "$_set"
  done
  # services that may be reached from the WAN
  ipset add wl-tcp-ports -exist 53 ## DNS
  ipset add wl-tcp-ports -exist 27015 ## Steam Servers
  ipset add wl-udp-ports -exist 53 ## DNS
  ipset add wl-udp-ports -exist 27015 ## Steam Servers
  # ports whose first SYN/datagram from the WAN gets the sender blacklisted
  ipset add bl-tcp-ports -exist 21 ## File Transfer Protocol (FTP)
  ipset add bl-tcp-ports -exist 22 ## Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding
  ipset add bl-tcp-ports -exist 23 ## Telnet protocol unencrypted text communications
  ipset add bl-tcp-ports -exist 88 ## Kerberos authentication system
  ipset add bl-tcp-ports -exist 445 ## SMB Windows Shares
  ipset add bl-tcp-ports -exist 1080 ## Socks Proxy
  ipset add bl-tcp-ports -exist 1433 ## Microsoft SQL Server database management system (MSSQL) server
  ipset add bl-tcp-ports -exist 2323 ## TELNET-ALT
  ipset add bl-tcp-ports -exist 3306 ## MySQL database system
  ipset add bl-tcp-ports -exist 3389 ## Microsoft Terminal Server (RDP)
  ipset add bl-tcp-ports -exist 5060 ## Session Initiation Protocol (SIP)
  ipset add bl-tcp-ports -exist 5061 ## Session Initiation Protocol (SIP) over TLS
  ipset add bl-tcp-ports -exist 5900 ## Virtual Network Computing (VNC) Remote Frame Buffer RFB protocol
  ipset add bl-udp-ports -exist 69 ## Trivial File Transfer Protocol (TFTP)
  ipset add bl-udp-ports -exist 123 ## Network Time Protocol (NTP)
  ipset add bl-udp-ports -exist 135 ##
  ipset add bl-udp-ports -exist 137 ##
  ipset add bl-udp-ports -exist 138 ##
  ipset add bl-udp-ports -exist 139 ##
  ipset add bl-udp-ports -exist 177 ## X Display Manager Control Protocol
  ipset add bl-udp-ports -exist 445 ## SMB Windows Shares
  ipset add bl-udp-ports -exist 1434 ## MSSQL
  ipset add bl-udp-ports -exist 1900 ## Simple Service Discovery Protocol
  ipset add bl-udp-ports -exist 5060 ## Session Initiation Protocol (SIP)
  printf '[ OK ]\n'
fi
## Configure in from wan (WAN => ???)
# Rule order is the semantics here: every chain is flushed and then rebuilt
# with explicit -I positions, so the numbering must stay contiguous.
printf ' * ADDING RULES\t\t\t\t'
iptables -N ipset_wan_input 2> /dev/null
iptables -F ipset_wan_input
# only traffic addressed to the primary WAN address is inspected
iptables -I input_wan_rule 1 -d "$wan_ip" -j ipset_wan_input 2> /dev/null
# CA_ZONE / US_ZONE are not created in this file; presumably they come from
# the list loader that is only started in the background near the end of
# this script. If the sets do not exist yet, these two inserts fail with
# stderr discarded and the geo checks are silently absent until the next
# reload -- NOTE(review): confirm the sets survive across reloads.
iptables -I ipset_wan_input 1 -p icmp -m icmp --icmp-type 8 \
-m set ! --match-set CA_ZONE src_ip -m set ! --match-set US_ZONE src_ip -j LOGDROP 2> /dev/null
# TCP packets that are not a bare SYN (existing flows) leave the chain here
iptables -I ipset_wan_input 2 -p tcp ! --tcp-flags SYN,ACK,FIN,RST SYN -j RETURN 2> /dev/null
iptables -I ipset_wan_input 3 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN \
-m set ! --match-set CA_ZONE src_ip -m set ! --match-set US_ZONE src_ip -j DROP 2> /dev/null
# whitelists are consulted before blacklists, so an address in both is accepted
iptables -I ipset_wan_input 4 -m set --match-set WHITELIST-IP src_ip -j WHITELIST 2> /dev/null
iptables -I ipset_wan_input 5 -m set --match-set WHITELIST-NET src_net -j WHITELIST 2> /dev/null
iptables -I ipset_wan_input 6 -m set --match-set BLACKLIST-IP src_ip -j BLACKLIST 2> /dev/null
iptables -I ipset_wan_input 7 -m set --match-set BLACKLIST-NET src_net -j BLACKLIST 2> /dev/null
iptables -I ipset_wan_input 8 -m set --match-set DOD src_ip -j DOD 2> /dev/null
# ipset_custom holds one jump per downloaded list (filled by the list loader)
iptables -I ipset_wan_input 9 -j ipset_custom 2> /dev/null
# any new TCP connection that reached the end of the chain is logged and dropped
iptables -I ipset_wan_input 10 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j LOGDROP 2> /dev/null
# nat table: the first packet of each inbound connection is classified by
# destination port and the sender is added to a whitelist/blacklist set
iptables -t nat -N wan_rule_tcp_syn 2> /dev/null
iptables -t nat -F wan_rule_tcp_syn
iptables -t nat -N wan_rule_udp 2> /dev/null
iptables -t nat -F wan_rule_udp
iptables -t nat -F prerouting_wan_rule 2> /dev/null
iptables -t nat -I prerouting_wan_rule 1 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j wan_rule_tcp_syn 2> /dev/null
iptables -t nat -I prerouting_wan_rule 2 -p udp -j wan_rule_udp 2> /dev/null
iptables -t nat -F wan_rule_tcp_syn
#iptables -t nat -I wan_rule_tcp_syn 1 -j LOG --log-prefix "wan_rule_tcp_syn "
# a SYN from a CA_ZONE address to TCP port 55023 adds the sender to
# WHITELIST-IP for 43200 s (12 h); every later rule then treats that
# source as whitelisted
iptables -t nat -I wan_rule_tcp_syn 1 -p tcp -m tcp -m set --match-set CA_ZONE src_ip --dport 55023 \
-m conntrack --ctstate NEW -j SET --add-set WHITELIST-IP src_ip --timeout 43200 --exist
# whitelisted port: accepted; blacklisted port: the sender goes into
# BLACKLIST-IP (no --timeout here, so presumably the set default applies)
iptables -t nat -I wan_rule_tcp_syn 2 -p tcp -m tcp -m set --match-set wl-tcp-ports dst -j ACCEPT
iptables -t nat -I wan_rule_tcp_syn 3 -p tcp -m tcp -m set --match-set bl-tcp-ports dst -j SET --add-set BLACKLIST-IP src
iptables -t nat -F wan_rule_udp
# UDP uses RETURN rather than ACCEPT for whitelisted ports, so later nat
# rules still see the packet
iptables -t nat -I wan_rule_udp 1 -p udp -m udp -m set --match-set wl-udp-ports dst -j RETURN
iptables -t nat -I wan_rule_udp 2 -p udp -m udp -m set --match-set bl-udp-ports dst -j SET --add-set BLACKLIST-IP src
## Block anything that does not match a forward if not on whitelist
# Every new TCP connection still unhandled in the nat table whose source is
# not whitelisted is blacklisted for 12 h. That includes any single stray
# SYN, and BLACKLIST-IP is also matched on the outbound side below, so the
# router and LAN lose reachability to that address for the same period.
iptables -t nat -A zone_wan_prerouting -p tcp --tcp-flags SYN,ACK,FIN,RST SYN \
-m set ! --match-set WHITELIST-IP src_ip -m set ! --match-set WHITELIST-NET src_net \
-j SET --add-set BLACKLIST-IP src_ip --timeout 43200 --exist 2> /dev/null
## Configure in from wan towards lan (WAN => LAN)
# same list order as ipset_wan_input, without the geo and ICMP checks
iptables -F forwarding_wan_rule 2> /dev/null
#iptables -I forwarding_wan_rule 1 -p tcp -m conntrack --ctstate NEW -j LOG --log-prefix "forwarding_wan_rule " 2> /dev/null
iptables -N ipset_wan_forwarding 2> /dev/null
iptables -I forwarding_wan_rule 1 -j ipset_wan_forwarding
iptables -F ipset_wan_forwarding
iptables -I ipset_wan_forwarding 1 -p tcp ! --tcp-flags SYN,ACK,FIN,RST SYN -j RETURN 2> /dev/null
iptables -I ipset_wan_forwarding 2 -m set --match-set WHITELIST-IP src_ip -j WHITELIST 2> /dev/null
iptables -I ipset_wan_forwarding 3 -m set --match-set WHITELIST-NET src_net -j WHITELIST 2> /dev/null
iptables -I ipset_wan_forwarding 4 -m set --match-set BLACKLIST-IP src_ip -j BLACKLIST 2> /dev/null
iptables -I ipset_wan_forwarding 5 -m set --match-set BLACKLIST-NET src_net -j BLACKLIST 2> /dev/null
iptables -I ipset_wan_forwarding 6 -m set --match-set DOD src_ip -j DOD 2> /dev/null
iptables -I ipset_wan_forwarding 7 -j ipset_custom 2> /dev/null
# unlisted new TCP connections are dropped without logging here
iptables -I ipset_wan_forwarding 8 -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP 2> /dev/null
## Configure out from lan towards wan (LAN => WAN)
# outbound: destinations in DOD are logged and dropped, blacklisted
# destinations go through the BLACKLIST chain
iptables -F forwarding_lan_rule 2> /dev/null
iptables -N ipset_wan_output 2> /dev/null
iptables -I forwarding_lan_rule 1 -j ipset_wan_output
iptables -F ipset_wan_output
iptables -I ipset_wan_output 1 -m set --match-set DOD dst_ip -j NFLOG --nflog-prefix "DOD" 2> /dev/null
iptables -I ipset_wan_output 2 -m set --match-set DOD dst_ip -j DROP 2> /dev/null
iptables -I ipset_wan_output 3 -m set --match-set BLACKLIST-IP dst_ip -j BLACKLIST 2> /dev/null
iptables -I ipset_wan_output 4 -m set --match-set BLACKLIST-NET dst_net -j BLACKLIST 2> /dev/null
## Use for debugging?
#iptables -I ipset_wan_output -j LOG --log-prefix "ipset_wan_output "
## Configure out from router towards wan (ROUTER => WAN)
# the router's own traffic gets the same blacklist treatment
iptables -F output_wan_rule
iptables -I output_wan_rule 1 -m set --match-set BLACKLIST-IP dst_ip -j BLACKLIST 2> /dev/null
iptables -I output_wan_rule 2 -m set --match-set BLACKLIST-NET dst_net -j BLACKLIST 2> /dev/null
# printed unconditionally; failures above were silenced by 2> /dev/null
printf '[ OK ]\n'
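## WHITELIST IPs
# One address or network per line; blank lines and '#' comments are skipped.
# _iplist was never assigned in the original, so the section always reported
# "not found". Default to the ipset data directory; a value set earlier wins.
_iplist="${_iplist:-${_dbpath:-/etc/ipset}/whitelist.ipset}"
if [ ! -f "$_iplist" ]; then
  printf " * Ruleset 'whitelist-net'\\n ! Skipping due to %s not found.\\n" "$_iplist"
else
  printf " * Ruleset 'whitelist-net'"
  # read takes the first field directly instead of piping each line through
  # a subshell; the || keeps a last line without trailing newline
  while read -r ip _ || [ -n "$ip" ]; do
    case "$ip" in
      ''|'#'*) continue ;;
    esac
    ipset add WHITELIST-NET -exist "$ip"
  done <"$_iplist"
  _count=$(ipset list -t WHITELIST-NET | awk '/Number of/ {print $4}')
  printf " Count '%s'\\n" "$_count"
fi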
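## Section to grab custom / cloud hosted sets go here
# Runs in the background so slow downloads do not hold up the firewall
# reload. The rules above that reference CA_ZONE / US_ZONE presumably only
# take effect once this has created those sets. '&>' is bash-only: under
# /bin/sh it split the command and stdout was never redirected.
/etc/sbin/ipset.sh start </dev/null >/dev/null 2>&1 &
## Extra Logging For Bad Guys
# TCP from a blacklisted source is logged once per NEW connection; the DROP
# rules apply to every protocol unless the address is also whitelisted.
# eth0 / br-lan are hard-coded here while everything above uses the uci zone
# chains -- keep them in sync with the real WAN/LAN interfaces.
iptables -I INPUT 1 -i eth0 -p tcp -m conntrack --ctstate NEW -m set --match-set BLACKLIST-IP src_ip \
-j LOG --log-prefix "FILTER=IN IPSET=BLACKLIST "
iptables -I INPUT 2 -m set --match-set BLACKLIST-IP src_ip -m set ! --match-set WHITELIST-IP src_ip -j DROP
iptables -I forwarding_rule 1 -i eth0 -m set --match-set BLACKLIST-IP src_ip \
-j LOG --log-prefix "FILTER=FWD IPSET=BLACKLIST "
iptables -I forwarding_rule 2 -m set --match-set BLACKLIST-IP src_ip -m set ! --match-set WHITELIST-IP src_ip -j DROP
iptables -I forwarding_rule 3 -i br-lan -m set --match-set BLACKLIST-IP dst_ip \
-j LOG --log-prefix "FILTER=FWD IPSET=BLACKLIST "
iptables -I forwarding_rule 4 -m set --match-set BLACKLIST-IP dst_ip -m set ! --match-set WHITELIST-IP dst_ip -j DROP
iptables -I OUTPUT 1 -o eth0 -m set --match-set BLACKLIST-IP dst_ip \
-j LOG --log-prefix "FILTER=OUT IPSET=BLACKLIST "
iptables -I OUTPUT 2 -m set --match-set BLACKLIST-IP dst_ip -m set ! --match-set WHITELIST-IP dst_ip -j DROP
firewall_log ' * Done firewall.user!'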
config source 'bogons'
option ipset_src 'https://www.countryipblocks.net/bogons/cidr_ipv4_bogons.txt'
option nflog_enabled '1'
option nflog_prefix 'BOGONS'
option target 'DROP'
option timeout '0'
option enabled '1'
config source 'normshield_high_attack'
option ipset_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/normshi'
option nflog_enabled '1'
option nflog_prefix 'normshield_high_attack'
option target 'DROP'
option timeout '0'
option enabled '1'
config source 'vulnscanners'
option ipset_src 'https://www.honeywrt.org/iplists/vulnscanners.ipset'
option nflog_enabled '1'
option nflog_prefix 'vulnscanners'
option target 'DROP'
option timeout '0'
option enabled '1'
config source 'torexit'
option ipset_src 'https://iplists.firehol.org/files/tor_exits_7d.ipset'
option nflog_enabled '1'
option nflog_prefix 'TOREXIT'
option target 'DROP'
option timeout '0'
option enabled '1'
config source 'datacenter'
option ipset_src 'https://iplists.firehol.org/files/datacenters.netset'
option nflog_enabled '1'
option nflog_prefix 'DATACENTER'
option target 'DROP'
option timeout '0'
option enabled '1'
config source 'CA_ZONE'
option ipset_src 'http://ipdeny.com/ipblocks/data/aggregated/ca-aggregated.zone'
option nflog_enabled '0'
option nflog_prefix 'CA_ZONE'
option target 'ACCEPT'
option timeout '0'
option enabled '1'
config source 'US_ZONE'
option ipset_src 'http://ipdeny.com/ipblocks/data/aggregated/us-aggregated.zone'
option nflog_enabled '0'
option nflog_prefix 'US_ZONE'
option target 'ACCEPT'
option timeout '0'
option enabled '1'
config source 'MX_ZONE'
option ipset_src 'http://ipdeny.com/ipblocks/data/aggregated/mx-aggregated.zone'
option nflog_enabled '0'
option nflog_prefix 'MX_ZONE'
option target 'DROP'
option timeout '0'
option enabled '1'
config source ''
option ipset_src ''
option nflog_enabled ''
option nflog_prefix ''
option target ''
option timeout ''
option enabled ''
#!/bin/sh
# user downloaded ipset lists
# written by Jeffery Wilkins (dev@honeywrt.org)
# This is free software, licensed under the GNU General Public License v3.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# set initial defaults
#
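# LC_ALL must be exported to reach the awk/sed/grep children used below; a
# plain assignment only affects the shell itself unless the variable was
# already in the environment.
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
ipset_ver="1.0"
# ipset_sysver, ipset_whitelist, ipset_cnt and ipset_pidfile are not
# referenced anywhere in this file as shown
ipset_sysver="unknown"
ipset_enabled=1
ipset_debug=1
ipset_whitelist="/etc/ipset/whitelist.ipset"
ipset_cnt=""
ipset_rc=0
# first argument selects the action handled by the case at the end of the file
ipset_action="${1:-"start"}"
ipset_pidfile="/var/run/ipset.pid"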
# load adblock environment
#
#######################################
# Read the 'ipset' uci config through the callbacks from /lib/functions.sh.
# Options of the 'ipset' typed section become plain variables named after
# the option; every 'source' section is appended to ipset_sources and its
# options become <option>_<section> variables read later by f_main.
# NOTE(review): both eval lines execute the option value as shell text, so
# a value containing a double quote or $( ) runs as code. The config file
# is the trust boundary -- whoever can edit it already controls the device.
# Exits 0 when ipset_enabled is 0.
#######################################
f_envload()
{
f_log "debug" "f_envload ::: start"
# parse 'global' and 'extra' section by callback
#
config_cb()
{
local type="${1}"
# only the 'ipset' section is flattened into globals; other section types
# fall back to the library default handler
if [ "${type}" = "ipset" ]
then
option_cb()
{
local option="${1}"
local value="${2}"
eval "${option}=\"${value}\""
}
else
reset_cb
fi
}
# parse 'source' typed sections
#
# NOTE(review): the option list is cut off on this page. f_main also reads
# timeout_<section> and target_<section>; they must be in this list or the
# downloaded sets get no timeout/target.
parse_config()
{
local value opt section="${1}" options="enabled ipset_src nflog_enabled nflog_prefi"
eval "ipset_sources=\"${ipset_sources} ${section}\""
for opt in ${options}
do
config_get value "${section}" "${opt}"
if [ -n "${value}" ]
then
eval "${opt}_${section}=\"${value}\""
fi
done
}
# load ipset config
#
config_load ipset
config_foreach parse_config source
# check ipset status
#
# the message still names adb_enabled (inherited from adblock); the variable
# actually checked is ipset_enabled
if [ ${ipset_enabled} -eq 0 ]
then
f_jsnup "disabled"
f_log "info" "ipset is currently disabled, please set adb_enabled to '1' to use thi"
exit 0
fi
}
# check environment
#
#######################################
# Log the startup message. 'ssl_lib' is declared but never assigned or read
# in the body as shown. NOTE(review): the f_log line is cut off in the
# source on this page (unbalanced quotes), so the script would not parse
# as displayed.
#######################################
f_envcheck()
{
local ssl_lib
# startup message
#
f_log "info" "ipset instance started ::: action: ${ipset_action}, priority: ${ipset_nice:-""
#f_jsnup "running"
}
# commit uci changes
#
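#######################################
# Commit pending uci changes for a config and reload the matching service.
# Arguments: $1 - uci config name (e.g. firewall); empty means no-op
# Globals:   adb_dns (read) - service reloaded for non-firewall configs. It
#            is never set in this file (adblock left-over), so the reload is
#            skipped when empty instead of invoking '/etc/init.d/ reload'.
# Not called anywhere in this file as shown.
#######################################
f_uci()
{
  local change config="${1}"
  if [ -n "${config}" ]
  then
    change="$(uci -q changes "${config}" | awk '{ORS=" "; print $0}')"
    if [ -n "${change}" ]
    then
      uci_commit "${config}"
      case "${config}" in
        firewall)
          /etc/init.d/firewall reload >/dev/null 2>&1
          ;;
        *)
          if [ -n "${adb_dns}" ]
          then
            /etc/init.d/"${adb_dns}" reload >/dev/null 2>&1
          fi
          ;;
      esac
    fi
  fi
  f_log "debug" "f_uci ::: config: ${config}, change: ${change}"
}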
# update runtime information
#
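#######################################
# Write the runtime status json (status, version, fetch utility, last run).
# Arguments: $1 - status keyword (enabled|suspend|resume|...; default enabled)
# Globals:   ipset_rc, ipset_ver, ipset_fetchinfo, ipset_rtfile (read);
#            json_* helpers come from jshn.sh
# The mode/no_mail/bg_pid locals of the adblock original were never read
# and ipset_backup_mode is never set in this file, so they are gone.
#######################################
f_jsnup()
{
  local run_time status="${1:-"enabled"}"
  # quoted with a default: an unset ipset_rc would leave test(1) with too
  # few operands and the error branch silently skipped
  if [ "${ipset_rc:-0}" -gt 0 ]
  then
    status="error"
    run_time="$(/bin/date "+%d.%m.%Y %H:%M:%S")"
  fi
  if [ "${status}" = "enabled" ]
  then
    run_time="$(/bin/date "+%d.%m.%Y %H:%M:%S")"
  fi
  if [ "${status}" = "suspend" ]
  then
    status="paused"
  fi
  if [ "${status}" = "resume" ]
  then
    status="enabled"
  fi
  # error and enabled get a fresh timestamp; otherwise keep the stored one
  if [ -z "${run_time}" ]
  then
    json_get_var run_time "last_rundate"
  fi
  json_add_string "ipset_status" "${status}"
  json_add_string "ipset_version" "${ipset_ver}"
  json_add_string "fetch_utility" "${ipset_fetchinfo:-"-"}"
  json_add_string "last_rundate" "${run_time:-"-"}"
  # ipset_rtfile is not set anywhere in this file as shown; an empty
  # redirect target is a shell error, so the write is skipped instead
  if [ -n "${ipset_rtfile}" ]
  then
    json_dump > "${ipset_rtfile}"
  else
    f_log "debug" "f_jsnup ::: ipset_rtfile not set, runtime file not written"
  fi
}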
# write to syslog
#
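#######################################
# Print a message to stdout and syslog; 'err' messages also exit the script.
# Arguments: $1 - syslog priority/class (debug|info|err|...)
#            $2 - message; empty messages are dropped
# Globals:   ipset_debug (read) - debug class is only emitted when it is 1
#            ipset_ver (read)
# Returns:   0; exits 1 after an 'err' message (f_jsnup is called first)
#######################################
f_log()
{
  local class="${1}" log_msg="${2}"
  if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ipset_debug:-0}" -eq 1 ]; }
  then
    # '%s', never the message as the format string: the debug output
    # contains list URLs, and a '%' in one would be interpreted by printf
    printf '%s\n' "${log_msg}"
    logger -p "${class}" -t "ipset-${ipset_ver}[${$}]" "${log_msg}"
    if [ "${class}" = "err" ]
    then
      f_jsnup
      logger -p "${class}" -t "ipset-${ipset_ver}[${$}]" "Please also check ''"
      exit 1
    fi
  fi
}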
# main function for ipset list processing
#
#######################################
# Download every enabled 'source' list, load it into an ipset of the same
# name and wire a chain for it into ipset_custom.
# Globals:   ipset_sources and the <option>_<section> variables from
#            f_envload (read); src_target, _iplist and _count are assigned
#            without 'local' and leak to the caller; cn1 is unused.
# NOTE(review): several lines of this function are cut off on this page
# (unbalanced quotes), so the body cannot be run as displayed.
#######################################
f_main()
{
local src_name src_url src_timeout src_nflog src_nflog_prefix mem_total mem_free enabled cn1
# collected but not used in the body as shown
mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
# drop every per-list jump; they are re-added below for each enabled source
iptables -F ipset_custom
# main loop
#
for src_name in ${ipset_sources}
do
# per-source settings were exported as <option>_<section> by f_envload
enabled="$(eval printf '%s' \"\${enabled_${src_name}\}\")"
src_url="$(eval printf '%s' \"\${ipset_src_${src_name}\}\")"
src_timeout="$(eval printf '%s' \"\${timeout_${src_name}\}\")"
src_nflog="$(eval printf '%s' \"\${nflog_enabled_${src_name}\}\")"
src_nflog_prefix="$(eval printf '%s' \"\${nflog_prefix_${src_name}\}\")"
src_target="$(eval printf '%s' \"\${target_${src_name}\}\")"
# basic pre-checks
#
f_log "debug" "f_main ::: name: ${src_name}, url: ${src_url}, enabled: ${enabled}"
if [ "${enabled}" != "1" ] || [ -z "${src_url}" ]
then
continue
fi
# download list
#
# NOTE(review): wget's status is ignored, so a failed download leaves an
# empty file and (after the flush below) an empty set until the next run.
# '\d' is not portable ERE ([0-9] is) -- verify this grep keeps the
# expected lines. Sources fetched over plain http (see the uci config) can
# be altered in transit; for a source whose target is ACCEPT that would
# whitelist arbitrary ranges. The file name in /tmp is predictable.
_iplist="/tmp/${src_name}.ipset"
wget -qO - "${src_url}" | grep -E '\d+[.]\d+[.]\d+[.]\d+' > "$_iplist"
# cleanup and parse list for loading
#
# strip comments and blank lines, then turn every entry into an
# 'add <set> <entry> timeout <t>' line for ipset restore
sed -i -e 's/#.*$//' -e '/^$/d' "$_iplist"
sed -i "s/^/add ${src_name} /" "$_iplist"
sed -i "s/$/ timeout ${src_timeout}/" "$_iplist"
# create ipset and firewall table for use
# (the ipset create line is cut off on this page after maxelem)
iptables -N "${src_name}" 2> /dev/null
iptables -F "${src_name}"
ipset create "${src_name}" -exist hash:net family inet hashsize 16384 maxelem 13107"
ipset flush "${src_name}"
# src_target comes straight from the config ('DROP' / 'ACCEPT' on this page)
iptables -A "${src_name}" -j "${src_target}"
if [ "${src_nflog}" = "1" ]
then
# here we log all NEW packets
f_log "debug" "f_main ::: name: ${src_name}, logprefix: ${src_nflog_prefix}"
iptables -I "${src_name}" 1 -m conntrack --ctstate NEW -j NFLOG --nflog-pre"
fi
# (line cut off on this page after the stderr redirect)
iptables -A ipset_custom -m set --match-set "${src_name}" src -j "${src_name}" 2> /l
# create/restore list
#
# restore aborts on the first malformed line, so one bad entry in a
# downloaded list leaves the whole set empty -- NOTE(review): confirm
f_log "debug" "f_main ::: $_iplist ready for restore"
ipset restore -f "$_iplist"
# basic post-checks
#
_count=$(ipset list -t "${src_name}" | awk '/Number of/ {print $4}')
f_log "debug" "f_main ::: name: ${src_name}, count: ${_count}"
done
}
# source required system libraries
#
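# source required system libraries
#
if [ -r "/lib/functions.sh" ] && [ -r "/usr/share/libubox/jshn.sh" ]
then
  . "/lib/functions.sh"
  . "/usr/share/libubox/jshn.sh"
else
  # f_log "err" calls f_jsnup, whose json_* helpers live in the missing
  # library, before it exits 1; the message still reaches stdout/syslog
  f_log "err" "system libraries not found"
fi
# handle different ipset actions
#
# NOTE(review): f_fwflush and f_fw are not defined in this file as shown;
# stop/suspend/resume fail with "not found" unless they come from elsewhere.
f_envload
case "${ipset_action}" in
  stop)
    f_fwflush
    ;;
  restart)
    f_envcheck
    f_main
    ;;
  suspend)
    f_fw suspend
    ;;
  resume)
    f_fw resume
    ;;
  start|reload)
    f_envcheck
    f_main
    ;;
  *)
    # unknown actions previously fell through silently with status 0
    printf 'Usage: %s {start|stop|restart|reload|suspend|resume}\n' "${0##*/}" >&2
    exit 1
    ;;
esac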
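# Package list for the firewall.user / ipset.sh / ulogd.conf setup on this
# page: ipset and the iptables conntrack/NFLOG extras, ulogd with its output
# plugins, TLS support for the https list sources, plus diagnostics tools.
# The original ended with a stray backslash after the last package, which
# would join whatever line follows into the opkg command.
opkg install \
  ca-certificates \
  htop \
  iftop \
  ipset \
  iptables-mod-conntrack-extra \
  iptables-mod-nflog \
  libustream-openssl \
  nano \
  ncat \
  openssh-sftp-server \
  strace \
  tcpdump \
  ulogd \
  ulogd-mod-extra \
  ulogd-mod-json \
  ulogd-mod-mysql \
  ulogd-mod-nfct \
  ulogd-mod-nflog \
  ulogd-mod-pcap \
  ulogd-mod-syslog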
#!/bin/sh
# Field selection for the CSV output. The filter runs unconditionally before
# the options below are parsed, so src_ip / dest_port cannot influence it.
# NOTE(review): the line is cut off in the source on this page.
jq --raw-output '[."oob.time.sec", .dvc, ."oob.prefix", .src_ip, .src_port, .dest_ip, .dest_port, .n
# Print the command synopsis to stdout (used for -h and on bad arguments).
usage()
{
  cat <<'EOF'
Usage: ulogd2csv [-h][-si][-dp]

Filter Logs and Output To CSV
EOF
}
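#######################################
# Parse command-line options into the globals src_ip and dest_port.
# Arguments: the script's "$@"
# -si/--src-ip and -dp/--dest-port take a value; a missing value is a usage
# error (the original consumed an empty value and then failed on shift).
# NOTE(review): neither variable is read elsewhere in this file as shown.
#######################################
parse_args()
{
  while [ $# -gt 0 ]; do
    case "$1" in
      -si | --src-ip )
        [ $# -ge 2 ] || { usage; exit 1; }
        src_ip="$2"
        shift
        ;;
      -dp | --dest-port )
        [ $# -ge 2 ] || { usage; exit 1; }
        dest_port="$2"
        shift
        ;;
      -h | --help )
        usage
        exit
        ;;
      * )
        usage
        exit 1
        ;;
    esac
    shift
  done
}
parse_args "$@"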
[global]
logfile="/var/log/ulogd.log"
loglevel=1
rmem=131071
bufsize=150000
plugin="/usr/lib/ulogd/ulogd_inppkt_NFLOG.so"
plugin="/usr/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/lib/ulogd/ulogd_filter_IP2STR.so"
#plugin="/usr/lib/ulogd/ulogd_filter_IP2BIN.so"
#plugin="/usr/lib/ulogd/ulogd_filter_IP2HBIN.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/lib/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/lib/ulogd/ulogd_filter_PRINTFLOW.so"
#plugin="/usr/lib/ulogd/ulogd_filter_MARK.so"
#plugin="/usr/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/lib/ulogd/ulogd_output_SYSLOG.so"
#plugin="/usr/lib/ulogd/ulogd_output_SQLITE3.so"
plugin="/usr/lib/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/lib/ulogd/ulogd_output_MYSQL.so"
plugin="/usr/lib/ulogd/ulogd_raw2packet_BASE.so"
plugin="/usr/lib/ulogd/ulogd_output_JSON.so"
#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,sys1:SYSLOG
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log1:NFLOG,base1:BASE,pcap1:PCAP
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,json1:JSON
stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON
#stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys2:SYSLOG
#stack=log1:NFLOG,sqlite3_pkt:SQLITE3
[ct1]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#netlink_resync_timeout=60 # seconds to wait to perform resynchronization
#pollinterval=10 # use poll-based logging instead of event-driven
# If pollinterval is not set, NFCT plugin will work in event mode
# In this case, you can use the following filters on events:
#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks
#accept_src_filter=172.18.0.0/24
#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks
#accept_proto_filter=tcp,sctp # layer 4 proto of connections
hash_enable=0
[ct2]
#netlink_socket_buffer_size=217088
#netlink_socket_buffer_maxsize=1085440
#reliable=1 # enable reliable flow-based logging (may drop packets)
hash_enable=0
# Logging of system packet through NFLOG
[log1]
group=0
netlink_socket_buffer_size=217088
netlink_socket_buffer_maxsize=1085440
#netlink_qthreshold=1
#netlink_qtimeout=100
[log2]
group=1 # Group has to be different from the one used in log1
netlink_socket_buffer_size=217088
netlink_socket_buffer_maxsize=1085440
bind=1
numeric_label=1
[emu1]
file="/var/log/ulogd_syslogemu.log"
sync=1
[json1]
sync=0
file="/var/log/ulogd.json"
timestamp=0
device="APU2-SHAWSECURE"
boolean_label=1
[pcap1]
file="/var/log/ulogd.pcap"
sync=1
[sqlite3_ct]
#table="ulog_ct"
#db="/var/log/ulogd.sqlite3db"
#buffer=200
[sqlite3_pkt]
table="ulog_pkt"
db="/var/log/ulogd.sqlite3db"
buffer=200
[sys2]
facility=LOG_LOCAL2
[mark1]
mark = 1