|
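#!/bin/bash
# Sets up a small Debian-based device that applies IP blocklists (ipset +
# iptables) to the traffic crossing a transparent bridge (br0) made of its
# Ethernet ports. It installs packages, writes /etc/network/interfaces,
# builds two helper tools from source and installs the list/firewall
# scripts under /opt/filterbridge plus a daily cron job — so it must run
# as root.

# Abort on the first failed command, unset variable or failed pipeline
# stage: a half-finished setup is worse than a loud early exit.
set -euo pipefail

if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

#prerequisites
# One transaction: if any package cannot be installed apt-get fails and
# set -e stops the setup here instead of carrying on without the tool.
apt-get install --assume-yes iptables bridge-utils ipset gcc g++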
|
|
|
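cat << "ENI" > /etc/network/interfaces
# Network Interface Config File
#
# The Ethernet ports are bridged into br0 and carry no addresses of their
# own; br0 holds the management address (DHCP). The hooks on br0 load the
# ipsets and the iptables rules every time the bridge comes up.
# No allow-hotplug here: br0 is raised by 'auto br0' at boot.

# The loopback network interface
auto lo
iface lo inet loopback

# The bridged ports: no IP configuration, they are enslaved to br0 below.
iface eth0 inet manual
iface eth1 inet manual
iface eth2 inet manual
iface eth3 inet manual

auto br0
iface br0 inet dhcp
	bridge_ports eth0 eth1 eth2 eth3
	bridge_stp off
	bridge_maxwait 0
	bridge_fd 0
	# ipsets first, then the iptables rules that reference them
	# (up and post-up run in file order once the interface is up).
	up /opt/filterbridge/ipset.setup.sh
	up /opt/filterbridge/tables/iptables.up.sh
	# bridge netfilter hooks + IPv4 forwarding
	post-up /etc/network/sysctlnet.sh
	# Give br0 eth0's MAC — presumably so the bridge keeps one stable
	# address (and DHCP lease) instead of whichever port's MAC the kernel
	# picks. Read it from sysfs: parsing ifconfig output breaks when the
	# net-tools output format changes.
	post-up /sbin/ip link set br0 address "$(cat /sys/class/net/eth0/address)"
	# drop the firewall rules when the bridge goes down
	post-down /opt/filterbridge/tables/iptables.flu.sh
ENI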
|
|
|
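cat << "SCN" > /etc/network/sysctlnet.sh
#!/bin/bash
# Make bridged traffic visible to netfilter (so the iptables FORWARD rules
# see packets crossing br0) and enable IPv4 forwarding.
# Run by ifupdown as a post-up hook of br0; kept best-effort on purpose so
# a single failing knob does not fail the interface bring-up.

# On newer kernels /proc/sys/net/bridge/ only appears once br_netfilter is
# loaded; on older kernels the knobs belong to the bridge module and this
# modprobe fails harmlessly.
modprobe br_netfilter 2>/dev/null || true

# Turn on every bridge-nf-* knob present. The -e guard handles an empty
# directory, where the unexpanded glob would otherwise be written to.
for F in /proc/sys/net/bridge/*; do
  [[ -e "$F" ]] || continue
  echo 1 > "$F"
done

sysctl -w net.ipv4.ip_forward=1
SCN
chmod +x /etc/network/sysctlnet.sh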
|
|
|
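#PG2IPSET installation and default config
# pg2ipset converts p2p lists into ipset restore input (used by
# ipset.setup.sh). Its source is downloaded and compiled as root, so the
# expected sha256 of pg2ipset.c can be pinned in PG2IPSET_SHA256 to detect
# a tampered or silently changed download; when it is unset the download
# is only warned about, not rejected.
# The build happens in a private mktemp directory instead of a fixed
# /tmp/pg2ipset path that another local user could pre-create.
pg2ipset_dir=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
wget https://raw.github.com/ilikenwf/pg2ipset/master/pg2ipset.c -O "$pg2ipset_dir/pg2ipset.c" \
  || { printf 'failed to download pg2ipset.c\n' >&2; rm -rf -- "$pg2ipset_dir"; exit 1; }
if [[ -n "${PG2IPSET_SHA256:-}" ]]; then
  printf '%s  %s\n' "$PG2IPSET_SHA256" "$pg2ipset_dir/pg2ipset.c" | sha256sum -c --status - \
    || { printf 'pg2ipset.c: checksum mismatch\n' >&2; rm -rf -- "$pg2ipset_dir"; exit 1; }
else
  printf 'warning: PG2IPSET_SHA256 not set; pg2ipset.c was not integrity-checked\n' >&2
fi
gcc -O3 -o "$pg2ipset_dir/pg2ipset" "$pg2ipset_dir/pg2ipset.c" \
  || { printf 'failed to compile pg2ipset\n' >&2; rm -rf -- "$pg2ipset_dir"; exit 1; }
install -m 755 "$pg2ipset_dir/pg2ipset" /usr/local/bin/pg2ipset
rm -rf -- "$pg2ipset_dir"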
|
|
|
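#BLM - Blocklist Merger installation
# blm merges the cached lists before they are fed to pg2ipset (see
# ipset.setup.sh). Its tarball is fetched over plain HTTP and compiled as
# root, so pin the expected sha256 of blm.tar.bz2 in BLM_SHA256 to detect
# a tampered or changed download; when it is unset the download is only
# warned about, not rejected.
blm_dir=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
wget http://www.maeyanie.com/blm.tar.bz2 -O "$blm_dir/blm.tar.bz2" \
  || { printf 'failed to download blm.tar.bz2\n' >&2; rm -rf -- "$blm_dir"; exit 1; }
if [[ -n "${BLM_SHA256:-}" ]]; then
  printf '%s  %s\n' "$BLM_SHA256" "$blm_dir/blm.tar.bz2" | sha256sum -c --status - \
    || { printf 'blm.tar.bz2: checksum mismatch\n' >&2; rm -rf -- "$blm_dir"; exit 1; }
else
  printf 'warning: BLM_SHA256 not set; blm.tar.bz2 was not integrity-checked\n' >&2
fi
# The archive unpacks to a blm/ directory holding blm.cpp. Extract into the
# private temp directory rather than /tmp, so no pre-existing /tmp/blm path
# can interfere with the build.
tar xjf "$blm_dir/blm.tar.bz2" -C "$blm_dir" \
  || { printf 'failed to extract blm.tar.bz2\n' >&2; rm -rf -- "$blm_dir"; exit 1; }
g++ -O3 -o "$blm_dir/blm/blm" "$blm_dir/blm/blm.cpp" \
  || { printf 'failed to compile blm\n' >&2; rm -rf -- "$blm_dir"; exit 1; }
install -m 755 "$blm_dir/blm/blm" /usr/local/bin/blm
rm -rf -- "$blm_dir"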
|
|
|
#default config and cache dirs
# lists/ holds the download-* URL files and the static *.p2p lists;
# cache/allow and cache/block receive the gzipped lists the ipsets are
# built from. mkdir -p makes this safe to re-run.
mkdir -p /opt/filterbridge/lists/ \
  /opt/filterbridge/cache/allow/ \
  /opt/filterbridge/cache/block/
|
|
|
# URLs of the remote allow lists (one per line, '#' lines are skipped by
# ipset.buildcache.sh). Addresses on these lists bypass every block rule.
cat <<'DLA' > /opt/filterbridge/lists/download-allow
http://list.iblocklist.com/?list=steam&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=aphcqvpxuqgrkgufjruj&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=blizzard&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=soe&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=punkbuster&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=aevzidimyvwybzkletsg&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=nintendo&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=activision&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=ubisoft&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=nzldzlpkgrcncdomnttb&fileformat=p2p&archiveformat=gz
DLA
|
|
|
# URLs of the remote block lists (one per line, '#' lines are skipped by
# ipset.buildcache.sh).
cat <<'DLB' > /opt/filterbridge/lists/download-block
http://list.iblocklist.com/?list=ijfqtofzixtwayqovmxn&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=bt_ads&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p&archiveformat=gz
DLB
|
|
|
#https://support.leagueoflegends.com/entries/20749152-Server-IP-Addresses
# Static allow entries in p2p format (label:first-last). They are gzipped
# into the cache next to the downloaded lists and override every block.
cat <<'STA' > /opt/filterbridge/lists/static-allow.p2p
LoL Oceania:192.64.169.1-192.64.169.254
LoL Oceania:59.100.95.128-59.100.95.254
LoL North America:64.7.194.1-64.7.194.254
LoL North America:66.150.148.1-66.150.148.254
LoL North America:192.64.168.1-192.64.168.254
LoL North America:192.64.169.1-192.64.169.254
LoL North America:192.64.170.1-192.64.170.254
LoL North America:216.133.234.1-216.133.234.254
STA

# Static block entries, same format; empty by default.
cat <<'STB' > /opt/filterbridge/lists/static-block.p2p
STB
|
|
|
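#build the ipset cache, download remote lists, gzip local lists into the cache.
cat << "IPU" > /opt/filterbridge/ipset.buildcache.sh
#!/bin/bash
# Refresh /opt/filterbridge/cache/{allow,block}: fetch every URL listed in
# lists/download-allow and lists/download-block (blank lines and lines
# starting with '#' are ignored) and gzip the static *.p2p lists next to
# them, so ipset.setup.sh can rebuild the sets from the cache alone.
# Downloads are best-effort: a failed fetch leaves the previously cached
# copy in place and the script carries on.
# NOTE(review): the list URLs are plain http and nothing verifies what is
# downloaded; whoever can alter the allow lists controls which addresses
# bypass every block rule.

lists=/opt/filterbridge/lists
cache=/opt/filterbridge/cache

# Download the URLs listed in file $1 into the current directory.
# The URLs are passed as separate quoted arguments (no word-splitting or
# globbing of the '?' and '*' that the URLs may contain); wget -N only
# re-downloads a list the server reports as newer.
fetch_lists() {
  local -a urls=()
  local url
  while IFS= read -r url; do
    [[ -n "$url" && "$url" != \#* ]] && urls+=("$url")
  done < "$1"
  (( ${#urls[@]} )) || return 0
  wget -N -- "${urls[@]}"
}

pushd "$cache/allow" > /dev/null || exit 1
fetch_lists "$lists/download-allow"                              #get the online lists
gzip -c "$lists/static-allow.p2p" > "$cache/allow/static-allow"  #zip up our static, local list
popd > /dev/null

pushd "$cache/block" > /dev/null || exit 1
fetch_lists "$lists/download-block"
gzip -c "$lists/static-block.p2p" > "$cache/block/static-block"
popd > /dev/null
IPU
chmod +x /opt/filterbridge/ipset.buildcache.sh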
|
|
|
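#Setup IPSet from cached blocklists, this will always reload local lists into the cache.
cat << "IPS" > /opt/filterbridge/ipset.setup.sh
#!/bin/bash
# Rebuild the allowlist and blocklist ipsets from the cache directories.
# Each set is built into a temporary set that is then swapped in, so the
# live set is replaced in one step and is never empty while the lists are
# being loaded (the old code flushed the live blocklist before the rebuild,
# which left the bridge unfiltered for the duration of the load).
# Run as an `up` hook of br0 and daily from cron after ipset.buildcache.sh.
# Only IPv4 sets are built (family inet).
# The 2>/dev/null on the list pipeline is inherited: it keeps the tools'
# noise out of cron mail but also hides a missing blm/pg2ipset.

pushd /opt/filterbridge/cache/ > /dev/null || exit 1

pushd ./allow > /dev/null || exit 1
# -exist + flush: a temp set left behind by an interrupted run would
# otherwise make 'create' fail and stale entries leak into this build.
ipset create -exist allowtemp hash:net family inet maxelem 4294967295
ipset flush allowtemp
ipset create -exist allowlist hash:net family inet maxelem 4294967295
gzip -c /opt/filterbridge/lists/static-allow.p2p > /opt/filterbridge/cache/allow/static-allow #zip up our static, local list
zcat * 2>/dev/null | blm 2>/dev/null | pg2ipset - - allowtemp 2>/dev/null | ipset -R
ipset swap allowtemp allowlist
ipset destroy allowtemp
popd > /dev/null

pushd ./block > /dev/null || exit 1
ipset create -exist blocktemp hash:net family inet maxelem 4294967295
ipset flush blocktemp
ipset create -exist blocklist hash:net family inet maxelem 4294967295
gzip -c /opt/filterbridge/lists/static-block.p2p > /opt/filterbridge/cache/block/static-block
zcat * 2>/dev/null | blm 2>/dev/null | pg2ipset - - blocktemp 2>/dev/null | ipset -R
ipset swap blocktemp blocklist
ipset destroy blocktemp
popd > /dev/null

popd > /dev/null
IPS
chmod +x /opt/filterbridge/ipset.setup.sh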
|
|
|
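#store the iptables script to the "tables" folder.
mkdir -p /opt/filterbridge/tables/

cat << "IPTF" > /opt/filterbridge/tables/iptables.flu.sh
#!/bin/bash
# Flush the filter table and delete our user-defined chains (LOGDROP,
# LOGREJECT) so iptables.up.sh can recreate them. Run at the start of
# iptables.up.sh and as the post-down hook of br0.
# Only the filter table is touched and the chain policies are left alone
# (ACCEPT unless changed elsewhere), so after this the bridge forwards
# traffic unfiltered.
iptables -t filter -F
iptables -t filter -X   # -X only removes empty chains, hence after -F
IPTF
chmod +x /opt/filterbridge/tables/iptables.flu.sh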
|
|
|
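cat << "IPTU" > /opt/filterbridge/tables/iptables.up.sh
#!/bin/bash
# Install the filtering rules for the bridge. Run as an `up` hook of br0
# after ipset.setup.sh has created the allowlist and blocklist sets.
#
# INPUT protects the device itself; FORWARD filters the traffic crossing
# the bridge: allowlist matches win, blocklist sources are logged and
# dropped, blocklist destinations are logged and rejected, everything else
# is forwarded untouched.
#
# Limits worth knowing: only IPv4 is filtered (the sets are family inet and
# there are no ip6tables rules), and the FORWARD policy is never changed,
# so if the set-matching rules fail to load the bridge keeps forwarding
# unfiltered rather than failing closed.

#Flush everything firewall related.
/opt/filterbridge/tables/iptables.flu.sh

# --- traffic to the device itself ---
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i br0 -p icmp -j ACCEPT
# Match loopback by interface rather than by 127.0.0.1 source/destination:
# that covers the whole 127/8 range and does not accept a packet on br0
# merely because it claims a 127.0.0.1 source.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i br0 -p tcp -m tcp --dport 22 -j ACCEPT   # management SSH over the bridge
iptables -A INPUT -j DROP

#TABLE THAT LOGS AND DROPS PACKETS
# rate-limited so a flood of blocked packets cannot fill the log
iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "IPT-Blocklist-Dropped: " --log-level 4
iptables -A LOGDROP -j DROP

#TABLE THAT LOGS AND REJECTS PACKETS
iptables -N LOGREJECT
iptables -A LOGREJECT -m limit --limit 2/min -j LOG --log-prefix "IPT-Blocklist-Rejected: " --log-level 4
iptables -A LOGREJECT -j REJECT

#allow rules - careful what you put here, all matches ignore any blocks.
iptables -A FORWARD -i br0 -m set --match-set allowlist src -j ACCEPT #allow packets in from any address on the allowlist
iptables -A FORWARD -i br0 -m set --match-set allowlist dst -j ACCEPT #allow packets out to any address on the allowlist

#block rules - use the blocklist
iptables -A FORWARD -i br0 -m set --match-set blocklist src -j LOGDROP #log and drop any packets from any address on the blocklist
iptables -A FORWARD -i br0 -m set --match-set blocklist dst -j LOGREJECT #log and reject any packets to any address on the blocklist

#forward everything else through the bridge, untouched.
iptables -A FORWARD -i br0 -j ACCEPT
IPTU
chmod +x /opt/filterbridge/tables/iptables.up.sh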
|
|
|
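# Daily refresh job. run-parts needs an executable with an interpreter
# line; the file name must not contain a dot or run-parts skips it.
cat << "CRONJOB" > /etc/cron.daily/filterbridge_update
#!/bin/bash
# Download the remote lists into the cache, then rebuild the ipsets from
# it. The rebuild runs even if a download failed, so the sets are refreshed
# from whatever the cache currently holds.
/opt/filterbridge/ipset.buildcache.sh
/opt/filterbridge/ipset.setup.sh
CRONJOB
chmod 755 /etc/cron.daily/filterbridge_update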