
This is a script for setting up a small, Debian-based device that applies IP blocklists to your internet connection: a transparent Ethernet bridge that runs iptables with ipset-backed allow/block lists.

This device is intended to operate transparently and quietly, entirely on your local network. It is NOT designed to be exposed to the internet: its own firewall accepts SSH from any address arriving on the bridge (and the modem-facing eth0 is a bridge port), so it relies on the upstream device doing the perimeter filtering. It works best plugged straight into your FIREWALLED, NATTED modem.

Plug eth0 into your router/modem/cablebox/pigeon; eth1-3 can go to your clients. This device should require little to no config once set up. Gzipped P2P-format blocklists are downloaded once a day (over plain HTTP, with no integrity check, so treat the list providers and your upstream path as trusted), merged with any cached or local blocklists, and then atomically swapped in for the existing ipsets. Filtering is IPv4 only; IPv6 frames cross the bridge untouched. I used Debian Wheezy (7.1) for this, and it works EXTREMELY WELL. The firewall entries for this are minimal; most traffic just goes straight through the bridge.

pg2ipset and blm programs are from http://maeyanie.com

http://www.maeyanie.com/2009/08/blocklist-merging-on-linux/

http://www.maeyanie.com/2008/12/efficient-iptables-peerguardian-blocklist/

Improved version of pg2ipset from https://github.com/ilikenwf/pg2ipset

Comments are welcome.

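#!/bin/bash
# This is a script for setting up a small, Debian-based device that applies IP blocklists
# to your internet connection (a transparent bridge running iptables + ipset).
# It must run as root: it installs packages, OVERWRITES /etc/network/interfaces and writes
# scripts under /opt/filterbridge and /etc/cron.daily. Run it on a fresh install.
# Abort on the first failed step so a half-built box is never left looking "installed".
set -eu -o pipefail
if [[ "$(id -u)" -ne 0 ]]; then
  echo "this installer must be run as root" >&2
  exit 1
fi
# prerequisites: iptables/ipset do the filtering, bridge-utils provides br0,
# gcc/g++ compile pg2ipset and blm below. One apt-get call instead of five.
apt-get install --assume-yes iptables bridge-utils ipset gcc g++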
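# Network config: all four NICs are enslaved to one bridge (br0) with no address of their
# own; br0 gets its address by DHCP from the LAN side. NOTE: this overwrites the existing file.
cat << "ENI" > /etc/network/interfaces
# Network Interface Config File
# dudes don't let dudes use hotplug.
# The loopback network interface
auto lo
iface lo inet loopback
# The primary and secondary network interfaces
iface eth0 inet manual
iface eth1 inet manual
iface eth2 inet manual
iface eth3 inet manual
iface br0 inet dhcp
# load the ipsets first, then the iptables rules that reference them (order matters)
up /opt/filterbridge/ipset.setup.sh
up /opt/filterbridge/tables/iptables.up.sh
bridge_ports eth0 eth1 eth2 eth3
# no spanning tree and no forwarding delay: the bridge forwards as soon as it is up
bridge_stp off
bridge_maxwait 0
bridge_fd 0
post-up /etc/network/sysctlnet.sh
# give br0 eth0's MAC (presumably so the bridge keeps a stable address for its DHCP lease);
# read it from sysfs instead of parsing ifconfig output, which matched 'eth0' as a substring
# and depended on column positions
post-up /sbin/ip link set br0 address "$(cat /sys/class/net/eth0/address)"
post-down /opt/filterbridge/tables/iptables.flu.sh
auto br0
ENI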
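# Kernel knobs, run from post-up: every toggle under /proc/sys/net/bridge/ is set to 1 so
# bridged frames are handed to iptables (bridge-nf-call-iptables). The same loop also turns
# on the ip6tables/arptables hooks, which nothing in this setup configures, so those see
# empty default-ACCEPT tables.
cat << "SCN" > /etc/network/sysctlnet.sh
#!/bin/bash
# NOTE: on newer kernels these files only appear once the br_netfilter module is loaded -- confirm for your kernel
for knob in /proc/sys/net/bridge/*; do
  [ -e "$knob" ] && echo 1 > "$knob"
done
# IP forwarding is not obviously needed for a pure bridge (frames are switched, not routed);
# kept to preserve the original behaviour -- consider dropping it to reduce attack surface.
sysctl -w net.ipv4.ip_forward=1
SCN
chmod +x /etc/network/sysctlnet.sh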
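#PG2IPSET installation: fetch the single source file and build it.
# Supply-chain note: this pulls an unpinned 'master' with no checksum or signature check and
# installs the result as root on a device that sits in your traffic path. Pin a commit and
# verify a known hash before trusting it.
# Build in a private mktemp directory rather than the predictable /tmp/pg2ipset, which any
# local user could pre-create and populate before root compiles from it.
build_dir=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
pushd "$build_dir" > /dev/null || exit 1
wget https://raw.github.com/ilikenwf/pg2ipset/master/pg2ipset.c -O pg2ipset.c || exit 1
gcc -O3 -o pg2ipset pg2ipset.c || exit 1
install -m 755 pg2ipset /usr/local/bin/pg2ipset
popd > /dev/null
rm -rf -- "${build_dir:?}"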
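#BLM - Blocklist Merger installation.
# Supply-chain note: the tarball is fetched over plain HTTP with no checksum or signature and
# is compiled and installed as root, so an on-path attacker could substitute arbitrary code.
# Verify the archive's hash out of band (or mirror it over HTTPS) before running this.
# Build in a private mktemp directory rather than the predictable /tmp/blm path.
build_dir=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
wget http://www.maeyanie.com/blm.tar.bz2 -O "$build_dir/blm.tar.bz2" || exit 1
# the archive is expected to unpack into a 'blm/' directory containing blm.cpp
tar xjf "$build_dir/blm.tar.bz2" -C "$build_dir" || exit 1
pushd "$build_dir/blm" > /dev/null || exit 1
g++ -O3 -o blm blm.cpp || exit 1
install -m 755 blm /usr/local/bin/blm
popd > /dev/null
rm -rf -- "${build_dir:?}"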
#default config and cache dirs: lists/ holds the editable inputs, cache/ holds the gzipped
#copies that ipset.setup.sh loads, one subdirectory per list role.
mkdir -p /opt/filterbridge/lists /opt/filterbridge/cache/allow /opt/filterbridge/cache/block
#Remote allow lists, one URL per line ('#' lines are skipped by the downloader). These are
#fetched over plain HTTP with no integrity check, and an allow-list match bypasses every
#block rule, so they are the most sensitive input in the whole setup.
cat > /opt/filterbridge/lists/download-allow << 'DLA'
http://list.iblocklist.com/?list=steam&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=aphcqvpxuqgrkgufjruj&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=blizzard&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=soe&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=punkbuster&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=aevzidimyvwybzkletsg&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=nintendo&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=activision&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=ubisoft&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=nzldzlpkgrcncdomnttb&fileformat=p2p&archiveformat=gz
DLA
#Remote block lists, same format and same plain-HTTP caveat.
cat > /opt/filterbridge/lists/download-block << 'DLB'
http://list.iblocklist.com/?list=ijfqtofzixtwayqovmxn&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=bt_ads&fileformat=p2p&archiveformat=gz
http://list.iblocklist.com/?list=bt_spyware&fileformat=p2p&archiveformat=gz
DLB
#Local static allow list in P2P format ("label:first-last"); gzipped into the cache on every load.
#https://support.leagueoflegends.com/entries/20749152-Server-IP-Addresses
cat > /opt/filterbridge/lists/static-allow.p2p << 'STA'
LoL Oceania:192.64.169.1-192.64.169.254
LoL Oceania:59.100.95.128-59.100.95.254
LoL North America:64.7.194.1-64.7.194.254
LoL North America:66.150.148.1-66.150.148.254
LoL North America:192.64.168.1-192.64.168.254
LoL North America:192.64.169.1-192.64.169.254
LoL North America:192.64.170.1-192.64.170.254
LoL North America:216.133.234.1-216.133.234.254
STA
#Local static block list, empty by default; add "label:first-last" lines here.
cat > /opt/filterbridge/lists/static-block.p2p << 'STB'
STB
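#build the ipset cache: download remote lists, gzip local lists into the cache.
cat << "IPU" > /opt/filterbridge/ipset.buildcache.sh
#!/bin/bash
# Refresh /opt/filterbridge/cache/{allow,block}: fetch every URL from the download-* lists
# (wget -N keeps the cached copy when the remote file is unchanged) and gzip the static .p2p
# lists alongside them. ipset.setup.sh loads everything found in these directories.
# NOTE: wget -N writes in place, so an interrupted download can leave a truncated file in the cache.
set -u
# $1 = cache subdirectory, $2 = URL list file ('#' and blank lines ignored).
# Runs in a subshell so a failed cd cannot make wget dump files into the wrong directory.
fetch_into() (
  cd "$1" || { echo "cannot cd to $1" >&2; exit 1; }
  grep -v -e '^#' -e '^$' "$2" | wget -N -i - \
    || echo "some downloads from $2 failed; keeping cached copies" >&2
)
fetch_into /opt/filterbridge/cache/allow /opt/filterbridge/lists/download-allow
gzip -c /opt/filterbridge/lists/static-allow.p2p > /opt/filterbridge/cache/allow/static-allow
fetch_into /opt/filterbridge/cache/block /opt/filterbridge/lists/download-block
gzip -c /opt/filterbridge/lists/static-block.p2p > /opt/filterbridge/cache/block/static-block
IPU
chmod +x /opt/filterbridge/ipset.buildcache.sh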
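#Setup IPSet from cached blocklists, this will always reload local lists into the cache.
#Fixes: the live blocklist is no longer flushed before the rebuild (that left a fail-open
#window, and a failed build left it empty), a stale temp set from an interrupted run is
#removed first, and a failed build keeps the previous contents instead of swapping in junk.
cat << "IPS" > /opt/filterbridge/ipset.setup.sh
#!/bin/bash
# Rebuild the 'allowlist' and 'blocklist' ipsets from the gzipped P2P lists in the cache.
# Each set is built into a temporary set and atomically swapped in, so the live set that
# iptables.up.sh references is never empty mid-reload. Sets are IPv4 only (family inet).
# pipefail so a corrupt/truncated cache file (zcat error) aborts the swap instead of loading
# a partial list. Assumes blm and pg2ipset exit 0 on success -- confirm for your build.
set -o pipefail

# $1 = live set name, $2 = cache subdirectory, $3 = static .p2p file (re-gzipped into $2 first)
load_set() {
  local name="$1" dir="$2" static="$3" tmp="$1temp"
  gzip -c "$static" > "$dir/$(basename "$static" .p2p)"
  cd "$dir" || { echo "cannot cd to $dir" >&2; return 1; }
  ipset create -exist "$name" hash:net family inet maxelem 4294967295
  # a temp set left behind by an interrupted run would make create fail or carry stale entries
  ipset destroy "$tmp" 2>/dev/null
  ipset create "$tmp" hash:net family inet maxelem 4294967295 || return 1
  # decompress every cached list, merge overlapping ranges (blm), emit 'add <tmp> ...' lines for ipset restore
  if zcat ./* 2>/dev/null | blm 2>/dev/null | pg2ipset - - "$tmp" 2>/dev/null | ipset -R; then
    ipset swap "$tmp" "$name"
  else
    echo "building $name failed; keeping its previous contents" >&2
  fi
  ipset destroy "$tmp"
}

load_set allowlist /opt/filterbridge/cache/allow /opt/filterbridge/lists/static-allow.p2p
load_set blocklist /opt/filterbridge/cache/block /opt/filterbridge/lists/static-block.p2p
# always exit 0: this runs as an ifup 'up' hook and the iptables.up.sh hook must still follow it
exit 0
IPS
chmod +x /opt/filterbridge/ipset.setup.sh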
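#store the iptables script to the "tables" folder.
mkdir -p /opt/filterbridge/tables/
#Flush script, run from post-down and at the start of iptables.up.sh. Only the filter table
#is touched (that is all iptables.up.sh populates) and chain policies stay at ACCEPT, so
#after this runs the box accepts and forwards everything until iptables.up.sh re-adds rules.
cat << "IPTF" > /opt/filterbridge/tables/iptables.flu.sh
#!/bin/bash
# -F and -X default to the filter table, so the original '-t filter' repeats were no-ops
iptables -F   # delete every rule in the built-in chains
iptables -X   # delete the now-empty user chains (LOGDROP, LOGREJECT)
IPTF
chmod +x /opt/filterbridge/tables/iptables.flu.sh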
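cat << "IPTU" > /opt/filterbridge/tables/iptables.up.sh
#!/bin/bash
# Firewall for the filter bridge. INPUT protects the box itself; FORWARD applies the
# allowlist/blocklist ipsets (built by ipset.setup.sh) to traffic crossing br0.
# IPv4 only: the ipsets are 'family inet' and no ip6tables rules are installed anywhere,
# so IPv6 frames cross the bridge unfiltered.
#Flush everything firewall related (policies stay ACCEPT; the rules below re-close INPUT).
/opt/filterbridge/tables/iptables.flu.sh
### INPUT: traffic addressed to the bridge host itself
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i br0 -p icmp -j ACCEPT
# all loopback traffic, not only 127.0.0.1->127.0.0.1: local connections to the box's own
# br0 address also travel over lo and were dropped by the original src/dst rule
iptables -A INPUT -i lo -j ACCEPT
# SSH is accepted from ANY address arriving on br0 -- eth0 (modem side) is a bridge port too,
# so this relies on the upstream modem/NAT doing the filtering. Add '-s <lan-cidr>' here if
# your LAN range is known.
iptables -A INPUT -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
#TABLE THAT LOGS AND DROPS PACKETS (rate-limited so a flood cannot fill the log)
iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "IPT-Blocklist-Dropped: " --log-level 4
iptables -A LOGDROP -j DROP
#TABLE THAT LOGS AND REJECTS PACKETS
iptables -N LOGREJECT
iptables -A LOGREJECT -m limit --limit 2/min -j LOG --log-prefix "IPT-Blocklist-Rejected: " --log-level 4
iptables -A LOGREJECT -j REJECT
### FORWARD: bridged traffic (seen here as interface br0 because bridge-nf-call-iptables is on)
#allow rules - careful what you put here, all matches ignore any blocks: a packet whose
#source OR destination is on the allowlist is accepted before the block rules are consulted.
iptables -A FORWARD -i br0 -m set --match-set allowlist src -j ACCEPT #allow packets in from any address on the allowlist
iptables -A FORWARD -i br0 -m set --match-set allowlist dst -j ACCEPT #allow packets out to any address on the allowlist
#block rules - use the blocklist: inbound from a listed address is silently dropped, outbound
#to one is rejected (presumably so local clients fail fast instead of timing out)
iptables -A FORWARD -i br0 -m set --match-set blocklist src -j LOGDROP #log and drop any packets from any address on the blocklist
iptables -A FORWARD -i br0 -m set --match-set blocklist dst -j LOGREJECT #log and reject any packets to any address on the blocklist
#forward everything else through the bridge, untouched.
iptables -A FORWARD -i br0 -j ACCEPT
IPTU
chmod +x /opt/filterbridge/tables/iptables.up.sh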
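#Daily refresh: re-download the lists into the cache, then rebuild the ipsets from it.
#run-parts execs each cron.daily entry directly, so a file with no shebang (as the original
#was) may fail with "Exec format error" and the lists would silently never update.
cat << "CRONJOB" > /etc/cron.daily/filterbridge_update
#!/bin/bash
# Refresh the cached lists (a failed download keeps the old cached copy), then reload the
# ipsets. The reload runs regardless of the first step's outcome. Output goes to cron mail.
/opt/filterbridge/ipset.buildcache.sh
/opt/filterbridge/ipset.setup.sh
CRONJOB
chmod 755 /etc/cron.daily/filterbridge_update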