Periodically update an ipset used in a running firewall to block bogons.
#! /bin/bash | |
# /usr/local/sbin/fullbogons-ipv4 | |
# BoneKracker | |
# Rev. 11 October 2012 | |
# Tested with ipset 6.13 | |
# Purpose: Periodically update an ipset used in a running firewall to block | |
# bogons. Bogons are addresses that nobody should be using on the public | |
# Internet because they are either private, not to be assigned, or have | |
# not yet been assigned. | |
# | |
# Notes: Call this from crontab. Feed updated every 4 hours. | |
target="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt" | |
# Alternative source: https://files.pfsense.org/lists/fullbogons-ipv4.txt | |
ipset_params="hash:net" | |
filename=$(basename ${target}) | |
firewall_ipset=${filename%.*} # ipset will be filename minus ext | |
data_dir="/var/tmp/${firewall_ipset}" # data directory will be same | |
data_file="${data_dir}/${filename}" | |
# if data directory does not exist, create it | |
mkdir -pm 0750 ${data_dir} | |
# function to get modification time of the file in log-friendly format | |
get_timestamp() { | |
date -r $1 +%m/%d' '%R | |
} | |
# file modification time on server is preserved during wget download | |
[ -w ${data_file} ] && old_timestamp=$(get_timestamp ${data_file}) | |
# fetch file only if newer than the version we already have | |
wget -qNP ${data_dir} ${target} | |
if [ "$?" -ne "0" ]; then | |
logger -p cron.err "IPSet: ${firewall_ipset} wget failed." | |
exit 1 | |
fi | |
timestamp=$(get_timestamp ${data_file}) | |
# compare timestamps because wget returns success even if no newer file | |
if [ "${timestamp}" != "${old_timestamp}" ]; then | |
temp_ipset="${firewall_ipset}_temp" | |
ipset create ${temp_ipset} ${ipset_params} | |
#sed -i '/^#/d' ${data_file} # strip comments | |
sed -ri '/^[#< \t]|^$/d' ${data_file} # occasionally the file has been xhtml | |
while read network; do | |
ipset add ${temp_ipset} ${network} | |
done < ${data_file} | |
# if ipset does not exist, create it | |
ipset create -exist ${firewall_ipset} ${ipset_params} | |
# swap the temp ipset for the live one | |
ipset swap ${temp_ipset} ${firewall_ipset} | |
ipset destroy ${temp_ipset} | |
# log the file modification time for use in minimizing lag in cron schedule | |
logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})." | |
fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment