Update emerging fwrules ipset
#!/bin/bash
#
# Update emerging fwrules ipset
#
# * creates local statefile with fwrev
# * checks online for newer fwrev
# * downloads new ip list only if the online fwrev is not the local one
# * ensures that 2 ipsets (IPSET_BLACKLIST_HOST / IPSET_BLACKLIST_NET) exist
# * generates ipset --restore file with temporary ipsets
# * swaps temporary ipsets with current ipsets
# * deletes temporary ipsets
#
# Changelog:
# 10 May 2014 / 1.1 by Lin Song
# 08 Dec 2009 / 1.0 thomas@chaschperli.ch initial version
#
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program. If not, see http://www.gnu.org/licenses/.
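# --- configuration -----------------------------------------------------------
# Names of the two ipsets that receive the block list: single hosts go into
# IPSET_BLACKLIST_HOST, CIDR networks into IPSET_BLACKLIST_NET.
IPSET_BLACKLIST_HOST=blacklist
IPSET_BLACKLIST_NET=blacklistnet
# Where the last applied FWrev is remembered between runs.
ET_FWREV_STATEFILE="/var/run/emerging-ipset-update.fwrev"
ET_FWREV_URL="https://rules.emergingthreats.net/fwrules/FWrev"
ET_FWREV_LOCAL="0"
ET_FWREV_ONLINE="0"
ET_FWRULES="https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
SYSLOG_TAG="EMERGING-IPSET-UPDATE"
WGET="/usr/bin/wget"
IPSET="/usr/sbin/ipset"

# Scratch files. mktemp chooses the names; a longer run of X characters than
# the original three makes them harder to predict. A failing mktemp would
# leave the variable empty, so it is reported right here rather than later as
# a confusing "does not exist or is not writeable" message. do_log is not
# defined yet at this point, hence the plain printf to stderr.
IPSET_RESTOREFILE=$(mktemp -t emerging-ipset-update-ipsetrestorefile.XXXXXXXXXX) \
  || { printf 'error: mktemp failed for the ipset restore file\n' >&2; exit 1; }
ET_FWREV_TEMP=$(mktemp -t emerging-ipset-update-fwrevtemp.XXXXXXXXXX) \
  || { printf 'error: mktemp failed for the fwrev temp file\n' >&2; exit 1; }
ET_FWRULES_TEMP=$(mktemp -t emerging-ipset-update-fwrules.XXXXXXXXXX) \
  || { printf 'error: mktemp failed for the fwrules temp file\n' >&2; exit 1; }

# Some distributions ship ipset only as /sbin/ipset; provide the path this
# script expects. Nothing happens when /usr/sbin/ipset already exists.
[ -f /sbin/ipset ] && [ ! -f /usr/sbin/ipset ] && ln -s /sbin/ipset /usr/sbin/ipset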
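#######################################
# Write a message to stdout and to syslog.
# Globals:   SYSLOG_TAG (read) - tag passed to logger -t
# Arguments: $1 - syslog priority (e.g. error, notice); remaining args - message
# Outputs:   "<priority>: <message>" on stdout; the message alone to syslog
# Returns:   exit status of logger
#######################################
do_log () {
  local prio=$1
  shift
  # printf instead of echo: a message that is exactly "-n" or "-e" would be
  # eaten by echo as an option instead of being printed.
  printf '%s: %s\n' "$prio" "$*"
  printf '%s\n' "$*" | logger -p "$prio" -t "$SYSLOG_TAG"
}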
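# --- cleanup on every exit path ---------------------------------------------
# The original removed the scratch files only at the end of a successful run;
# every early "exit 1" leaked them. The restore file is kept when
# ipset --restore fails, because the error message points the operator at it.
KEEP_RESTOREFILE=0
cleanup_tempfiles () {
  rm -f -- "$ET_FWRULES_TEMP" "$ET_FWREV_TEMP"
  if [ "$KEEP_RESTOREFILE" -eq 0 ]; then
    rm -f -- "$IPSET_RESTOREFILE"
  fi
}
trap cleanup_tempfiles EXIT

# check executables
for i in "$WGET" "$IPSET"; do
  if ! [ -x "$i" ]; then
    do_log error "$i does not exist or is not executable"
    exit 1
  fi
done

# Create statefile if not exists
if ! [ -f "$ET_FWREV_STATEFILE" ]; then
  echo 0 >"$ET_FWREV_STATEFILE"
fi

# check files
for i in "$IPSET_RESTOREFILE" "$ET_FWREV_STATEFILE" "$ET_FWREV_TEMP" "$ET_FWRULES_TEMP"; do
  if ! [ -w "$i" ]; then
    do_log error "$i does not exist or is not writeable"
    exit 1
  fi
done

# --- compare the online revision with the one applied last time --------------
if ! "$WGET" -O "$ET_FWREV_TEMP" -q "$ET_FWREV_URL"; then
  do_log error "can't download $ET_FWREV_URL to $ET_FWREV_TEMP"
  exit 1
fi
ET_FWREV_ONLINE=$(cat "$ET_FWREV_TEMP")
ET_FWREV_LOCAL=$(cat "$ET_FWREV_STATEFILE")
# An empty revision file would otherwise trigger an update and then be
# recorded as the new local revision.
if [ -z "$ET_FWREV_ONLINE" ]; then
  do_log error "downloaded revision file $ET_FWREV_TEMP is empty"
  exit 1
fi

if [ "$ET_FWREV_ONLINE" != "$ET_FWREV_LOCAL" ]; then
  do_log notice "Local fwrev $ET_FWREV_LOCAL does not match online fwrev $ET_FWREV_ONLINE. start update"

  # A failed download used to be logged and then ignored, so the new sets were
  # built from an empty file and an empty block list was swapped into place.
  # Abort instead; the statefile stays unchanged, so the next run retries.
  if ! "$WGET" -O "$ET_FWRULES_TEMP" -q "$ET_FWRULES"; then
    do_log error "can't download $ET_FWRULES to $ET_FWRULES_TEMP"
    exit 1
  fi

  # One dotted quad per line (hosts) or dotted quad plus prefix length (nets);
  # anything else in the file is ignored.
  host_re='^[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}$'
  net_re='^[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/[[:digit:]]{1,2}$'
  host_count=$(grep -Ec "$host_re" "$ET_FWRULES_TEMP")
  net_count=$(grep -Ec "$net_re" "$ET_FWRULES_TEMP")
  # Refuse to replace the live sets with empty ones: a download that returned
  # an error page or a truncated file must not silently clear the block list.
  if [ "$host_count" -eq 0 ] && [ "$net_count" -eq 0 ]; then
    do_log error "no IP addresses found in $ET_FWRULES_TEMP; keeping the current sets"
    exit 1
  fi

  # ensure that ipsets exist (a non-zero status here just means "already exists")
  "$IPSET" -N "$IPSET_BLACKLIST_HOST" iphash --hashsize 26244 >/dev/null 2>&1
  "$IPSET" -N "$IPSET_BLACKLIST_NET" nethash --hashsize 3456 >/dev/null 2>&1
  # ensure that temp sets do not exist
  "$IPSET" --destroy "${IPSET_BLACKLIST_HOST}_TEMP" >/dev/null 2>&1
  "$IPSET" --destroy "${IPSET_BLACKLIST_NET}_TEMP" >/dev/null 2>&1

  # Build the restore file: create both temporary sets, add every host and
  # network address, drop duplicate lines (awk keeps the first occurrence),
  # then the COMMIT that ipset --restore needs. Writing through one pipeline
  # replaces the earlier extra mktemp/awk/mv round trip.
  {
    echo "-N ${IPSET_BLACKLIST_HOST}_TEMP iphash --hashsize 26244"
    grep -E "$host_re" "$ET_FWRULES_TEMP" \
      | awk -v set="${IPSET_BLACKLIST_HOST}_TEMP" '{ print "-A " set " " $0 }'
    echo "-N ${IPSET_BLACKLIST_NET}_TEMP nethash --hashsize 3456"
    grep -E "$net_re" "$ET_FWRULES_TEMP" \
      | awk -v set="${IPSET_BLACKLIST_NET}_TEMP" '{ print "-A " set " " $0 }'
  } | awk '!seen[$0]++' >"$IPSET_RESTOREFILE"
  echo "COMMIT" >>"$IPSET_RESTOREFILE"

  if ! "$IPSET" --restore <"$IPSET_RESTOREFILE"; then
    KEEP_RESTOREFILE=1
    do_log error "ipset restore failed. restorefile is $IPSET_RESTOREFILE"
    exit 1
  fi

  # swap sets: the live sets take over the new content, the _TEMP sets end up
  # holding the old content and are destroyed afterwards. A failed swap must
  # not be recorded as a successful update, hence the explicit checks.
  if ! "$IPSET" --swap "$IPSET_BLACKLIST_HOST" "${IPSET_BLACKLIST_HOST}_TEMP"; then
    do_log error "ipset swap failed for $IPSET_BLACKLIST_HOST"
    exit 1
  fi
  if ! "$IPSET" --swap "$IPSET_BLACKLIST_NET" "${IPSET_BLACKLIST_NET}_TEMP"; then
    do_log error "ipset swap failed for $IPSET_BLACKLIST_NET"
    exit 1
  fi
  # remove temp sets
  "$IPSET" --destroy "${IPSET_BLACKLIST_HOST}_TEMP"
  "$IPSET" --destroy "${IPSET_BLACKLIST_NET}_TEMP"

  if ! printf '%s\n' "$ET_FWREV_ONLINE" >"$ET_FWREV_STATEFILE"; then
    do_log error "failed to write to fwrev statefile $ET_FWREV_STATEFILE"
    exit 1
  fi
fi

# --- make sure the INPUT chain actually consults the sets --------------------
# The numeric listing is searched for the host set's match-set rule, as the
# original did with the literal set name; the name now follows the variable.
if ! iptables -nL INPUT | grep -qF -- "${IPSET_BLACKLIST_HOST} src"; then
  # -I inserts at the top, so the final order is: ACCEPT for the admin address
  # (if configured), then DROP on the host set, then DROP on the net set.
  iptables -I INPUT -m set --match-set "$IPSET_BLACKLIST_NET" src -j DROP
  iptables -I INPUT -m set --match-set "$IPSET_BLACKLIST_HOST" src -j DROP
  # Address that must stay reachable even if it ever shows up in the list.
  # Edit the placeholder below; while it is unchanged, iptables would reject
  # the rule, so it is skipped and reported instead of failing noisily.
  ADMIN_IP="YOUR_IP_ADDRESS"
  if [ "$ADMIN_IP" = "YOUR_IP_ADDRESS" ]; then
    do_log notice "ADMIN_IP is not configured; no ACCEPT rule added for it"
  else
    iptables -I INPUT -s "$ADMIN_IP" -j ACCEPT
  fi
fi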