/ipset_em.sh
Secret
Last active Jun 22, 2017
Update emerging fwrules ipset
| #!/bin/bash | |
| # | |
| # Update emerging fwrules ipset | |
| # | |
| # * creates local statefile with fwrev | |
| # * checks online for newer fwrev | |
| # * downloads new ip list only if the online fwrev is not the local one | |
| # * ensures that 2 ipsets (IPSET_BLACKLIST_HOST / IPSET_BLACKLIST_NET) exist | |
| # * generates ipset --restore file with temporary ipsets | |
| # * swaps temporary ipsets with current ipsets | |
| # * delets temporary ipsets | |
| # | |
| # Changelog: | |
| # 10 May 2014 / 1.1 by Lin Song | |
| # 08 Dec 2009 / 1.0 thomas@chaschperli.ch initial version | |
| # | |
| # This program is free software: you can redistribute it and/or modify it under | |
| # the terms of the GNU General Public License as published by the Free Software | |
| # Foundation, either version 3 of the License, or (at your option) any later version. | |
| # | |
| # This program is distributed in the hope that it will be useful, but WITHOUT ANY | |
| # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A | |
| # PARTICULAR PURPOSE. See the GNU General Public License for more details. | |
| # | |
| # You should have received a copy of the GNU General Public License along with | |
| # this program. If not, see http://www.gnu.org/licenses/. | |
| IPSET_BLACKLIST_HOST=blacklist | |
| IPSET_BLACKLIST_NET=blacklistnet | |
| IPSET_RESTOREFILE=$(mktemp -t emerging-ipset-update-ipsetrestorefile.XXX) | |
| ET_FWREV_STATEFILE="/var/run/emerging-ipset-update.fwrev" | |
| ET_FWREV_URL="https://rules.emergingthreats.net/fwrules/FWrev" | |
| ET_FWREV_TEMP=$(mktemp -t emerging-ipset-update-fwrevtemp.XXX) | |
| ET_FWREV_LOCAL="0" | |
| ET_FWREV_ONLINE="0" | |
| ET_FWRULES="https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt" | |
| ET_FWRULES_TEMP=$(mktemp -t emerging-ipset-update-fwrules.XXXX) | |
| SYSLOG_TAG="EMERGING-IPSET-UPDATE" | |
| WGET="/usr/bin/wget" | |
| IPSET="/usr/sbin/ipset" | |
| [ -f /sbin/ipset ] && [ ! -f /usr/sbin/ipset ] && ln -s /sbin/ipset /usr/sbin/ipset | |
| do_log () { | |
| local PRIO=$1; shift; | |
| echo "$PRIO: $*" | |
| echo "$*" | logger -p "$PRIO" -t "$SYSLOG_TAG" | |
| } | |
| # check executables | |
| for i in "$WGET" "$IPSET" | |
| do | |
| if ! [ -x "$i" ] | |
| then | |
| do_log error "$i does not exist or is not executable" | |
| exit 1 | |
| fi | |
| done | |
| # Create statefile if not exists | |
| if ! [ -f "$ET_FWREV_STATEFILE" ]; | |
| then | |
| echo 0 >"$ET_FWREV_STATEFILE" | |
| fi | |
| # check files | |
| for i in "$IPSET_RESTOREFILE" "$ET_FWREV_STATEFILE" "$ET_FWREV_TEMP" "$ET_FWRULES_TEMP" | |
| do | |
| if ! [ -w "$i" ] | |
| then | |
| do_log error "$i does not exist or is not writeable" | |
| exit 1 | |
| fi | |
| done | |
| # get fwrev online | |
| if ! $WGET -O "$ET_FWREV_TEMP" -q "$ET_FWREV_URL"; | |
| then | |
| do_log error "can't download $ET_FWREV_URL to $ET_FWREV_TEMP" | |
| exit 1 | |
| fi | |
| ET_FWREV_ONLINE=$(cat $ET_FWREV_TEMP) | |
| ET_FWREV_LOCAL=$(cat $ET_FWREV_STATEFILE) | |
| if [ "$ET_FWREV_ONLINE" != "$ET_FWREV_LOCAL" ] | |
| then | |
| do_log notice "Local fwrev $ET_FWREV_LOCAL does not match online fwrev $ET_FWREV_ONLINE. start update" | |
| if ! "$WGET" -O "$ET_FWRULES_TEMP" -q "$ET_FWRULES" | |
| then | |
| do_log error "can't download $ET_FWRULES to $ET_FWREV_TEMP" | |
| fi | |
| # ensure that ipsets exist | |
| $IPSET -N $IPSET_BLACKLIST_HOST iphash --hashsize 26244 >/dev/null 2>&1 | |
| $IPSET -N $IPSET_BLACKLIST_NET nethash --hashsize 3456 >/dev/null 2>&1 | |
| # ensure that temp sets do not exist | |
| $IPSET --destroy "${IPSET_BLACKLIST_HOST}_TEMP" >/dev/null 2>&1 | |
| $IPSET --destroy "${IPSET_BLACKLIST_NET}_TEMP" >/dev/null 2>&1 | |
| # Host IP Adresses | |
| echo "-N ${IPSET_BLACKLIST_HOST}_TEMP iphash --hashsize 26244" >>$IPSET_RESTOREFILE | |
| for i in $(egrep '^[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}$' "$ET_FWRULES_TEMP") | |
| do | |
| echo "-A ${IPSET_BLACKLIST_HOST}_TEMP $i" >>$IPSET_RESTOREFILE | |
| done | |
| # NET addresses | |
| echo "-N ${IPSET_BLACKLIST_NET}_TEMP nethash --hashsize 3456" >>$IPSET_RESTOREFILE | |
| for i in $(egrep '^[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/[[:digit:]]{1,2}$' "$ET_FWRULES_TEMP") | |
| do | |
| echo "-A ${IPSET_BLACKLIST_NET}_TEMP $i" >>$IPSET_RESTOREFILE | |
| done | |
| TMPFILE=$(mktemp --tmpdir tmp.XXXXXXXXXX) || exit 1 | |
| awk '!x[$0]++' $IPSET_RESTOREFILE > $TMPFILE && mv $TMPFILE $IPSET_RESTOREFILE | |
| # needed for ipset --restore | |
| echo "COMMIT" >>$IPSET_RESTOREFILE | |
| if ! ipset --restore <$IPSET_RESTOREFILE | |
| then | |
| do_log error "ipset restore failed. restorefile is $IPSET_RESTOREFILE"; exit 1; | |
| fi | |
| # swap sets | |
| ipset --swap ${IPSET_BLACKLIST_HOST} ${IPSET_BLACKLIST_HOST}_TEMP | |
| ipset --swap ${IPSET_BLACKLIST_NET} ${IPSET_BLACKLIST_NET}_TEMP | |
| # remove temp sets | |
| ipset --destroy ${IPSET_BLACKLIST_HOST}_TEMP | |
| ipset --destroy ${IPSET_BLACKLIST_NET}_TEMP | |
| if ! echo $ET_FWREV_ONLINE >$ET_FWREV_STATEFILE | |
| then | |
| do_log error "failed to write to fwrev statefile $ET_FWREV_STATEFILE"; exit 1; | |
| fi | |
| fi | |
| rm -f "$IPSET_RESTOREFILE" "$ET_FWRULES_TEMP" "$ET_FWREV_TEMP" | |
| iptables -nL INPUT | grep "blacklist src" &>/dev/null | |
| if [[ $? -ne 0 ]]; then | |
| iptables -I INPUT -m set --match-set blacklistnet src -j DROP | |
| iptables -I INPUT -m set --match-set blacklist src -j DROP | |
| iptables -I INPUT -s YOUR_IP_ADDRESS -j ACCEPT | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment