An IP Feed subscriber that adds rules via nft.
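#! /usr/bin/env bash
#
# IP feed subscriber: downloads a fixed set of IPv4/IPv6 blocklists, turns each
# one into an nftables set literal and installs one
# "<family> saddr { ... } counter drop" rule per feed in the input chain of the
# `inet blackhole` table. The generated ruleset (/etc/ipfeeds/nftables.conf)
# declares table and chain itself, so nft creates them when they are missing.
#
# Requires Bash >= 4.0, curl, gzip (iBlocklist ships its list gzipped), nft and
# root privileges: it writes /etc/ipfeeds/ and modifies the live ruleset.
#
# Security notes
#   * Feed contents are untrusted input that ends up inside a ruleset passed to
#     `nft -f`. Every entry is therefore validated against a strict IPv4 or
#     IPv6 address/CIDR pattern and anything else is discarded, so a tampered
#     or malformed feed cannot inject nft syntax (e.g. a closing brace followed
#     by an extra rule). nft still performs the final syntax/semantic check.
#   * curl runs with --fail, HTTPS-only (redirects included) and a timeout, so
#     an HTTP error page, a downgraded redirect or a hung server never becomes
#     a "list". Downloads are staged in a private temporary directory and only
#     copied into /etc/ipfeeds once every feed was fetched and validated.
#   * Error handling is fail-open, as in the original version of this script:
#     on any error the blackhole chain is flushed and the script exits 1. A
#     broken list therefore never blocks legitimate traffic, but a feed outage
#     leaves the host unprotected until the next successful run. To keep the
#     last-known-good rules instead, remove the `nft flush` call from fail().

set -euo pipefail

readonly feedDir="/etc/ipfeeds"
readonly rulesFile="${feedDir}/nftables.conf"

# Feed table, four entries per feed:
#   1. output file name under /etc/ipfeeds; the -v4/-v6 suffix selects the
#      nft address family (ip / ip6) of the generated rule,
#   2. HTTPS URL of the list,
#   3. decoder applied to the download ("" for plain text, "gzip" for .gz),
#   4. display name used in the rule comment.
feedArr=(
  'dshield-v4.txt'           'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dshield.netset' ''     'DShield'
  'spamhaus-drop-v4.txt'     'https://www.spamhaus.org/drop/drop.txt'                                           ''     'Spamhaus DROP'
  'spamhaus-edrop-v4.txt'    'https://www.spamhaus.org/drop/edrop.txt'                                          ''     'Spamhaus EDROP'
  'spamhaus-drop-v6.txt'     'https://www.spamhaus.org/drop/dropv6.txt'                                         ''     'Spamhaus DROP'
  'iblocklist-level1-v4.txt' 'https://list.iblocklist.com/?list=ydxerpxkpcfqjaybcssw&fileformat=cidr&archiveformat=gz' 'gzip' 'iBlocklist Level 1'
)
readonly feedStride=4

# Private staging area; removed on every exit path (see cleanup/trap below).
stageDir=""

#######################################
# Remove the staging directory. Installed as the EXIT trap.
#######################################
cleanup() {
  if [[ -n "$stageDir" ]]; then
    rm -rf -- "$stageDir"
  fi
}

#######################################
# Report an error, flush the blackhole chain (fail-open) and exit 1.
# Arguments: $1 - message printed to stderr
#######################################
fail() {
  printf '%s\n' "$1" >&2
  # The flush may itself fail (e.g. the table does not exist yet); the script
  # is already exiting non-zero, so do not let that mask the real error.
  nft flush chain inet blackhole input || true
  exit 1
}

#######################################
# Download one feed into a file.
# Arguments: $1 - URL, $2 - decoder ("" or "gzip"), $3 - destination path
# Returns:   non-zero if curl (or gzip) fails; the destination may then be
#            partial, which is why downloads are staged and not installed.
#######################################
fetch_feed() {
  local url=$1 decoder=$2 dest=$3
  # --fail: an HTTP 4xx/5xx body must never be treated as a list.
  # --proto/--proto-redir: HTTPS only, also after a redirect.
  local -a curlArgs=(
    --silent --show-error --fail --location
    --proto '=https' --proto-redir '=https'
    --max-time 120
  )
  case "$decoder" in
    '')   curl "${curlArgs[@]}" "$url" > "$dest" ;;
    gzip) curl "${curlArgs[@]}" "$url" | gzip -d > "$dest" ;;  # pipefail catches a curl error
    *)    printf 'Unknown feed decoder: %s\n' "$decoder" >&2; return 1 ;;
  esac
}

#######################################
# Filter a raw feed (stdin) down to validated address/CIDR entries, one per
# line on stdout. Whole-line and inline comments introduced by '#' or ';'
# are stripped, whitespace (including CR) is trimmed, and every remaining
# line must match a strict pattern for the given family; anything else is
# dropped, so only [0-9A-Fa-f:./] can ever reach the nft set literal.
# Arguments: $1 - nft address family, "ip" or "ip6"
#######################################
normalize_feed() {
  local family=$1 pattern line
  if [[ "$family" == "ip" ]]; then
    pattern='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
  else
    # Hex groups separated by colons ("::" compression allowed) plus an
    # optional prefix length. Not a full RFC 4291 validator: its job is to
    # keep nft syntax out of the set; nft rejects anything still malformed.
    pattern='^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){1,7}(/[0-9]{1,3})?$'
  fi
  while IFS= read -r line || [[ -n "$line" ]]; do
    line=${line%%#*}                        # '# ...' comments (DShield, firehol)
    line=${line%%;*}                        # '; ...' comments (Spamhaus)
    line=${line//$'\r'/}                    # tolerate CRLF feeds
    line=${line#"${line%%[![:space:]]*}"}   # left trim
    line=${line%"${line##*[![:space:]]}"}   # right trim
    if [[ -n "$line" && "$line" =~ $pattern ]]; then
      printf '%s\n' "$line"
    fi
  done
}

#######################################
# Entry point: fetch, validate, render and apply all feeds.
# Globals:  feedArr, feedStride, feedDir, rulesFile (read); stageDir (written)
# Outputs:  /etc/ipfeeds/<feed file> holding "{ a, b, ... }" per feed and
#           /etc/ipfeeds/nftables.conf; exits 1 via fail() on any error.
#######################################
main() {
  local i file url decoder name family famLabel joined setLiteral
  local -a entries

  stageDir=$(mktemp -d) || fail "Could not create a staging directory."
  trap cleanup EXIT

  # 1. Fetch every feed into the staging directory. Any failure aborts before
  #    /etc/ipfeeds or the live ruleset is touched.
  for (( i = 0; i < ${#feedArr[@]}; i += feedStride )); do
    file=${feedArr[i]}
    url=${feedArr[i + 1]}
    decoder=${feedArr[i + 2]}
    fetch_feed "$url" "$decoder" "${stageDir}/${file}.raw" \
      || fail "Failed to retrieve the feed lists."
  done

  # 2. Validate each feed, render its set literal and the matching drop rule.
  {
    printf 'table inet blackhole {\n\tchain input {\n'
    printf '\t\ttype filter hook input priority security; policy accept;\n'
  } > "${stageDir}/nftables.conf"

  for (( i = 0; i < ${#feedArr[@]}; i += feedStride )); do
    file=${feedArr[i]}
    name=${feedArr[i + 3]}
    case "$file" in
      *-v4.txt) family="ip";  famLabel="IPv4" ;;
      *-v6.txt) family="ip6"; famLabel="IPv6" ;;
      *) fail "Unknown text file found in configuration path (/etc/ipfeeds)." ;;
    esac

    mapfile -t entries < <(normalize_feed "$family" < "${stageDir}/${file}.raw")
    # An empty set is invalid nft and would only fail later with a less
    # useful message; more importantly it usually means the feed changed
    # format or was truncated, which deserves attention rather than silence.
    (( ${#entries[@]} > 0 )) \
      || fail "Feed '${name}' (${file}) contained no valid ${famLabel} entries."

    printf -v joined '%s, ' "${entries[@]}"
    setLiteral="{ ${joined%, } }"
    printf '%s\n' "$setLiteral" > "${stageDir}/${file}"
    printf '\t\t%s saddr %s counter drop comment "[Blackhole] Blocked by the %s feed (%s)."\n' \
      "$family" "$setLiteral" "$name" "$famLabel" >> "${stageDir}/nftables.conf"
  done
  printf '\t}\n}\n' >> "${stageDir}/nftables.conf"

  # 3. Everything validated: publish the files, then replace the live rules.
  mkdir -p -- "$feedDir"
  for (( i = 0; i < ${#feedArr[@]}; i += feedStride )); do
    file=${feedArr[i]}
    cp -- "${stageDir}/${file}" "${feedDir}/${file}"
  done
  cp -- "${stageDir}/nftables.conf" "$rulesFile"

  # `nft -f` appends to an existing chain, so flush the previous run's rules
  # first. The chain does not exist on the very first run; the ruleset below
  # creates it, so that particular failure is tolerated.
  nft flush chain inet blackhole input || true
  nft -f "$rulesFile" || fail "The firewall could not be applied."
}

main "$@"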