An IP Feed subscriber that adds rules via nft.
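#! /usr/bin/env bash
# An IP feed subscriber that fetches public blocklists and installs them as
# "drop" rules in the input chain of the "inet blackhole" nftables table.
#
# Requires Bash >= 4.0, curl, gzip, grep, GNU sed, and nft.  Each feed is
# cached under /etc/ipfeeds/<file> as an nft set literal ("{ a, b, c }")
# and the generated ruleset is written to /etc/ipfeeds/nftables.conf.
#
# Failure policy: on any error the "input" chain is flushed and the script
# exits 1, i.e. the blackhole fails open rather than keeping stale rules.
# "set -e" is deliberately not used so that every error path goes through
# fail() and performs that flush.
set -o pipefail

readonly feed_dir='/etc/ipfeeds'
readonly nft_conf="${feed_dir}/nftables.conf"

# One feed per row, four fields each:
#   file    cache file name under $feed_dir; the "-v4.txt" / "-v6.txt"
#           suffix selects the nft address family (ip / ip6)
#   url     download location (redirects are followed for every feed)
#   name    human-readable name used in the rule comment
#   format  "plain" for a text list, "gz" for a gzip-compressed one
# Fields are plain data: they are never evaluated as shell code.
feedArr=(
'dshield-v4.txt' 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dshield.netset' 'DShield' 'plain'
'spamhaus-drop-v4.txt' 'https://www.spamhaus.org/drop/drop.txt' 'Spamhaus DROP' 'plain'
'spamhaus-edrop-v4.txt' 'https://www.spamhaus.org/drop/edrop.txt' 'Spamhaus EDROP' 'plain'
'spamhaus-drop-v6.txt' 'https://www.spamhaus.org/drop/dropv6.txt' 'Spamhaus DROP' 'plain'
'iblocklist-level1-v4.txt' 'https://list.iblocklist.com/?list=ydxerpxkpcfqjaybcssw&fileformat=cidr&archiveformat=gz' 'iBlocklist Level 1' 'gz'
)
readonly feed_fields=4

# Only lines matching one of these make it into the ruleset, so downloaded
# feed content can never be interpreted as nft syntax.  The patterns are
# loose on the address value itself (nft validates that) but strict on the
# character set.
readonly ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
readonly ipv6_re='^[0-9A-Fa-f]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?$'

#######################################
# Report an error, flush the blackhole input chain (fail open) and exit 1.
# Arguments: $* - message written to stderr
#######################################
fail() {
  printf '%s\n' "$*" >&2
  nft flush chain inet blackhole input
  exit 1
}

#######################################
# Download one feed.
# Arguments: $1 - URL
#            $2 - format, "plain" or "gz"
#            $3 - destination path (overwritten)
# Returns:   0 on success; non-zero on any transport, HTTP (-f) or
#            decompression error, so a 404 page is never saved as a feed.
#######################################
fetch_feed() {
  local url=$1 format=$2 dest=$3
  # --max-time bounds the download so a stalled feed cannot hang the run.
  case "$format" in
    plain) curl -fsSL --max-time 120 --url "$url" > "$dest" ;;
    gz)    curl -fsSL --max-time 120 --url "$url" | gzip -d > "$dest" ;;
    *)     printf 'Unknown feed format "%s".\n' "$format" >&2; return 1 ;;
  esac
}

#######################################
# Turn a raw feed file into an nft set literal.
# Arguments: $1 - raw feed file
#            $2 - ERE an address/prefix line must match
#            $3 - feed name, for diagnostics only
# Outputs:   "{ a, b, c }" on stdout
# Returns:   1 when no address survives filtering ("{ }" is not valid nft)
#######################################
build_set() {
  local file=$1 addr_re=$2 name=$3
  local -a cleaned addrs
  local joined dropped

  # Strip '#' / ';' comments, surrounding whitespace and blank lines.
  mapfile -t cleaned < <(sed -e 's/[#;].*$//' \
    -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' -- "$file")
  # Keep only lines that look like an address of this feed's family.
  mapfile -t addrs < <(printf '%s\n' "${cleaned[@]}" | grep -E -- "$addr_re")

  dropped=$(( ${#cleaned[@]} - ${#addrs[@]} ))
  if (( dropped > 0 )); then
    printf 'Ignored %d unexpected line(s) in the %s feed.\n' "$dropped" "$name" >&2
  fi
  (( ${#addrs[@]} > 0 )) || return 1

  joined=$(printf '%s, ' "${addrs[@]}")
  printf '{ %s }\n' "${joined%, }"
}

#######################################
# Fetch every feed, cache its set literal, write the ruleset and apply it.
# Globals:   feedArr, feed_fields, feed_dir, nft_conf, ipv4_re, ipv6_re
#######################################
main() {
  local i file url name format family label addr_re set_literal tmp
  local -a rules=()

  if (( ${#feedArr[@]} == 0 || ${#feedArr[@]} % feed_fields != 0 )); then
    fail "Feed table must have ${feed_fields} fields per feed."
  fi

  tmp=$(mktemp) || { printf 'mktemp failed.\n' >&2; exit 1; }
  trap 'rm -f -- "$tmp"' EXIT

  for (( i = 0; i < ${#feedArr[@]}; i += feed_fields )); do
    file=${feedArr[i]}
    url=${feedArr[i + 1]}
    name=${feedArr[i + 2]}
    format=${feedArr[i + 3]}

    # The file suffix decides the address family and the validation pattern.
    case "$file" in
      *-v4.txt) family=ip;  label=IPv4; addr_re=$ipv4_re ;;
      *-v6.txt) family=ip6; label=IPv6; addr_re=$ipv6_re ;;
      *) fail "Unknown text file found in configuration path (${feed_dir})." ;;
    esac

    fetch_feed "$url" "$format" "$tmp" || fail 'Failed to retrieve the feed lists.'
    set_literal=$(build_set "$tmp" "$addr_re" "$name") \
      || fail "No usable addresses in the ${name} feed (${label})."

    # Cache the filtered set literal under the feed's file name, as before.
    printf '%s\n' "$set_literal" > "${feed_dir}/${file}"
    rules+=("$(printf '\t\t%s saddr %s counter drop comment "[Blackhole] Blocked by the %s feed (%s)."' \
      "$family" "$set_literal" "$name" "$label")")
  done

  {
    # The flush rides in the same nft transaction as the new rules, so the
    # chain is never left empty between flush and apply.  "add table" /
    # "add chain" are accepted for an existing table/chain, which keeps the
    # first-run (nothing exists yet) case working.
    printf 'add table inet blackhole\n'
    printf 'add chain inet blackhole input { type filter hook input priority security; policy accept; }\n'
    printf 'flush chain inet blackhole input\n'
    printf 'table inet blackhole {\n\tchain input {\n\t\ttype filter hook input priority security; policy accept;\n'
    printf '%s\n' "${rules[@]}"
    printf '\t}\n}\n'
  } > "$nft_conf"

  nft -f "$nft_conf" || fail 'The firewall could not be applied.'
}

main "$@"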