added block_range.sh and template_iptables.sh scripts

2018-05-28 23:59:02 +02:00 · 2018-05-28 23:59:02 +02:00 · fa5c044f39
commit fa5c044f39
parent 18feed1032
2 changed files with 195 additions and 0 deletions
--- a/block_range.sh
+++ b/block_range.sh
@ -0,0 +1,154 @@
 #!/bin/bash
 # This script downloads a list of foreign countries' IP address ranges and it marks these IP ranges via ipset command.
 # Author: bisco <bisco__AT__autistici__DOT_org>
 # ipset solution has been suggested by Matt Wilcox script: https://mattwilcox.net/web-development/unexpected-ddos-blocking-china-with-ipset-and-iptables
 set -e
 ### Variables
 URL="http://www.ipdeny.com/ipblocks/data/countries"
 ZONES="cn hk ru tw"
 SCRIPTDIR="/root/firewall"
 ZONEDIR="${SCRIPTDIR}/blocked_zones/"
 RULESFILE="/tmp/iptables_rules-$(date +'%s')"
 IPSET=$(which ipset)
 IPTR=$(which iptables-restore)
 IPTS=$(which iptables-save)
 RM=$(which rm)
 WGET=$(which wget)
 MKDIR=$(which mkdir)
 ### End Variables
 ### Code.
 ### Please don't edit below unless if you know what you're doing.
 ### check_error function
 ### Check if things went all done when exit
 check_error()
 {
    if [ ! $? = 0 ]; then
        echo "====> ERROR!"
        exit
    fi
 }
 ### trap built-in command
 ### Run "check_error" function on exit process status
 trap check_error EXIT
 ### usage function
 ### Show help and exits
 usage()
 {
    echo "Usage: $0 [option]"
    echo ""
    echo "-c | --check     : check all binaries and system are ok"
    echo "-d | --download  : download only the IP range lists"
    echo "-b | --block     : set the IP range lists into the ${ZONES} chain"
    echo "-h | --help      : show this help and exits"
    echo ""
 }
 ### check_binary function
 ### This function checks if all binaries are properly installed on target system
 check_binary()
 {
    if [ "${IPSET}" == "" ] || [ "${IPTR}" == "" ] || [ "${RM}" == "" ] || [ "${WGET}" == "" ] || [ "${MKDIR}" == "" ]; then
 	echo "Some binaries not found. Please install: ipset, iptables-restore, rm, wget"
 	exit 1;
    else
 	echo "All binaries are properly installed. Let's go on!"
    fi
 }
 ### prepare_system function
 ### This function handles all system operation needed.
 prepare_system()
 {
    # Create the $ZONEDIR directory. The "-p" flag to create the parents directories if needed and it doesn't show error if path exists.
    ${MKDIR} -p "${ZONEDIR}"
    ### Remove old country zone files.
    ### The ${VARIABLE:?} syntax is useful to avoid wrong file deletion, if the variable content is empty.
    ### Examples:
    ### rm -rf "${EMPTY_VAR}"/* executes rm -rf /*
    ### rm -rf "${EMPTY_VAR:?}"/* raises an error
    ${RM} -rf "${ZONEDIR:?}"/*
    ### Save current iptables rules on temporary file
    ${IPTS} > "${RULESFILE}"
 }    
 ### download_zones function
 ### This function downloads all the selected zones
 download_zones()
 {
    # Here there's a for cycle on an array of elements
    for zone in $(echo "${ZONES[*]}");
    do
 	echo "Downloading $zone.zone file";
 	${WGET} -P "${ZONEDIR}" "${URL}/$zone.zone";
    done
 }
 ### create_chains function
 ### Create one set per IP range, specifying the hash type to "net"
 create_chains()
 {
    for chain in $(echo "${ZONES[*]}");
    do
 	echo "Creating $chain chain";
 	${IPSET} create ${chain} hash:net;
    done
 }
 ### populate_chains
 ### This function insert the IP range lists into relative chain
 populate_chains()
 {
    for chain in $(echo "${ZONES[*]}");
    do
 	for ip in $(cat $ZONEDIR/$chain.zone);
 	do
 	    ${IPSET} add $chain $ip;
 	done;
    done
 }
 ### reload_rules function
 ### Reload iptables rules saved during the prepare_system function
 ### Without reloading iptables rules, new IP ranges won't loaded
 reload_rules()
 {
    echo "Reloading iptables rules"
    ${IPTR} < "${RULESFILE}"
 }
 ### Main function
 case $1 in
    -c | --check)
 	check_binary;;
    -d | --download)
 	check_binary;
 	prepare_system;
 	download_zones;;
    -b | --block)
 	check_binary;
 	prepare_system;
 	download_zones;
 	create_chains;
 	populate_chains;
 	reload_rules;;
    -h | --help | *)
 	usage;;
 esac		 
--- a/template_iptables.sh
+++ b/template_iptables.sh
@ -0,0 +1,41 @@
 #!/bin/bash
 set -e
 # Variables
 IPT=$(which iptables)
 IPCMD=$(which ip)
 MAINIP=$("${IPCMD}" -4 -o a | grep inet | grep -v "lo " | awk '{print $4}' | cut -d "/" -f 1)
 DPORTSIN="20:22,80,443"
 MOSHIN="60000:61000"
 # Trap errors
 check_error()
 {
   if [ "$?" = 0 ]; then
       echo "===> OK";
   else
       echo "===> ERROR!";
       exit
   fi
 }
 trap check_error EXIT
 # Flush rules and set default rules
 $IPT -F
 $IPT -P INPUT DROP
 $IPT -P FORWARD DROP
 $IPT -P OUTPUT ACCEPT
 # Set host sepcific rules
 ### Accept all data from "lo" interface
 $IPT -A INPUT -i lo -j ACCEPT
 ### Accept all connections after the three-way handshake
 $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 ### Services rules
 ##### Allow connections to the server main ip for SSH, MOSH and psyBNC
 ##### Use multiports extension to set more ports in a oneline rule
 $IPT -A INPUT -p tcp -d $MAINIP -m multiport --dports $DPORTSIN -j ACCEPT
 $IPT -A INPUT -p udp -d $MAINIP -m multiport --dports $MOSHIN -j ACCEPT