From 8f6fd8354d1a2678fe5ec08d066ce19bc9d0cd50 Mon Sep 17 00:00:00 2001 From: Christoph Date: Thu, 19 Apr 2018 17:38:44 +0200 Subject: [PATCH] Support external file containing IPs/Networks to ban. --- conf/ban_ipv4.list.sample | 22 +++++ ipt-firewall-gateway | 182 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 204 insertions(+) create mode 100644 conf/ban_ipv4.list.sample diff --git a/conf/ban_ipv4.list.sample b/conf/ban_ipv4.list.sample new file mode 100644 index 0000000..10b7da3 --- /dev/null +++ b/conf/ban_ipv4.list.sample @@ -0,0 +1,22 @@ +# - IPv4 addresses listet here will be completly banned by the firewall +# - +# - - Line beginning with '#' will be ignored. +# - - Blank lines will be ignored +# - - Only the first entry (until space sign or end of line) of each line will be considered. +# - +# - Valid values are: +# - complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32) +# - partial IPv4 addresses like 1.2.3 (will be converted to 1.2.3.0/24) +# - network/nn CIDR notation like 1.2.3.0/27 +# - network/netmask notaions like 1.2.3.0/255.255.255.0 +# - network/partial_netmask like 1.2.3.4/255 +# - +# - Note: +# - - wrong addresses like 1.2.3.256 or 1.2.3.4/33 will be ignored +# - +# - Example: +# - 79.171.81.0/24 +# - 79.171.81.0/255.255.255.0 +# - 79.171.81.0/255.255.255 +# - 79.171.81 + diff --git a/ipt-firewall-gateway b/ipt-firewall-gateway index 778ecb9..223a537 100755 --- a/ipt-firewall-gateway +++ b/ipt-firewall-gateway @@ -610,6 +610,188 @@ done echo_done # Block IPs / Networks / Interfaces.. + +# --- +# - Block IPs/Netwoks reading from file 'ban_ipv4.list'" +# --- + +echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv4.list' .." + +if [[ -f "${ipt_conf_dir}/ban_ipv4.list" ]] ; then + + declare -a octets + declare -i index + + while IFS='' read -r _line || [[ -n $_line ]] ; do + + is_valid_ipv4=true + is_valid_mask=true + ipv4="" + mask="" + + # Ignore comment lines + # + [[ $_line =~ ^[[:space:]]{0,}# ]] && continue + + # Ignore blank lines + # + [[ $_line =~ ^[[:space:]]*$ ]] && continue + + # Remove leading whitespace characters + # + _line="${_line#"${_line%%[![:space:]]*}"}" + + + # Catch IPv4 Address + # + given_ipv4="$(echo $_line | cut -d ' ' -f1)" + + + # Splitt Ipv4 address from possible given CIDR number + # + IFS='/' read -ra _addr <<< "$given_ipv4" + _ipv4="${_addr[0]}" + + if [[ -n "${_addr[1]}" ]] ; then + _mask="${_addr[1]}" + test_netmask=false + + # Is 'mask' a valid CIDR number? If not, test agains a valid netmask + # + if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then + + # Its not a vaild mask number, but naybe a valit netmask. + # + test_netmask=true + else + if [[ $_mask -gt 32 ]]; then + + # Its not a vaild cidr number, but naybe a valit netmask. + # + test_netmask=true + else + + # OK, we have a vaild cidr number between '0' and '32' + # + mask=$_mask + fi + fi + + # Test if given '_mask' is a valid netmask. + # + if $test_netmask ; then + octets=( ${_mask//\./ } ) + + # Complete netmask if necessary + # + while [[ ${#octets[@]} -lt 4 ]]; do + octets+=(0) + done + + [[ ${#octets[@]} -gt 4 ]] && is_valid_mask=false + + index=0 + for octet in ${octets[@]} ; do + if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then + if [[ $octet -gt 255 ]] ; then + is_valid_mask=false + fi + if [[ $index -gt 0 ]] ; then + mask="${mask}.${octet}" + else + mask="${octet}" + fi + + else + is_valid_mask=false + fi + + ((index++)) + done + fi + + adjust_mask=false + else + mask=32 + adjust_mask=true + fi + + # Splitt given address into their octets + # + octets=( ${_ipv4//\./ } ) + + # Complete IPv4 address if necessary + # + while [[ ${#octets[@]} -lt 4 ]]; do + octets+=(0) + + # Only adjust CIDR number if not given + # + if $adjust_mask ; then + mask="$(expr $mask - 8)" + fi + done + + # Pre-check if given IPv4 Address seems to be a valid address + # + [[ ${#octets[@]} -gt 4 ]] && is_valid_ipv4=false + + # Check if given IPv4 Address is a valid address + # + if $is_valid_ipv4 ; then + index=0 + for octet in ${octets[@]} ; do + if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then + if [[ $octet -gt 255 ]] ; then + is_valid_ipv4=false + fi + if [[ $index -gt 0 ]] ; then + ipv4="${ipv4}.${octet}" + else + ipv4="${octet}" + fi + + else + is_valid_ipv4=false + fi + + ((index++)) + done + fi + + if $is_valid_ipv4 && $is_valid_mask; then + + _ip="${ipv4}/${mask}" + + for _dev in ${ext_if_arr[@]} ; do + if $log_blocked_ip || $log_all ; then + $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level + fi + fi + $ipt -A INPUT -i $_dev -s $_ip -j DROP + if $kernel_activate_forwarding ; then + $ipt -A FORWARD -i $_dev -s $_ip -j DROP + fi + done + + + else + msg="$msg '${given_ipv4}'" + fi + + done < "${ipt_conf_dir}/ban_ipv4.list" + echo_done + + if [[ -n "$msg" ]]; then + warn "Ignored:$msg" + fi +else + echo_skipped +fi + + # --- # - Allow Forwarding certain private Addresses # ---