Add support for IPv6 ban list.
This commit is contained in:
parent
1a57a304e6
commit
6e60791d3c
20
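--- a/ban_ipv6.list.sample
+++ b/ban_ipv6.list.sample
@@ -0,0 +1,20 @@
+# - IPv6 addresses listet here will be completly banned by the firewall
+# -
+# - - Line beginning with '#' will be ignored.
+# - - Blank lines will be ignored
+# - - Only the first entry (until space sign or end of line) of each line will be considered.
+# -
+# - Valid values are:
+# - complete IPv6 adresses like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c
+# - network/nn CIDR notation like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c/56
+# -
+# -
+# - Note:
+# - - If no mask is given mask will be set to '64'
+# - - wrong addresses like '2g01::1' or '2a01::1/129' will be ignored
+# -
+# - Example:
+# - 240e:ec:4ab1:feba:e8b4:4fb1:7984:4c
+# - 2a01:30:0:13:5054:ff::1
+# - 2a01:30:0:13:5054:ff::1/56
+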
@ -10,7 +10,8 @@
|
||||
# Short-Description: IPv6 Firewall
|
||||
### END INIT INFO
|
||||
|
||||
CONFIG_FILE=/etc/ipt-firewall/ip6t-firewall-server.conf
|
||||
CONFIG_DIR="/etc/ipt-firewall"
|
||||
CONFIG_FILE="${CONFIG_DIR}/ip6t-firewall-server.conf"
|
||||
|
||||
if [[ -z "$fail2ban_client" ]]; then
|
||||
fail2ban_client="$(which fail2ban-client)"
|
||||
@ -260,6 +261,130 @@ done
|
||||
echo_done # Block IPs / Networks / Interfaces..
|
||||
|
||||
|
||||
|
||||
# ---
|
||||
# - Block IPs/Netwoks reading from file 'ban_ipv6.list'"
|
||||
# ---
|
||||
|
||||
echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv6.list' .."
|
||||
|
||||
if [[ -f "${CONFIG_DIR}/ban_ipv6.list" ]] ; then
|
||||
|
||||
declare -a ban_ipv6_arr=()
|
||||
declare -a no_valid_ipv6=()
|
||||
declare -i index
|
||||
|
||||
# Regex valid ipv6 address
|
||||
#
|
||||
_regex_ipv6='^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}$'
|
||||
|
||||
while IFS='' read -r _line || [[ -n $_line ]] ; do
|
||||
|
||||
is_valid_ipv6=false
|
||||
is_valid_mask=false
|
||||
ipv6=""
|
||||
mask=""
|
||||
|
||||
# Ignore comment lines
|
||||
#
|
||||
[[ $_line =~ ^[[:space:]]{0,}# ]] && continue
|
||||
|
||||
# Ignore blank lines
|
||||
#
|
||||
[[ $_line =~ ^[[:space:]]*$ ]] && continue
|
||||
|
||||
# Remove leading whitespace characters
|
||||
#
|
||||
_line="${_line#"${_line%%[![:space:]]*}"}"
|
||||
|
||||
|
||||
# Catch ipv6 Address
|
||||
#
|
||||
given_ipv6="$(echo $_line | cut -d ' ' -f1)"
|
||||
|
||||
|
||||
# Splitt ipv6 address from possible given CIDR number
|
||||
#
|
||||
IFS='/' read -ra _addr <<< "$given_ipv6"
|
||||
ipv6="${_addr[0]}"
|
||||
|
||||
# Test mask if given
|
||||
#
|
||||
if [[ -n "${_addr[1]}" ]] ; then
|
||||
mask="${_addr[1]}"
|
||||
|
||||
# Is 'mask' a valid CIDR number? If not, test agains a valid netmask
|
||||
#
|
||||
if $(test -z "${mask##*[!0-9]*}" > /dev/null 2>&1) ; then
|
||||
|
||||
# Its not a vaild mask number, but naybe a valit netmask.
|
||||
#
|
||||
no_valid_ipv6_arr+=("$given_ipv6")
|
||||
|
||||
else
|
||||
if [[ $mask -gt 128 ]]; then
|
||||
|
||||
# Its not a vaild cidr number, but naybe a valit netmask.
|
||||
#
|
||||
no_valid_ipv6_arr+=("$given_ipv6")
|
||||
else
|
||||
is_valid_mask=true
|
||||
fi
|
||||
fi
|
||||
else
|
||||
mask=64
|
||||
is_valid_mask=true
|
||||
fi
|
||||
|
||||
# Check if given ipv6 address is valif
|
||||
if [[ "$ipv6" =~ ${_regex_ipv6} ]]; then
|
||||
is_valid_ipv6=true
|
||||
fi
|
||||
|
||||
|
||||
if $is_valid_ipv6 && $is_valid_mask; then
|
||||
|
||||
_ip="${ipv6}/${mask}"
|
||||
|
||||
if containsElement "$_ip" "${ban_ipv6_arr[@]}" ; then
|
||||
continue
|
||||
fi
|
||||
|
||||
echo "$_ip"
|
||||
|
||||
for _dev in ${ext_if_arr[@]} ; do
|
||||
if $log_blocked_ip || $log_all ; then
|
||||
$ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
|
||||
fi
|
||||
fi
|
||||
|
||||
$ip6t -A INPUT -i $_dev -s $_ip -j DROP
|
||||
if $kernel_activate_forwarding ; then
|
||||
$ip6t -A FORWARD -i $_dev -s $_ip -j DROP
|
||||
fi
|
||||
done
|
||||
|
||||
ban_ipv6_arr+=("$_ip")
|
||||
|
||||
else
|
||||
if ! containsElement "$given_ipv6" "${no_valid_ipv6_arr[@]}" ; then
|
||||
no_valid_ipv6_arr+=("$given_ipv6")
|
||||
fi
|
||||
fi
|
||||
|
||||
done < "${CONFIG_DIR}/ban_ipv6.list"
|
||||
echo_done
|
||||
|
||||
if [[ ${#no_valid_ipv6_arr[@]} -gt 0 ]]; then
|
||||
warn "Ignored: ${no_valid_ipv6_arr[@]}"
|
||||
fi
|
||||
else
|
||||
echo_skipped
|
||||
fi
|
||||
|
||||
|
||||
# ---
|
||||
# - Allow Forwarding certain private Addresses
|
||||
# ---
|
||||
|
@ -778,6 +778,34 @@ echo_skipped() {
|
||||
echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
|
||||
}
|
||||
|
||||
|
||||
fatal (){
|
||||
echo ""
|
||||
echo -e "fatal Error: $*"
|
||||
echo ""
|
||||
echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
|
||||
echo ""
|
||||
exit 1
|
||||
}
|
||||
|
||||
error(){
|
||||
echo ""
|
||||
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
|
||||
echo ""
|
||||
}
|
||||
|
||||
warn (){
|
||||
echo ""
|
||||
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
|
||||
echo ""
|
||||
}
|
||||
|
||||
info (){
|
||||
echo ""
|
||||
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
|
||||
echo ""
|
||||
}
|
||||
|
||||
## - Check if a given array (parameter 2) contains a given string (parameter 1)
|
||||
## -
|
||||
containsElement () {
|
||||
|
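Review bot: In the `@ -260,6 +261,130` hunk, none of the `$ip6t -A INPUT` / `-A FORWARD` calls inside the `for _dev` loop check their exit status, so an entry that matches `_regex_ipv6` but that ip6tables presumably rejects (the regex also accepts strings such as `1:2:3:4:5:6:7:` or `1::2::3`) is still appended to `ban_ipv6_arr` and reported as blocked although no DROP rule was installed; `$ip6t -A INPUT -i "$_dev" -s "$_ip" -j DROP || warn "ip6tables rejected ${_ip}"` (and the same on the FORWARD line) would at least surface that. The array declared at the top of that block is `no_valid_ipv6`, while every later reference uses `no_valid_ipv6_arr`, so the list of ignored entries is never initialised — `declare -a no_valid_ipv6_arr=()` fixes the name mismatch, and `declare -i index` is unused. The mask test `if $(test -z "${mask##*[!0-9]*}" > /dev/null 2>&1)` only works because bash falls back to the substitution's exit status when the expansion is empty; `if [[ ! "$mask" =~ ^[0-9]+$ ]]` expresses the same check directly. `given_ipv6="$(echo $_line | cut -d ' ' -f1)"` leaves `$_line` unquoted and so subject to pathname expansion, and `cut -d ' '` does not split on tabs; `given_ipv6="${_line%%[[:space:]]*}"` avoids both. The bare `echo "$_ip"` after the duplicate check looks like leftover debug output, since `echononl` / `echo_done` already frame this step.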