From 6e60791d3c54131da194f26728fc2a01ca4043c4 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sat, 20 Oct 2018 02:33:46 +0200
Subject: [PATCH] Add support for IPv6 ban list.

---
 ban_ipv6.list.sample | 20 +++++
 ip6t-firewall-server | 127 ++++++++++++++++++++++++++++++-
 ip6t-firewall-server.conf.sample | 28 +++++++
 3 files changed, 174 insertions(+), 1 deletion(-)
 create mode 100644 ban_ipv6.list.sample

diff --git a/ban_ipv6.list.sample b/ban_ipv6.list.sample
new file mode 100644
index 0000000..bbc3a73
--- /dev/null
+++ b/ban_ipv6.list.sample
@@ -0,0 +1,20 @@
+# - IPv6 addresses listet here will be completly banned by the firewall
+# -
+# - - Line beginning with '#' will be ignored.
+# - - Blank lines will be ignored
+# - - Only the first entry (until space sign or end of line) of each line will be considered.
+# -
+# - Valid values are:
+# - complete IPv6 adresses like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c
+# - network/nn CIDR notation like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c/56
+# -
+# -
+# - Note:
+# - - If no mask is given mask will be set to '64'
+# - - wrong addresses like '2g01::1' or '2a01::1/129' will be ignored
+# -
+# - Example:
+# - 240e:ec:4ab1:feba:e8b4:4fb1:7984:4c
+# - 2a01:30:0:13:5054:ff::1
+# - 2a01:30:0:13:5054:ff::1/56
+
diff --git a/ip6t-firewall-server b/ip6t-firewall-server
index e2694ed..e3aefd8 100755
--- a/ip6t-firewall-server
+++ b/ip6t-firewall-server
@@ -10,7 +10,8 @@
 # Short-Description: IPv6 Firewall
 ### END INIT INFO
 
-CONFIG_FILE=/etc/ipt-firewall/ip6t-firewall-server.conf
+CONFIG_DIR="/etc/ipt-firewall"
+CONFIG_FILE="${CONFIG_DIR}/ip6t-firewall-server.conf"
 
 if [[ -z "$fail2ban_client" ]]; then
 fail2ban_client="$(which fail2ban-client)"
@@ -260,6 +261,130 @@ done
 echo_done
 
 # Block IPs / Networks / Interfaces..
+
+# ---
+# - Block IPs/Netwoks reading from file 'ban_ipv6.list'"
+# ---
+
+echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv6.list' .."
+
+if [[ -f "${CONFIG_DIR}/ban_ipv6.list" ]] ; then
+
+ declare -a ban_ipv6_arr=()
+ declare -a no_valid_ipv6=()
+ declare -i index
+
+ # Regex valid ipv6 address
+ #
+ _regex_ipv6='^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}$'
+
+ while IFS='' read -r _line || [[ -n $_line ]] ; do
+
+ is_valid_ipv6=false
+ is_valid_mask=false
+ ipv6=""
+ mask=""
+
+ # Ignore comment lines
+ #
+ [[ $_line =~ ^[[:space:]]{0,}# ]] && continue
+
+ # Ignore blank lines
+ #
+ [[ $_line =~ ^[[:space:]]*$ ]] && continue
+
+ # Remove leading whitespace characters
+ #
+ _line="${_line#"${_line%%[![:space:]]*}"}"
+
+
+ # Catch ipv6 Address
+ #
+ given_ipv6="$(echo $_line | cut -d ' ' -f1)"
+
+
+ # Splitt ipv6 address from possible given CIDR number
+ #
+ IFS='/' read -ra _addr <<< "$given_ipv6"
+ ipv6="${_addr[0]}"
+
+ # Test mask if given
+ #
+ if [[ -n "${_addr[1]}" ]] ; then
+ mask="${_addr[1]}"
+
+ # Is 'mask' a valid CIDR number? If not, test agains a valid netmask
+ #
+ if $(test -z "${mask##*[!0-9]*}" > /dev/null 2>&1) ; then
+
+ # Its not a vaild mask number, but naybe a valit netmask.
+ #
+ no_valid_ipv6_arr+=("$given_ipv6")
+
+ else
+ if [[ $mask -gt 128 ]]; then
+
+ # Its not a vaild cidr number, but naybe a valit netmask.
+ #
+ no_valid_ipv6_arr+=("$given_ipv6")
+ else
+ is_valid_mask=true
+ fi
+ fi
+ else
+ mask=64
+ is_valid_mask=true
+ fi
+
+ # Check if given ipv6 address is valif
+ if [[ "$ipv6" =~ ${_regex_ipv6} ]]; then
+ is_valid_ipv6=true
+ fi
+
+
+ if $is_valid_ipv6 && $is_valid_mask; then
+
+ _ip="${ipv6}/${mask}"
+
+ if containsElement "$_ip" "${ban_ipv6_arr[@]}" ; then
+ continue
+ fi
+
+ echo "$_ip"
+
+ for _dev in ${ext_if_arr[@]} ; do
+ if $log_blocked_ip || $log_all ; then
+ $ip6t -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
+ if $kernel_activate_forwarding ; then
+ $ip6t -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
+ fi
+ fi
+
+ $ip6t -A INPUT -i $_dev -s $_ip -j DROP
+ if $kernel_activate_forwarding ; then
+ $ip6t -A FORWARD -i $_dev -s $_ip -j DROP
+ fi
+ done
+
+ ban_ipv6_arr+=("$_ip")
+
+ else
+ if ! containsElement "$given_ipv6" "${no_valid_ipv6_arr[@]}" ; then
+ no_valid_ipv6_arr+=("$given_ipv6")
+ fi
+ fi
+
+ done < "${CONFIG_DIR}/ban_ipv6.list"
+ echo_done
+
+ if [[ ${#no_valid_ipv6_arr[@]} -gt 0 ]]; then
+ warn "Ignored: ${no_valid_ipv6_arr[@]}"
+ fi
+else
+ echo_skipped
+fi
+
+
 # ---
 # - Allow Forwarding certain private Addresses
 # ---
diff --git a/ip6t-firewall-server.conf.sample b/ip6t-firewall-server.conf.sample
index 720d3bf..4fc97af 100644
--- a/ip6t-firewall-server.conf.sample
+++ b/ip6t-firewall-server.conf.sample
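Review bot: The four `$ip6t -A … LOG`/`DROP` calls inside the `for _dev` loop never check their exit status, so an entry that passes `_regex_ipv6` but is not an address ip6tables accepts (the pattern lets every group be empty, so `1:` or `1::2::3` match) is silently not banned and the ban list fails open while `echo_done` still reports success. Each insertion should at least be `$ip6t -A INPUT -i "$_dev" -s "$_ip" -j DROP || error "ip6tables rejected ${_ip} on ${_dev}"` (using the `error`/`fatal` helpers this commit adds to the conf.sample, which appears to be sourced since `warn` is called here), or the entry should be moved to `no_valid_ipv6_arr` so it shows up in the final "Ignored" warning. Separately, the array is declared as `declare -a no_valid_ipv6=()` but every later use writes `no_valid_ipv6_arr`, so the declaration is dead and the real array only exists through implicit creation; rename it to `declare -a no_valid_ipv6_arr=()`. The `if $(test -z …)` construction only works because bash returns the status of the last command substitution when the expansion leaves no command word — `if [[ -z "${mask##*[!0-9]*}" ]]; then` states the same check directly — and the bare `echo "$_ip"` before the device loop looks like leftover debug output.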
@@ -778,6 +778,34 @@ echo_skipped() {
 echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
 }
 
+
+fatal (){
+ echo ""
+ echo -e "fatal Error: $*"
+ echo ""
+ echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
+ echo ""
+ exit 1
+}
+
+error(){
+ echo ""
+ echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
+ echo ""
+}
+
+warn (){
+ echo ""
+ echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+ echo ""
+}
+
+info (){
+ echo ""
+ echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+ echo ""
+}
+
 ## - Check if a given array (parameter 2) contains a given string (parameter 1)
 ## -
 containsElement () {
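Review bot: `fatal`, `error` and `warn` print their diagnostics to stdout, so when the init script's output is captured or redirected the failure text is interleaved with normal progress output and absent from stderr; each `echo` in these three helpers should end with `>&2`. The message is also passed through `echo -e`, which interprets backslash escapes inside `$*`, and the caller in ip6t-firewall-server (`warn "Ignored: ${no_valid_ipv6_arr[@]}"`) hands it raw entries from `ban_ipv6.list`, so a malformed entry can alter what the terminal shows. Printing the label with escapes and the payload literally, e.g. `printf '\t[ \033[33m\033[1mWarning\033[m ]: %s\n' "$*" >&2`, addresses both. Style: `fatal (){` and `warn (){` put a space before the parentheses while `error(){` does not, and `error` labels itself `Fehler` while the sibling helpers use English labels.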