Support banning IPs/Network reading from file 'ban_ipv4.list'.

ban_ipv4.list.sample

@@ -0,0 +1,22 @@
+# - IPv4 addresses listet here will be completly banned by the firewall
+# -
+# -    - Line beginning with '#' will be ignored.
+# -    - Blank lines will be ignored
+# -    - Only the first entry (until space sign or end of line) of each line will be considered.
+# -
+# - Valid values are:
+# -    complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)
+# -    partial IPv4 addresses like 1.2.3 (will be converted to 1.2.3.0/24)
+# -    network/nn CIDR notation like 1.2.3.0/27
+# -    network/netmask notaions like 1.2.3.0/255.255.255.0
+# -    network/partial_netmask  like 1.2.3.4/255
+# -
+# - Note: 
+# -    - wrong addresses like 1.2.3.256 or 1.2.3.4/33 will be ignored
+# -
+# - Example:
+# -    79.171.81.0/24
+# -    79.171.81.0/255.255.255.0
+# -    79.171.81.0/255.255.255
+# -    79.171.81
+

ipt-firewall-server

@@ -10,7 +10,8 @@
 # Short-Description: IPv4 Firewall
 ### END INIT INFO
 
-CONFIG_FILE=/etc/ipt-firewall/ipt-firewall-server.conf
+CONFIG_DIR="/etc/ipt-firewall"
+CONFIG_FILE="${CONFIG_DIR}/ipt-firewall-server.conf"
 
 if [[ -z "$fail2ban_client" ]]; then
    fail2ban_client="$(which fail2ban-client)"
@@ -327,6 +328,188 @@ done
 echo_done # Block IPs / Networks / Interfaces..
 
 
+
+# ---
+# - Block IPs/Netwoks reading from file 'ban_ipv4.list'"
+# ---
+
+echononl "\tBlock IPs/Netwoks reading from file 'ban_ipv4.list' .."
+
+if [[ -f "${CONFIG_DIR}/ban_ipv4.list" ]] ; then
+
+   declare -a octets
+   declare -i index
+
+   while IFS='' read -r _line || [[ -n $_line ]] ; do
+
+      is_valid_ipv4=true
+      is_valid_mask=true
+      ipv4=""
+      mask=""
+      
+      # Ignore comment lines
+      #
+      [[ $_line =~ ^[[:space:]]{0,}# ]] && continue
+
+      # Ignore blank lines
+      #
+      [[ $_line =~ ^[[:space:]]*$ ]] && continue
+
+      # Remove leading whitespace characters
+      #
+      _line="${_line#"${_line%%[![:space:]]*}"}"
+
+
+      # Catch IPv4 Address
+      #
+      given_ipv4="$(echo  $_line | cut -d ' ' -f1)"
+
+
+      # Splitt Ipv4 address from possible given CIDR number
+      #
+      IFS='/' read -ra _addr <<< "$given_ipv4"
+      _ipv4="${_addr[0]}"
+
+      if [[ -n "${_addr[1]}" ]] ; then
+         _mask="${_addr[1]}"
+         test_netmask=false
+
+         # Is 'mask' a valid CIDR number? If not, test agains a valid netmask
+         #
+         if $(test -z "${_mask##*[!0-9]*}" > /dev/null 2>&1) ; then
+
+            # Its not a vaild mask number, but naybe a valit netmask.
+            # 
+            test_netmask=true
+         else
+            if [[ $_mask -gt 32 ]]; then
+
+               # Its not a vaild cidr number, but naybe a valit netmask.
+               # 
+               test_netmask=true
+            else
+
+               # OK, we have a vaild cidr number between '0' and '32'
+               #
+               mask=$_mask
+            fi
+         fi
+
+         # Test if given '_mask' is a valid netmask.
+         #
+         if $test_netmask ; then
+            octets=( ${_mask//\./ } )
+
+            # Complete netmask if necessary
+            #
+            while [[ ${#octets[@]} -lt 4 ]]; do
+               octets+=(0)
+            done
+
+            [[ ${#octets[@]} -gt 4 ]] && is_valid_mask=false
+
+            index=0
+            for octet in ${octets[@]} ; do
+               if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
+                  if [[ $octet -gt 255 ]] ; then
+                     is_valid_mask=false
+                  fi
+                  if [[ $index -gt 0 ]] ; then
+                     mask="${mask}.${octet}"
+                  else
+                     mask="${octet}"
+                  fi
+                  
+               else
+                  is_valid_mask=false
+               fi
+
+               ((index++))
+            done
+         fi
+
+         adjust_mask=false
+      else
+         mask=32
+         adjust_mask=true
+      fi
+
+      # Splitt given address into their octets
+      #
+      octets=( ${_ipv4//\./ } )
+
+      # Complete IPv4 address if necessary
+      #
+      while [[ ${#octets[@]} -lt 4 ]]; do
+         octets+=(0)
+
+         # Only adjust CIDR number if not given
+         #
+         if $adjust_mask ; then
+            mask="$(expr $mask - 8)"
+         fi
+      done
+
+      # Pre-check if given IPv4 Address seems to be a valid address
+      #
+      [[ ${#octets[@]} -gt 4 ]] && is_valid_ipv4=false
+
+      # Check if given IPv4 Address is a valid address
+      #
+      if $is_valid_ipv4 ; then
+         index=0
+         for octet in ${octets[@]} ; do
+            if [[ ${octet} =~ ^[0-9]{1,3}$ ]] ; then
+               if [[ $octet -gt 255 ]] ; then
+                  is_valid_ipv4=false
+               fi
+               if [[ $index -gt 0 ]] ; then
+                  ipv4="${ipv4}.${octet}"
+               else
+                  ipv4="${octet}"
+               fi
+               
+            else
+               is_valid_ipv4=false
+            fi
+
+            ((index++))
+         done
+      fi
+
+      if $is_valid_ipv4 && $is_valid_mask; then
+
+         _ip="${ipv4}/${mask}"
+
+         for _dev in ${ext_if_arr[@]} ; do
+            if $log_blocked_ip || $log_all ; then
+               $ipt -A INPUT -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
+               if $kernel_activate_forwarding ; then
+                  $ipt -A FORWARD -i $_dev -s $_ip -j LOG --log-prefix "$log_prefix Blocked ${_ip}: " --log-level $log_level
+               fi
+            fi
+            $ipt -A INPUT -i $_dev -s $_ip -j DROP
+            if $kernel_activate_forwarding ; then
+               $ipt -A FORWARD -i $_dev -s $_ip -j DROP
+            fi
+         done
+
+
+      else
+         msg="$msg '${given_ipv4}'"
+      fi
+
+   done < "${ipt_conf_dir}/ban_ipv4.list"
+   echo_done
+
+   if [[ -n "$msg" ]]; then
+      warn "Ignored:$msg"
+   fi
+else
+   echo_skipped
+fi
+
+
 # ---
 # - Allow Forwarding certain private Addresses
 # ---