From 9b3a158b72ab7baffb14760d8112a38f64345b9f Mon Sep 17 00:00:00 2001
From: ChiefGyk
Date: Wed, 29 Jun 2016 18:33:09 -0400
Subject: [PATCH] Added Dshield, to automatically block the top 20 malicious IP blocks each day. It is merged into blacklist which will run in cron.daily. So ipset blocks the majority of addresses from lists, and IPTables does the blocks.

---
 conf/blacklist/blacklist | 62 ++++++++++++++++++++++++++++++++++++++++
 setup/dialog.sh | 2 +-
 2 files changed, 63 insertions(+), 1 deletion(-)

diff --git a/conf/blacklist/blacklist b/conf/blacklist/blacklist
index 6ac7124f..e42c7cba 100644
--- a/conf/blacklist/blacklist
+++ b/conf/blacklist/blacklist
@@ -1,4 +1,9 @@
 #!/bin/bash
+IPTABLES=/sbin/iptables
+URL=http://feeds.dshield.org/block.txt
+FILE=/tmp/dshield_block.text
+CHAIN=dshield
+
 IP_TMP=/tmp/ip.tmp
 IP_BLACKLIST=/etc/ip-blacklist.conf
 IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp
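Review bot: `URL=http://feeds.dshield.org/block.txt` fetches, over plain HTTP, a list that the rest of this script turns into DROP rules, so anyone on-path between the host and DShield can rewrite the feed and choose which ranges get blocked; use `URL=https://feeds.dshield.org/block.txt` (DShield serves the feed over TLS as far as I can tell — confirm) so wget verifies the server certificate. `FILE=/tmp/dshield_block.text` is a fixed name in a world-writable directory that the later `wget -O` (run from cron.daily, which needs root for iptables) will happily write through if a local user pre-creates it as a symlink; assign it from `mktemp` at the point of use, e.g. `FILE=$(mktemp /tmp/dshield_block.XXXXXX) || exit 1`, or keep the download under a root-owned directory. A one-line comment above the block stating that these feed entries end up as unconditional DROP rules would help the next person understand why the transport matters.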
@@ -40,6 +45,63 @@ do ipset add blacklist $ip done +# Written by Onder Vincent Koc +# @url: https://github.com/koconder/dshield_automatic_iptables +# @credits: http://wiki.brokenpoet.org/wiki/Get_DShield_Blocklist +# +# Dshield Automatic Import to iptables +# Import Dshield Blocklist in a basic shell script which will run silently via cron +# and also use a seprate chain file to support other iptables rules without flushing +# i.e. fail2ban and ddosdeflate + + + +# check to see if the chain already exists +$IPTABLES -L $CHAIN -n + +# check to see if the chain already exists +if [ $? -eq 0 ]; then + + # flush the old rules + $IPTABLES -F $CHAIN + + echo "Flushed old rules. Applying updated dshield list...." + +else + + # create a new chain set + $IPTABLES -N $CHAIN + + # tie chain to input rules so it runs + $IPTABLES -A INPUT -j $CHAIN + + # don't allow this traffic through + $IPTABLES -A FORWARD -j $CHAIN + + echo "Chain not detected. Creating new chain and adding dshield list...." + +fi; + +# get a copy of the spam list +wget -qc $URL -O $FILE + +blocklist=$( cat $FILE | awk '/^[0-9]/' | awk '{print $1"/"$3}'| sort -n) +for IP in $blocklist +do + # add the ip address log rule to the chain + $IPTABLES -A $CHAIN -p 0 -s $IP -j LOG --log-prefix "[dshield BLOCK]" -m limit --limit 3/min --limit-burst 10 + + # add the ip address to the chain + $IPTABLES -A $CHAIN -p 0 -s $IP -j DROP + + echo $IP +done + +echo "Done!" + +# remove the spam list +unlink $FILE + # Persistence ipset save > /etc/ipset.up.rules iptables-save > /etc/iptables.up.rules diff --git a/setup/dialog.sh b/setup/dialog.sh index 808bdc62..0ae93bb2 100644 --- a/setup/dialog.sh +++ b/setup/dialog.sh 
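Review bot: The chain is flushed (`$IPTABLES -F $CHAIN`) before `wget -qc $URL -O $FILE` runs and wget's exit status is never checked, so a failed download (DNS outage, HTTP error, empty body) leaves the host with an empty dshield chain until the next cron.daily run, and whatever `awk '{print $1"/"$3}'` extracts is passed unquoted to `-s $IP` with no validation, so a tampered feed (it is fetched over plain http, per the first hunk) can insert `0.0.0.0/0` into a DROP chain hooked into INPUT and lock the host out. `-c` on a fixed `/tmp` name would also resume onto stale leftovers, and `unlink $FILE` is skipped on any early failure. Suggest fetching into a mktemp file, validating every parsed entry against a CIDR pattern, and only then flushing or creating the chain; on failure log to stderr and fall through to the persistence lines at the end of the hunk rather than leaving the chain empty. The rewritten section below replaces the download/parse/loop part of the hunk; the chain flush/create block and the ipset code above it are unchanged.
```shell
# Fetch and validate the feed BEFORE touching the chain, so a failed or
# tampered download can neither leave the host with no dshield rules nor
# insert arbitrary ranges (e.g. 0.0.0.0/0) into a DROP chain.
FILE=$(mktemp /tmp/dshield_block.XXXXXX) || exit 1
trap 'rm -f -- "$FILE"' EXIT
# DShield publishes /24s; refuse anything shorter than /8 as a sanity bound
CIDR_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/([89]|[12][0-9]|3[0-2])$'
blocklist=""
if wget -q "$URL" -O "$FILE"; then
	blocklist=$(awk '/^[0-9]/ {print $1"/"$3}' "$FILE" | grep -E "$CIDR_RE" | sort -n)
fi

if [ -z "$blocklist" ]; then
	echo "dshield: download or parse of $URL failed; leaving existing $CHAIN chain untouched" >&2
else
	# … unchanged: flush $CHAIN if it exists, else create it and hook it into INPUT/FORWARD …
	for IP in $blocklist
	do
		# log (rate-limited) then drop; $IP is validated above so it is safe to pass to -s
		$IPTABLES -A "$CHAIN" -p 0 -s "$IP" -j LOG --log-prefix "[dshield BLOCK]" -m limit --limit 3/min --limit-burst 10
		$IPTABLES -A "$CHAIN" -p 0 -s "$IP" -j DROP
	done
fi
# … unchanged: persistence (ipset save / iptables-save) …
```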
@@ -25,7 +25,7 @@ CHOICE=$(dialog --clear \
 clear
 case $CHOICE in
 1)
- echo "Bombing China"
+ echo "Ok Mr. Trump"
 echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
 echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
 cp conf/blacklist/china /etc/cron.weekly/china