diff --git a/conf/blacklist b/conf/blacklist
index b34f3fe8..0a3b88b0 100644
--- a/conf/blacklist
+++ b/conf/blacklist
@@ -1,5 +1,9 @@
 # I found this script somewhere a long time ago and modified it
 #!/bin/bash
+IPTABLES=/sbin/iptables
+URL=http://feeds.dshield.org/block.txt
+FILE=/tmp/dshield_block.text
+CHAIN=dshield
 IP_TMP=/tmp/ip.tmp
 IP_BLACKLIST=/etc/ip-blacklist.conf
 IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp
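Review bot: `URL=http://feeds.dshield.org/block.txt` fetches the list over plain HTTP, and the script later turns every parsed entry into a root-installed DROP rule, so anyone able to tamper with that transfer decides which addresses this host stops talking to; if the feed is offered over TLS use an `https://` URL, and in any case validate each parsed entry before it reaches iptables. `FILE=/tmp/dshield_block.text` is a fixed name in a world-writable directory that root then overwrites with `wget -O` and deletes with `unlink`; a per-run `FILE=$(mktemp)` (or a root-owned working directory) avoids the pre-created-file and symlink problem. Not part of this change but visible in the hunk's context lines: `#!/bin/bash` sits on line 2 after a comment, so it is not acting as a shebang.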
@@ -42,5 +46,63 @@
 do
 ipset add blacklist $ip
 done
+# Written by Onder Vincent Koc
+# @url: https://github.com/koconder/dshield_automatic_iptables
+# @credits: http://wiki.brokenpoet.org/wiki/Get_DShield_Blocklist
+#
+# Dshield Automatic Import to iptables
+# Import Dshield Blocklist in a basic shell script which will run silently via cron
+# and also use a seprate chain file to support other iptables rules without flushing
+# i.e. fail2ban and ddosdeflate
+
+
+
+# check to see if the chain already exists
+$IPTABLES -L $CHAIN -n
+
+# check to see if the chain already exists
+if [ $? -eq 0 ]; then
+
+ # flush the old rules
+ $IPTABLES -F $CHAIN
+
+ echo "Flushed old rules. Applying updated dshield list...."
+
+else
+
+ # create a new chain set
+ $IPTABLES -N $CHAIN
+
+ # tie chain to input rules so it runs
+ $IPTABLES -A INPUT -j $CHAIN
+
+ # don't allow this traffic through
+ $IPTABLES -A FORWARD -j $CHAIN
+
+ echo "Chain not detected. Creating new chain and adding dshield list...."
+
+fi;
+
+# get a copy of the spam list
+wget -qc $URL -O $FILE
+
+blocklist=$( cat $FILE | awk '/^[0-9]/' | awk '{print $1"/"$3}'| sort -n)
+for IP in $blocklist
+do
+ # add the ip address log rule to the chain
+ $IPTABLES -A $CHAIN -p 0 -s $IP -j LOG --log-prefix "[dshield BLOCK]" -m limit --limit 3/min --limit-burst 10
+
+ # add the ip address to the chain
+ $IPTABLES -A $CHAIN -p 0 -s $IP -j DROP
+
+ echo $IP
+done
+
+echo "Done!"
+
+# remove the spam list
+unlink $FILE
+
+# Persistence
 ipset save > /etc/ipset.up.rules
 iptables-save > /etc/iptables.up.rules
\ No newline at end of file
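Review bot: The existing rules are discarded by `$IPTABLES -F $CHAIN` before the feed is fetched, and `wget -qc $URL -O $FILE` is never checked, so a failed, empty or truncated download leaves the dshield chain empty (fail-open) until the next cron run. Move the download ahead of the `$IPTABLES -L $CHAIN -n` probe and guard it, e.g. `wget -qc "$URL" -O "$FILE" || { echo "dshield: download failed" >&2; exit 1; }` followed by `[ -s "$FILE" ] || { echo "dshield: empty list" >&2; exit 1; }`, so the current rules stay in place whenever the fetch does not succeed. The probe itself prints the whole chain to stdout on every run, which cron will mail; `$IPTABLES -L $CHAIN -n >/dev/null 2>&1` keeps the "run silently" promise made in the header comment. Each parsed entry goes straight to iptables, so a check inside the loop such as `[[ $IP =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$ ]] || continue` would skip a malformed line instead of erroring mid-list; while there, the duplicated "check to see if the chain already exists" comment and the stray `fi;` are worth cleaning up.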