
My IP block list script

Discussion in 'Tomato Firmware' started by yejun, Aug 22, 2008.

  1. yejun

    yejun Addicted to LI Member

    I am new to shell scripting. Please help me review the code. The script will load the Emerging Threats IP drop list into iptables and check for updates every day. There are currently 1716 IPs in the list, so it will take more than 10 minutes to load.

    Init
    Code:
    cat <<END >/tmp/update-et.sh
    #!/bin/sh
    # Revision number of the list currently loaded, and the freshly downloaded one
    ETV1="/tmp/ETrev"
    ETV2="/tmp/ETrev.tmp"
    # A leftover .tmp file means a previous run is still in progress
    if [ -f \$ETV2 ];then exit
    fi
    wget -q -O \$ETV2 http://www.emergingthreats.net/fwrules/FWrev
    if [ ! -f \$ETV2 ];then exit
    fi
    # Reload only when the published revision is newer than the loaded one
    if [ \`cat \$ETV2\` -gt \`cat \$ETV1\` ]; then
    iptables -F ETIN
    iptables -F ETOUT
    # Keep only lines that start like an IPv4 address; one DROP rule per direction
    wget -q -O - http://www.emergingthreats.net/fwrules/emerging-Block-IPs.txt|grep '^[0-9]\{1,3\}\.'|while read i;do
    iptables -A ETIN -s \$i -j DROP
    iptables -A ETOUT -d \$i -j DROP
    done
    mv -f \$ETV2 \$ETV1
    logger Block list is updated to \`cat \$ETV1\`
    else rm -f \$ETV2
    fi
    END
    chmod +x /tmp/update-et.sh
    # Run the update every day at 03:45
    cru a ETupdate "45 3 * * * /tmp/update-et.sh >/dev/null 2>&1"
    
    Firewall
    Code:
    # One chain per direction, consulted only for new connections
    iptables -N ETIN
    iptables -N ETOUT
    iptables -I wanin 1 -m state --state NEW -j ETIN
    iptables -I wanout 1 -m state --state NEW -j ETOUT
    # Start at revision 0 so the first run always loads the list
    echo "0">/tmp/ETrev
    /tmp/update-et.sh >/dev/null 2>&1
    
     
  2. yia_hara

    yia_hara LI Guru Member

    Does this work for you? I've been looking for a way to add a blocked IP list and have been using FWbuilder which is a convoluted way to do so. I haven't been able to find a good reference for writing scripts and debugging is not easy.
     
  3. yejun

    yejun Addicted to LI Member

    I think the script itself works, but the router will slow down with heavy p2p traffic such as DHT.
     
  4. me2az

    me2az Addicted to LI Member

    Works fine
     
  5. me2az

    me2az Addicted to LI Member

    Just found an extended version of this script here.

    INIT
    Code:
    # Give the WAN link time to come up before the first download
    sleep 20
    cat <<END >/tmp/filtr_ns.sh
    #!/bin/sh
    # Bogon list: flush both chains (they are named BOGONSIN/BOGONSOUT) and reload
    iptables -F BOGONSIN
    iptables -F BOGONSOUT
    wget -q -O - http://www.cymru.com/Documents/bogon-bn-nonagg.txt|grep '^[0-9]\{1,3\}\.'|while read i;do
    iptables -A BOGONSIN -s \$i -j DROP
    iptables -A BOGONSOUT -d \$i -j DROP
    done
    logger BOGONS list updated
    # Emerging Threats list: same logic as the original script
    ETV1="/tmp/ETrev"
    ETV2="/tmp/ETrev.tmp"
    if [ -f \$ETV2 ];then exit
    fi
    wget -q -O \$ETV2 http://www.emergingthreats.net/fwrules/FWrev
    if [ ! -f \$ETV2 ];then exit
    fi
    if [ \`cat \$ETV2\` -gt \`cat \$ETV1\` ]; then
    iptables -F ETIN
    iptables -F ETOUT
    wget -q -O - http://www.emergingthreats.net/fwrules/emerging-Block-IPs.txt|grep '^[0-9]\{1,3\}\.'|while read i;do
    iptables -A ETIN -s \$i -j DROP
    iptables -A ETOUT -d \$i -j DROP
    done
    mv -f \$ETV2 \$ETV1
    logger EMERGING THREATS list updated to v\`cat \$ETV1\`
    else rm -f \$ETV2
    fi
    END
    chmod +x /tmp/filtr_ns.sh
    FIREWALL
    Code:
    #BOGONS
    iptables -N BOGONSIN
    iptables -N BOGONSOUT
    iptables -I wanin 1 -m state --state NEW -j BOGONSIN
    iptables -I wanout 1 -m state --state NEW -j BOGONSOUT
    
    #EMERGINGTHREATS
    iptables -N ETIN
    iptables -N ETOUT
    iptables -I wanin 1 -m state --state NEW -j ETIN
    iptables -I wanout 1 -m state --state NEW -j ETOUT
    # Start at revision 0 so the first run always loads the list
    echo "0">/tmp/ETrev
    /tmp/filtr_ns.sh >/dev/null 2>&1
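
Both scripts above feed whatever the download returns straight into `[ -gt ]` and `iptables -A`. The following is an added example (not code from this thread or from Tomato) showing the same update logic with input validation in front of it: the revision is compared only when both files hold a plain number, and each list entry must be a well-formed IPv4 address or CIDR before a rule is built. The `IPTABLES` variable, the `needs_update`/`clean_list`/`emit_rules` function names and the constructed sample list are assumptions for illustration; `IPTABLES` defaults to `echo iptables` so it can be dry-run on any box.

```shell
#!/bin/sh
# Added example, not the thread's script. Validates the revision number and every
# list entry before anything reaches iptables. Set IPTABLES=iptables to run for real.
IPTABLES="${IPTABLES:-echo iptables}"

# is_revision NUM: true only for a non-negative decimal integer
is_revision() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# is_ipv4_cidr ADDR: accept a.b.c.d or a.b.c.d/nn, octets 0-255, prefix 0-32
is_ipv4_cidr() {
    ip=${1%%/*}
    case "$1" in
        */*) pfx=${1#*/}
             is_revision "$pfx" && [ "$pfx" -le 32 ] || return 1 ;;
    esac
    # only digits and dots, no empty octet (also keeps glob characters out of set --)
    case "$ip" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        is_revision "$o" && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# clean_list: read a raw block list on stdin, print only the valid entries
clean_list() {
    while read -r line; do
        line=${line%%#*}                              # drop trailing comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # and whitespace / CR
        [ -n "$line" ] || continue
        is_ipv4_cidr "$line" && printf '%s\n' "$line"
    done
    return 0
}

# needs_update NEWREV OLDREV: true only if both are numbers and NEWREV is newer.
# An HTML error page saved as the revision file fails here instead of breaking "[ -gt ]".
needs_update() {
    is_revision "$1" && is_revision "$2" && [ "$1" -gt "$2" ]
}

# emit_rules: turn a cleaned list on stdin into the ETIN/ETOUT drop rules
emit_rules() {
    while read -r a; do
        $IPTABLES -A ETIN -s "$a" -j DROP
        $IPTABLES -A ETOUT -d "$a" -j DROP
    done
}
```

A full run is then `wget -q -O - <list URL> | clean_list | emit_rules`, guarded by `needs_update "$(cat /tmp/ETrev.tmp)" "$(cat /tmp/ETrev)"`.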
     
