2023-05-04 22:40:48 +02:00
|
|
|
# banIP - ban incoming and outgoing IPs via named nftables Sets
|
2024-01-07 18:10:49 +01:00
|
|
|
# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org)
|
2018-11-10 11:01:45 +01:00
|
|
|
# This is free software, licensed under the GNU General Public License v3.
|
|
|
|
|
|
|
|
include $(TOPDIR)/rules.mk
|
|
|
|
|
|
|
|
PKG_NAME:=banip
|
banip: release 0.9.5-1
* added a DDoS protection rules in a new pre-routing chain to prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets, flood tresholds are configured via 'ban_icmplimit' (default 10/s), 'ban_synlimit' (default 10/s) and 'ban_udplimit' (default 100/s)
* the new pre-routing rules are tracked via named nft counters and are part of the standard reporting, set 'ban_logprerouting' accordingly
* block countries dynamically by Regional Internet Registry (RIR)/regions, e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE, set 'ban_region' accordingly
* it's now possible to always allow certain protocols/destination ports in wan-input and wan-forward chains, set 'ban_allowflag' accordingly - e.g. ' tcp 80 443-445'
* filter/convert possible windows line endings of external feeds during processing
* the cpu core autodetection is now limited to max. 16 cores in parallel, set 'ban_cores' manually to overrule this limitation
* set the default nft priority to -100 for banIP input/forward chains (pre-routing is set to -150)
* update readme
* a couple of bugfixes & performance improvements
* removed abandoned feeds: darklist, ipblackhole
* added new feeds: becyber, ipsum, pallebone, debl (changed URL)
* requires a LuCI frontend update as well (separate PR/commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-04-19 22:09:29 +02:00
|
|
|
PKG_VERSION:=0.9.5
|
2024-04-21 21:57:17 +02:00
|
|
|
PKG_RELEASE:=2
|
2019-09-02 15:15:08 +02:00
|
|
|
PKG_LICENSE:=GPL-3.0-or-later
|
2018-11-10 11:01:45 +01:00
|
|
|
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
|
|
|
|
|
|
|
|
include $(INCLUDE_DIR)/package.mk
|
|
|
|
|
|
|
|
define Package/banip
|
|
|
|
SECTION:=net
|
|
|
|
CATEGORY:=Network
|
2023-05-04 22:40:48 +02:00
|
|
|
TITLE:=banIP blocks IPs via named nftables Sets
|
2023-11-05 09:19:55 +01:00
|
|
|
DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +rpcd +rpcd-mod-rpcsys
|
2018-11-10 11:01:45 +01:00
|
|
|
PKGARCH:=all
|
|
|
|
endef
|
|
|
|
|
|
|
|
define Package/banip/description
|
2023-05-04 22:40:48 +02:00
|
|
|
banIP blocks IPs via named nftables Sets.
|
banip: release 0.8.0 (nft rewrite)
- complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course
Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-02-13 17:56:57 +01:00
|
|
|
banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime.
|
2018-11-10 11:01:45 +01:00
|
|
|
Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information.
|
|
|
|
|
|
|
|
endef
|
|
|
|
|
|
|
|
define Package/banip/conffiles
|
|
|
|
/etc/config/banip
|
banip: release 0.8.0 (nft rewrite)
- complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course
Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-02-13 17:56:57 +01:00
|
|
|
/etc/banip/banip.allowlist
|
|
|
|
/etc/banip/banip.blocklist
|
2023-04-23 22:03:09 +02:00
|
|
|
/etc/banip/banip.custom.feeds
|
2018-11-10 11:01:45 +01:00
|
|
|
endef
|
|
|
|
|
|
|
|
define Build/Prepare
|
|
|
|
endef
|
|
|
|
|
|
|
|
define Build/Configure
|
|
|
|
endef
|
|
|
|
|
|
|
|
define Build/Compile
|
|
|
|
endef
|
|
|
|
|
|
|
|
define Package/banip/install
|
|
|
|
$(INSTALL_DIR) $(1)/usr/bin
|
banip: release 0.8.0 (nft rewrite)
- complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course
Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-02-13 17:56:57 +01:00
|
|
|
$(INSTALL_BIN) ./files/banip-service.sh $(1)/usr/bin
|
2018-11-10 11:01:45 +01:00
|
|
|
|
|
|
|
$(INSTALL_DIR) $(1)/etc/init.d
|
|
|
|
$(INSTALL_BIN) ./files/banip.init $(1)/etc/init.d/banip
|
|
|
|
|
banip: release 0.8.0 (nft rewrite)
- complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course
Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-02-13 17:56:57 +01:00
|
|
|
$(INSTALL_DIR) $(1)/usr/lib
|
|
|
|
$(INSTALL_CONF) ./files/banip-functions.sh $(1)/usr/lib
|
|
|
|
|
2018-11-10 11:01:45 +01:00
|
|
|
$(INSTALL_DIR) $(1)/etc/config
|
|
|
|
$(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip
|
|
|
|
|
|
|
|
$(INSTALL_DIR) $(1)/etc/banip
|
banip: release 0.8.0 (nft rewrite)
- complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course
Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-02-13 17:56:57 +01:00
|
|
|
$(INSTALL_CONF) ./files/banip.tpl $(1)/etc/banip
|
|
|
|
$(INSTALL_CONF) ./files/banip.allowlist $(1)/etc/banip
|
|
|
|
$(INSTALL_CONF) ./files/banip.blocklist $(1)/etc/banip
|
2023-02-26 08:16:15 +01:00
|
|
|
$(INSTALL_CONF) ./files/banip.countries $(1)/etc/banip
|
banip: release 0.8.0 (nft rewrite)
- complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course
Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-02-13 17:56:57 +01:00
|
|
|
$(INSTALL_CONF) ./files/banip.feeds $(1)/etc/banip
|
2023-04-23 22:03:09 +02:00
|
|
|
$(INSTALL_CONF) ./files/banip.custom.feeds $(1)/etc/banip
|
2023-12-11 17:35:13 +01:00
|
|
|
|
|
|
|
$(INSTALL_DIR) $(1)/www/cgi-bin
|
|
|
|
$(INSTALL_BIN) ./files/banip.cgi $(1)/www/cgi-bin/banip
|
2018-11-10 11:01:45 +01:00
|
|
|
endef
|
|
|
|
|
|
|
|
$(eval $(call BuildPackage,banip))
|