banip: release 0.9.4-1
* add support for destination port & protocol limitations for external feeds (see readme for details), useful for lan-forward ad- or DoH-blocking, e.g. only tcp ports 80 and 443
* add turris sentinel blocklist feed
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
parent
04ac8c177d
commit
730ad59cb9
|
@ -5,8 +5,8 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=banip
|
||||
PKG_VERSION:=0.9.3
|
||||
PKG_RELEASE:=5
|
||||
PKG_VERSION:=0.9.4
|
||||
PKG_RELEASE:=1
|
||||
PKG_LICENSE:=GPL-3.0-or-later
|
||||
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
|
||||
|
||||
|
|
|
@ -9,56 +9,57 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
|||
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
|
||||
**Please note:** By default every feed blocks all supported chains. The columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockpolicy', 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.
|
||||
|
||||
| Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Information |
|
||||
| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------------------------------------------------------- |
|
||||
| adaway | adaway IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| adguard | adguard IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| adguardtrackers | adguardtracker IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| antipopads | antipopads IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| asn | ASN IPs | | | x | [Link](https://asn.ipinfo.app) |
|
||||
| backscatterer | backscatterer IPs | x | x | | [Link](https://www.uceprotect.net/en/index.php) |
|
||||
| binarydefense | binary defense banlist | x | x | | [Link](https://iplists.firehol.org/?ipset=bds_atif) |
|
||||
| bogon | bogon prefixes | x | x | | [Link](https://team-cymru.com) |
|
||||
| bruteforceblock | bruteforceblocker IPs | x | x | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) |
|
||||
| country | country blocks | x | x | | [Link](https://www.ipdeny.com/ipblocks) |
|
||||
| cinsscore | suspicious attacker IPs | x | x | | [Link](https://cinsscore.com/#list) |
|
||||
| darklist | blocks suspicious attacker IPs | x | x | | [Link](https://darklist.de) |
|
||||
| debl | fail2ban IP blacklist | x | x | | [Link](https://www.blocklist.de) |
|
||||
| doh | public DoH-Provider | | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
|
||||
| drop | spamhaus drop compilation | x | x | | [Link](https://www.spamhaus.org) |
|
||||
| dshield | dshield IP blocklist | x | x | | [Link](https://www.dshield.org) |
|
||||
| edrop | spamhaus edrop compilation | x | x | | [Link](https://www.spamhaus.org) |
|
||||
| etcompromised | ET compromised hosts | x | x | | [Link](https://iplists.firehol.org/?ipset=et_compromised) |
|
||||
| feodo | feodo tracker | x | x | x | [Link](https://feodotracker.abuse.ch) |
|
||||
| firehol1 | firehol level 1 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
|
||||
| firehol2 | firehol level 2 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
|
||||
| firehol3 | firehol level 3 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
|
||||
| firehol4 | firehol level 4 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
|
||||
| greensnow | suspicious server IPs | x | x | | [Link](https://greensnow.co) |
|
||||
| iblockads | Advertising IPs | | | x | [Link](https://www.iblocklist.com) |
|
||||
| iblockspy | Malicious spyware IPs | x | x | | [Link](https://www.iblocklist.com) |
|
||||
| ipblackhole | blackhole IPs | x | x | | [Link](https://ip.blackhole.monster) |
|
||||
| ipthreat | hacker and botnet TPs | x | x | | [Link](https://ipthreat.net) |
|
||||
| myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) |
|
||||
| nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) |
|
||||
| oisdbig | OISD-big IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
|
||||
| ssbl | SSL botnet IPs | x | x | | [Link](https://sslbl.abuse.ch) |
|
||||
| stevenblack | stevenblack IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| talos | talos IPs | x | x | | [Link](https://talosintelligence.com/reputation_center) |
|
||||
| threat | emerging threats | x | x | | [Link](https://rules.emergingthreats.net) |
|
||||
| threatview | malicious IPs | x | x | | [Link](https://threatview.io) |
|
||||
| tor | tor exit nodes | x | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
|
||||
| uceprotect1 | spam protection level 1 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
|
||||
| uceprotect2 | spam protection level 2 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
|
||||
| uceprotect3 | spam protection level 3 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
|
||||
| urlhaus | urlhaus IDS IPs | x | x | | [Link](https://urlhaus.abuse.ch) |
|
||||
| urlvir | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=urlvir) |
|
||||
| webclient | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
|
||||
| voip | VoIP fraud blocklist | x | x | | [Link](https://voipbl.org) |
|
||||
| yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Port-Limit | Information |
|
||||
| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------: | :----------------------------------------------------------- |
|
||||
| adaway | adaway IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| adguard | adguard IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| adguardtrackers | adguardtracker IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| antipopads | antipopads IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| asn | ASN segments | | | x | tcp: 80, 443 | [Link](https://asn.ipinfo.app) |
|
||||
| backscatterer | backscatterer IPs | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
|
||||
| binarydefense | binary defense banlist | x | x | | | [Link](https://iplists.firehol.org/?ipset=bds_atif) |
|
||||
| bogon | bogon prefixes | x | x | | | [Link](https://team-cymru.com) |
|
||||
| bruteforceblock | bruteforceblocker IPs | x | x | | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) |
|
||||
| country | country blocks | x | x | | | [Link](https://www.ipdeny.com/ipblocks) |
|
||||
| cinsscore | suspicious attacker IPs | x | x | | | [Link](https://cinsscore.com/#list) |
|
||||
| darklist | blocks suspicious attacker IPs | x | x | | | [Link](https://darklist.de) |
|
||||
| debl | fail2ban IP blacklist | x | x | | | [Link](https://www.blocklist.de) |
|
||||
| doh | public DoH-Provider | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
|
||||
| drop | spamhaus drop compilation | x | x | | | [Link](https://www.spamhaus.org) |
|
||||
| dshield | dshield IP blocklist | x | x | | | [Link](https://www.dshield.org) |
|
||||
| edrop | spamhaus edrop compilation | x | x | | | [Link](https://www.spamhaus.org) |
|
||||
| etcompromised | ET compromised hosts | x | x | | | [Link](https://iplists.firehol.org/?ipset=et_compromised) |
|
||||
| feodo | feodo tracker | x | x | | | [Link](https://feodotracker.abuse.ch) |
|
||||
| firehol1 | firehol level 1 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
|
||||
| firehol2 | firehol level 2 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
|
||||
| firehol3 | firehol level 3 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
|
||||
| firehol4 | firehol level 4 compilation | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
|
||||
| greensnow | suspicious server IPs | x | x | | | [Link](https://greensnow.co) |
|
||||
| iblockads | Advertising IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
|
||||
| iblockspy | Malicious spyware IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
|
||||
| ipblackhole | blackhole IPs | x | x | | | [Link](https://ip.blackhole.monster) |
|
||||
| ipthreat | hacker and botnet TPs | x | x | | | [Link](https://ipthreat.net) |
|
||||
| myip | real-time IP blocklist | x | x | | | [Link](https://myip.ms) |
|
||||
| nixspam | iX spam protection | x | x | | | [Link](http://www.nixspam.org) |
|
||||
| oisdbig | OISD-big IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| oisdnsfw | OISD-nsfw IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| oisdsmall | OISD-small IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| proxy | open proxies | x | | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
|
||||
| ssbl | SSL botnet IPs | x | x | | | [Link](https://sslbl.abuse.ch) |
|
||||
| stevenblack | stevenblack IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| talos | talos IPs | x | x | | | [Link](https://talosintelligence.com/reputation_center) |
|
||||
| threat | emerging threats | x | x | | | [Link](https://rules.emergingthreats.net) |
|
||||
| threatview | malicious IPs | x | x | | | [Link](https://threatview.io) |
|
||||
| tor | tor exit nodes | x | x | | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
|
||||
| turris | turris sentinel blocklist | x | x | | | [Link](https://view.sentinel.turris.cz) |
|
||||
| uceprotect1 | spam protection level 1 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
|
||||
| uceprotect2 | spam protection level 2 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
|
||||
| uceprotect3 | spam protection level 3 | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
|
||||
| urlhaus | urlhaus IDS IPs | x | x | | | [Link](https://urlhaus.abuse.ch) |
|
||||
| urlvir | malware related IPs | x | x | | | [Link](https://iplists.firehol.org/?ipset=urlvir) |
|
||||
| webclient | malware related IPs | x | x | | | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
|
||||
| voip | VoIP fraud blocklist | x | x | | | [Link](https://voipbl.org) |
|
||||
| yoyo | yoyo IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
|
||||
* Zero-conf like automatic installation & setup, usually no manual changes needed
|
||||
* All Sets are handled in a separate nft table/namespace 'banIP'
|
||||
|
@ -76,8 +77,9 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
|||
* Per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains)
|
||||
* Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
|
||||
* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget
|
||||
* Provides HTTP ETag or entity tag support to download only ressources that have been updated on the server side, to save bandwith and speed up banIP reloads
|
||||
* Supports an 'allowlist only' mode, this option restricts internet access from/to a given number of secure websites/IPs
|
||||
* Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith
|
||||
* Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments
|
||||
* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
|
||||
* Deduplicate IPs accross all Sets (single IPs only, no intervals)
|
||||
* Provides comprehensive runtime information
|
||||
* Provides a detailed Set report
|
||||
|
@ -87,7 +89,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
|||
* Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
|
||||
* Procd network interface trigger support
|
||||
* Add new or edit existing banIP feeds on your own with the LuCI integrated custom feed editor
|
||||
* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
|
||||
* Supports destination port & protocol limitations for external feeds (see the feed list above). To change the default assignments just use the feed editor
|
||||
* Supports allowing / blocking of certain VLAN forwards
|
||||
* Provides an option to transfer logging events on remote servers via cgi interface
|
||||
|
||||
|
@ -97,7 +99,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
|||
* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
|
||||
* For E-Mail notifications you need to install and setup the additional 'msmtp' package
|
||||
|
||||
**Please note the following:**
|
||||
**Please note:**
|
||||
* Devices with less than 256Mb of RAM are **_not_** supported
|
||||
* Any previous installation of ancient banIP 0.7.x must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed)
|
||||
|
||||
|
@ -154,7 +156,8 @@ Available commands:
|
|||
| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
|
||||
| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
|
||||
| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
|
||||
| ban_allowlistonly | option | 0 | restrict the internet access from/to a given number of secure websites/IPs |
|
||||
| ban_allowlistonly | option | 0 | skip all blocklists and restrict the internet access only to specific, explicitly allowed IP segments |
|
||||
| ban_allowurl | list | - | external allowlist feed URLs, one or more references to simple remote IP lists |
|
||||
| ban_basedir | option | /tmp | base working directory while banIP processing |
|
||||
| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
|
||||
| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files |
|
||||
|
@ -166,7 +169,7 @@ Available commands:
|
|||
| ban_vlanallow | list | - | always allow certain VLAN forwards, e.g. br-lan.20 |
|
||||
| ban_vlanblock | list | - | always block certain VLAN forwards, e.g. br-lan.10 |
|
||||
| ban_trigger | list | - | logical reload trigger interface(s), e.g. 'wan' |
|
||||
| ban_triggerdelay | option | 10 | trigger timeout during interface reload and boot |
|
||||
| ban_triggerdelay | option | 20 | trigger timeout during interface reload and boot |
|
||||
| ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets |
|
||||
| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
|
||||
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
|
||||
|
@ -203,54 +206,56 @@ Available commands:
|
|||
:::
|
||||
::: banIP Set Statistics
|
||||
:::
|
||||
Timestamp: 2023-06-21 07:03:23
|
||||
Timestamp: 2024-03-02 07:38:28
|
||||
------------------------------
|
||||
auto-added to allowlist today: 0
|
||||
auto-added to blocklist today: 0
|
||||
|
||||
Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets)
|
||||
---------------------+--------------+-----------------------+-----------------------+------------------------
|
||||
allowlistv4MAC | 0 | - | - | OK: 0
|
||||
allowlistv6MAC | 0 | - | - | OK: 0
|
||||
allowlistv4 | 1 | OK: 0 | OK: 0 | OK: 0
|
||||
allowlistv6 | 1 | OK: 0 | OK: 0 | OK: 0
|
||||
cinsscorev4 | 13115 | OK: 142 | OK: 0 | -
|
||||
deblv4 | 8076 | OK: 5 | OK: 0 | OK: 0
|
||||
countryv6 | 37313 | OK: 0 | OK: 1 | -
|
||||
countryv4 | 36155 | OK: 33 | OK: 0 | -
|
||||
deblv6 | 15 | OK: 0 | OK: 0 | OK: 0
|
||||
dropv6 | 35 | OK: 0 | OK: 0 | OK: 0
|
||||
dropv4 | 620 | OK: 0 | OK: 0 | OK: 0
|
||||
dohv6 | 598 | - | - | OK: 0
|
||||
dohv4 | 902 | - | - | OK: 0
|
||||
edropv4 | 247 | OK: 0 | OK: 0 | OK: 0
|
||||
threatviewv4 | 571 | OK: 0 | OK: 0 | OK: 0
|
||||
firehol1v4 | 877 | OK: 8 | OK: 0 | OK: 0
|
||||
ipthreatv4 | 5751 | OK: 0 | OK: 0 | OK: 0
|
||||
urlvirv4 | 169 | OK: 0 | OK: 0 | OK: 0
|
||||
blocklistv4MAC | 0 | - | - | OK: 0
|
||||
blocklistv6MAC | 0 | - | - | OK: 0
|
||||
blocklistv4 | 3 | OK: 0 | OK: 0 | OK: 0
|
||||
blocklistv6 | 0 | OK: 0 | OK: 0 | OK: 0
|
||||
---------------------+--------------+-----------------------+-----------------------+------------------------
|
||||
22 | 104449 | 16 (188) | 16 (1) | 19 (0)
|
||||
Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets) | Port/Protocol Limit
|
||||
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
|
||||
allowlistv4MAC | 0 | - | - | OK: 0 | -
|
||||
allowlistv6MAC | 0 | - | - | OK: 0 | -
|
||||
allowlistv4 | 1 | OK: 0 | OK: 0 | OK: 0 | -
|
||||
allowlistv6 | 2 | OK: 0 | OK: 0 | OK: 0 | -
|
||||
adguardtrackersv6 | 74 | - | - | OK: 0 | tcp: 80, 443
|
||||
adguardtrackersv4 | 883 | - | - | OK: 0 | tcp: 80, 443
|
||||
cinsscorev4 | 12053 | OK: 25 | OK: 0 | - | -
|
||||
countryv4 | 37026 | OK: 14 | OK: 0 | - | -
|
||||
deblv4 | 13592 | OK: 0 | OK: 0 | - | -
|
||||
countryv6 | 38139 | OK: 0 | OK: 0 | - | -
|
||||
deblv6 | 82 | OK: 0 | OK: 0 | - | -
|
||||
dohv6 | 837 | - | - | OK: 0 | tcp: 80, 443
|
||||
dohv4 | 1240 | - | - | OK: 0 | tcp: 80, 443
|
||||
dropv6 | 51 | OK: 0 | OK: 0 | - | -
|
||||
dropv4 | 592 | OK: 0 | OK: 0 | - | -
|
||||
firehol1v4 | 906 | OK: 1 | OK: 0 | - | -
|
||||
firehol2v4 | 2105 | OK: 0 | OK: 0 | OK: 0 | -
|
||||
threatv4 | 55 | OK: 0 | OK: 0 | - | -
|
||||
ipthreatv4 | 2042 | OK: 0 | OK: 0 | - | -
|
||||
turrisv4 | 6433 | OK: 0 | OK: 0 | - | -
|
||||
blocklistv4MAC | 0 | - | - | OK: 0 | -
|
||||
blocklistv6MAC | 0 | - | - | OK: 0 | -
|
||||
blocklistv4 | 0 | OK: 0 | OK: 0 | OK: 0 | -
|
||||
blocklistv6 | 0 | OK: 0 | OK: 0 | OK: 0 | -
|
||||
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
|
||||
24 | 116113 | 16 (40) | 16 (0) | 13 (0)
|
||||
```
|
||||
|
||||
**banIP runtime information**
|
||||
```
|
||||
root@blackhole:/etc/config$ /etc/init.d/banip status
|
||||
~# /etc/init.d/banip status
|
||||
::: banIP runtime information
|
||||
+ status : active (nft: ✔, monitor: ✔)
|
||||
+ version : 0.9.0-1
|
||||
+ element_count : 111094
|
||||
+ active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dropv4, dohv6, dohv4, threatviewv4, firehol1v4, ipthreatv4, firehol2v4, urlvirv4, urlhausv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
|
||||
+ active_devices : wan: br-wan, 10g-1 / wan-if: wan, wan6 / vlan-allow: - / vlan-block: -
|
||||
+ active_uplink : 91.63.198.120, 2a12:810c:0:80:a20d:52c3:5cf:f4f
|
||||
+ nft_info : priority: -200, policy: performance, loglevel: warn, expiry: -
|
||||
+ version : 0.9.4-1
|
||||
+ element_count : 116113
|
||||
+ active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, cinsscorev4, countryv4, deblv4, countryv6, deblv6, dohv6, dohv4, dropv6, dropv4, firehol1v4, firehol2v4, threatv4, ipthreatv4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
|
||||
+ active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: -
|
||||
+ active_uplink : 217.89.211.113, fe80::2c35:fb80:e78c:cf71, 2003:ed:b5ff:2338:2c15:fb80:e78c:cf71
|
||||
+ nft_info : priority: -200, policy: performance, loglevel: warn, expiry: 2h
|
||||
+ run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report
|
||||
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
|
||||
+ last_run : action: reload, fetch: curl, duration: 0m 36s, date: 2023-07-16 06:59:28
|
||||
+ system_info : cores: 4, memory: 1663, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r23565-8fb0c196e8
|
||||
+ last_run : action: reload, log: logread, fetch: curl, duration: 0m 50s, date: 2024-03-02 07:35:01
|
||||
+ system_info : cores: 4, memory: 1685, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25356-09be63de70
|
||||
```
|
||||
|
||||
**banIP search information**
|
||||
|
@ -307,7 +312,7 @@ Furthermore, you can reference external Allowlist URLs with additional IPv4 and
|
|||
Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
|
||||
|
||||
**allowlist-only mode**
|
||||
banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure MACs, IPs or domains, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist (plus the external Allowlist URLs) are blocked.
|
||||
banIP supports an "allowlist only" mode. This option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments - and block access to the rest of the internet. All IPs which are _not_ listed in the allowlist (plus the external Allowlist URLs) are blocked.
|
||||
|
||||
**MAC/IP-binding**
|
||||
banIP supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
|
||||
|
@ -391,7 +396,7 @@ password <password>
|
|||
```
|
||||
Finally add a valid E-Mail receiver address.
|
||||
|
||||
**change existing banIP feeds or add a new one**
|
||||
**change existing banIP feeds or add port limitations**
|
||||
The banIP default blocklist feeds are stored in an external JSON file '/etc/banip/banip.feeds'. All custom changes should be stored in an external JSON file '/etc/banip/banip.custom.feeds' (empty by default). It's recommended to use the LuCI based Custom Feed Editor to make changes to this file.
|
||||
A valid JSON source object contains the following information, e.g.:
|
||||
```
|
||||
|
@ -402,11 +407,12 @@ A valid JSON source object contains the following information, e.g.:
|
|||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "tor exit nodes",
|
||||
"flag": ""
|
||||
"flag": "80-89 443 tcp"
|
||||
},
|
||||
[...]
|
||||
```
|
||||
Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed. The flag is optional, currently only 'gz' is supported to process archive downloads.
|
||||
Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed.
|
||||
Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, port numbers (plus ranges) for destination port limitations with 'tcp' (default) or 'udp' as protocol variants.
|
||||
|
||||
## Support
|
||||
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# banIP shared function library/include - ban incoming and outgoing IPs via named nftables Sets
|
||||
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
|
||||
# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org)
|
||||
# This is free software, licensed under the GNU General Public License v3.
|
||||
|
||||
# (s)hellcheck exceptions
|
||||
|
@ -632,7 +632,8 @@ f_nftinit() {
|
|||
#
|
||||
f_down() {
|
||||
local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file ruleset_raw handle rc etag_rc
|
||||
local cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
|
||||
local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_proto feed_dport flag
|
||||
local feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
|
||||
|
||||
start_ts="$(date +%s)"
|
||||
feed="${feed}v${proto}"
|
||||
|
@ -679,18 +680,37 @@ f_down() {
|
|||
feed_direction="${feed_direction} forwardlan"
|
||||
fi
|
||||
|
||||
# prepare feed flags
|
||||
#
|
||||
for flag in ${feed_flag}; do
|
||||
if [ "${flag}" = "gz" ] && ! printf "%s" "${feed_comp}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
feed_comp="${flag}"
|
||||
elif { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; } && ! printf "%s" "${feed_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
feed_proto="${flag}"
|
||||
elif [ -n "${flag//[![:digit]]/}" ] && ! printf "%s" "${feed_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||
if [ -z "${feed_dport}" ]; then
|
||||
feed_dport="${flag}"
|
||||
else
|
||||
feed_dport="${feed_dport}, ${flag}"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
[ -n "${feed_dport}" ] && feed_dport="${feed_proto:-"tcp"} dport { ${feed_dport} }"
|
||||
|
||||
# chain/rule maintenance
|
||||
#
|
||||
if [ "${ban_action}" = "reload" ] && "${ban_nftcmd}" -t list set inet banIP "${feed}" >/dev/null 2>&1; then
|
||||
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
|
||||
{
|
||||
printf "%s\n" "flush set inet banIP ${feed}"
|
||||
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${feed}\"].handle")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
|
||||
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${feed}\"].handle")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
|
||||
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${feed}\"].handle")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
|
||||
for expr in 0 1; do
|
||||
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
|
||||
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
|
||||
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
|
||||
done
|
||||
} >"${tmp_flush}"
|
||||
fi
|
||||
|
||||
|
@ -915,15 +935,11 @@ f_down() {
|
|||
|
||||
# handle compressed downloads
|
||||
#
|
||||
elif [ -n "${feed_flag}" ]; then
|
||||
case "${feed_flag}" in
|
||||
"gz")
|
||||
feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)"
|
||||
feed_rc="${?}"
|
||||
[ "${feed_rc}" = "0" ] && "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}"
|
||||
rm -f "${tmp_raw}"
|
||||
;;
|
||||
esac
|
||||
elif [ "${feed_comp}" = "gz" ]; then
|
||||
feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)"
|
||||
feed_rc="${?}"
|
||||
[ "${feed_rc}" = "0" ] && "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}"
|
||||
rm -f "${tmp_raw}"
|
||||
|
||||
# handle normal downloads
|
||||
#
|
||||
|
@ -956,6 +972,7 @@ f_down() {
|
|||
"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}"
|
||||
fi
|
||||
feed_rc="${?}"
|
||||
|
||||
# split Sets
|
||||
#
|
||||
if [ "${feed_rc}" = "0" ]; then
|
||||
|
@ -981,13 +998,13 @@ f_down() {
|
|||
# input and forward rules
|
||||
#
|
||||
if [ "${ban_blocktype}" = "reject" ]; then
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter goto reject-chain"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter goto reject-chain"
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter goto reject-chain"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter goto reject-chain"
|
||||
else
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter drop"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter drop"
|
||||
fi
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
||||
} >"${tmp_nft}"
|
||||
elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
|
||||
{
|
||||
|
@ -1000,13 +1017,13 @@ f_down() {
|
|||
# input and forward rules
|
||||
#
|
||||
if [ "${ban_blocktype}" = "reject" ]; then
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter goto reject-chain"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain"
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter goto reject-chain"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain"
|
||||
else
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter drop"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter drop"
|
||||
fi
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
||||
} >"${tmp_nft}"
|
||||
fi
|
||||
fi
|
||||
|
@ -1083,7 +1100,7 @@ f_restore() {
|
|||
# remove disabled Sets
|
||||
#
|
||||
f_rmset() {
|
||||
local feedlist tmp_del ruleset_raw item table_sets handle del_set feed_log feed_rc
|
||||
local expr feedlist tmp_del ruleset_raw item table_sets handle del_set feed_log feed_rc
|
||||
|
||||
f_getfeed
|
||||
json_get_keys feedlist
|
||||
|
@ -1098,12 +1115,14 @@ f_rmset() {
|
|||
del_set="${del_set}${item}, "
|
||||
rm -f "${ban_backupdir}/banIP.${item}.gz"
|
||||
printf "%s\n" "flush set inet banIP ${item}"
|
||||
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].handle")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
|
||||
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
|
||||
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
|
||||
for expr in 0 1; do
|
||||
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[${expr}].match.right=\"@${item}\"].handle")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
|
||||
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].handle")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
|
||||
handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].handle")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
|
||||
done
|
||||
printf "%s\n\n" "delete set inet banIP ${item}"
|
||||
fi
|
||||
done
|
||||
|
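Review bot: The new `for expr in 0 1` loop hard-codes where the set reference sits in a rule (expr[0] for a plain rule, expr[1] when a dport limit precedes it) and the hunk does not say so; if a rule ever gains another leading expression, no handle matches, the `delete set inet banIP ${item}` below still runs against a set that is referenced, and the deletion is likely rejected by nft. Suggest a comment above the loop: `# set reference is expr[0] for plain rules and expr[1] when a dport limit precedes it (see f_down)`. Whether jsonfilter accepts a wildcard index in `@.expr[*].match.right`, which would drop the loop entirely, cannot be checked from the hunk. The enclosing loop over feedlist starts outside the hunk.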
@ -1279,8 +1298,8 @@ f_lookup() {
|
|||
# table statistics
|
||||
#
|
||||
f_report() {
|
||||
local report_jsn report_txt tmp_val ruleset_raw item table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}"
|
||||
local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan
|
||||
local report_jsn report_txt tmp_val ruleset_raw item table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan set_proto set_dport set_details
|
||||
local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan output="${1}"
|
||||
|
||||
[ -z "${ban_dev}" ] && f_conf
|
||||
f_mkdir "${ban_reportdir}"
|
||||
|
@ -1305,9 +1324,28 @@ f_report() {
|
|||
printf "%s\n" "{"
|
||||
printf "\t%s\n" '"sets":{'
|
||||
for item in ${table_sets}; do
|
||||
set_cntinput="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")"
|
||||
set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")"
|
||||
set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")"
|
||||
set_cntinput=""
|
||||
set_cntforwardwan=""
|
||||
set_cntforwardlan=""
|
||||
set_proto=""
|
||||
set_dport=""
|
||||
for expr in 0 1; do
|
||||
[ -z "${set_cntinput}" ] && set_cntinput="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].counter.packets")"
|
||||
[ "${expr}" = "1" ] && [ -z "${set_dport}" ] && set_dport="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.right.set")"
|
||||
[ "${expr}" = "1" ] && [ -z "${set_proto}" ] && set_proto="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.left.payload.protocol")"
|
||||
[ -z "${set_cntforwardwan}" ] && set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].counter.packets")"
|
||||
[ "${expr}" = "1" ] && [ -z "${set_dport}" ] && set_dport="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.right.set")"
|
||||
[ "${expr}" = "1" ] && [ -z "${set_proto}" ] && set_proto="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.left.payload.protocol")"
|
||||
[ -z "${set_cntforwardlan}" ] && set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].counter.packets")"
|
||||
[ "${expr}" = "1" ] && [ -z "${set_dport}" ] && set_dport="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.right.set")"
|
||||
[ "${expr}" = "1" ] && [ -z "${set_proto}" ] && set_proto="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.left.payload.protocol")"
|
||||
done
|
||||
if [ -n "${set_dport}" ]; then
|
||||
set_dport="${set_dport//[\{\}\":]/}"
|
||||
set_dport="${set_dport#\[ *}"
|
||||
set_dport="${set_dport%* \]}"
|
||||
set_dport="${set_proto}: $(f_trim "${set_dport}")"
|
||||
fi
|
||||
if [ "${ban_reportelements}" = "1" ]; then
|
||||
set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
|
||||
sum_setelements="$((sum_setelements + set_cnt))"
|
||||
|
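Review bot: The six `[ "${expr}" = "1" ] && [ -z "${set_dport}" ]` / `set_proto` assignments inside the loop can only fire on the second iteration, so they belong after the loop with the index fixed at 1 rather than being tested and skipped on every pass; that would also make visible that port and protocol are taken from the first chain (wan-input, then wan-forward, then lan-forward) that carries a limit. Separately, each jsonfilter call re-parses the complete ruleset, and the loop raises the per-set count from three to up to eighteen, which with many sets may be noticeable on a router CPU — extracting the three per-chain rule objects once per item and querying those would avoid it, though the surrounding report loop is outside the hunk. The `${set_dport//[\{\}\":]/}` substitution is a bash/ash extension rather than POSIX sh; fine if the script already relies on it elsewhere. f_report continues outside the hunk.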
@ -1347,7 +1385,8 @@ f_report() {
|
|||
printf "\t\t\t%s\n" "\"cnt_forwardwan\": \"${set_cntforwardwan}\","
|
||||
printf "\t\t\t%s\n" "\"wan_forward\": \"${set_forwardwan}\","
|
||||
printf "\t\t\t%s\n" "\"cnt_forwardlan\": \"${set_cntforwardlan}\","
|
||||
printf "\t\t\t%s\n" "\"lan_forward\": \"${set_forwardlan}\""
|
||||
printf "\t\t\t%s\n" "\"lan_forward\": \"${set_forwardlan}\"",
|
||||
printf "\t\t\t%s\n" "\"port\": \"${set_dport:-"-"}\""
|
||||
printf "\t\t%s" "}"
|
||||
sum_sets="$((sum_sets + 1))"
|
||||
done
|
||||
|
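Review bot: On the `"lan_forward"` line the comma was placed outside the closing quote (`...\"${set_forwardlan}\"",`); shell word concatenation still yields the intended `"lan_forward": "…",`, but every sibling line keeps its comma inside the string and the stray `",` reads like a quoting mistake. Suggest `printf "\t\t\t%s\n" "\"lan_forward\": \"${set_forwardlan}\","`. The new `"port"` value embeds set_dport without escaping; it is safe only because the `"` characters are stripped from it earlier in f_report, which is worth a short comment here.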
@ -1392,8 +1431,8 @@ f_report() {
|
|||
json_select "sets" >/dev/null 2>&1
|
||||
json_get_keys table_sets >/dev/null 2>&1
|
||||
if [ -n "${table_sets}" ]; then
|
||||
printf "%-25s%-15s%-24s%-24s%s\n" " Set" "| Elements" "| WAN-Input (packets)" "| WAN-Forward (packets)" "| LAN-Forward (packets)"
|
||||
printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------"
|
||||
printf "%-25s%-15s%-24s%-24s%-24s%s\n" " Set" "| Elements" "| WAN-Input (packets)" "| WAN-Forward (packets)" "| LAN-Forward (packets)" "| Port/Protocol Limit"
|
||||
printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------"
|
||||
for item in ${table_sets}; do
|
||||
printf " %-21s" "${item}"
|
||||
json_select "${item}"
|
||||
|
@ -1416,7 +1455,7 @@ f_report() {
|
|||
printf "\n"
|
||||
json_select ".."
|
||||
done
|
||||
printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------"
|
||||
printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------"
|
||||
printf "%-25s%-15s%-24s%-24s%s\n" " ${sum_sets}" "| ${sum_setelements}" "| ${sum_setinput} (${sum_cntinput})" "| ${sum_setforwardwan} (${sum_cntforwardwan})" "| ${sum_setforwardlan} (${sum_cntforwardlan})"
|
||||
fi
|
||||
} >>"${report_txt}"
|
||||
|
|
|
@ -4,35 +4,40 @@
|
|||
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv6.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "adaway IPs"
|
||||
"descr": "adaway IPs",
|
||||
"flag": "80 443"
|
||||
},
|
||||
"adguard":{
|
||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv4.txt",
|
||||
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv6.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "adguard IPs"
|
||||
"descr": "adguard IPs",
|
||||
"flag": "80 443"
|
||||
},
|
||||
"adguardtrackers":{
|
||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv4.txt",
|
||||
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv6.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "adguardtracker IPs"
|
||||
"descr": "adguardtracker IPs",
|
||||
"flag": "80 443"
|
||||
},
|
||||
"antipopads":{
|
||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv4.txt",
|
||||
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv6.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "antipopads IPs"
|
||||
"descr": "antipopads IPs",
|
||||
"flag": "80 443"
|
||||
},
|
||||
"asn":{
|
||||
"url_4": "https://asn.ipinfo.app/api/text/list/",
|
||||
"url_6": "https://asn.ipinfo.app/api/text/list/",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "ASN IPs"
|
||||
"descr": "ASN IP segments",
|
||||
"flag": "80 443"
|
||||
},
|
||||
"backscatterer":{
|
||||
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz",
|
||||
|
@ -86,7 +91,8 @@
|
|||
"url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "public DoH-Provider"
|
||||
"descr": "public DoH-Provider",
|
||||
"flag": "80 443"
|
||||
},
|
||||
"drop":{
|
||||
"url_4": "https://www.spamhaus.org/drop/drop.txt",
|
||||
|
@ -144,13 +150,13 @@
|
|||
"url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "advertising IPs",
|
||||
"flag": "gz"
|
||||
"flag": "gz 80 443"
|
||||
},
|
||||
"iblockspy":{
|
||||
"url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "malicious spyware IPs",
|
||||
"flag": "gz"
|
||||
"flag": "gz 80 443"
|
||||
},
|
||||
"ipblackhole":{
|
||||
"url_4": "https://ip.blackhole.monster/blackhole-today",
|
||||
|
@ -181,21 +187,24 @@
|
|||
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdbig-ipv6.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "OISD-big IPs"
|
||||
"descr": "OISD-big IPs",
|
||||
"flag": "80 443"
|
||||
},
|
||||
"oisdnsfw":{
|
||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt",
|
||||
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv6.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "OISD-nsfw IPs"
|
||||
"descr": "OISD-nsfw IPs",
|
||||
"flag": "80 443"
|
||||
},
|
||||
"oisdsmall":{
|
||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv4.txt",
|
||||
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv6.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "OISD-small IPs"
|
||||
"descr": "OISD-small IPs",
|
||||
"flag": "80 443"
|
||||
},
|
||||
"proxy":{
|
||||
"url_4": "https://iplists.firehol.org/files/proxylists.ipset",
|
||||
|
@ -212,7 +221,8 @@
|
|||
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv6.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "stevenblack IPs"
|
||||
"descr": "stevenblack IPs",
|
||||
"flag": "80 443"
|
||||
},
|
||||
"talos":{
|
||||
"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
|
||||
|
@ -236,6 +246,11 @@
|
|||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||
"descr": "tor exit nodes"
|
||||
},
|
||||
"turris":{
|
||||
"url_4":"https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv",
|
||||
"rule_4":"BEGIN{FS=\",\"}/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$1}",
|
||||
"descr":"turris sentinel blocklist"
|
||||
},
|
||||
"uceprotect1":{
|
||||
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||
|
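Review bot: The turris `rule_4` is the only feed rule without a `^` anchor, and it prints `$1` whenever the IPv4 pattern appears anywhere on the line, so a CSV row whose first field is not the address (a header line, or a future column change) would likely land in the set file and break the nft load of that feed; the other rules only emit what they matched. Suggest matching the first field itself: `"rule_4": "BEGIN{FS=\",\"}$1~/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}"`. The three new keys also omit the space after the colon (`"url_4":"https…`) that every other entry in the file uses.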
@ -279,6 +294,7 @@
|
|||
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv6.txt",
|
||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||
"descr": "yoyo IPs"
|
||||
"descr": "yoyo IPs",
|
||||
"flag": "80 443"
|
||||
}
|
||||
}