Dirk Brenken
GitHub
commit
d5a13478eb
|
|
@ -5,8 +5,8 @@
|
||||||
include $(TOPDIR)/rules.mk
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=banip
|
PKG_NAME:=banip
|
||||||
PKG_VERSION:=0.9.4
|
PKG_VERSION:=0.9.5
|
||||||
PKG_RELEASE:=3
|
PKG_RELEASE:=1
|
||||||
PKG_LICENSE:=GPL-3.0-or-later
|
PKG_LICENSE:=GPL-3.0-or-later
|
||||||
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
|
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -17,12 +17,12 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
||||||
| antipopads | antipopads IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
| antipopads | antipopads IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||||
| asn | ASN segments | | | x | tcp: 80, 443 | [Link](https://asn.ipinfo.app) |
|
| asn | ASN segments | | | x | tcp: 80, 443 | [Link](https://asn.ipinfo.app) |
|
||||||
| backscatterer | backscatterer IPs | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
|
| backscatterer | backscatterer IPs | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
|
||||||
|
| becyber | malicious attacker IPs | x | x | | | [Link](https://github.com/duggytuxy/malicious_ip_addresses) |
|
||||||
| binarydefense | binary defense banlist | x | x | | | [Link](https://iplists.firehol.org/?ipset=bds_atif) |
|
| binarydefense | binary defense banlist | x | x | | | [Link](https://iplists.firehol.org/?ipset=bds_atif) |
|
||||||
| bogon | bogon prefixes | x | x | | | [Link](https://team-cymru.com) |
|
| bogon | bogon prefixes | x | x | | | [Link](https://team-cymru.com) |
|
||||||
| bruteforceblock | bruteforceblocker IPs | x | x | | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) |
|
| bruteforceblock | bruteforceblocker IPs | x | x | | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) |
|
||||||
| country | country blocks | x | x | | | [Link](https://www.ipdeny.com/ipblocks) |
|
| country | country blocks | x | x | | | [Link](https://www.ipdeny.com/ipblocks) |
|
||||||
| cinsscore | suspicious attacker IPs | x | x | | | [Link](https://cinsscore.com/#list) |
|
| cinsscore | suspicious attacker IPs | x | x | | | [Link](https://cinsscore.com/#list) |
|
||||||
| darklist | blocks suspicious attacker IPs | x | x | | | [Link](https://darklist.de) |
|
|
||||||
| debl | fail2ban IP blacklist | x | x | | | [Link](https://www.blocklist.de) |
|
| debl | fail2ban IP blacklist | x | x | | | [Link](https://www.blocklist.de) |
|
||||||
| doh | public DoH-Provider | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
|
| doh | public DoH-Provider | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
|
||||||
| drop | spamhaus drop compilation | x | x | | | [Link](https://www.spamhaus.org) |
|
| drop | spamhaus drop compilation | x | x | | | [Link](https://www.spamhaus.org) |
|
||||||
|
|
@ -37,14 +37,15 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
||||||
| greensnow | suspicious server IPs | x | x | | | [Link](https://greensnow.co) |
|
| greensnow | suspicious server IPs | x | x | | | [Link](https://greensnow.co) |
|
||||||
| iblockads | Advertising IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
|
| iblockads | Advertising IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
|
||||||
| iblockspy | Malicious spyware IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
|
| iblockspy | Malicious spyware IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
|
||||||
| ipblackhole | blackhole IPs | x | x | | | [Link](https://ip.blackhole.monster) |
|
| ipsum | malicious IPs | x | x | | | [Link](https://github.com/stamparm/ipsum) |
|
||||||
| ipthreat | hacker and botnet TPs | x | x | | | [Link](https://ipthreat.net) |
|
| ipthreat | hacker and botnet TPs | x | x | | | [Link](https://ipthreat.net) |
|
||||||
| myip | real-time IP blocklist | x | x | | | [Link](https://myip.ms) |
|
| myip | real-time IP blocklist | x | x | | | [Link](https://myip.ms) |
|
||||||
| nixspam | iX spam protection | x | x | | | [Link](http://www.nixspam.org) |
|
| nixspam | iX spam protection | x | x | | | [Link](http://www.nixspam.org) |
|
||||||
| oisdbig | OISD-big IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
| oisdbig | OISD-big IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||||
| oisdnsfw | OISD-nsfw IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
| oisdnsfw | OISD-nsfw IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||||
| oisdsmall | OISD-small IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
| oisdsmall | OISD-small IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||||
| proxy | open proxies | x | | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
|
| pallebone | curated IP blocklist | x | x | | | [Link](https://github.com/pallebone/StrictBlockPAllebone) |
|
||||||
|
| proxy | open proxies | x | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
|
||||||
| ssbl | SSL botnet IPs | x | x | | | [Link](https://sslbl.abuse.ch) |
|
| ssbl | SSL botnet IPs | x | x | | | [Link](https://sslbl.abuse.ch) |
|
||||||
| stevenblack | stevenblack IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
| stevenblack | stevenblack IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||||
| talos | talos IPs | x | x | | | [Link](https://talosintelligence.com/reputation_center) |
|
| talos | talos IPs | x | x | | | [Link](https://talosintelligence.com/reputation_center) |
|
||||||
|
|
@ -66,10 +67,12 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
||||||
* Full IPv4 and IPv6 support
|
* Full IPv4 and IPv6 support
|
||||||
* Supports nft atomic Set loading
|
* Supports nft atomic Set loading
|
||||||
* Supports blocking by ASN numbers and by iso country codes
|
* Supports blocking by ASN numbers and by iso country codes
|
||||||
|
* Block countries dynamically by Regional Internet Registry (RIR), e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE
|
||||||
* Supports local allow- and blocklist with MAC/IPv4/IPv6 addresses or domain names
|
* Supports local allow- and blocklist with MAC/IPv4/IPv6 addresses or domain names
|
||||||
* Supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments
|
* Supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments
|
||||||
* All local input types support ranges in CIDR notation
|
* All local input types support ranges in CIDR notation
|
||||||
* Auto-add the uplink subnet or uplink IP to the local allowlist
|
* Auto-add the uplink subnet or uplink IP to the local allowlist
|
||||||
|
* Prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets (DDoS attacks) in an additional prerouting chain
|
||||||
* Provides a small background log monitor to ban unsuccessful login attempts in real-time (like fail2ban, crowdsec etc.)
|
* Provides a small background log monitor to ban unsuccessful login attempts in real-time (like fail2ban, crowdsec etc.)
|
||||||
* Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
|
* Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
|
||||||
* Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP
|
* Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP
|
||||||
|
|
@ -80,6 +83,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
||||||
* Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith
|
* Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith
|
||||||
* Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments
|
* Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments
|
||||||
* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
|
* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
|
||||||
|
* Optionally always allow certain protocols/destination ports in wan-input and wan-forward chains
|
||||||
* Deduplicate IPs accross all Sets (single IPs only, no intervals)
|
* Deduplicate IPs accross all Sets (single IPs only, no intervals)
|
||||||
* Provides comprehensive runtime information
|
* Provides comprehensive runtime information
|
||||||
* Provides a detailed Set report
|
* Provides a detailed Set report
|
||||||
|
|
@ -149,14 +153,19 @@ Available commands:
|
||||||
| ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
|
| ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
|
||||||
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
|
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
|
||||||
| ban_debug | option | 0 | enable banIP related debug logging |
|
| ban_debug | option | 0 | enable banIP related debug logging |
|
||||||
| ban_loginput | option | 1 | log drops in the wan-input chain |
|
| ban_icmplimit | option | 10 | treshold in number of packets to detect icmp DDoS in prerouting chain |
|
||||||
| ban_logforwardwan | option | 1 | log drops in the wan-forward chain |
|
| ban_synlimit | option | 10 | treshold in number of packets to detect syn DDoS in prerouting chain |
|
||||||
| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
|
| ban_udplimit | option | 100 | treshold in number of packets to detect udp DDoS in prerouting chain |
|
||||||
|
| ban_logprerouting | option | 0 | log supsicious packets in the prerouting chain |
|
||||||
|
| ban_loginput | option | 0 | log supsicious packets in the wan-input chain |
|
||||||
|
| ban_logforwardwan | option | 0 | log supsicious packets in the wan-forward chain |
|
||||||
|
| ban_logforwardlan | option | 0 | log supsicious packets in the lan-forward chain |
|
||||||
| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
|
| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
|
||||||
| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
|
| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
|
||||||
| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
|
| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
|
||||||
| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
|
| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
|
||||||
| ban_allowlistonly | option | 0 | skip all blocklists and restrict the internet access only to specific, explicitly allowed IP segments |
|
| ban_allowlistonly | option | 0 | skip all blocklists and restrict the internet access only to specific, explicitly allowed IP segments |
|
||||||
|
| ban_allowflag | option | - | always allow certain protocols(tcp or udp) plus destination ports or port ranges, e.g.: 'tcp 80 443-445' |
|
||||||
| ban_allowurl | list | - | external allowlist feed URLs, one or more references to simple remote IP lists |
|
| ban_allowurl | list | - | external allowlist feed URLs, one or more references to simple remote IP lists |
|
||||||
| ban_basedir | option | /tmp | base working directory while banIP processing |
|
| ban_basedir | option | /tmp | base working directory while banIP processing |
|
||||||
| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
|
| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
|
||||||
|
|
@ -174,11 +183,12 @@ Available commands:
|
||||||
| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
|
| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
|
||||||
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
|
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
|
||||||
| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
|
| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
|
||||||
| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
|
| ban_nftpriority | option | -100 | nft priority for the banIP table (the prerouting table is fixed to priority -150) |
|
||||||
| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
|
| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
|
||||||
| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
|
| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
|
||||||
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
|
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
|
||||||
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
|
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
|
||||||
|
| ban_region | list | - | Regional Internet Registry (RIR) country selection. Supported regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE |
|
||||||
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
|
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
|
||||||
| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' |
|
| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' |
|
||||||
| ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic |
|
| ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic |
|
||||||
|
|
@ -206,39 +216,46 @@ Available commands:
|
||||||
:::
|
:::
|
||||||
::: banIP Set Statistics
|
::: banIP Set Statistics
|
||||||
:::
|
:::
|
||||||
Timestamp: 2024-03-02 07:38:28
|
Timestamp: 2024-04-17 23:02:15
|
||||||
------------------------------
|
------------------------------
|
||||||
auto-added to allowlist today: 0
|
blocked syn-flood packets in prerouting : 5
|
||||||
auto-added to blocklist today: 0
|
blocked udp-flood packets in prerouting : 11
|
||||||
|
blocked icmp-flood packets in prerouting : 6
|
||||||
|
blocked invalid ct packets in prerouting : 277
|
||||||
|
blocked invalid tcp packets in prerouting: 0
|
||||||
|
----------
|
||||||
|
auto-added IPs to allowlist today: 0
|
||||||
|
auto-added IPs to blocklist today: 0
|
||||||
|
|
||||||
Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets) | Port/Protocol Limit
|
Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets) | Port/Protocol Limit
|
||||||
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
|
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
|
||||||
allowlistv4MAC | 0 | - | - | OK: 0 | -
|
allowlistv4MAC | 0 | - | - | ON: 0 | -
|
||||||
allowlistv6MAC | 0 | - | - | OK: 0 | -
|
allowlistv6MAC | 0 | - | - | ON: 0 | -
|
||||||
allowlistv4 | 1 | OK: 0 | OK: 0 | OK: 0 | -
|
allowlistv4 | 1 | ON: 0 | ON: 0 | ON: 0 | -
|
||||||
allowlistv6 | 2 | OK: 0 | OK: 0 | OK: 0 | -
|
allowlistv6 | 2 | ON: 0 | ON: 0 | ON: 0 | -
|
||||||
adguardtrackersv6 | 74 | - | - | OK: 0 | tcp: 80, 443
|
adguardtrackersv6 | 105 | - | - | ON: 0 | tcp: 80, 443
|
||||||
adguardtrackersv4 | 883 | - | - | OK: 0 | tcp: 80, 443
|
adguardtrackersv4 | 816 | - | - | ON: 0 | tcp: 80, 443
|
||||||
cinsscorev4 | 12053 | OK: 25 | OK: 0 | - | -
|
becyberv4 | 229006 | ON: 2254 | ON: 0 | - | -
|
||||||
countryv4 | 37026 | OK: 14 | OK: 0 | - | -
|
cinsscorev4 | 7135 | ON: 1630 | ON: 2 | - | -
|
||||||
deblv4 | 13592 | OK: 0 | OK: 0 | - | -
|
deblv4 | 10191 | ON: 23 | ON: 0 | - | -
|
||||||
countryv6 | 38139 | OK: 0 | OK: 0 | - | -
|
countryv6 | 38233 | ON: 7 | ON: 0 | - | -
|
||||||
deblv6 | 82 | OK: 0 | OK: 0 | - | -
|
countryv4 | 37169 | ON: 2323 | ON: 0 | - | -
|
||||||
dohv6 | 837 | - | - | OK: 0 | tcp: 80, 443
|
deblv6 | 65 | ON: 0 | ON: 0 | - | -
|
||||||
dohv4 | 1240 | - | - | OK: 0 | tcp: 80, 443
|
dropv6 | 66 | ON: 0 | ON: 0 | - | -
|
||||||
dropv6 | 51 | OK: 0 | OK: 0 | - | -
|
dohv4 | 1219 | - | - | ON: 0 | tcp: 80, 443
|
||||||
dropv4 | 592 | OK: 0 | OK: 0 | - | -
|
dropv4 | 895 | ON: 75 | ON: 0 | - | -
|
||||||
firehol1v4 | 906 | OK: 1 | OK: 0 | - | -
|
dohv6 | 832 | - | - | ON: 0 | tcp: 80, 443
|
||||||
firehol2v4 | 2105 | OK: 0 | OK: 0 | OK: 0 | -
|
threatv4 | 20 | ON: 0 | ON: 0 | - | -
|
||||||
threatv4 | 55 | OK: 0 | OK: 0 | - | -
|
firehol1v4 | 753 | ON: 1 | ON: 0 | - | -
|
||||||
ipthreatv4 | 2042 | OK: 0 | OK: 0 | - | -
|
ipthreatv4 | 1369 | ON: 20 | ON: 0 | - | -
|
||||||
turrisv4 | 6433 | OK: 0 | OK: 0 | - | -
|
firehol2v4 | 2216 | ON: 1 | ON: 0 | - | -
|
||||||
blocklistv4MAC | 0 | - | - | OK: 0 | -
|
turrisv4 | 5613 | ON: 179 | ON: 0 | - | -
|
||||||
blocklistv6MAC | 0 | - | - | OK: 0 | -
|
blocklistv4MAC | 0 | - | - | ON: 0 | -
|
||||||
blocklistv4 | 0 | OK: 0 | OK: 0 | OK: 0 | -
|
blocklistv6MAC | 0 | - | - | ON: 0 | -
|
||||||
blocklistv6 | 0 | OK: 0 | OK: 0 | OK: 0 | -
|
blocklistv4 | 0 | ON: 0 | ON: 0 | ON: 0 | -
|
||||||
|
blocklistv6 | 0 | ON: 0 | ON: 0 | ON: 0 | -
|
||||||
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
|
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
|
||||||
24 | 116113 | 16 (40) | 16 (0) | 13 (0)
|
25 | 335706 | 17 (6513) | 17 (2) | 12 (0)
|
||||||
```
|
```
|
||||||
|
|
||||||
**banIP runtime information**
|
**banIP runtime information**
|
||||||
|
|
@ -246,16 +263,16 @@ Available commands:
|
||||||
~# /etc/init.d/banip status
|
~# /etc/init.d/banip status
|
||||||
::: banIP runtime information
|
::: banIP runtime information
|
||||||
+ status : active (nft: ✔, monitor: ✔)
|
+ status : active (nft: ✔, monitor: ✔)
|
||||||
+ version : 0.9.4-1
|
+ version : 0.9.5-r1
|
||||||
+ element_count : 116113
|
+ element_count : 335706
|
||||||
+ active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, cinsscorev4, countryv4, deblv4, countryv6, deblv6, dohv6, dohv4, dropv6, dropv4, firehol1v4, firehol2v4, threatv4, ipthreatv4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
|
+ active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, becyberv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dohv4, dropv4, dohv6, threatv4, firehol1v4, ipthreatv4, firehol2v4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
|
||||||
+ active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: -
|
+ active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: -
|
||||||
+ active_uplink : 217.89.211.113, fe80::2c35:fb80:e78c:cf71, 2003:ed:b5ff:2338:2c15:fb80:e78c:cf71
|
+ active_uplink : 217.83.205.130, fe80::9cd6:12e9:c4df:75d3, 2003:ed:b5ff:43bd:9cd5:12e7:c3ef:75d8
|
||||||
+ nft_info : priority: -200, policy: performance, loglevel: warn, expiry: 2h
|
+ nft_info : priority: 0, policy: performance, loglevel: warn, expiry: 2h
|
||||||
+ run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report
|
+ run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report
|
||||||
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
|
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/inp/fwd/lan): ✔/✘/✘/✘, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
|
||||||
+ last_run : action: reload, log: logread, fetch: curl, duration: 0m 50s, date: 2024-03-02 07:35:01
|
+ last_run : action: reload, log: logread, fetch: curl, duration: 2m 33s, date: 2024-04-17 05:57:56
|
||||||
+ system_info : cores: 4, memory: 1685, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25356-09be63de70
|
+ system_info : cores: 4, memory: 1573, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25932-338b463e1e
|
||||||
```
|
```
|
||||||
|
|
||||||
**banIP search information**
|
**banIP search information**
|
||||||
|
|
@ -315,11 +332,14 @@ Both local lists also accept domain names as input to allow IP filtering based o
|
||||||
banIP supports an "allowlist only" mode. This option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments - and block access to the rest of the internet. All IPs which are _not_ listed in the allowlist (plus the external Allowlist URLs) are blocked.
|
banIP supports an "allowlist only" mode. This option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments - and block access to the rest of the internet. All IPs which are _not_ listed in the allowlist (plus the external Allowlist URLs) are blocked.
|
||||||
|
|
||||||
**MAC/IP-binding**
|
**MAC/IP-binding**
|
||||||
banIP supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
|
banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
|
||||||
```
|
```
|
||||||
MAC-address only:
|
MAC-address only:
|
||||||
C8:C2:9B:F7:80:12 => this will be populated to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
|
C8:C2:9B:F7:80:12 => this will be populated to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
|
||||||
|
|
||||||
|
MAC-address range:
|
||||||
|
C8:C2:9B:F7:80:12/24 => this populate the MAC-range C8:C2:9B:00:00:00", "C8:C2:9B:FF:FF:FF to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
|
||||||
|
|
||||||
MAC-address with IPv4 concatenation:
|
MAC-address with IPv4 concatenation:
|
||||||
C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated only to v4MAC-Set with the certain IP, no entry in the v6MAC-Set
|
C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated only to v4MAC-Set with the certain IP, no entry in the v6MAC-Set
|
||||||
|
|
||||||
|
|
@ -334,6 +354,7 @@ MAC-address with IPv4 and IPv6 wildcard concatenation:
|
||||||
C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
|
C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
|
||||||
C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0
|
C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0
|
||||||
```
|
```
|
||||||
|
|
||||||
**enable the cgi interface to receive remote logging events**
|
**enable the cgi interface to receive remote logging events**
|
||||||
banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below). To enable the cgi interface set the following options:
|
banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below). To enable the cgi interface set the following options:
|
||||||
|
|
||||||
|
|
@ -407,12 +428,12 @@ A valid JSON source object contains the following information, e.g.:
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "tor exit nodes",
|
"descr": "tor exit nodes",
|
||||||
"flag": "80-89 443 tcp"
|
"flag": "tcp 80-89 443"
|
||||||
},
|
},
|
||||||
[...]
|
[...]
|
||||||
```
|
```
|
||||||
Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed.
|
Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed.
|
||||||
Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, port numbers (plus ranges) for destination port limitations with 'tcp' (default) or 'udp' as protocol variants.
|
Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations.
|
||||||
|
|
||||||
## Support
|
## Support
|
||||||
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
|
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
|
||||||
|
|
|
||||||
|
|
@ -16,6 +16,7 @@ ban_basedir="/tmp"
|
||||||
ban_backupdir="/tmp/banIP-backup"
|
ban_backupdir="/tmp/banIP-backup"
|
||||||
ban_reportdir="/tmp/banIP-report"
|
ban_reportdir="/tmp/banIP-report"
|
||||||
ban_feedfile="/etc/banip/banip.feeds"
|
ban_feedfile="/etc/banip/banip.feeds"
|
||||||
|
ban_countryfile="/etc/banip/banip.countries"
|
||||||
ban_customfeedfile="/etc/banip/banip.custom.feeds"
|
ban_customfeedfile="/etc/banip/banip.custom.feeds"
|
||||||
ban_allowlist="/etc/banip/banip.allowlist"
|
ban_allowlist="/etc/banip/banip.allowlist"
|
||||||
ban_blocklist="/etc/banip/banip.blocklist"
|
ban_blocklist="/etc/banip/banip.blocklist"
|
||||||
|
|
@ -36,18 +37,24 @@ ban_reportelements="1"
|
||||||
ban_remotelog="0"
|
ban_remotelog="0"
|
||||||
ban_remotetoken=""
|
ban_remotetoken=""
|
||||||
ban_nftloglevel="warn"
|
ban_nftloglevel="warn"
|
||||||
ban_nftpriority="-200"
|
ban_nftpriority="-100"
|
||||||
ban_nftpolicy="memory"
|
ban_nftpolicy="memory"
|
||||||
ban_nftexpiry=""
|
ban_nftexpiry=""
|
||||||
ban_loglimit="100"
|
ban_loglimit="100"
|
||||||
|
ban_icmplimit="10"
|
||||||
|
ban_synlimit="10"
|
||||||
|
ban_udplimit="100"
|
||||||
ban_logcount="1"
|
ban_logcount="1"
|
||||||
ban_logterm=""
|
ban_logterm=""
|
||||||
|
ban_region=""
|
||||||
ban_country=""
|
ban_country=""
|
||||||
ban_asn=""
|
ban_asn=""
|
||||||
ban_loginput="1"
|
ban_logprerouting="0"
|
||||||
ban_logforwardwan="1"
|
ban_loginput="0"
|
||||||
|
ban_logforwardwan="0"
|
||||||
ban_logforwardlan="0"
|
ban_logforwardlan="0"
|
||||||
ban_allowurl=""
|
ban_allowurl=""
|
||||||
|
ban_allowflag=""
|
||||||
ban_allowlistonly="0"
|
ban_allowlistonly="0"
|
||||||
ban_autoallowlist="1"
|
ban_autoallowlist="1"
|
||||||
ban_autoallowuplink="subnet"
|
ban_autoallowuplink="subnet"
|
||||||
|
|
@ -104,6 +111,7 @@ f_system() {
|
||||||
[ "${cpu}" = "0" ] && cpu="1"
|
[ "${cpu}" = "0" ] && cpu="1"
|
||||||
[ "${core}" = "0" ] && core="1"
|
[ "${core}" = "0" ] && core="1"
|
||||||
ban_cores="$((cpu * core))"
|
ban_cores="$((cpu * core))"
|
||||||
|
[ "${ban_cores}" -gt "16" ] && ban_cores="16"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -211,8 +219,7 @@ f_rmpid() {
|
||||||
kill -INT "${pid}" >/dev/null 2>&1
|
kill -INT "${pid}" >/dev/null 2>&1
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
: >"${ban_rdapfile}"
|
: >"${ban_rdapfile}" >"${ban_pidfile}"
|
||||||
: >"${ban_pidfile}"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# write log messages
|
# write log messages
|
||||||
|
|
@ -247,7 +254,9 @@ f_log() {
|
||||||
# load config
|
# load config
|
||||||
#
|
#
|
||||||
f_conf() {
|
f_conf() {
|
||||||
unset ban_dev ban_vlanallow ban_vlanblock ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn
|
local rir ccode region country
|
||||||
|
|
||||||
|
unset ban_dev ban_vlanallow ban_vlanblock ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_region ban_country ban_asn
|
||||||
config_cb() {
|
config_cb() {
|
||||||
option_cb() {
|
option_cb() {
|
||||||
local option="${1}"
|
local option="${1}"
|
||||||
|
|
@ -294,6 +303,9 @@ f_conf() {
|
||||||
"ban_logterm")
|
"ban_logterm")
|
||||||
eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|\""
|
eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|\""
|
||||||
;;
|
;;
|
||||||
|
"ban_region")
|
||||||
|
eval "${option}=\"$(printf "%s" "${ban_region}")${value} \""
|
||||||
|
;;
|
||||||
"ban_country")
|
"ban_country")
|
||||||
eval "${option}=\"$(printf "%s" "${ban_country}")${value} \""
|
eval "${option}=\"$(printf "%s" "${ban_country}")${value} \""
|
||||||
;;
|
;;
|
||||||
|
|
@ -305,6 +317,14 @@ f_conf() {
|
||||||
}
|
}
|
||||||
config_load banip
|
config_load banip
|
||||||
[ -f "${ban_logreadfile}" ] && ban_logreadcmd="$(command -v tail)" || ban_logreadcmd="$(command -v logread)"
|
[ -f "${ban_logreadfile}" ] && ban_logreadcmd="$(command -v tail)" || ban_logreadcmd="$(command -v logread)"
|
||||||
|
|
||||||
|
for rir in ${ban_region}; do
|
||||||
|
while read -r ccode region country; do
|
||||||
|
if [ "${rir}" = "${region}" ] && ! printf "%s" "${ban_country}" | "${ban_grepcmd}" -qw "${ccode}"; then
|
||||||
|
ban_country="${ban_country} ${ccode}"
|
||||||
|
fi
|
||||||
|
done < "${ban_countryfile}"
|
||||||
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
# get nft/monitor actuals
|
# get nft/monitor actuals
|
||||||
|
|
@ -575,12 +595,33 @@ f_etag() {
|
||||||
# build initial nft file with base table, chains and rules
|
# build initial nft file with base table, chains and rules
|
||||||
#
|
#
|
||||||
f_nftinit() {
|
f_nftinit() {
|
||||||
local wan_dev vlan_allow vlan_block feed_log feed_rc file="${1}"
|
local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc allow_proto allow_dport flag file="${1}"
|
||||||
|
|
||||||
wan_dev="$(printf "%s" "${ban_dev}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
|
wan_dev="$(printf "%s" "${ban_dev}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
|
||||||
[ -n "${ban_vlanallow}" ] && vlan_allow="$(printf "%s" "${ban_vlanallow%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
|
[ -n "${ban_vlanallow}" ] && vlan_allow="$(printf "%s" "${ban_vlanallow%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
|
||||||
[ -n "${ban_vlanblock}" ] && vlan_block="$(printf "%s" "${ban_vlanblock%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
|
[ -n "${ban_vlanblock}" ] && vlan_block="$(printf "%s" "${ban_vlanblock%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
|
||||||
|
|
||||||
|
for flag in ${ban_allowflag}; do
|
||||||
|
if [ -z "${allow_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then
|
||||||
|
allow_proto="${flag}"
|
||||||
|
elif [ -n "${allow_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${allow_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||||
|
if [ -z "${allow_dport}" ]; then
|
||||||
|
allow_dport="${flag}"
|
||||||
|
else
|
||||||
|
allow_dport="${allow_dport}, ${flag}"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
[ -n "${allow_dport}" ] && allow_dport="${allow_proto} dport { ${allow_dport} }"
|
||||||
|
|
||||||
|
if [ "${ban_logprerouting}" = "1" ]; then
|
||||||
|
log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \""
|
||||||
|
log_syn="log level ${ban_nftloglevel} prefix \"banIP/pre-syn/drop: \""
|
||||||
|
log_udp="log level ${ban_nftloglevel} prefix \"banIP/pre-udp/drop: \""
|
||||||
|
log_tcp="log level ${ban_nftloglevel} prefix \"banIP/pre-tcp/drop: \""
|
||||||
|
log_ct="log level ${ban_nftloglevel} prefix \"banIP/pre-ct/drop: \""
|
||||||
|
fi
|
||||||
|
|
||||||
{
|
{
|
||||||
# nft header (tables and chains)
|
# nft header (tables and chains)
|
||||||
#
|
#
|
||||||
|
|
@ -589,36 +630,55 @@ f_nftinit() {
|
||||||
printf "%s\n" "delete table inet banIP"
|
printf "%s\n" "delete table inet banIP"
|
||||||
fi
|
fi
|
||||||
printf "%s\n" "add table inet banIP"
|
printf "%s\n" "add table inet banIP"
|
||||||
|
printf "%s\n" "add counter inet banIP cnt-icmpflood"
|
||||||
|
printf "%s\n" "add counter inet banIP cnt-udpflood"
|
||||||
|
printf "%s\n" "add counter inet banIP cnt-synflood"
|
||||||
|
printf "%s\n" "add counter inet banIP cnt-tcpinvalid"
|
||||||
|
printf "%s\n" "add counter inet banIP cnt-ctinvalid"
|
||||||
|
printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -150; policy accept; }"
|
||||||
printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
|
printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
|
||||||
printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
|
printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
|
||||||
printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
|
printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
|
||||||
printf "%s\n" "add chain inet banIP reject-chain"
|
printf "%s\n" "add chain inet banIP reject-chain"
|
||||||
|
|
||||||
# default reject rules
|
# default reject chain rules
|
||||||
#
|
#
|
||||||
printf "%s\n" "add rule inet banIP reject-chain meta l4proto tcp reject with tcp reset"
|
printf "%s\n" "add rule inet banIP reject-chain meta l4proto tcp reject with tcp reset"
|
||||||
printf "%s\n" "add rule inet banIP reject-chain reject"
|
printf "%s\n" "add rule inet banIP reject-chain reject"
|
||||||
|
|
||||||
|
# default pre-routing rules
|
||||||
|
#
|
||||||
|
printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept"
|
||||||
|
printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt-ctinvalid drop"
|
||||||
|
printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
|
||||||
|
printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
|
||||||
|
printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop"
|
||||||
|
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop"
|
||||||
|
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt-tcpinvalid drop"
|
||||||
|
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt-tcpinvalid drop"
|
||||||
|
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt-tcpinvalid drop"
|
||||||
|
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) ${log_tcp} counter name cnt-tcpinvalid drop"
|
||||||
|
|
||||||
# default wan-input rules
|
# default wan-input rules
|
||||||
#
|
#
|
||||||
printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
|
|
||||||
printf "%s\n" "add rule inet banIP wan-input iifname != { ${wan_dev} } counter accept"
|
printf "%s\n" "add rule inet banIP wan-input iifname != { ${wan_dev} } counter accept"
|
||||||
|
printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
|
||||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept"
|
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept"
|
||||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept"
|
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept"
|
||||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 icmp type { echo-request } limit rate 1000/second counter accept"
|
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 1 counter accept"
|
||||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { echo-request } limit rate 1000/second counter accept"
|
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 255 counter accept"
|
||||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 1 counter accept"
|
[ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-input ${allow_dport} counter accept"
|
||||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 255 counter accept"
|
|
||||||
|
|
||||||
# default wan-forward rules
|
# default wan-forward rules
|
||||||
#
|
#
|
||||||
printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
|
|
||||||
printf "%s\n" "add rule inet banIP wan-forward iifname != { ${wan_dev} } counter accept"
|
printf "%s\n" "add rule inet banIP wan-forward iifname != { ${wan_dev} } counter accept"
|
||||||
|
printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
|
||||||
|
[ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-forward ${allow_dport} counter accept"
|
||||||
|
|
||||||
# default lan-forward rules
|
# default lan-forward rules
|
||||||
#
|
#
|
||||||
printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept"
|
|
||||||
printf "%s\n" "add rule inet banIP lan-forward oifname != { ${wan_dev} } counter accept"
|
printf "%s\n" "add rule inet banIP lan-forward oifname != { ${wan_dev} } counter accept"
|
||||||
|
printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept"
|
||||||
[ -n "${vlan_allow}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_allow} } counter accept"
|
[ -n "${vlan_allow}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_allow} } counter accept"
|
||||||
[ -n "${vlan_block}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_block} } counter goto reject-chain"
|
[ -n "${vlan_block}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_block} } counter goto reject-chain"
|
||||||
} >"${file}"
|
} >"${file}"
|
||||||
|
|
@ -628,7 +688,8 @@ f_nftinit() {
|
||||||
feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"
|
feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"
|
||||||
feed_rc="${?}"
|
feed_rc="${?}"
|
||||||
|
|
||||||
f_log "debug" "f_nftinit ::: wan_dev: ${wan_dev}, vlan_allow: ${vlan_allow:-"-"}, vlan_block: ${vlan_block:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
|
f_log "debug" "f_nftinit ::: wan_dev: ${wan_dev}, vlan_allow: ${vlan_allow:-"-"}, vlan_block: ${vlan_block:-"-"}, allowed_dports: ${allow_dport:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
|
||||||
|
: >"${file}"
|
||||||
return "${feed_rc}"
|
return "${feed_rc}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -636,7 +697,7 @@ f_nftinit() {
|
||||||
#
|
#
|
||||||
f_down() {
|
f_down() {
|
||||||
local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file ruleset_raw handle rc etag_rc
|
local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file ruleset_raw handle rc etag_rc
|
||||||
local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_proto feed_dport flag
|
local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_proto feed_dport feed_target
|
||||||
local feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
|
local feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
|
||||||
|
|
||||||
start_ts="$(date +%s)"
|
start_ts="$(date +%s)"
|
||||||
|
|
@ -653,6 +714,14 @@ f_down() {
|
||||||
[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/${ban_blocktype}/${feed}: \""
|
[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/${ban_blocktype}/${feed}: \""
|
||||||
[ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_nftloglevel} prefix \"banIP/fwd-lan/reject/${feed}: \""
|
[ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_nftloglevel} prefix \"banIP/fwd-lan/reject/${feed}: \""
|
||||||
|
|
||||||
|
# set feed target
|
||||||
|
#
|
||||||
|
if [ "${ban_blocktype}" = "reject" ]; then
|
||||||
|
feed_target="goto reject-chain"
|
||||||
|
else
|
||||||
|
feed_target="drop"
|
||||||
|
fi
|
||||||
|
|
||||||
# set feed block direction
|
# set feed block direction
|
||||||
#
|
#
|
||||||
if [ "${ban_blockpolicy}" = "input" ]; then
|
if [ "${ban_blockpolicy}" = "input" ]; then
|
||||||
|
|
@ -689,9 +758,9 @@ f_down() {
|
||||||
for flag in ${feed_flag}; do
|
for flag in ${feed_flag}; do
|
||||||
if [ "${flag}" = "gz" ] && ! printf "%s" "${feed_comp}" | "${ban_grepcmd}" -qw "${flag}"; then
|
if [ "${flag}" = "gz" ] && ! printf "%s" "${feed_comp}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||||
feed_comp="${flag}"
|
feed_comp="${flag}"
|
||||||
elif { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; } && ! printf "%s" "${feed_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
|
elif [ -z "${feed_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then
|
||||||
feed_proto="${flag}"
|
feed_proto="${flag}"
|
||||||
elif [ -n "${flag//[![:digit]]/}" ] && ! printf "%s" "${feed_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
|
elif [ -n "${feed_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${feed_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
|
||||||
if [ -z "${feed_dport}" ]; then
|
if [ -z "${feed_dport}" ]; then
|
||||||
feed_dport="${flag}"
|
feed_dport="${flag}"
|
||||||
else
|
else
|
||||||
|
|
@ -699,7 +768,7 @@ f_down() {
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
[ -n "${feed_dport}" ] && feed_dport="${feed_proto:-"tcp"} dport { ${feed_dport} }"
|
[ -n "${feed_dport}" ] && feed_dport="${feed_proto} dport { ${feed_dport} }"
|
||||||
|
|
||||||
# chain/rule maintenance
|
# chain/rule maintenance
|
||||||
#
|
#
|
||||||
|
|
@ -732,7 +801,7 @@ f_down() {
|
||||||
done
|
done
|
||||||
elif [ "${feed%v*}" = "asn" ]; then
|
elif [ "${feed%v*}" = "asn" ]; then
|
||||||
for asn in ${ban_asn}; do
|
for asn in ${ban_asn}; do
|
||||||
f_etag "${feed}" "${feed_url}AS${asn}" ".{asn}"
|
f_etag "${feed}" "${feed_url}AS${asn}" ".${asn}"
|
||||||
rc="${?}"
|
rc="${?}"
|
||||||
[ "${rc}" = "4" ] && break
|
[ "${rc}" = "4" ] && break
|
||||||
etag_rc="$((etag_rc + rc))"
|
etag_rc="$((etag_rc + rc))"
|
||||||
|
|
@ -768,6 +837,7 @@ f_down() {
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ "${feed_rc}" = "0" ]; then
|
if [ "${feed_rc}" = "0" ]; then
|
||||||
f_backup "allowlist" "${tmp_allow}"
|
f_backup "allowlist" "${tmp_allow}"
|
||||||
elif [ -z "${restore_rc}" ] && [ "${feed_rc}" != "0" ]; then
|
elif [ -z "${restore_rc}" ] && [ "${feed_rc}" != "0" ]; then
|
||||||
|
|
@ -795,22 +865,14 @@ f_down() {
|
||||||
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
|
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
|
||||||
if [ -z "${feed_direction##*input*}" ]; then
|
if [ -z "${feed_direction##*input*}" ]; then
|
||||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||||
if [ "${ban_blocktype}" = "reject" ]; then
|
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter ${feed_target}"
|
||||||
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter goto reject-chain"
|
|
||||||
else
|
|
||||||
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop"
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept"
|
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ -z "${feed_direction##*forwardwan*}" ]; then
|
if [ -z "${feed_direction##*forwardwan*}" ]; then
|
||||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||||
if [ "${ban_blocktype}" = "reject" ]; then
|
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter ${feed_target}"
|
||||||
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter goto reject-chain"
|
|
||||||
else
|
|
||||||
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter drop"
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} counter accept"
|
printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} counter accept"
|
||||||
fi
|
fi
|
||||||
|
|
@ -828,35 +890,28 @@ f_down() {
|
||||||
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
|
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
|
||||||
if [ -z "${feed_direction##*input*}" ]; then
|
if [ -z "${feed_direction##*input*}" ]; then
|
||||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||||
if [ "${ban_blocktype}" = "reject" ]; then
|
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter ${feed_target}"
|
||||||
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter goto reject-chain"
|
|
||||||
else
|
|
||||||
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop"
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept"
|
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ -z "${feed_direction##*forwardwan*}" ]; then
|
if [ -z "${feed_direction##*forwardwan*}" ]; then
|
||||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||||
if [ "${ban_blocktype}" = "reject" ]; then
|
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter ${feed_target}"
|
||||||
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter goto reject-chain"
|
|
||||||
else
|
|
||||||
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter drop"
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} counter accept"
|
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} counter accept"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ -z "${feed_direction##*forwardlan*}" ]; then
|
if [ -z "${feed_direction##*forwardlan*}" ]; then
|
||||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||||
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter goto reject-chain"
|
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter ${feed_target}"
|
||||||
else
|
else
|
||||||
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept"
|
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
} >"${tmp_nft}"
|
} >"${tmp_nft}"
|
||||||
|
: >"${tmp_flush}" >"${tmp_raw}" >"${tmp_file}"
|
||||||
feed_rc="0"
|
feed_rc="0"
|
||||||
elif [ "${feed%v*}" = "blocklist" ]; then
|
elif [ "${feed%v*}" = "blocklist" ]; then
|
||||||
{
|
{
|
||||||
|
|
@ -881,13 +936,8 @@ f_down() {
|
||||||
fi
|
fi
|
||||||
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
|
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
|
||||||
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
|
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
|
||||||
if [ "${ban_blocktype}" = "reject" ]; then
|
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter ${feed_target}"
|
||||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter goto reject-chain"
|
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter ${feed_target}"
|
||||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter goto reject-chain"
|
|
||||||
else
|
|
||||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
|
|
||||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
|
|
||||||
fi
|
|
||||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
||||||
elif [ "${proto}" = "6" ]; then
|
elif [ "${proto}" = "6" ]; then
|
||||||
if [ "${ban_deduplicate}" = "1" ]; then
|
if [ "${ban_deduplicate}" = "1" ]; then
|
||||||
|
|
@ -902,16 +952,12 @@ f_down() {
|
||||||
fi
|
fi
|
||||||
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
|
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
|
||||||
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
|
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
|
||||||
if [ "${ban_blocktype}" = "reject" ]; then
|
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter ${feed_target}"
|
||||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter goto reject-chain"
|
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}"
|
||||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain"
|
|
||||||
else
|
|
||||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
|
|
||||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
|
|
||||||
fi
|
|
||||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
||||||
fi
|
fi
|
||||||
} >"${tmp_nft}"
|
} >"${tmp_nft}"
|
||||||
|
: >"${tmp_flush}" >"${tmp_raw}" >"${tmp_file}"
|
||||||
feed_rc="0"
|
feed_rc="0"
|
||||||
|
|
||||||
# handle external feeds
|
# handle external feeds
|
||||||
|
|
@ -925,7 +971,7 @@ f_down() {
|
||||||
feed_rc="${?}"
|
feed_rc="${?}"
|
||||||
[ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
|
[ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
|
||||||
done
|
done
|
||||||
rm -f "${tmp_raw}"
|
: >"${tmp_raw}"
|
||||||
|
|
||||||
# handle asn downloads
|
# handle asn downloads
|
||||||
#
|
#
|
||||||
|
|
@ -935,7 +981,7 @@ f_down() {
|
||||||
feed_rc="${?}"
|
feed_rc="${?}"
|
||||||
[ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
|
[ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
|
||||||
done
|
done
|
||||||
rm -f "${tmp_raw}"
|
: >"${tmp_raw}"
|
||||||
|
|
||||||
# handle compressed downloads
|
# handle compressed downloads
|
||||||
#
|
#
|
||||||
|
|
@ -943,7 +989,7 @@ f_down() {
|
||||||
feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)"
|
feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)"
|
||||||
feed_rc="${?}"
|
feed_rc="${?}"
|
||||||
[ "${feed_rc}" = "0" ] && "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}"
|
[ "${feed_rc}" = "0" ] && "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}"
|
||||||
rm -f "${tmp_raw}"
|
: >"${tmp_raw}"
|
||||||
|
|
||||||
# handle normal downloads
|
# handle normal downloads
|
||||||
#
|
#
|
||||||
|
|
@ -970,27 +1016,28 @@ f_down() {
|
||||||
# deduplicate Sets
|
# deduplicate Sets
|
||||||
#
|
#
|
||||||
if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then
|
if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then
|
||||||
"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}"
|
"${ban_awkcmd}" '{sub("\r$", ""); print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_raw}"
|
||||||
"${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null | tee -a "${ban_tmpfile}.deduplicate" >"${tmp_split}"
|
"${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null | tee -a "${ban_tmpfile}.deduplicate" >"${tmp_split}"
|
||||||
else
|
else
|
||||||
"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}"
|
"${ban_awkcmd}" '{sub("\r$", ""); print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_split}"
|
||||||
fi
|
fi
|
||||||
feed_rc="${?}"
|
feed_rc="${?}"
|
||||||
|
|
||||||
# split Sets
|
# split Sets
|
||||||
#
|
#
|
||||||
if [ "${feed_rc}" = "0" ]; then
|
if [ "${feed_rc}" = "0" ]; then
|
||||||
if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then
|
if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "512" ]; then
|
||||||
if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then
|
if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then
|
||||||
rm -f "${tmp_file}".*
|
|
||||||
f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit]]/}'"
|
f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit]]/}'"
|
||||||
|
rm -f "${tmp_file}".*
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1"
|
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1"
|
||||||
fi
|
fi
|
||||||
feed_rc="${?}"
|
feed_rc="${?}"
|
||||||
fi
|
fi
|
||||||
rm -f "${tmp_raw}" "${tmp_load}"
|
: >"${tmp_raw}" >"${tmp_load}"
|
||||||
|
|
||||||
if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then
|
if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then
|
||||||
{
|
{
|
||||||
# nft header (IPv4 Set)
|
# nft header (IPv4 Set)
|
||||||
|
|
@ -1001,13 +1048,8 @@ f_down() {
|
||||||
|
|
||||||
# input and forward rules
|
# input and forward rules
|
||||||
#
|
#
|
||||||
if [ "${ban_blocktype}" = "reject" ]; then
|
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter ${feed_target}"
|
||||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter goto reject-chain"
|
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter ${feed_target}"
|
||||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter goto reject-chain"
|
|
||||||
else
|
|
||||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter drop"
|
|
||||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter drop"
|
|
||||||
fi
|
|
||||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
||||||
} >"${tmp_nft}"
|
} >"${tmp_nft}"
|
||||||
elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
|
elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
|
||||||
|
|
@ -1020,16 +1062,12 @@ f_down() {
|
||||||
|
|
||||||
# input and forward rules
|
# input and forward rules
|
||||||
#
|
#
|
||||||
if [ "${ban_blocktype}" = "reject" ]; then
|
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter ${feed_target}"
|
||||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter goto reject-chain"
|
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}"
|
||||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain"
|
|
||||||
else
|
|
||||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter drop"
|
|
||||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter drop"
|
|
||||||
fi
|
|
||||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
|
||||||
} >"${tmp_nft}"
|
} >"${tmp_nft}"
|
||||||
fi
|
fi
|
||||||
|
: >"${tmp_flush}" >"${tmp_file}.1"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# load generated nft file in banIP table
|
# load generated nft file in banIP table
|
||||||
|
|
@ -1039,6 +1077,7 @@ f_down() {
|
||||||
cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_allow}" 2>/dev/null)"
|
cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_allow}" 2>/dev/null)"
|
||||||
else
|
else
|
||||||
cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_split}" 2>/dev/null)"
|
cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_split}" 2>/dev/null)"
|
||||||
|
: >"${tmp_split}"
|
||||||
fi
|
fi
|
||||||
if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then
|
if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then
|
||||||
feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)"
|
feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)"
|
||||||
|
|
@ -1048,15 +1087,13 @@ f_down() {
|
||||||
#
|
#
|
||||||
if [ "${feed_rc}" = "0" ]; then
|
if [ "${feed_rc}" = "0" ]; then
|
||||||
for split_file in "${tmp_file}".*; do
|
for split_file in "${tmp_file}".*; do
|
||||||
[ ! -f "${split_file}" ] && break
|
[ ! -s "${split_file}" ] && continue
|
||||||
if [ "${split_file##*.}" = "1" ]; then
|
"${ban_sedcmd}" -i "1 i #!/usr/sbin/nft -f\nadd element inet banIP "${feed}" { " "${split_file}"
|
||||||
rm -f "${split_file}"
|
printf "%s\n" "}" >> "${split_file}"
|
||||||
continue
|
if ! "${ban_nftcmd}" -f "${split_file}" >/dev/null 2>&1; then
|
||||||
fi
|
|
||||||
if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $("${ban_catcmd}" "${split_file}") }" >/dev/null 2>&1; then
|
|
||||||
f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'"
|
f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'"
|
||||||
fi
|
fi
|
||||||
rm -f "${split_file}"
|
: >"${split_file}"
|
||||||
done
|
done
|
||||||
if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then
|
if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then
|
||||||
cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
|
cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
|
||||||
|
|
@ -1066,7 +1103,7 @@ f_down() {
|
||||||
f_log "info" "skip empty feed '${feed}'"
|
f_log "info" "skip empty feed '${feed}'"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
rm -f "${tmp_split}" "${tmp_nft}"
|
: >"${tmp_nft}"
|
||||||
end_ts="$(date +%s)"
|
end_ts="$(date +%s)"
|
||||||
|
|
||||||
f_log "debug" "f_down ::: feed: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
|
f_log "debug" "f_down ::: feed: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
|
||||||
|
|
@ -1110,7 +1147,7 @@ f_rmset() {
|
||||||
json_get_keys feedlist
|
json_get_keys feedlist
|
||||||
tmp_del="${ban_tmpfile}.final.delete"
|
tmp_del="${ban_tmpfile}.final.delete"
|
||||||
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
|
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
|
||||||
table_sets="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
|
table_sets="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')"
|
||||||
{
|
{
|
||||||
printf "%s\n\n" "#!/usr/sbin/nft -f"
|
printf "%s\n\n" "#!/usr/sbin/nft -f"
|
||||||
for item in ${table_sets}; do
|
for item in ${table_sets}; do
|
||||||
|
|
@ -1137,7 +1174,7 @@ f_rmset() {
|
||||||
feed_log="$("${ban_nftcmd}" -f "${tmp_del}" 2>&1)"
|
feed_log="$("${ban_nftcmd}" -f "${tmp_del}" 2>&1)"
|
||||||
feed_rc="${?}"
|
feed_rc="${?}"
|
||||||
fi
|
fi
|
||||||
rm -f "${tmp_del}"
|
: >"${tmp_del}"
|
||||||
|
|
||||||
f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
|
f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
|
||||||
}
|
}
|
||||||
|
|
@ -1153,7 +1190,7 @@ f_genstatus() {
|
||||||
end_time="$(date "+%s")"
|
end_time="$(date "+%s")"
|
||||||
duration="$(((end_time - ban_starttime) / 60))m $(((end_time - ban_starttime) % 60))s"
|
duration="$(((end_time - ban_starttime) / 60))m $(((end_time - ban_starttime) % 60))s"
|
||||||
fi
|
fi
|
||||||
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
|
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')"
|
||||||
if [ "${ban_reportelements}" = "1" ]; then
|
if [ "${ban_reportelements}" = "1" ]; then
|
||||||
for object in ${table_sets}; do
|
for object in ${table_sets}; do
|
||||||
cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
|
cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
|
||||||
|
|
@ -1202,7 +1239,7 @@ f_genstatus() {
|
||||||
json_close_array
|
json_close_array
|
||||||
json_add_string "nft_info" "priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}"
|
json_add_string "nft_info" "priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}"
|
||||||
json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}"
|
json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}"
|
||||||
json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})"
|
json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (pre/inp/fwd/lan): $(f_char ${ban_logprerouting})/$(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})"
|
||||||
json_add_string "last_run" "${runtime:-"-"}"
|
json_add_string "last_run" "${runtime:-"-"}"
|
||||||
json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}"
|
json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}"
|
||||||
json_dump >"${ban_rtfile}"
|
json_dump >"${ban_rtfile}"
|
||||||
|
|
@ -1284,12 +1321,12 @@ f_lookup() {
|
||||||
cnt_domain="$((cnt_domain + 1))"
|
cnt_domain="$((cnt_domain + 1))"
|
||||||
done
|
done
|
||||||
if [ -n "${elementsv4}" ]; then
|
if [ -n "${elementsv4}" ]; then
|
||||||
if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${elementsv4} }" >/dev/null 2>&1; then
|
if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" { ${elementsv4} } >/dev/null 2>&1; then
|
||||||
f_log "info" "can't add lookup file to Set '${feed}v4'"
|
f_log "info" "can't add lookup file to Set '${feed}v4'"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ -n "${elementsv6}" ]; then
|
if [ -n "${elementsv6}" ]; then
|
||||||
if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${elementsv6} }" >/dev/null 2>&1; then
|
if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" { ${elementsv6} } >/dev/null 2>&1; then
|
||||||
f_log "info" "can't add lookup file to Set '${feed}v6'"
|
f_log "info" "can't add lookup file to Set '${feed}v6'"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
@ -1303,8 +1340,8 @@ f_lookup() {
|
||||||
#
|
#
|
||||||
f_report() {
|
f_report() {
|
||||||
local report_jsn report_txt tmp_val ruleset_raw item table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan set_proto set_dport set_details
|
local report_jsn report_txt tmp_val ruleset_raw item table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan set_proto set_dport set_details
|
||||||
local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan output="${1}"
|
local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan
|
||||||
|
local sum_synflood sum_udpflood sum_icmpflood sum_ctinvalid sum_tcpinvalid output="${1}"
|
||||||
[ -z "${ban_dev}" ] && f_conf
|
[ -z "${ban_dev}" ] && f_conf
|
||||||
f_mkdir "${ban_reportdir}"
|
f_mkdir "${ban_reportdir}"
|
||||||
report_jsn="${ban_reportdir}/ban_report.jsn"
|
report_jsn="${ban_reportdir}/ban_report.jsn"
|
||||||
|
|
@ -1313,7 +1350,7 @@ f_report() {
|
||||||
# json output preparation
|
# json output preparation
|
||||||
#
|
#
|
||||||
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
|
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
|
||||||
table_sets="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
|
table_sets="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')"
|
||||||
sum_sets="0"
|
sum_sets="0"
|
||||||
sum_setinput="0"
|
sum_setinput="0"
|
||||||
sum_setforwardwan="0"
|
sum_setforwardwan="0"
|
||||||
|
|
@ -1322,6 +1359,11 @@ f_report() {
|
||||||
sum_cntinput="0"
|
sum_cntinput="0"
|
||||||
sum_cntforwardwan="0"
|
sum_cntforwardwan="0"
|
||||||
sum_cntforwardlan="0"
|
sum_cntforwardlan="0"
|
||||||
|
sum_synflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-synflood"].*.packets')"
|
||||||
|
sum_udpflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-udpflood"].*.packets')"
|
||||||
|
sum_icmpflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-icmpflood"].*.packets')"
|
||||||
|
sum_ctinvalid="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-ctinvalid"].*.packets')"
|
||||||
|
sum_tcpinvalid="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-tcpinvalid"].*.packets')"
|
||||||
timestamp="$(date "+%Y-%m-%d %H:%M:%S")"
|
timestamp="$(date "+%Y-%m-%d %H:%M:%S")"
|
||||||
: >"${report_jsn}"
|
: >"${report_jsn}"
|
||||||
{
|
{
|
||||||
|
|
@ -1344,12 +1386,6 @@ f_report() {
|
||||||
[ "${expr}" = "1" ] && [ -z "${set_dport}" ] && set_dport="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.right.set")"
|
[ "${expr}" = "1" ] && [ -z "${set_dport}" ] && set_dport="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.right.set")"
|
||||||
[ "${expr}" = "1" ] && [ -z "${set_proto}" ] && set_proto="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.left.payload.protocol")"
|
[ "${expr}" = "1" ] && [ -z "${set_proto}" ] && set_proto="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.left.payload.protocol")"
|
||||||
done
|
done
|
||||||
if [ -n "${set_dport}" ]; then
|
|
||||||
set_dport="${set_dport//[\{\}\":]/}"
|
|
||||||
set_dport="${set_dport#\[ *}"
|
|
||||||
set_dport="${set_dport%* \]}"
|
|
||||||
set_dport="${set_proto}: $(f_trim "${set_dport}")"
|
|
||||||
fi
|
|
||||||
if [ "${ban_reportelements}" = "1" ]; then
|
if [ "${ban_reportelements}" = "1" ]; then
|
||||||
set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
|
set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
|
||||||
sum_setelements="$((sum_setelements + set_cnt))"
|
sum_setelements="$((sum_setelements + set_cnt))"
|
||||||
|
|
@ -1357,8 +1393,14 @@ f_report() {
|
||||||
set_cnt=""
|
set_cnt=""
|
||||||
sum_setelements="n/a"
|
sum_setelements="n/a"
|
||||||
fi
|
fi
|
||||||
|
if [ -n "${set_dport}" ]; then
|
||||||
|
set_dport="${set_dport//[\{\}\":]/}"
|
||||||
|
set_dport="${set_dport#\[ *}"
|
||||||
|
set_dport="${set_dport%* \]}"
|
||||||
|
set_dport="${set_proto}: $(f_trim "${set_dport}")"
|
||||||
|
fi
|
||||||
if [ -n "${set_cntinput}" ]; then
|
if [ -n "${set_cntinput}" ]; then
|
||||||
set_input="OK"
|
set_input="ON"
|
||||||
sum_setinput="$((sum_setinput + 1))"
|
sum_setinput="$((sum_setinput + 1))"
|
||||||
sum_cntinput="$((sum_cntinput + set_cntinput))"
|
sum_cntinput="$((sum_cntinput + set_cntinput))"
|
||||||
else
|
else
|
||||||
|
|
@ -1366,7 +1408,7 @@ f_report() {
|
||||||
set_cntinput=""
|
set_cntinput=""
|
||||||
fi
|
fi
|
||||||
if [ -n "${set_cntforwardwan}" ]; then
|
if [ -n "${set_cntforwardwan}" ]; then
|
||||||
set_forwardwan="OK"
|
set_forwardwan="ON"
|
||||||
sum_setforwardwan="$((sum_setforwardwan + 1))"
|
sum_setforwardwan="$((sum_setforwardwan + 1))"
|
||||||
sum_cntforwardwan="$((sum_cntforwardwan + set_cntforwardwan))"
|
sum_cntforwardwan="$((sum_cntforwardwan + set_cntforwardwan))"
|
||||||
else
|
else
|
||||||
|
|
@ -1374,7 +1416,7 @@ f_report() {
|
||||||
set_cntforwardwan=""
|
set_cntforwardwan=""
|
||||||
fi
|
fi
|
||||||
if [ -n "${set_cntforwardlan}" ]; then
|
if [ -n "${set_cntforwardlan}" ]; then
|
||||||
set_forwardlan="OK"
|
set_forwardlan="ON"
|
||||||
sum_setforwardlan="$((sum_setforwardlan + 1))"
|
sum_setforwardlan="$((sum_setforwardlan + 1))"
|
||||||
sum_cntforwardlan="$((sum_cntforwardlan + set_cntforwardlan))"
|
sum_cntforwardlan="$((sum_cntforwardlan + set_cntforwardlan))"
|
||||||
else
|
else
|
||||||
|
|
@ -1398,6 +1440,11 @@ f_report() {
|
||||||
printf "\t%s\n" "\"timestamp\": \"${timestamp}\","
|
printf "\t%s\n" "\"timestamp\": \"${timestamp}\","
|
||||||
printf "\t%s\n" "\"autoadd_allow\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_allowlist}")\","
|
printf "\t%s\n" "\"autoadd_allow\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_allowlist}")\","
|
||||||
printf "\t%s\n" "\"autoadd_block\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_blocklist}")\","
|
printf "\t%s\n" "\"autoadd_block\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_blocklist}")\","
|
||||||
|
printf "\t%s\n" "\"sum_synflood\": \"${sum_synflood}\","
|
||||||
|
printf "\t%s\n" "\"sum_udpflood\": \"${sum_udpflood}\","
|
||||||
|
printf "\t%s\n" "\"sum_icmpflood\": \"${sum_icmpflood}\","
|
||||||
|
printf "\t%s\n" "\"sum_ctinvalid\": \"${sum_ctinvalid}\","
|
||||||
|
printf "\t%s\n" "\"sum_tcpinvalid\": \"${sum_tcpinvalid}\","
|
||||||
printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\","
|
printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\","
|
||||||
printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\","
|
printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\","
|
||||||
printf "\t%s\n" "\"sum_setforwardwan\": \"${sum_setforwardwan}\","
|
printf "\t%s\n" "\"sum_setforwardwan\": \"${sum_setforwardwan}\","
|
||||||
|
|
@ -1418,6 +1465,11 @@ f_report() {
|
||||||
json_get_var timestamp "timestamp" >/dev/null 2>&1
|
json_get_var timestamp "timestamp" >/dev/null 2>&1
|
||||||
json_get_var autoadd_allow "autoadd_allow" >/dev/null 2>&1
|
json_get_var autoadd_allow "autoadd_allow" >/dev/null 2>&1
|
||||||
json_get_var autoadd_block "autoadd_block" >/dev/null 2>&1
|
json_get_var autoadd_block "autoadd_block" >/dev/null 2>&1
|
||||||
|
json_get_var sum_synflood "sum_synflood" >/dev/null 2>&1
|
||||||
|
json_get_var sum_udpflood "sum_udpflood" >/dev/null 2>&1
|
||||||
|
json_get_var sum_icmpflood "sum_icmpflood" >/dev/null 2>&1
|
||||||
|
json_get_var sum_ctinvalid "sum_ctinvalid" >/dev/null 2>&1
|
||||||
|
json_get_var sum_tcpinvalid "sum_tcpinvalid" >/dev/null 2>&1
|
||||||
json_get_var sum_sets "sum_sets" >/dev/null 2>&1
|
json_get_var sum_sets "sum_sets" >/dev/null 2>&1
|
||||||
json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1
|
json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1
|
||||||
json_get_var sum_setforwardwan "sum_setforwardwan" >/dev/null 2>&1
|
json_get_var sum_setforwardwan "sum_setforwardwan" >/dev/null 2>&1
|
||||||
|
|
@ -1430,8 +1482,14 @@ f_report() {
|
||||||
printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::"
|
printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::"
|
||||||
printf "%s\n" " Timestamp: ${timestamp}"
|
printf "%s\n" " Timestamp: ${timestamp}"
|
||||||
printf "%s\n" " ------------------------------"
|
printf "%s\n" " ------------------------------"
|
||||||
printf "%s\n" " auto-added to allowlist today: ${autoadd_allow}"
|
printf "%s\n" " blocked syn-flood packets : ${sum_synflood}"
|
||||||
printf "%s\n\n" " auto-added to blocklist today: ${autoadd_block}"
|
printf "%s\n" " blocked udp-flood packets : ${sum_udpflood}"
|
||||||
|
printf "%s\n" " blocked icmp-flood packets : ${sum_icmpflood}"
|
||||||
|
printf "%s\n" " blocked invalid ct packets : ${sum_ctinvalid}"
|
||||||
|
printf "%s\n" " blocked invalid tcp packets: ${sum_tcpinvalid}"
|
||||||
|
printf "%s\n" " ----------"
|
||||||
|
printf "%s\n" " auto-added IPs to allowlist: ${autoadd_allow}"
|
||||||
|
printf "%s\n\n" " auto-added IPs to blocklist: ${autoadd_block}"
|
||||||
json_select "sets" >/dev/null 2>&1
|
json_select "sets" >/dev/null 2>&1
|
||||||
json_get_keys table_sets >/dev/null 2>&1
|
json_get_keys table_sets >/dev/null 2>&1
|
||||||
if [ -n "${table_sets}" ]; then
|
if [ -n "${table_sets}" ]; then
|
||||||
|
|
@ -1488,10 +1546,10 @@ f_search() {
|
||||||
local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}"
|
local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}"
|
||||||
|
|
||||||
if [ -n "${input}" ]; then
|
if [ -n "${input}" ]; then
|
||||||
ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$)"}{printf "%s",RT}')"
|
ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$)"}{printf "%s",RT}')"
|
||||||
[ -n "${ip}" ] && proto="v4"
|
[ -n "${ip}" ] && proto="v4"
|
||||||
if [ -z "${proto}" ]; then
|
if [ -z "${proto}" ]; then
|
||||||
ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)"}{printf "%s",RT}')"
|
ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)"}{printf "%s",RT}')"
|
||||||
[ -n "${ip}" ] && proto="v6"
|
[ -n "${ip}" ] && proto="v6"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
@ -1564,7 +1622,7 @@ f_mail() {
|
||||||
# log monitor
|
# log monitor
|
||||||
#
|
#
|
||||||
f_monitor() {
|
f_monitor() {
|
||||||
local daemon logread_cmd loglimit_cmd nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info
|
local daemon logread_cmd loglimit_cmd nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_prefix rdap_length rdap_info
|
||||||
|
|
||||||
if [ -f "${ban_logreadfile}" ]; then
|
if [ -f "${ban_logreadfile}" ]; then
|
||||||
logread_cmd="${ban_logreadcmd} -qf ${ban_logreadfile} 2>/dev/null | ${ban_grepcmd} -e \"${ban_logterm%%??}\" 2>/dev/null"
|
logread_cmd="${ban_logreadcmd} -qf ${ban_logreadfile} 2>/dev/null | ${ban_grepcmd} -e \"${ban_logterm%%??}\" 2>/dev/null"
|
||||||
|
|
@ -1609,19 +1667,22 @@ f_monitor() {
|
||||||
rdap_log="$("${ban_fetchcmd}" ${ban_rdapparm} "${ban_rdapfile}" "${ban_rdapurl}${ip}" 2>&1)"
|
rdap_log="$("${ban_fetchcmd}" ${ban_rdapparm} "${ban_rdapfile}" "${ban_rdapurl}${ip}" 2>&1)"
|
||||||
rdap_rc="${?}"
|
rdap_rc="${?}"
|
||||||
if [ "${rdap_rc}" = "0" ] && [ -s "${ban_rdapfile}" ]; then
|
if [ "${rdap_rc}" = "0" ] && [ -s "${ban_rdapfile}" ]; then
|
||||||
rdap_elements="$(jsonfilter -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*' | awk 'BEGIN{FS="[\" ]"}{printf "%s/%s, ",$6,$11}')"
|
[ "${proto}" = "v4" ] && rdap_prefix="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.v4prefix')"
|
||||||
rdap_info="$(jsonfilter -i "${ban_rdapfile}" -qe '@.country' -qe '@.notices[@.title="Source"].description[1]' | awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"
|
[ "${proto}" = "v6" ] && rdap_prefix="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.v6prefix')"
|
||||||
if [ -n "${rdap_elements//\/*/}" ]; then
|
rdap_length="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.length')"
|
||||||
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${rdap_elements%%??} ${nft_expiry} }" >/dev/null 2>&1; then
|
rdap_info="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.country' -qe '@.notices[@.title="Source"].description[1]' | awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"
|
||||||
f_log "info" "add IP range '${rdap_elements%%??}' (source: ${rdap_info:-"-"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
|
[ -z "${rdap_info}" ] && rdap_info="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.notices[0].links[0].value' | awk 'BEGIN{FS="[/.]"}{printf"%s, %s","n/a",toupper($4)}')"
|
||||||
|
if [ -n "${rdap_prefix}" ] && [ -n "${rdap_length}" ]; then
|
||||||
|
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${rdap_prefix}/${rdap_length} ${nft_expiry} } >/dev/null 2>&1; then
|
||||||
|
f_log "info" "add IP range '${rdap_prefix}/${rdap_length}' (source: ${rdap_info:-"n/a"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
f_log "info" "rdap request failed (rc: ${rdap_rc:-"-"}/log: ${rdap_log})"
|
f_log "info" "rdap request failed (rc: ${rdap_rc:-"-"}/log: ${rdap_log})"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ "${ban_autoblocksubnet}" = "0" ] || [ "${rdap_rc}" != "0" ] || [ ! -s "${ban_rdapfile}" ] || [ -z "${rdap_elements//\/*/}" ]; then
|
if [ "${ban_autoblocksubnet}" = "0" ] || [ "${rdap_rc}" != "0" ] || [ ! -s "${ban_rdapfile}" ] || [ -z "${rdap_prefix}" ] || [ -z "${rdap_length}" ]; then
|
||||||
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
|
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${ip} ${nft_expiry} } >/dev/null 2>&1; then
|
||||||
f_log "info" "add IP '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
|
f_log "info" "add IP '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
# banIP main service script - ban incoming and outgoing IPs via named nftables Sets
|
# banIP main service script - ban incoming and outgoing IPs via named nftables Sets
|
||||||
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
|
# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org)
|
||||||
# This is free software, licensed under the GNU General Public License v3.
|
# This is free software, licensed under the GNU General Public License v3.
|
||||||
|
|
||||||
# (s)hellcheck exceptions
|
# (s)hellcheck exceptions
|
||||||
|
|
@ -24,8 +24,8 @@ f_getif
|
||||||
f_getdev
|
f_getdev
|
||||||
f_getuplink
|
f_getuplink
|
||||||
f_mkdir "${ban_backupdir}"
|
f_mkdir "${ban_backupdir}"
|
||||||
f_mkfile "${ban_blocklist}"
|
|
||||||
f_mkfile "${ban_allowlist}"
|
f_mkfile "${ban_allowlist}"
|
||||||
|
f_mkfile "${ban_blocklist}"
|
||||||
|
|
||||||
# firewall check
|
# firewall check
|
||||||
#
|
#
|
||||||
|
|
@ -44,13 +44,13 @@ if [ "${ban_action}" != "reload" ]; then
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# init nft namespace
|
# init banIP nftables namespace
|
||||||
#
|
#
|
||||||
if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then
|
if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then
|
||||||
if f_nftinit "${ban_tmpfile}".init.nft; then
|
if f_nftinit "${ban_tmpfile}".init.nft; then
|
||||||
f_log "info" "initialize nft namespace"
|
f_log "info" "initialize banIP nftables namespace"
|
||||||
else
|
else
|
||||||
f_log "err" "can't initialize nft namespace"
|
f_log "err" "can't initialize banIP nftables namespace"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
@ -99,7 +99,7 @@ for feed in allowlist ${ban_feed} blocklist; do
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# handle IPv4/IPv6 feeds with the same/single download URL
|
# handle IPv4/IPv6 feeds with a single download URL
|
||||||
#
|
#
|
||||||
if [ "${feed_url_4}" = "${feed_url_6}" ]; then
|
if [ "${feed_url_4}" = "${feed_url_6}" ]; then
|
||||||
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
|
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
|
||||||
|
|
@ -115,7 +115,8 @@ for feed in allowlist ${ban_feed} blocklist; do
|
||||||
fi
|
fi
|
||||||
continue
|
continue
|
||||||
fi
|
fi
|
||||||
# handle IPv4/IPv6 feeds with separated download URLs
|
|
||||||
|
# handle IPv4/IPv6 feeds with separate download URLs
|
||||||
#
|
#
|
||||||
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
|
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
|
||||||
(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
|
(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
|
||||||
|
|
|
||||||
|
|
@ -1,249 +1,249 @@
|
||||||
af;Afghanistan
|
af APNIC Afghanistan
|
||||||
ax;Åland Islands
|
ax RIPE Åland Islands
|
||||||
al;Albania
|
al RIPE Albania
|
||||||
dz;Algeria
|
dz AFRINIC Algeria
|
||||||
as;American Samoa
|
as APNIC American Samoa
|
||||||
ad;Andorra
|
ad RIPE Andorra
|
||||||
ao;Angola
|
ao AFRINIC Angola
|
||||||
ai;Anguilla
|
ai ARIN Anguilla
|
||||||
aq;Antarctica
|
aq ARIN Antarctica
|
||||||
ag;Antigua & Barbuda
|
ag ARIN Antigua & Barbuda
|
||||||
ar;Argentina
|
ar LACNIC Argentina
|
||||||
am;Armenia
|
am RIPE Armenia
|
||||||
aw;Aruba
|
aw LACNIC Aruba
|
||||||
au;Australia
|
au APNIC Australia
|
||||||
at;Austria
|
at RIPE Austria
|
||||||
az;Azerbaijan
|
az RIPE Azerbaijan
|
||||||
bs;Bahamas
|
bs ARIN Bahamas
|
||||||
bh;Bahrain
|
bh RIPE Bahrain
|
||||||
bd;Bangladesh
|
bd APNIC Bangladesh
|
||||||
bb;Barbados
|
bb ARIN Barbados
|
||||||
by;Belarus
|
by RIPE Belarus
|
||||||
be;Belgium
|
be RIPE Belgium
|
||||||
bz;Belize
|
bz LACNIC Belize
|
||||||
bj;Benin
|
bj AFRINIC Benin
|
||||||
bm;Bermuda
|
bm ARIN Bermuda
|
||||||
bt;Bhutan
|
bt APNIC Bhutan
|
||||||
bo;Bolivia
|
bo LACNIC Bolivia
|
||||||
ba;Bosnia
|
bq LACNIC Bonaire
|
||||||
bw;Botswana
|
ba RIPE Bosnia & Herzegowina
|
||||||
bv;Bouvet Island
|
bw AFRINIC Botswana
|
||||||
br;Brazil
|
bv ARIN Bouvet Island
|
||||||
io;British Indian Ocean Territory
|
br LACNIC Brazil
|
||||||
vg;British Virgin Islands
|
io APNIC British Indian Ocean Territory
|
||||||
bn;Brunei
|
bn APNIC Brunei
|
||||||
bg;Bulgaria
|
bg RIPE Bulgaria
|
||||||
bf;Burkina Faso
|
bf AFRINIC Burkina Faso
|
||||||
bi;Burundi
|
bi AFRINIC Burundi
|
||||||
kh;Cambodia
|
kh APNIC Cambodia
|
||||||
cm;Cameroon
|
cm AFRINIC Cameroon
|
||||||
ca;Canada
|
ca ARIN Canada
|
||||||
cv;Cape Verde
|
cv AFRINIC Cape Verde
|
||||||
bq;Caribbean Netherlands
|
ky ARIN Cayman Islands
|
||||||
ky;Cayman Islands
|
cf AFRINIC Central African Republic
|
||||||
cf;Central African Republic
|
td AFRINIC Chad
|
||||||
td;Chad
|
cl LACNIC Chile
|
||||||
cl;Chile
|
cn APNIC China
|
||||||
cn;China
|
cx APNIC Christmas Island
|
||||||
cx;Christmas Island
|
cc APNIC Cocos Islands
|
||||||
cc;Cocos (Keeling) Islands
|
co LACNIC Colombia
|
||||||
co;Colombia
|
km AFRINIC Comoros
|
||||||
km;Comoros
|
cg AFRINIC Congo - Brazzaville
|
||||||
cg;Congo - Brazzaville
|
cd AFRINIC Congo - Kinshasa
|
||||||
cd;Congo - Kinshasa
|
ck APNIC Cook Islands
|
||||||
ck;Cook Islands
|
cr LACNIC Costa Rica
|
||||||
cr;Costa Rica
|
ci AFRINIC Côte D'ivoire
|
||||||
ci;Côte d’Ivoire
|
hr RIPE Croatia
|
||||||
hr;Croatia
|
cu LACNIC Cuba
|
||||||
cu;Cuba
|
cw LACNIC Curaçao
|
||||||
cw;Curaçao
|
cy RIPE Cyprus
|
||||||
cy;Cyprus
|
cz RIPE Czechia
|
||||||
cz;Czechia
|
dk RIPE Denmark
|
||||||
dk;Denmark
|
dj AFRINIC Djibouti
|
||||||
dj;Djibouti
|
dm ARIN Dominica
|
||||||
dm;Dominica
|
do LACNIC Dominican Republic
|
||||||
do;Dominican Republic
|
ec LACNIC Ecuador
|
||||||
ec;Ecuador
|
eg AFRINIC Egypt
|
||||||
eg;Egypt
|
sv LACNIC El Salvador
|
||||||
sv;El Salvador
|
gq AFRINIC Equatorial Guinea
|
||||||
gq;Equatorial Guinea
|
er AFRINIC Eritrea
|
||||||
er;Eritrea
|
ee RIPE Estonia
|
||||||
ee;Estonia
|
sz AFRINIC Eswatini
|
||||||
sz;Eswatini
|
et AFRINIC Ethiopia
|
||||||
et;Ethiopia
|
fk LACNIC Falkland Islands
|
||||||
fk;Falkland Islands
|
fo RIPE Faroe Islands
|
||||||
fo;Faroe Islands
|
fj APNIC Fiji
|
||||||
fj;Fiji
|
fi RIPE Finland
|
||||||
fi;Finland
|
fr RIPE France
|
||||||
fr;France
|
gf LACNIC French Guiana
|
||||||
gf;French Guiana
|
pf APNIC French Polynesia
|
||||||
pf;French Polynesia
|
tf APNIC French Southern Territories
|
||||||
tf;French Southern Territories
|
ga AFRINIC Gabon
|
||||||
ga;Gabon
|
gm AFRINIC Gambia
|
||||||
gm;Gambia
|
ge RIPE Georgia
|
||||||
ge;Georgia
|
de RIPE Germany
|
||||||
de;Germany
|
gh AFRINIC Ghana
|
||||||
gh;Ghana
|
gi RIPE Gibraltar
|
||||||
gi;Gibraltar
|
gr RIPE Greece
|
||||||
gr;Greece
|
gl RIPE Greenland
|
||||||
gl;Greenland
|
gd ARIN Grenada
|
||||||
gd;Grenada
|
gp ARIN Guadeloupe
|
||||||
gp;Guadeloupe
|
gu APNIC Guam
|
||||||
gu;Guam
|
gt LACNIC Guatemala
|
||||||
gt;Guatemala
|
gg RIPE Guernsey
|
||||||
gg;Guernsey
|
gn AFRINIC Guinea
|
||||||
gn;Guinea
|
gw AFRINIC Guinea-Bissau
|
||||||
gw;Guinea-Bissau
|
gy LACNIC Guyana
|
||||||
gy;Guyana
|
ht LACNIC Haiti
|
||||||
ht;Haiti
|
hm ARIN Heard & McDonald Islands
|
||||||
hm;Heard & McDonald Islands
|
hn LACNIC Honduras
|
||||||
hn;Honduras
|
hk APNIC Hong Kong
|
||||||
hk;Hong Kong
|
hu RIPE Hungary
|
||||||
hu;Hungary
|
is RIPE Iceland
|
||||||
is;Iceland
|
in APNIC India
|
||||||
in;India
|
id APNIC Indonesia
|
||||||
id;Indonesia
|
ir RIPE Iran
|
||||||
ir;Iran
|
iq RIPE Iraq
|
||||||
iq;Iraq
|
ie RIPE Ireland
|
||||||
ie;Ireland
|
im RIPE Isle of Man
|
||||||
im;Isle of Man
|
il RIPE Israel
|
||||||
il;Israel
|
it RIPE Italy
|
||||||
it;Italy
|
jm ARIN Jamaica
|
||||||
jm;Jamaica
|
jp APNIC Japan
|
||||||
jp;Japan
|
je RIPE Jersey
|
||||||
je;Jersey
|
jo RIPE Jordan
|
||||||
jo;Jordan
|
kz RIPE Kazakhstan
|
||||||
kz;Kazakhstan
|
ke AFRINIC Kenya
|
||||||
ke;Kenya
|
ki APNIC Kiribati
|
||||||
ki;Kiribati
|
kw RIPE Kuwait
|
||||||
kw;Kuwait
|
kg RIPE Kyrgyzstan
|
||||||
kg;Kyrgyzstan
|
la APNIC Lao
|
||||||
la;Laos
|
lv RIPE Latvia
|
||||||
lv;Latvia
|
lb RIPE Lebanon
|
||||||
lb;Lebanon
|
ls AFRINIC Lesotho
|
||||||
ls;Lesotho
|
lr AFRINIC Liberia
|
||||||
lr;Liberia
|
ly AFRINIC Libya
|
||||||
ly;Libya
|
li RIPE Liechtenstein
|
||||||
li;Liechtenstein
|
lt RIPE Lithuania
|
||||||
lt;Lithuania
|
lu RIPE Luxembourg
|
||||||
lu;Luxembourg
|
mo APNIC Macao
|
||||||
mo;Macau
|
mg AFRINIC Madagascar
|
||||||
mg;Madagascar
|
mw AFRINIC Malawi
|
||||||
mw;Malawi
|
my APNIC Malaysia
|
||||||
my;Malaysia
|
mv APNIC Maldives
|
||||||
mv;Maldives
|
ml AFRINIC Mali
|
||||||
ml;Mali
|
mt RIPE Malta
|
||||||
mt;Malta
|
mh APNIC Marshall Islands
|
||||||
mh;Marshall Islands
|
ma AFRINIC Marocco
|
||||||
mq;Martinique
|
mq ARIN Martinique
|
||||||
mr;Mauritania
|
mr AFRINIC Mauritania
|
||||||
mu;Mauritius
|
mu AFRINIC Mauritius
|
||||||
yt;Mayotte
|
yt AFRINIC Mayotte
|
||||||
mx;Mexico
|
mx LACNIC Mexico
|
||||||
fm;Micronesia
|
fm APNIC Micronesia
|
||||||
md;Moldova
|
md RIPE Moldova
|
||||||
mc;Monaco
|
mc RIPE Monaco
|
||||||
mn;Mongolia
|
mn APNIC Mongolia
|
||||||
me;Montenegro
|
me RIPE Montenegro
|
||||||
ms;Montserrat
|
ms ARIN Montserrat
|
||||||
ma;Morocco
|
mz AFRINIC Mozambique
|
||||||
mz;Mozambique
|
mm APNIC Myanmar
|
||||||
mm;Myanmar
|
na AFRINIC Namibia
|
||||||
na;Namibia
|
nr APNIC Nauru
|
||||||
nr;Nauru
|
np APNIC Nepal
|
||||||
np;Nepal
|
nl RIPE Netherlands
|
||||||
nl;Netherlands
|
nc APNIC New Caledonia
|
||||||
nc;New Caledonia
|
nz APNIC New Zealand
|
||||||
nz;New Zealand
|
ni LACNIC Nicaragua
|
||||||
ni;Nicaragua
|
ne AFRINIC Niger
|
||||||
ne;Niger
|
ng AFRINIC Nigeria
|
||||||
ng;Nigeria
|
nu APNIC Niue
|
||||||
nu;Niue
|
nf APNIC Norfolk Island
|
||||||
nf;Norfolk Island
|
kp APNIC North Korea
|
||||||
mp;Northern Mariana Islands
|
mk RIPE North Macedonia
|
||||||
kp;North Korea
|
mp APNIC Northern Mariana Islands
|
||||||
mk;North Macedonia
|
no RIPE Norway
|
||||||
no;Norway
|
om RIPE Oman
|
||||||
om;Oman
|
pk APNIC Pakistan
|
||||||
pk;Pakistan
|
pw APNIC Palau
|
||||||
pw;Palau
|
ps RIPE Palestine
|
||||||
ps;Palestine
|
pa LACNIC Panama
|
||||||
pa;Panama
|
pg APNIC Papua New Guinea
|
||||||
pg;Papua New Guinea
|
py LACNIC Paraguay
|
||||||
py;Paraguay
|
pe LACNIC Peru
|
||||||
pe;Peru
|
ph APNIC Philippines
|
||||||
ph;Philippines
|
pn APNIC Pitcairn
|
||||||
pn;Pitcairn Islands
|
pl RIPE Poland
|
||||||
pl;Poland
|
pt RIPE Portugal
|
||||||
pt;Portugal
|
pr ARIN Puerto Rico
|
||||||
pr;Puerto Rico
|
qa RIPE Qatar
|
||||||
qa;Qatar
|
re AFRINIC Reunion
|
||||||
re;Réunion
|
ro RIPE Romania
|
||||||
ro;Romania
|
ru RIPE Russian Federation
|
||||||
ru;Russia
|
rw AFRINIC Rwanda
|
||||||
rw;Rwanda
|
sh ARIN Saint Helena
|
||||||
ws;Samoa
|
bl ARIN Saint Barthélemy
|
||||||
sm;San Marino
|
kn ARIN Saint Kitts & Nevis
|
||||||
st;São Tomé & Príncipe
|
lc ARIN Saint Lucia
|
||||||
sa;Saudi Arabia
|
mf ARIN Saint Martin
|
||||||
sn;Senegal
|
pm ARIN Saint Pierre & Miquelon
|
||||||
rs;Serbia
|
vc ARIN Saint Vincent & the Grenadines
|
||||||
sc;Seychelles
|
ws APNIC Samoa
|
||||||
sl;Sierra Leone
|
sm RIPE San Marino
|
||||||
sg;Singapore
|
st AFRINIC Sao Tome & Principe
|
||||||
sx;Sint Maarten
|
sa RIPE Saudi Arabia
|
||||||
sk;Slovakia
|
sn AFRINIC Senegal
|
||||||
si;Slovenia
|
rs RIPE Serbia
|
||||||
sb;Solomon Islands
|
sc AFRINIC Seychelles
|
||||||
so;Somalia
|
sl AFRINIC Sierra Leone
|
||||||
za;South Africa
|
sg APNIC Singapore
|
||||||
gs;South Georgia & South Sandwich Islands
|
sx LACNIC Sint Maarten
|
||||||
kr;South Korea
|
sk RIPE Slovakia
|
||||||
ss;South Sudan
|
si RIPE Slovenia
|
||||||
es;Spain
|
sb APNIC Solomon Islands
|
||||||
lk;Sri Lanka
|
so AFRINIC Somalia
|
||||||
bl;St. Barthélemy
|
za AFRINIC South Africa
|
||||||
sh;St. Helena
|
gs LACNIC South Georgia
|
||||||
kn;St. Kitts & Nevis
|
kr APNIC South Korea
|
||||||
lc;St. Lucia
|
ss AFRINIC South Sudan
|
||||||
mf;St. Martin
|
es RIPE Spain
|
||||||
pm;St. Pierre & Miquelon
|
lk APNIC Sri Lanka
|
||||||
vc;St. Vincent & Grenadines
|
sd AFRINIC Sudan
|
||||||
sd;Sudan
|
sr LACNIC Suriname
|
||||||
sr;Suriname
|
sj RIPE Svalbard & Jan Mayen Islands
|
||||||
sj;Svalbard & Jan Mayen
|
se RIPE Sweden
|
||||||
se;Sweden
|
ch RIPE Switzerland
|
||||||
ch;Switzerland
|
sy RIPE Syrian
|
||||||
sy;Syria
|
tw APNIC Taiwan
|
||||||
tw;Taiwan
|
tj RIPE Tajikistan
|
||||||
tj;Tajikistan
|
tz AFRINIC Tanzania
|
||||||
tz;Tanzania
|
th APNIC Thailand
|
||||||
th;Thailand
|
tl APNIC Timor-Leste
|
||||||
tl;Timor-Leste
|
tg AFRINIC Togo
|
||||||
tg;Togo
|
tk APNIC Tokelau
|
||||||
tk;Tokelau
|
to APNIC Tonga
|
||||||
to;Tonga
|
tt LACNIC Trinidad & Tobago
|
||||||
tt;Trinidad & Tobago
|
tn AFRINIC Tunisia
|
||||||
tn;Tunisia
|
tr RIPE Türkey
|
||||||
tr;Turkey
|
tm RIPE Turkmenistan
|
||||||
tm;Turkmenistan
|
tc ARIN Turks & Caicos Islands
|
||||||
tc;Turks & Caicos Islands
|
tv APNIC Tuvalu
|
||||||
tv;Tuvalu
|
ug AFRINIC Uganda
|
||||||
ug;Uganda
|
ua RIPE Ukraine
|
||||||
ua;Ukraine
|
ae RIPE United Arab Emirates
|
||||||
ae;United Arab Emirates
|
gb RIPE United Kingdom
|
||||||
gb;United Kingdom
|
us ARIN United States
|
||||||
us;United States
|
um ARIN United States Minor Outlying Islands
|
||||||
uy;Uruguay
|
uy LACNIC Uruguay
|
||||||
um;U.S. Outlying Islands
|
uz RIPE Uzbekistan
|
||||||
vi;U.S. Virgin Islands
|
vu APNIC Vanuatu
|
||||||
uz;Uzbekistan
|
va RIPE Vatikan City
|
||||||
vu;Vanuatu
|
ve LACNIC Venezuela
|
||||||
va;Vatican City
|
vn APNIC Vietnam
|
||||||
ve;Venezuela
|
vg ARIN Virgin Islands (British)
|
||||||
vn;Vietnam
|
vi ARIN Virgin Islands (U.S.)
|
||||||
wf;Wallis & Futuna
|
wf APNIC Wallis & Futuna Islands
|
||||||
eh;Western Sahara
|
eh AFRINIC Western Sahara
|
||||||
ye;Yemen
|
ye RIPE Yemen
|
||||||
zm;Zambia
|
zm AFRINIC Zambia
|
||||||
zw;Zimbabwe
|
zw AFRINIC Zimbabwe
|
||||||
|
|
|
||||||
|
|
@ -5,7 +5,7 @@
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "adaway IPs",
|
"descr": "adaway IPs",
|
||||||
"flag": "80 443"
|
"flag": "tcp 80 443"
|
||||||
},
|
},
|
||||||
"adguard":{
|
"adguard":{
|
||||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv4.txt",
|
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv4.txt",
|
||||||
|
|
@ -13,7 +13,7 @@
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "adguard IPs",
|
"descr": "adguard IPs",
|
||||||
"flag": "80 443"
|
"flag": "tcp 80 443"
|
||||||
},
|
},
|
||||||
"adguardtrackers":{
|
"adguardtrackers":{
|
||||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv4.txt",
|
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv4.txt",
|
||||||
|
|
@ -21,7 +21,7 @@
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "adguardtracker IPs",
|
"descr": "adguardtracker IPs",
|
||||||
"flag": "80 443"
|
"flag": "tcp 80 443"
|
||||||
},
|
},
|
||||||
"antipopads":{
|
"antipopads":{
|
||||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv4.txt",
|
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv4.txt",
|
||||||
|
|
@ -29,7 +29,7 @@
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "antipopads IPs",
|
"descr": "antipopads IPs",
|
||||||
"flag": "80 443"
|
"flag": "tcp 80 443"
|
||||||
},
|
},
|
||||||
"asn":{
|
"asn":{
|
||||||
"url_4": "https://asn.ipinfo.app/api/text/list/",
|
"url_4": "https://asn.ipinfo.app/api/text/list/",
|
||||||
|
|
@ -37,7 +37,7 @@
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "ASN IP segments",
|
"descr": "ASN IP segments",
|
||||||
"flag": "80 443"
|
"flag": "tcp 80 443"
|
||||||
},
|
},
|
||||||
"backscatterer":{
|
"backscatterer":{
|
||||||
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz",
|
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz",
|
||||||
|
|
@ -45,6 +45,13 @@
|
||||||
"descr": "backscatterer IPs",
|
"descr": "backscatterer IPs",
|
||||||
"flag": "gz"
|
"flag": "gz"
|
||||||
},
|
},
|
||||||
|
"becyber":{
|
||||||
|
"url_4": "https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/main/botnets_zombies_scanner_spam_ips.txt",
|
||||||
|
"url_6": "https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/main/botnets_zombies_scanner_spam_ips_ipv6.txt",
|
||||||
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||||
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||||
|
"descr": "malicious attacker IPs"
|
||||||
|
},
|
||||||
"binarydefense":{
|
"binarydefense":{
|
||||||
"url_4": "https://iplists.firehol.org/files/bds_atif.ipset",
|
"url_4": "https://iplists.firehol.org/files/bds_atif.ipset",
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||||
|
|
@ -74,14 +81,9 @@
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "country blocks"
|
"descr": "country blocks"
|
||||||
},
|
},
|
||||||
"darklist":{
|
|
||||||
"url_4": "https://darklist.de/raw.php",
|
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
|
||||||
"descr": "suspicious attacker IPs"
|
|
||||||
},
|
|
||||||
"debl":{
|
"debl":{
|
||||||
"url_4": "https://www.blocklist.de/downloads/export-ips_all.txt",
|
"url_4": "https://lists.blocklist.de/lists/all.txt",
|
||||||
"url_6": "https://www.blocklist.de/downloads/export-ips_all.txt",
|
"url_6": "https://lists.blocklist.de/lists/all.txt",
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "fail2ban IP blocklist"
|
"descr": "fail2ban IP blocklist"
|
||||||
|
|
@ -92,7 +94,7 @@
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "public DoH-Provider",
|
"descr": "public DoH-Provider",
|
||||||
"flag": "80 443"
|
"flag": "tcp 80 443"
|
||||||
},
|
},
|
||||||
"drop":{
|
"drop":{
|
||||||
"url_4": "https://www.spamhaus.org/drop/drop.txt",
|
"url_4": "https://www.spamhaus.org/drop/drop.txt",
|
||||||
|
|
@ -150,18 +152,18 @@
|
||||||
"url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz",
|
"url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz",
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "advertising IPs",
|
"descr": "advertising IPs",
|
||||||
"flag": "gz 80 443"
|
"flag": "gz tcp 80 443"
|
||||||
},
|
},
|
||||||
"iblockspy":{
|
"iblockspy":{
|
||||||
"url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz",
|
"url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz",
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "malicious spyware IPs",
|
"descr": "malicious spyware IPs",
|
||||||
"flag": "gz 80 443"
|
"flag": "gz tcp 80 443"
|
||||||
},
|
},
|
||||||
"ipblackhole":{
|
"ipsum":{
|
||||||
"url_4": "https://ip.blackhole.monster/blackhole-today",
|
"url_4": "https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt",
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[-[:space:]]?/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "blackhole IP blocklist"
|
"descr": "malicious IPs"
|
||||||
},
|
},
|
||||||
"ipthreat":{
|
"ipthreat":{
|
||||||
"url_4": "https://lists.ipthreat.net/file/ipthreat-lists/threat/threat-30.txt.gz",
|
"url_4": "https://lists.ipthreat.net/file/ipthreat-lists/threat/threat-30.txt.gz",
|
||||||
|
|
@ -188,7 +190,7 @@
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "OISD-big IPs",
|
"descr": "OISD-big IPs",
|
||||||
"flag": "80 443"
|
"flag": "tcp 80 443"
|
||||||
},
|
},
|
||||||
"oisdnsfw":{
|
"oisdnsfw":{
|
||||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt",
|
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt",
|
||||||
|
|
@ -196,7 +198,7 @@
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "OISD-nsfw IPs",
|
"descr": "OISD-nsfw IPs",
|
||||||
"flag": "80 443"
|
"flag": "tcp 80 443"
|
||||||
},
|
},
|
||||||
"oisdsmall":{
|
"oisdsmall":{
|
||||||
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv4.txt",
|
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv4.txt",
|
||||||
|
|
@ -204,7 +206,12 @@
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "OISD-small IPs",
|
"descr": "OISD-small IPs",
|
||||||
"flag": "80 443"
|
"flag": "tcp 80 443"
|
||||||
|
},
|
||||||
|
"pallebone":{
|
||||||
|
"url_4": "https://raw.githubusercontent.com/pallebone/StrictBlockPAllebone/master/BlockIP.txt",
|
||||||
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
|
||||||
|
"descr": "curated IP blocklist"
|
||||||
},
|
},
|
||||||
"proxy":{
|
"proxy":{
|
||||||
"url_4": "https://iplists.firehol.org/files/proxylists.ipset",
|
"url_4": "https://iplists.firehol.org/files/proxylists.ipset",
|
||||||
|
|
@ -222,7 +229,7 @@
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "stevenblack IPs",
|
"descr": "stevenblack IPs",
|
||||||
"flag": "80 443"
|
"flag": "tcp 80 443"
|
||||||
},
|
},
|
||||||
"talos":{
|
"talos":{
|
||||||
"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
|
"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
|
||||||
|
|
@ -295,6 +302,6 @@
|
||||||
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
|
||||||
"descr": "yoyo IPs",
|
"descr": "yoyo IPs",
|
||||||
"flag": "80 443"
|
"flag": "tcp 80 443"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue