Asus Router Firewall
#!/bin/sh
##################################################################################################
## 01/01/2015 --- RT-AC56U / RT-ACRT66U / RT-AC68U Firewall Addition v0.7.6 #
##################################################################################################
### ----- Make Sure To Edit The Following Files ----- #
### /jffs/scripts/firewall <-- Blacklists IP's From /tmp/home/root/ipset.txt #
### /jffs/scripts/ipset.txt <-- Banned IP List/IPSet Rules #
##################################################################################################
##############################
#####Commands / Variables#####
##############################
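# Sub-command keywords: the script's single argument is compared against these.
UNBANSINGLE="unban"           # <-- Remove Single IP From Blacklist
UNBANALL="unbanall"           # <-- Unbans All IPs In Blacklist
REMOVEBANS="removeall"        # <-- Remove All Entries From Blacklist
SAVEIPSET="save"              # <-- Save Blacklists to /jffs/scripts/ipset.txt
BANSINGLE="ban"               # <-- Adds Entry To Blacklist
# The next two were missing their closing quote, which swallowed the following
# line into the value and left BANCOUNTRYLIST unset, so "country" and
# "bancountry" could never be matched.
BANCOUNTRYSINGLE="country"    # <-- Adds entire country to blacklist
BANCOUNTRYLIST="bancountry"   # <-- Bans specified countries in this file
HIDEMYASS="hideme"            # <-- Switch to unrestricted DNS (proxydns.co)
BACKUPRULES="backup"          # <-- Backup IPSet Rules to /jffs/scripts/ipset2.txt
##############################
started=$(date)                    # wall-clock start time, echoed in the final summary
bannedips=/jffs/scripts/ipamount   # file holding the last computed count of banned entries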
###############################################################################################
# Unban / Unbanall / Removeall / Scan / Ban / Country / Bancountry / Hideme / Findme / Backup #
###############################################################################################
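#######################################
# Add every network listed in one ipdeny.com country zone file to the
# BlockedCountries set.
# Arguments: $1 - two-letter country code as used by ipdeny.com (e.g. "ru")
# Returns:   1 if the code is not two letters, otherwise the status of the
#            add loop
#######################################
ban_country_zone() {
  # The code is spliced into a URL and was previously unquoted; accept
  # nothing but two letters.
  case "$1" in
    [A-Za-z][A-Za-z]) ;;
    *) echo "Invalid Country Abbreviation: $1" >&2; return 1 ;;
  esac
  # The zone file arrives over plain HTTP, so its contents are untrusted:
  # only lines made of IPv4-network characters reach ipset.
  wget -q -O - "http://www.ipdeny.com/ipblocks/data/countries/$1.zone" |
    while IFS= read -r net; do
      case "$net" in
        ''|*[!0-9./]*) continue ;;
      esac
      ipset -q -A BlockedCountries "$net"
    done
}

# Select the action from the script's argument. "$*" joins all arguments into
# one word, so anything other than exactly one known keyword takes the default
# start-up branch (the old [ X"$@" = ... ] test errored out with more than one
# argument and fell through to the same branch).
case "$*" in
  "$UNBANSINGLE")
    echo "Input IP Address To Unban"
    read -r unbannedip
    # The address is passed to ipset and used as an exact match below; accept
    # only IPv4/CIDR characters and never an empty string (an empty sed
    # pattern used to wipe ipset.txt).
    case "$unbannedip" in
      ''|*[!0-9./]*) echo "Invalid IP Address: $unbannedip" >&2; exit 1 ;;
    esac
    logger -t Firewall "[Unbanning And Removing $unbannedip From Blacklist] ... ... ..."
    ipset -q -D Blacklist "$unbannedip"
    # Drop only the saved lines whose last field is exactly this address (a
    # regex would also hit 1.2.3.4 inside 11.2.3.45), and rewrite through a
    # temp file so a failed filter cannot truncate the rule file.
    tmp=$(mktemp /jffs/scripts/ipset.XXXXXX) || exit 1
    if awk -v ip="$unbannedip" '$NF != ip' /jffs/scripts/ipset.txt > "$tmp"; then
      mv -f "$tmp" /jffs/scripts/ipset.txt
    else
      rm -f "$tmp"
    fi
    echo "$unbannedip Is Now Unbanned"
    ;;
  "$UNBANALL")
    echo "[Unbanning All IP's] ... ... ..."
    logger -t Firewall "[Unbanning All IP's] ... ... ..."
    ipset flush
    ;;
  "$REMOVEBANS")
    # 15 = non-entry header lines in `ipset list` output — presumably tuned
    # for this firmware's ipset version; TODO confirm.
    expr "$(ipset list | wc -l)" - 15 > "$bannedips"
    echo "[Deleting All $(cat "$bannedips") Entries From Blacklist] ... ... ..."
    logger -t Firewall "[Deleting $(cat "$bannedips") Entries From Blacklist] ... ... ..."
    ipset flush
    # Written to /tmp, not to the persistent /jffs copy, so the flushed state
    # is not what gets restored at the next start.
    ipset save > /tmp/home/root/ipset.txt
    ;;
  "$SAVEIPSET")
    echo "[Saving Blacklists] ... ... ..."
    # This runs hourly from cron; write via a temp file so a failing `ipset
    # save` does not leave an empty rule file for the next restore.
    tmp=$(mktemp /jffs/scripts/ipset.XXXXXX) || exit 1
    if ipset save > "$tmp"; then
      mv -f "$tmp" /jffs/scripts/ipset.txt
    else
      rm -f "$tmp"
    fi
    # In-place prune of cron noise from the syslog.
    echo "$(sed '/crond: USER admin/d' /tmp/syslog.log)" > /tmp/syslog.log
    ;;
  "$BANSINGLE")
    echo "Input IP Address"
    read -r bannedip
    case "$bannedip" in
      ''|*[!0-9./]*) echo "Invalid IP Address: $bannedip" >&2; exit 1 ;;
    esac
    logger -t Firewall "[Adding $bannedip To Blacklist] ... ... ..."
    ipset -q -A Blacklist "$bannedip"
    echo "$bannedip Is Now Banned"
    ;;
  "$BANCOUNTRYSINGLE")
    echo "Input Country Abreviation"
    read -r country
    ban_country_zone "$country"
    ;;
  "$BANCOUNTRYLIST")
    echo "[Banning Spam Countries] ... ... ..."
    for country in pk cn in jp ru sa; do
      ban_country_zone "$country"
    done
    ;;
  "$HIDEMYASS")
    echo "Switching To Unrestricted Proxy DNS"
    logger -t Firewall "[Switching To Unrestricted Proxy DNS] ... ... ..."
    # Replace the resolver list with the two hard-coded servers, then restart
    # dnsmasq.
    {
      echo "nameserver 74.207.242.213"
      echo "nameserver 50.116.28.138"
    } > /etc/resolv.conf
    killall dnsmasq
    dnsmasq
    ;;
  "$BACKUPRULES")
    echo "Backing Up Current IPSet Rules"
    cp -f /jffs/scripts/ipset.txt /jffs/scripts/ipset2.txt
    ;;
  *)
    # Default (no recognised keyword): full start-up.
    echo "[IP Banning Started] ... ... ..."
    logger -t Firewall "[IP Banning Started] ... ... ..."
    # load ipset modules
    KERNEL_VER=$(uname -r)
    IPSET_PATH="/lib/modules/$KERNEL_VER/kernel/net/ipv4/netfilter"
    insmod "$IPSET_PATH/ip_set.ko"
    insmod "$IPSET_PATH/ip_set_nethash.ko"
    insmod "$IPSET_PATH/ip_set_iphash.ko"
    insmod "$IPSET_PATH/ipt_set.ko"
    sleep 2
    # Replace the admin crontab: hourly save of the sets, daily backup at 05:00.
    {
      echo "0 * * * * /jffs/scripts/firewall-start save"
      echo "0 5 * * * /jffs/scripts/firewall-start backup"
    } > /var/spool/cron/crontabs/admin
    [ -n "$(pidof crond)" ] && killall -q crond
    sleep 1
    crond
    # Reload the persisted sets, then make sure both sets exist (-q: no error
    # if restore already created them).
    ipset -! restore -f /jffs/scripts/ipset.txt
    ipset -N -q Blacklist iphash --hashsize 1024 --maxelem 200000
    ipset -N -q BlockedCountries nethash --hashsize 4096 --maxelem 200000
    # Delete each rule before inserting it so repeated runs do not stack
    # duplicates.
    iptables -D logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    iptables -D INPUT -m set --match-set Blacklist src -j DROP
    iptables -D INPUT -m set --match-set BlockedCountries src -j DROP
    iptables -D logdrop -m state --state NEW -j SET --add-set Blacklist src
    iptables -I INPUT -m set --match-set Blacklist src -j DROP
    iptables -I INPUT -m set --match-set BlockedCountries src -j DROP
    iptables -I logdrop -m state --state NEW -j SET --add-set Blacklist src
    # In-place prune of earlier DROP log lines from the syslog.
    echo "$(sed '/DROP IN=/d' /tmp/syslog.log)" > /tmp/syslog.log
    ;;
esac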
#########
#Logging#
#########
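# Before/after entry counts. The count file may not exist yet (first run),
# which previously made the closing `expr` fail; treat missing/empty as 0.
OLDAMOUNT=$(cat "$bannedips" 2>/dev/null)
: "${OLDAMOUNT:=0}"
echo "Started: $started"
echo "Finished: $(date)"
# 15 = non-entry header lines in `ipset --list` output — presumably tuned for
# this firmware's ipset version; TODO confirm.
expr "$(ipset --list | wc -l)" - 15 > "$bannedips"
NEWAMOUNT=$(cat "$bannedips")
: "${NEWAMOUNT:=0}"
echo "$NEWAMOUNT IP's currently banned."
logger -t Firewall "[Complete] $NEWAMOUNT IPs currently banned. $(expr "$NEWAMOUNT" - "$OLDAMOUNT") New IP's Banned. "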