ipset Bogon filtering


krabs

Guest
Code:
#!/bin/sh

# fullbogons-ipv4
# Based on BoneKracker and Ryzhov_Al coded scripts.
# Entware version of wget needed for Time-Stamping.

# Purpose: Periodically update an ipset used in a running firewall to block
# bogons. Bogons are addresses that nobody should be using on the public
# Internet because they are either private, not to be assigned, or have
# not yet been assigned.
#
# Notes: Call this from crontab. Feed updated every 4 hours.

# Loading ipset modules
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ipt_set
do
    insmod $module
done

IPSET_TARGET="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"
IPSET_LISTS_DIR=/tmp/mnt/data/ipset_lists   # change directory to yours
IPSET_DATA_FILE="${IPSET_LISTS_DIR}/fullbogons-ipv4.txt"

# Preparing folder to cache downloaded files
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p "$IPSET_LISTS_DIR"

# Function to get modification time of the file in log-friendly format
get_timestamp() {
    date -r "$1" +'%m/%d %R'
}

# File modification time on server is preserved during wget download
old_timestamp=""
[ -f "$IPSET_DATA_FILE" ] && old_timestamp=$(get_timestamp "$IPSET_DATA_FILE")

# Fetch file only if newer than the version we already have.
# Capture wget's own exit status: with "wget | logger", $? would be logger's status.
wget_output=$(/opt/bin/wget -qNP "$IPSET_LISTS_DIR" "$IPSET_TARGET" 2>&1)
wget_status=$?
[ -n "$wget_output" ] && echo "$wget_output" | logger -t ipset -p cron.err

# Report exit status to "System Log" if download not successful or continue script
if [ $wget_status -ne 0 ]
then
    logger -t ipset -p cron.err "Error, exit script;"
    exit 1
fi

timestamp=$(get_timestamp "$IPSET_DATA_FILE")

# Compare timestamps because wget returns success even if no newer file
if [ "${timestamp}" != "${old_timestamp}" ]
then
    # Block traffic from fullbogons-ipv4. Build the new list in a temporary set
    # and swap it into FullBogons, so the live set is replaced atomically every
    # time a newer feed arrives (filling the set only when it is missing would
    # never load any later update).
    ipset -L FullBogons > /dev/null 2>&1 || ipset -N FullBogons nethash
    ipset -L FullBogons_tmp > /dev/null 2>&1 && ipset -X FullBogons_tmp
    ipset -N FullBogons_tmp nethash
    # Skip the feed's header/comment lines and blank lines. The cached file is
    # read, not rewritten in place, so its timestamp and size still match the
    # server copy and wget's -N check keeps working on the next run.
    sed -r '/^[#< \t]|^$/d' "$IPSET_DATA_FILE" | while read -r IP
    do
        ipset -A FullBogons_tmp "$IP"
    done
    ipset --swap FullBogons_tmp FullBogons
    ipset -X FullBogons_tmp
    # eth0 is the WAN interface; change it if your WAN is on another interface
    iptables-save | grep FullBogons > /dev/null 2>&1 || iptables -I INPUT -i eth0 -m set --set FullBogons src -j DROP
else
    logger -t ipset -p cron.err "wget: Server file no newer than local file -- not retrieving, exit script;"
fi

Add a cron job to /jffs/scripts/services-start to run it every 4 hours.
The file's update timings are as follows:
# 00:48 - 00:50
# 04:48 - 04:50
# 08:48 - 08:50
# 12:48 - 12:50
# 16:48 - 16:50
# 20:48 - 20:50

Code:
/usr/sbin/cru a fullbogons      "52 */4 * * *   sh /<script location>/fullbogons.sh"
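An added example, not code from the post above or from the scripts it is based on: the feed is fetched over plain HTTP and every line ends up as an argument to "ipset -A", so a POSIX sh filter that checks each entry is a well-formed IPv4 CIDR (and refuses a /0 that would blackhole all inbound traffic) before loading it is a cheap safeguard. The sample feed and the function names are my own constructions.

```shell
# Added example, not code from the original post: validate every line of the
# downloaded fullbogons-ipv4.txt before it reaches "ipset -A", so a corrupted
# or tampered download cannot push junk, or a catch-all /0, into the DROP set.

# Return 0 if $1 is a well-formed IPv4 CIDR: a.b.c.d/n, octets 0-255, n 0-32.
valid_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1##*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$oldifs  # -f: never glob a '*'
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Filter a feed on stdin to stdout: skip the header, comment and blank lines the
# script's sed removes, emit well-formed CIDRs, and report everything else
# (including /0, which would drop all inbound traffic) instead of loading it.
filter_bogon_feed() {
    kept=0; dropped=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*|'<'*) continue ;; esac
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # also strips CRLF endings
        if valid_ipv4_cidr "$line" && [ "${line##*/}" -ne 0 ]; then
            printf '%s\n' "$line"; kept=$((kept + 1))
        else
            printf 'rejected feed line: %s\n' "$line" >&2   # use logger -t ipset on the router
            dropped=$((dropped + 1))
        fi
    done
    printf 'fullbogons feed: %s entries kept, %s rejected\n' "$kept" "$dropped" >&2
}

# Constructed sample feed (not a real download) covering each case above.
SAMPLE_FEED='# fullbogons-ipv4 header comment (constructed sample)
<html>an HTTP error page served instead of the feed</html>
0.0.0.0/8
192.0.2.0/24
300.1.1.1/8
10.0.0.0/33
0.0.0.0/0
*.*.*.*/8'

filtered_sample() {
    printf '%s\n' "$SAMPLE_FEED" | filter_bogon_feed 2>/dev/null
}
```

In the script, the load loop becomes `filter_bogon_feed < "$IPSET_DATA_FILE" | while read -r IP; do ipset -A FullBogons_tmp "$IP"; done`, which replaces the plain sed filter.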
 
