OpenWrt Forum Archive

Topic: Firewall - [SOLUTION] blocking ABUSE IP's (blacklist IP)

The content of this topic has been archived on 11 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,
as several guys were looking for ....
maybe anyone wants to use that script in his firewall config

USE AT YOUR OWN RISK !

Here is a link on which you will find a very good solution for huge long IP lists .....

https://n0where.net/iptables-blacklist-script/
(package ipset needed, but normally included on each image)


if you want it based on iptables only ... see below

INSTALL:
1.) simply add that script at the end of your /etc/firewall.customer
      (via LuCI you can go to: Menu -> Network -> Firewall - tab: "Custom Rules")
2.) create your wanted blocked IP list and copy it to: /etc/config/firewall.blacklist.ip
(simply the format is (1 per line):
      1.2.3.4
      2.2.2.2/24
      3.2.2.2
      ....
      ....

That's it!

##################################################################
#---------------- BLOCKING(DROP) blacklisted IP's ------------------------------------------
# one IP or CIDR block per line in ${BLACKLIST}; anything after '#' is a comment
BLACKLIST=/etc/config/firewall.blacklist.ip
EXTERNAL_DEVICE=3g-4G
BLACKLIST_SOURCE="https://lists.blocklist.de/lists/all.txt"

# cleanup if already existing rules (the custom rules file is run by /bin/sh,
# so use the POSIX redirection; bash's "&>" backgrounds the command there)
iptables -F BLOCKING_IP >/dev/null 2>&1
iptables -D INPUT -i "${EXTERNAL_DEVICE}" -j BLOCKING_IP >/dev/null 2>&1
iptables -D FORWARD -i "${EXTERNAL_DEVICE}" -j BLOCKING_IP >/dev/null 2>&1

# creating rules: a dedicated chain, entered only for traffic from the external interface
iptables -N BLOCKING_IP >/dev/null 2>&1
iptables -I INPUT -i "${EXTERNAL_DEVICE}" -j BLOCKING_IP
iptables -I FORWARD -i "${EXTERNAL_DEVICE}" -j BLOCKING_IP

# Block abusing IPs from ${BLACKLIST}
if [ -f "${BLACKLIST}" ] && [ -s "${BLACKLIST}" ]; then
    echo " FIREWALL - Blocking ABUSIVE IP's"
    cut -f1 -d '#' "${BLACKLIST}" | while read -r IP; do
        # skip blank and comment-only lines, which would otherwise give "-s ''"
        [ -n "${IP}" ] || continue
        echo " FIREWALL - Blocking IP:${IP}"
        iptables -I BLOCKING_IP -s "${IP}" -j DROP
    done
fi

cu camel

(Last edited by camro on 28 Nov 2016, 23:06)

my new solution is now:
(based on link from first posting)

1.) create a file: /etc/firewall.blacklist.sh and set it to be executable via:

chmod 0777 /etc/firewall.blacklist.sh

and code:

#!/bin/sh
IP_TMP=/tmp/firewall.ip.tmp
IP_BLACKLIST=/etc/firewall.blacklist.conf
IP_BLACKLIST_TMP=/tmp/firewall.blacklist.tmp
IP_BLACKLIST_CUSTOM=/etc/firewall.blacklist-custom.conf # optional
list="chinese nigerian russian lacnic exploited-servers"

BLACKLIST1="http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
BLACKLIST2="http://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1"  # TOR Exit Nodes
BLACKLIST3="http://www.maxmind.com/en/anonymous_proxies" # MaxMind GeoIP Anonymous Proxies
BLACKLIST4="http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
BLACKLIST5="http://rules.emergingthreats.net/blockrules/rbn-ips.txt" # Emerging Threats - Russian Business Networks List
BLACKLIST6="http://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List
BLACKLIST7="http://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
BLACKLIST8="http://www.openbl.org/lists/base.txt"  # OpenBL.org 30 day List
BLACKLIST9="http://www.autoshun.org/files/shunlist.csv" # Autoshun Shun List
BLACKLIST10="http://lists.blocklist.de/lists/all.txt" # blocklist.de attackers

# fetch every feed and keep only the IPv4 addresses / CIDR blocks in it
# (the "(?:\d{1,3}\.)" form is PCRE and needs "grep -P", which busybox grep
# does not have; the ERE below works with "grep -oE". curl is not in the
# default image, "wget -qO-" does the same job)
: > "$IP_BLACKLIST_TMP"
for j in $(seq 1 10); do
    eval JJ=\${BLACKLIST${j}}
    curl -s "$JJ" > "$IP_TMP"
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?' "$IP_TMP" >> "$IP_BLACKLIST_TMP"
done
rm -f "$IP_TMP"

for i in $list; do
        # Download into /tmp instead of whatever the cron job's working directory is
        wget -q -O "/tmp/$i-iptables-blocklist.html" "http://www.wizcrafts.net/$i-iptables-blocklist.html"
        # Grep out all but ip blocks
        grep -v '<' "/tmp/$i-iptables-blocklist.html" | grep -v ':' | grep -v ';' | grep -v '#' | grep '[0-9]' > "/tmp/$i.txt"
        # Consolidate blocks into master list
        cat "/tmp/$i.txt" >> "$IP_BLACKLIST_TMP"
        rm -f "/tmp/$i-iptables-blocklist.html" "/tmp/$i.txt"
done

# the optional custom list goes in as well
[ -f "$IP_BLACKLIST_CUSTOM" ] && cat "$IP_BLACKLIST_CUSTOM" >> "$IP_BLACKLIST_TMP"
sort -n "$IP_BLACKLIST_TMP" | uniq > "$IP_BLACKLIST"
rm -f "$IP_BLACKLIST_TMP"
#wc -l $IP_BLACKLIST


# apply rules: create the set first, flushing a set that does not exist yet fails
ipset create BLACKLIST hash:net >/dev/null 2>&1
ipset flush BLACKLIST

# blacklisted sources are dropped on INPUT ("-F" takes no match options, so the
# old rule is removed with "-D" before it is inserted again)
iptables -D INPUT -m set --match-set BLACKLIST src -j DROP >/dev/null 2>&1
iptables -I INPUT -m set --match-set BLACKLIST src -j DROP

grep -Ev "^#|^$" "$IP_BLACKLIST" | while IFS= read -r ip
do
        echo "$ip"
        # -exist: an entry already covered by the set is not an error
        ipset -exist add BLACKLIST "$ip"
done

2.) Scheduled task - executing once per day ...
59    22    *    *    *    /etc/firewall.blacklist.sh

3.) adding to firewall.customer
LuCI -> Network -> Firewall -> tab: Custom Rules

adding:

##################################################################
#---------------- BLOCKING(DROP) blacklisted IP's ------------------------------------------
# will be executed via cronjob ..... daily is enough => sh -c /etc/firewall.blacklist.sh

IP_BLACKLIST=/etc/firewall.blacklist.conf
# create the set if missing, then flush and re-apply rules (POSIX redirection,
# because this file is run by /bin/sh, where bash's "&>" does not work)
ipset create BLACKLIST hash:net >/dev/null 2>&1
ipset flush BLACKLIST >/dev/null 2>&1
iptables -D INPUT -m set --match-set BLACKLIST src -j DROP >/dev/null 2>&1
iptables -I INPUT -m set --match-set BLACKLIST src -j DROP
grep -Ev "^#|^$" "$IP_BLACKLIST" | while IFS= read -r ip; do
    ipset -exist add BLACKLIST "$ip"
done

(Last edited by camro on 29 Nov 2016, 04:20)
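Both scripts in this thread push whatever the blacklist file or the feeds contain straight into iptables or ipset, and the INPUT rule in the second one has no interface match, so a stray "0.0.0.0/0" or a LAN range in a feed locks the admin out. The following POSIX sh is an added example, not code from camro's posts: it validates each entry of the one-per-line format used above, refuses lock-out entries, and builds an "ipset restore" batch that swaps a fully loaded set in instead of flushing the live one; the function names are its own.

```shell
#!/bin/sh
# Added example (not camro's script): validate a "one IPv4/CIDR per line,
# # comments" blacklist before loading it, and emit an "ipset restore" batch.
# The function names are this example's own; plain POSIX sh / busybox ash.

# Return 0 if $1 is a dotted quad with an optional /0-32 prefix.
valid_ipv4_net() {
    addr=${1%/*}
    case "$1" in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do                      # each octet: 1-3 digits, 0-255
        case "$oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#oct}" -le 3 ] && [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# stdin -> stdout: strip comments and blank lines, keep only valid entries,
# and refuse entries that would lock the admin out: /0 (matches everything)
# and RFC1918/loopback ranges, since the INPUT rule above has no "-i" match.
filter_blacklist() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        case "$entry" in
            */0|10.*|127.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
                echo "refusing lock-out entry: $entry" >&2; continue ;;
        esac
        if valid_ipv4_net "$entry"; then printf '%s\n' "$entry"
        else echo "skipping invalid entry: $entry" >&2; fi
    done
}

# Build an "ipset restore" batch: load a fresh set and swap it in, so the live
# set is never empty between flush and reload. Run on the router as:
#   ipset_batch BLACKLIST < /etc/firewall.blacklist.conf | ipset -exist restore
ipset_batch() {
    printf 'create %s_new hash:net\n' "$1"
    filter_blacklist | sed "s/^/add ${1}_new /"
    printf 'create %s hash:net\nswap %s_new %s\ndestroy %s_new\n' "$1" "$1" "$1" "$1"
}

# Constructed sample list in the thread's format (not taken from any feed).
sample_blacklist() {
    printf '%s\n' '# attackers' '1.2.3.4' '2.2.2.0/24   # comment' \
        '999.1.1.1' '3.2.2.2/33' '0.0.0.0/0' '' 'not-an-ip' '192.168.1.0/24'
}
```

Running `sample_blacklist | ipset_batch BLACKLIST` prints a six-line batch that adds only 1.2.3.4 and 2.2.2.0/24, with the four rejected entries reported on stderr.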
