

6 commits

Gregory Colpart
334229b1f1 confusion :/ 2025-01-02 16:14:06 +01:00
Gregory Colpart
18dd0d57ef fix errors (IPv4->IPv4/IPv6) and add infos in SERVICESTCP* comments 2025-01-02 15:35:59 +01:00
Gregory Colpart
40ea8c4cfd on passe à ipset 2024-11-09 18:18:14 +01:00
Gregory Colpart
67e8ad9f85 ajout d'un script pour blacklister tout Asie/Pacifique 2024-11-09 13:53:48 +01:00
70d3790337
Update default config with Evolix IPv6 addresses 2024-11-05 15:04:58 +01:00
Gregory Colpart
133ba0a75c add scripts to block IPv4 ranges with AS numbers 2024-07-31 00:48:53 +02:00
4 changed files with 71 additions and 7 deletions

25
blacklist-as.sh Normal file

@ -0,0 +1,25 @@
#!/bin/sh
# Only IPv4 (could be easily IPv6 but need minfirewall / NEEDRESTRICT IPv6-compatible first)
rpkideny_file=/var/tmp/rpki_deny
cd /var/tmp
rm -f $rpkideny_file
GET http://antispam00.evolix.org/spam/rpki.cidr.md5 > rpki.cidr.md5
GET http://antispam00.evolix.org/spam/rpki.cidr > rpki.cidr
for i in 4134; do
grep "^$i," rpki.cidr | grep -v '::' >> $rpkideny_file
done
/sbin/iptables -F NEEDRESTRICT
for i in $(cat $rpkideny_file); do
BLOCK=$(echo $i | cut -d, -f2)
/sbin/iptables -I NEEDRESTRICT -s $BLOCK -j DROP
done
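Review bot: The checksum fetched at L32 is never compared against the list fetched at L33, so a truncated or partial rpki.cidr is turned into DROP rules as-is, and `/sbin/iptables -F NEEDRESTRICT` at L37 flushes the chain even when the download produced nothing; blacklist-asiapacific.sh (L52–L53) has the same unverified fetch. Because rpki.sh writes the md5 line with the path /var/tmp/rpki.cidr and this script already runs from /var/tmp, a single `md5sum -c rpki.cidr.md5 || exit 1` placed before the flush is enough to abort on a mismatch. The checksum travels over the same plain-HTTP channel as the data, so this only catches corruption and truncation, not a substituted list; an HTTPS source or a signature would be needed to authenticate what ends up in the firewall.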

18
blacklist-asiapacific.sh Normal file

@ -0,0 +1,18 @@
#!/bin/sh
# use it with /sbin/iptables -I INPUT -m set --match-set apnic-ipv4 src -j DROP
cd /var/tmp
rm -f $apnicdeny_file
GET http://antispam00.evolix.org/spam/apnic.cidr.md5 > apnic.cidr.md5
GET http://antispam00.evolix.org/spam/apnic.cidr > apnic.cidr
ipset destroy apnic-ipv4
ipset create apnic-ipv4 hash:net
for i in $(cat /var/tmp/apnic.cidr); do
BLOCK=$(echo $i | cut -d"|" -f2)
/sbin/ipset add apnic-ipv4 $BLOCK
done
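Review bot: `$apnicdeny_file` at L51 is never assigned anywhere in this script (it reads like a leftover of `$rpkideny_file` from blacklist-as.sh), so the `rm -f` removes nothing and the line should be dropped or the variable defined. Separately, `ipset destroy apnic-ipv4` at L54 fails while the set is referenced by the iptables rule the comment at L49 tells the user to install, the following `ipset create` then fails because the set still exists, and from the second run on only new entries are added while withdrawn ranges are never removed — presumably not what was intended. Filling a fresh set and swapping it in atomically avoids both the stale entries and a window with no rules.
```shell
ipset create apnic-ipv4 hash:net -exist
ipset create apnic-ipv4-new hash:net
for i in $(cat /var/tmp/apnic.cidr); do
BLOCK=$(echo "$i" | cut -d"|" -f2)
/sbin/ipset add apnic-ipv4-new "$BLOCK"
done
ipset swap apnic-ipv4-new apnic-ipv4
ipset destroy apnic-ipv4-new
```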


@ -1,5 +1,5 @@
# Configuration for minifirewall : https://gitea.evolix.org/evolix/minifirewall
# Version 23.07
# Version 24.11
# shellcheck shell=sh disable=SC2034
# Main interface
@ -23,8 +23,7 @@ DOCKER='off'
INTLAN='192.0.2.1/32 2001:db8::1/128'
# Trusted IP addresses for private and semi-public services
# TODO: add all our IPv6 adresses
TRUSTEDIPS='31.170.9.129 2a01:9500:37:129::/64 31.170.8.4 2a01:9500::fada 82.65.34.85 2a01:e0a:571:2a10::1 54.37.106.210 51.210.84.146'
TRUSTEDIPS='31.170.9.129 2a01:9500:37:129::/64 31.170.8.4 2a01:9500::fada 82.65.34.85 2a01:e0a:571:2a10::1 46.231.240.96 2a0c:e303:0:6000::/57 54.37.106.210 2001:41d0:8:8b70::210 51.210.84.146 2001:41d0:8:8b70::146'
# Privilegied IP addresses for semi-public services
# (no need to add again TRUSTEDIPS)
@ -34,7 +33,7 @@ PRIVILEGIEDIPS=''
# Local services IP restrictions
#######################################
# Protected services
# Protected services (protected by NEEDRESTRICT chain, to customize in your own way)
# (add also in Public services if needed)
SERVICESTCP1p='22222'
SERVICESUDP1p=''
@ -43,11 +42,11 @@ SERVICESUDP1p=''
SERVICESTCP1='22222'
SERVICESUDP1=''
# Semi-public services (IPv4)
# Semi-public services (for IPv4/IPv6 from PRIVILEGIEDIPS *and* TRUSTEDIPS)
SERVICESTCP2='22'
SERVICESUDP2=''
# Private services (IPv4)
# Private services (for IPv4/IPv6 from TRUSTEDIPS only)
SERVICESTCP3='5666'
SERVICESUDP3=''
@ -102,7 +101,7 @@ BACKUPSERVERS=''
#
# Within included files, you can use those helper functions :
# * is_ipv6_enabled: returns true if IPv6 is enabled, or false
# * is_docker_enabled: returns true if Docker mode is eabled, or false
# * is_docker_enabled: returns true if Docker mode is enabled, or false
# * is_proxy_enabled: returns true if Proxy mode is enabled , or false
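Review bot: The new TRUSTEDIPS value at L74 trusts whole prefixes (a /64 and a /57) next to single hosts, which gives every address in those ranges access to the semi-public and private services described at L89 and L93; nothing in the hunk says why ranges rather than individual hosts are trusted there. A one-line comment above the assignment, e.g. `# IPv6 entries may be whole prefixes: every address in the range is trusted`, would make that visible to whoever reviews this file later. The file's name is not visible on this page, so the section is referenced by its hunks only.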

22
rpki.sh Normal file

@ -0,0 +1,22 @@
#!/bin/sh
umask 022
tmp_rpki_file="/var/tmp/tmp_rpki.cidr"
rpki_file="/var/tmp/rpki.cidr"
rm -f $rpki_file
YEAR_TODAY=$( date +%Y )
MONTH_TODAY=$( date +%m )
DAY_TODAY=$( date +%d )
wget -q -O- https://ftp.ripe.net/ripe/rpki/ripencc.tal/${YEAR_TODAY}/${MONTH_TODAY}/${DAY_TODAY}/roas.csv.xz | unxz | grep ^rsync > $tmp_rpki_file
wget -q -O- https://ftp.ripe.net/ripe/rpki/arin.tal/${YEAR_TODAY}/${MONTH_TODAY}/${DAY_TODAY}/roas.csv.xz | unxz | grep ^rsync >> $tmp_rpki_file
wget -q -O- https://ftp.ripe.net/ripe/rpki/afrinic.tal/${YEAR_TODAY}/${MONTH_TODAY}/${DAY_TODAY}/roas.csv.xz | unxz | grep ^rsync >> $tmp_rpki_file
wget -q -O- https://ftp.ripe.net/ripe/rpki/lacnic.tal/${YEAR_TODAY}/${MONTH_TODAY}/${DAY_TODAY}/roas.csv.xz | unxz | grep ^rsync >> $tmp_rpki_file
cat $tmp_rpki_file | cut -d, -f2,3 | sed 's/^AS//' | sort > $rpki_file
md5sum $rpki_file > /var/www/spam/rpki.cidr.md5
mv $rpki_file /var/www/spam/
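Review bot: Nothing checks that the four downloads at L117–L120 succeeded before the list is published, so a network error or a daily directory that does not exist yet (the URL is built from today's date at L114–L116) leaves `$tmp_rpki_file` empty or partial, and the script still writes a matching md5 and moves the file into /var/www/spam/, where blacklist-as.sh applies it. A minimal guard before L122 is `[ -s "$rpki_file" ] || exit 1`; checking each `wget` exit status individually would be stronger, since a `/bin/sh` pipeline only reports the status of the final `grep`. `$tmp_rpki_file` is also never removed after L121. Only the ripencc, arin, afrinic and lacnic TALs are fetched; if APNIC-registered ASNs such as the 4134 filtered by blacklist-as.sh are expected to appear in rpki.cidr, the apnic TAL archive looks to be missing — worth confirming.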