#!/bin/bash
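#### HOST / SERVICE CONFIG ####
# Operator's own public address; log lines from it are excluded from every scan below.
MY_IP="47.5.112.50"
# Requests per minute from one client address before watch() drops it.
ATTACK_THRESHOLD="50"
# LAN host allowed to reach the per-server service ports (LND, Syncthing, Uptime Kuma).
SERVER_IP='192.168.0.55'
# nginx access log read by the *-search/watch/status functions (combined format,
# client address in the first field, timestamp at minute granularity).
# NOTE(review): this path and NFT_CACHE live in world-writable /tmp; if the script
# runs as root another local user can pre-create or replace these files and steer
# the scan input or the duplicate check — a root-owned directory is safer.
NGINX_ACCESS="/tmp/access.log"
#WIREGUARD=(51820)
WIREGUARD=(57692)
WEB=(80 443)
ADGUARD=(3000 8082 853)
UPTIME=(4001)
DNS=(53 67 68)
CUPS=(631 5353)
BITCOIN=(8333 8332 8334 4050)
LND=(10009 9735 8080 28334 28333 19998 29000)
SYNCTHING=(22000 8384 21027)
NFS=(2049 111)
JELLYFIN=(8096 7359)
# Hosts whose traffic trust() accepts outright.
MACHINES=(127.0.0.1)
VIRT_BRIDGE="virbr0"
ADMIN=(22)
#### NFT CONFIG ####
# Single definition (the file previously assigned this twice).
NFT='/usr/sbin/nft'
# Command prefixes and verdicts. They are deliberately expanded UNQUOTED at the
# call sites so that the words become separate nft arguments.
NFT_TCP="$NFT add rule ip filter input tcp dport"
NFT_UDP="$NFT add rule ip filter input udp dport"
NFT6_UDP="$NFT add rule ip6 filter input udp dport"
NFT6_TCP="$NFT add rule ip6 filter input tcp dport"
NFT_DROP='counter drop'
NFT_ACCEPT='counter accept'
# Snapshot of the filter table taken once at script start; the search/watch
# functions grep it to avoid adding the same drop rule twice.
NFT_CACHE='/tmp/nft.cache'
####
SAVED_BOTS='/opt/firewall/bots.txt'
CRAWLER_DB='/opt/firewall/crawlers.txt'
SAFE_TRAFFIC='/opt/firewall/safe.txt'
PEDO_DB='/opt/firewall/pedo.txt'
PEDO_LOG='/opt/firewall/pedo-log.txt'
fediblock_DB='/opt/firewall/fediblock.txt'
fediblock_TMP='/tmp/fediblock.tmp'
ATTACKER_DB='/opt/firewall/attacker-db.txt'
ATTACKER_LOG='/opt/firewall/attackers.txt'
BOT_ACCOUNT="blockbot@detroitriotcity.com"
CRAWLER_TMP='/tmp/crawlers.txt'
# Default scan window; most functions overwrite DATE with a per-minute stamp.
DATE="$(date +%Y:%H: -d "1 hour ago")"
#DATE="$(date +%Y:%H:)";
# Where stop() saves the live ruleset.
RULE_SET='/opt/firewall/nft.rules'
# Zone files fetched by blockCountry().
COUNTRY=(
  https://www.ipdeny.com/ipblocks/data/countries/il.zone
  https://www.ipdeny.com/ipblocks/data/countries/cn.zone
)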
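# Nostr identity used by the publish calls in pedo-search / attacker-search.
# NOTE(review): this is a signing key embedded in the script body; anyone who can
# read the file can publish as this identity. Prefer loading it from a root-only
# file or the environment.
noscl setprivate 0fe0b7d521c1b599b12a3b1e72acc6f08d2011083f25379d0b90a506d044266f
# Snapshot the current filter table once; the *-search/watch functions grep it to
# skip addresses that already have a drop rule. Uses the configured binary and a
# quoted path so an empty NFT_CACHE cannot turn into a bare redirection error.
"$NFT" list table filter > "$NFT_CACHE"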
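#######################################
# Drop every prefix listed in the COUNTRY zone files.
# Globals:   COUNTRY, NFT, NFT_DROP (read)
# Outputs:   progress to stdout, fetch/parse problems to stderr
# Returns:   status of the last nft call
#######################################
blockCountry() {
  local url entries prefix
  for url in "${COUNTRY[@]}"; do
    echo
    echo "Blocking $url"
    # -f turns an HTTP error into a non-zero exit instead of an HTML body that
    # would otherwise be split into "prefixes"; -sS keeps only real errors.
    if ! entries=$(curl -fsS --max-time 60 "$url"); then
      printf 'Fetch failed, skipping %s\n' "$url" >&2
      continue
    fi
    # shellcheck disable=SC2086 -- word-splitting the zone file is the intent
    for prefix in $entries; do
      # The list is remote data handed to a privileged command: only pass
      # tokens that look like an IPv4 address or CIDR.
      if [[ $prefix =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]; then
        # NOTE(review): one nft call per prefix; a named set would load the whole
        # list in one call — confirm before changing the ruleset shape.
        $NFT add rule ip filter input ip saddr "$prefix" $NFT_DROP
      else
        printf 'Skipping malformed entry %q\n' "$prefix" >&2
      fi
    done
  done
}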
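#######################################
# NAT and forwarding between the WireGuard interface and the wired NIC, plus
# blanket trust for the WireGuard subnet on input.
# Globals:   NFT, NFT_ACCEPT (read); WG_IF, WAN_IF (optional interface overrides)
#######################################
wireguard-networking() {
  local wg_if="${WG_IF:-wg0}"
  local wan_if="${WAN_IF:-enp11s0}"
  $NFT add table nat
  # A chain only sees packets when it is a base chain bound to a hook; the bare
  # "add chain nat postrouting" form creates an unhooked regular chain, so the
  # masquerade rule below never applied.
  $NFT add chain nat postrouting '{ type nat hook postrouting priority 100; }'
  # Masquerade only what leaves the wired NIC. The previous two "oif/iif" rules
  # carried no statement (no-ops) and the masquerade itself was unscoped.
  $NFT add rule nat postrouting oif "$wan_if" masquerade
  $NFT add rule filter forward iifname "$wg_if" oif "$wan_if" $NFT_ACCEPT
  $NFT add rule filter forward iifname "$wan_if" oif "$wg_if" $NFT_ACCEPT
  # Whole WireGuard subnet is trusted on the input chain.
  $NFT add rule ip filter input ip saddr 192.168.5.0/24 $NFT_ACCEPT
}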
#######################################
# Run the full scan in order: re-apply saved blocks, rate-based watch, then the
# three pattern searches over the last minute of the access log.
#######################################
attacker-protection() {
  local step
  for step in saved-attackers watch pedo-search bot-search attacker-search; do
    "$step"
  done
}
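#######################################
# Drop client addresses that matched a CRAWLER_DB pattern in the last minute of
# NGINX_ACCESS and are not yet present in the NFT_CACHE snapshot.
# Globals:   DATE (written); NGINX_ACCESS, MY_IP, CRAWLER_DB, NFT_CACHE, NFT, NFT_DROP (read)
# Outputs:   progress to stdout, skipped entries to stderr
#######################################
bot-search() {
  DATE="$(date +%d/%b/%Y:%H:%M -d '1 min ago' )"
  local -a crawlers=()
  local addr
  # Client address is the first space-separated field of the log line.
  # -F: the date and MY_IP are literals, not regexes (dots would match anything).
  mapfile -t crawlers < <(grep -F -- "$DATE" "$NGINX_ACCESS" | grep -viF -- "$MY_IP" \
    | grep -Evi 'Guro|spank|report|rape|block' | grep -Ei -f "$CRAWLER_DB" \
    | cut -d ' ' -f1 | sort -u)
  echo
  echo "Processing Web Crawler list into NFT....."
  echo
  for addr in "${crawlers[@]}"; do
    # Log-derived token handed to a privileged command: require a dotted quad
    # (the rule is "ip saddr", so only IPv4 is meaningful anyway).
    if [[ ! $addr =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
      printf 'Skipping non-IPv4 address %q\n' "$addr" >&2
      continue
    fi
    # Whole-word literal match: a rule for 1.2.3.45 must not make 1.2.3.4 look
    # "already blocked" (the old substring test skipped such addresses).
    if grep -qwF -- "$addr" "$NFT_CACHE"; then
      echo
      echo "Skipping Duplicate IP $addr"
      echo
    else
      $NFT add rule ip filter input ip saddr "$addr" $NFT_DROP
    fi
  done
}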
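#######################################
# Drop the first client that issued a tag/search request matching PEDO_DB in
# the last minute (crawlers excluded) and publish the matching log line.
# Globals:   DATE, PEDO_SEARCH, IP (written); NGINX_ACCESS, MY_IP, CRAWLER_DB,
#            PEDO_DB, NFT, NFT_DROP (read)
# Outputs:   the matched line and progress to stdout
#######################################
pedo-search() {
  DATE="$(date +%d/%b/%Y:%H:%M -d '1 min ago' )"
  echo
  echo "Processing Pedo Searches into NFT....."
  PEDO_SEARCH=$( grep -F -- "$DATE" "$NGINX_ACCESS" | grep -viF -- "$MY_IP" | grep -Ei 'tag|search' \
    | grep -Evi -f "$CRAWLER_DB" | grep -Ei -f "$PEDO_DB" | head -1)
  printf '%s\n' "$PEDO_SEARCH"
  if [ -z "$PEDO_SEARCH" ]; then
    echo "No Pedos Found"
    return 0
  fi
  # Client address is the first space-separated field of the log line.
  IP=${PEDO_SEARCH%% *}
  if [[ ! $IP =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    printf 'Skipping non-IPv4 address %q\n' "$IP" >&2
    return 0
  fi
  $NFT add rule ip filter input ip saddr "$IP" $NFT_DROP
  # NOTE(review): same signing key as the top-level setprivate call, embedded in the script.
  noscl setprivate 0fe0b7d521c1b599b12a3b1e72acc6f08d2011083f25379d0b90a506d044266f
  # Publish the matched request itself. The old code published $QUERY, which this
  # function never sets, so the post body was empty. Note the line carries the
  # client address and the full request URI.
  noscl publish --profile=33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 "$PEDO_SEARCH"
}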
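#######################################
# Drop addresses whose requests in the last minute match an ATTACKER_DB pattern,
# publish the first matching line and append the address to ATTACKER_LOG.
# Globals:   DATE, QUERY (written); NGINX_ACCESS, MY_IP, ATTACKER_DB, ATTACKER_LOG,
#            NFT, NFT_DROP (read)
# Outputs:   progress to stdout, skipped entries to stderr
#######################################
attacker-search() {
  echo
  echo "Processing Attacker Searches into NFT....."
  echo
  DATE="$(date +%d/%b/%Y:%H:%M -d '1 min ago' )"
  local -a attackers=()
  local addr
  # NOTE(review): the '127.0.0.1|"$DATE"' pattern is single-quoted, so its second
  # alternative is the literal text "$DATE" and never matches; only lines containing
  # 127.0.0.1 (as a regex, dots match any character) pass this stage. Kept as-is
  # because the intent is unclear — confirm which lines this stage should keep.
  mapfile -t attackers < <(grep -F -- "$DATE" "$NGINX_ACCESS" | grep -Ei '127.0.0.1|"$DATE"' \
    | grep -viF -- "$MY_IP" | grep -Ei -f "$ATTACKER_DB" | cut -d ' ' -f1 | sort -u)
  for addr in "${attackers[@]}"; do
    # Log-derived token handed to a privileged command: require a dotted quad.
    if [[ ! $addr =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
      printf 'Skipping non-IPv4 address %q\n' "$addr" >&2
      continue
    fi
    $NFT add rule ip filter input ip saddr "$addr" $NFT_DROP
    # Whole-word literal match so 1.2.3.4 does not pick up 1.2.3.45's requests.
    QUERY=$(grep -F -- "$DATE" "$NGINX_ACCESS" | grep -viF -- "$MY_IP" | grep -wF -- "$addr" \
      | grep -Ei -f "$ATTACKER_DB" | head -1)
    if [ -z "$QUERY" ]; then
      echo "No Attackers Found"
    else
      echo "Found Attacker!"
      # The published line carries the client address and full request URI.
      noscl publish --profile=33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 "$QUERY"
      echo "$addr" >>"$ATTACKER_LOG"
    fi
  done
}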
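#######################################
# Baseline policy: drop pings, log-and-drop anything no earlier input rule
# accepted, accept established flows and loopback, then load the IPv6 template.
# Globals:   NFT, NFT_DROP, NFT_ACCEPT (read)
#######################################
basic-security() {
  $NFT add rule filter input icmp type echo-request $NFT_DROP
  # Single catch-all at the end of the input chain. The earlier duplicate of this
  # line was typed as "$NFS add rule ..." (NFS is the port array), which ran as
  # "2049 add rule ..." and failed with "command not found" on every start; it
  # added nothing this rule does not, so it is gone.
  # "nft rule ..." is accepted shorthand for "nft add rule ...".
  $NFT rule filter input log $NFT_DROP
  $NFT rule filter output $NFT_ACCEPT
  $NFT rule filter forward $NFT_ACCEPT
  # insert places these ahead of every rule added above.
  # NOTE(review): only "established" is accepted; "related" (ICMP errors, secondary
  # connections) is not, and "invalid" is never dropped — confirm this is intended.
  $NFT insert rule filter input ct state established $NFT_ACCEPT
  $NFT insert rule filter input iif lo $NFT_ACCEPT
  $NFT -f /usr/share/nftables/ipv6-filter.nft
  $NFT add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_DROP
  $NFT add rule ip6 filter input icmpv6 type nd-router-advert $NFT_DROP
  # NOTE(review): no catch-all drop is appended to the ip6 input chain; if the
  # template leaves the chain policy at nft's default (accept), IPv6 input is
  # filtered only by the two icmpv6 rules above — confirm.
}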
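#######################################
# Recreate the libvirt default network and accept traffic from its bridge.
# Globals:   VIRT_BRIDGE, NFT, NFT_ACCEPT (read)
#######################################
virtualization() {
  # Same bridge the accept rule below refers to (previously hard-coded as virbr0).
  ip link del "$VIRT_BRIDGE"
  # NOTE(review): kills every dnsmasq on the host, not only libvirt's — confirm no
  # other resolver depends on it.
  killall dnsmasq
  /usr/bin/systemctl restart libvirtd
  /usr/bin/virsh net-start default
  /usr/bin/systemctl restart pleroma
  $NFT insert rule filter input iif "$VIRT_BRIDGE" $NFT_ACCEPT
}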
#######################################
# Allow SERVER_IP to reach the Uptime Kuma port(s) over TCP.
# Globals:   UPTIME, SERVER_IP, NFT (read)
#######################################
uptimeKuma() {
  local port
  for port in "${UPTIME[@]}"; do
    $NFT add rule ip filter input ip saddr "$SERVER_IP" tcp dport "$port" accept
  done
}
#######################################
# Open the ADMIN ports over TCP on IPv4 and IPv6.
# Globals:   ADMIN, NFT_TCP, NFT6_TCP, NFT_ACCEPT (read)
#######################################
admin() {
  local port prefix
  for port in "${ADMIN[@]}"; do
    # IPv4 rule first, then IPv6. The prefix and verdict hold several words and
    # are expanded unquoted on purpose.
    for prefix in "$NFT_TCP" "$NFT6_TCP"; do
      $prefix "$port" $NFT_ACCEPT
    done
  done
}
#######################################
# Enable IPv4 forwarding and open the WireGuard ports (TCP+UDP, v4+v6).
# Globals:   WIREGUARD, NFT_TCP, NFT_UDP, NFT6_TCP, NFT6_UDP, NFT_ACCEPT (read)
#######################################
wireguard() {
  sysctl -w net.ipv4.conf.all.forwarding=1
  local port prefix
  for port in "${WIREGUARD[@]}"; do
    # Prefixes and verdict are multi-word strings expanded unquoted on purpose.
    for prefix in "$NFT_TCP" "$NFT_UDP" "$NFT6_TCP" "$NFT6_UDP"; do
      $prefix "$port" $NFT_ACCEPT
    done
  done
}
#######################################
# Open the WEB ports over TCP on IPv4 and IPv6.
# Globals:   WEB, NFT_TCP, NFT6_TCP, NFT_ACCEPT (read)
#######################################
web() {
  local port prefix
  for port in "${WEB[@]}"; do
    # Prefixes and verdict are multi-word strings expanded unquoted on purpose.
    for prefix in "$NFT_TCP" "$NFT6_TCP"; do
      $prefix "$port" $NFT_ACCEPT
    done
  done
}
#######################################
# Open the DNS ports (TCP+UDP, v4+v6).
# Globals:   DNS, NFT_TCP, NFT_UDP, NFT6_TCP, NFT6_UDP, NFT_ACCEPT (read)
#######################################
dns(){
  local port prefix
  for port in "${DNS[@]}"; do
    # Prefixes and verdict are multi-word strings expanded unquoted on purpose.
    for prefix in "$NFT_TCP" "$NFT_UDP" "$NFT6_TCP" "$NFT6_UDP"; do
      $prefix "$port" $NFT_ACCEPT
    done
  done
}
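#######################################
# Open the ADGUARD ports (TCP+UDP, v4+v6).
# Globals:   ADGUARD, NFT_TCP, NFT_UDP, NFT6_TCP, NFT6_UDP, NFT_ACCEPT (read)
#######################################
adguard() {
  local port prefix
  for port in "${ADGUARD[@]}"; do
    # Same four rules as dns()/cups(): the old body issued NFT6_TCP twice and
    # never added the IPv6 UDP rule.
    # Prefixes and verdict are multi-word strings expanded unquoted on purpose.
    for prefix in "$NFT_TCP" "$NFT_UDP" "$NFT6_TCP" "$NFT6_UDP"; do
      $prefix "$port" $NFT_ACCEPT
    done
  done
}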
#######################################
# Open the CUPS ports (TCP+UDP, v4+v6).
# Globals:   CUPS, NFT_TCP, NFT_UDP, NFT6_TCP, NFT6_UDP, NFT_ACCEPT (read)
#######################################
cups() {
  local port prefix
  for port in "${CUPS[@]}"; do
    # Prefixes and verdict are multi-word strings expanded unquoted on purpose.
    for prefix in "$NFT_TCP" "$NFT_UDP" "$NFT6_TCP" "$NFT6_UDP"; do
      $prefix "$port" $NFT_ACCEPT
    done
  done
}
#######################################
# Open the BITCOIN ports over IPv4 TCP only.
# Globals:   BITCOIN, NFT_TCP, NFT_ACCEPT (read)
#######################################
bitcoin() {
  local port
  for port in "${BITCOIN[@]}"; do
    # Prefix and verdict are multi-word strings expanded unquoted on purpose.
    $NFT_TCP "$port" $NFT_ACCEPT
  done
}
#######################################
# Allow SERVER_IP to reach the LND ports over TCP.
# Globals:   LND, SERVER_IP, NFT (read)
#######################################
lnd() {
  local port
  for port in "${LND[@]}"; do
    $NFT add rule ip filter input ip saddr "$SERVER_IP" tcp dport "$port" accept
  done
}
#######################################
# Allow SERVER_IP to reach the SYNCTHING ports over TCP.
# Globals:   SYNCTHING, SERVER_IP, NFT (read)
#######################################
syncthingServer() {
  local port
  for port in "${SYNCTHING[@]}"; do
    $NFT add rule ip filter input ip saddr "$SERVER_IP" tcp dport "$port" accept
  done
}
#######################################
# Open the SYNCTHING ports to everyone (TCP+UDP, v4+v6).
# Globals:   SYNCTHING, NFT_TCP, NFT_UDP, NFT6_TCP, NFT6_UDP, NFT_ACCEPT (read)
#######################################
syncthing() {
  local port prefix
  for port in "${SYNCTHING[@]}"; do
    # Prefixes and verdict are multi-word strings expanded unquoted on purpose.
    for prefix in "$NFT_TCP" "$NFT_UDP" "$NFT6_TCP" "$NFT6_UDP"; do
      $prefix "$port" $NFT_ACCEPT
    done
  done
}
#######################################
# Open the JELLYFIN ports (TCP+UDP, v4+v6).
# Globals:   JELLYFIN, NFT_TCP, NFT_UDP, NFT6_TCP, NFT6_UDP, NFT_ACCEPT (read)
#######################################
jellyfin() {
  local port prefix
  for port in "${JELLYFIN[@]}"; do
    # Prefixes and verdict are multi-word strings expanded unquoted on purpose.
    for prefix in "$NFT_TCP" "$NFT_UDP" "$NFT6_TCP" "$NFT6_UDP"; do
      $prefix "$port" $NFT_ACCEPT
    done
  done
}
#######################################
# Open the KDE Connect port range over IPv4 TCP and UDP.
# Globals:   NFT_TCP, NFT_UDP, NFT_ACCEPT (read)
#######################################
kde-connect() {
  local -r port_range='1714-1764'
  local prefix
  # Prefixes and verdict are multi-word strings expanded unquoted on purpose.
  for prefix in "$NFT_TCP" "$NFT_UDP"; do
    $prefix "$port_range" $NFT_ACCEPT
  done
}
#######################################
# Open the NFS ports over IPv4 TCP and UDP.
# Globals:   NFS, NFT_TCP, NFT_UDP, NFT_ACCEPT (read)
#######################################
nfs() {
  local port prefix
  for port in "${NFS[@]}"; do
    # Prefixes and verdict are multi-word strings expanded unquoted on purpose.
    for prefix in "$NFT_TCP" "$NFT_UDP"; do
      $prefix "$port" $NFT_ACCEPT
    done
  done
}
#######################################
# Accept all input from the MACHINES addresses.
# Globals:   MACHINES, NFT, NFT_ACCEPT (read)
#######################################
trust() {
  local host
  for host in "${MACHINES[@]}"; do
    # The verdict is a multi-word string expanded unquoted on purpose.
    $NFT add rule filter input ip saddr "$host" $NFT_ACCEPT
  done
}
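#######################################
# Build the ruleset from scratch. Hosts whose name contains "nas" get the full
# service and attacker set; any other host gets virtualization + baseline only.
# Globals:   NFT, NFT_CACHE, NFT_ACCEPT, HOSTNAME (read)
#######################################
start() {
  $NFT flush ruleset
  # Restoring the saved ruleset is disabled for now; the distro template is loaded instead.
  # if [ -f "$RULE_SET" ]; then
  #   echo
  #   echo "Importing Existing Rule Set"
  #   $NFT -f $RULE_SET
  # else
  #   echo
  #   echo "No existing Rules saved"
  echo "Importing Existing Rule Set"
  $NFT -f /usr/share/nftables/ipv4-filter.nft
  # fi
  # The snapshot taken at script start predates the flush above. Refresh it, or
  # saved-attackers/watch would see the flushed drop rules as still present and
  # skip re-adding them.
  $NFT list table filter > "$NFT_CACHE"
  if [[ $HOSTNAME == *"nas"* ]]; then
    attacker-protection
    wireguard
    web
    admin
    adguard
    dns
    cups
    syncthingServer
    syncthing
    #blockCountry
    jellyfin
    wireguard-networking
    uptimeKuma
    docker restart uptime-kuma
    $NFT insert rule filter input iif docker0 $NFT_ACCEPT
    # Last: appends the log-and-drop catch-all behind every accept above.
    basic-security
  else
    virtualization
    basic-security
  fi
}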
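#######################################
# Print a one-minute traffic summary and the addresses watch() has blocked.
# Globals:   DATE, STATS, GET, POST, PUT, CRAWL (written); NGINX_ACCESS, MY_IP,
#            CRAWLER_DB, ATTACK_THRESHOLD, NFT (read);
#            BLOCKED_TMP (optional override of /tmp/tmp-blocked.txt)
#######################################
status() {
  local blocked="${BLOCKED_TMP:-/tmp/tmp-blocked.txt}"
  DATE="$(date +%d/%b/%Y:%H:%M -d '1 min ago' )"
  # Filter the log once and count from the captured lines instead of rescanning
  # the file for every metric. -F: the date and MY_IP are literals, not regexes.
  local filtered
  filtered=$(grep -F -- "$DATE" "$NGINX_ACCESS" | grep -viF -- "$MY_IP")
  # printf '%s' on an empty capture feeds grep nothing, so the count is 0 (a
  # here-string would count one blank line).
  STATS=$(printf '%s' "$filtered" | grep -c '')
  GET=$(printf '%s' "$filtered" | grep -c GET)
  POST=$(printf '%s' "$filtered" | grep -c POST)
  PUT=$(printf '%s' "$filtered" | grep -ci PUT)
  CRAWL=$(printf '%s' "$filtered" | grep -Eic -f "$CRAWLER_DB")
  echo "=================================================================="
  echo "Attack Threshold: $ATTACK_THRESHOLD"
  echo "Firewall Rules: $($NFT list table filter | wc -l)"
  echo
  echo "Traffic Last Minute: $STATS"
  echo " GET: $GET"
  echo " PUT: $PUT"
  echo " POST: $POST"
  echo " Crawlers: $CRAWL"
  echo
  echo "Blocked IP's:"
  # No block list yet is not an error.
  [[ -r $blocked ]] && cat -- "$blocked"
  echo "=================================================================="
}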
#######################################
# Save the live ruleset to RULE_SET, then replace it with an accept-everything
# baseline (ping, loopback, established flows and neighbour discovery included).
# Globals:   RULE_SET, NFT, NFT_ACCEPT (read)
#######################################
stop() {
  forgive
  $NFT -s list ruleset | tee "$RULE_SET"
  $NFT flush ruleset
  $NFT -f /usr/share/nftables/ipv4-filter.nft
  $NFT add rule filter input icmp type echo-request $NFT_ACCEPT
  # "nft rule ..." is accepted shorthand for "nft add rule ...".
  local chain
  for chain in input output forward; do
    $NFT rule filter "$chain" $NFT_ACCEPT
  done
  $NFT insert rule filter input ct state established $NFT_ACCEPT
  $NFT insert rule filter input iif lo $NFT_ACCEPT
  $NFT -f /usr/share/nftables/ipv6-filter.nft
  local icmp_type
  for icmp_type in nd-neighbor-solicit nd-router-advert; do
    $NFT add rule ip6 filter input icmpv6 type "$icmp_type" $NFT_ACCEPT
  done
}
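#######################################
# Remove the drop rules for every address watch() recorded in the blocked-list
# file, then empty that file.
# Globals:   MY_IP, NFT (read); BLOCKED_TMP (optional override of /tmp/tmp-blocked.txt)
# Outputs:   progress and the delete commands to stdout
#######################################
forgive() {
  local blocked="${BLOCKED_TMP:-/tmp/tmp-blocked.txt}"
  local -a addrs=() handles=()
  local addr handle
  # Blank lines are dropped here (the old word-splitting did the same implicitly).
  mapfile -t addrs < <(grep -viF -- "$MY_IP" "$blocked" 2>/dev/null | grep -v '^[[:space:]]*$')
  printf '%s\n' "${addrs[@]}"
  for addr in "${addrs[@]}"; do
    echo "Checking $addr"
    # File-derived token handed to a privileged command: require a dotted quad.
    if [[ ! $addr =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
      printf 'Skipping non-IPv4 entry %q\n' "$addr" >&2
      continue
    fi
    # Whole-word literal match: a rule for 1.2.3.45 must not be taken for 1.2.3.4's
    # (the old substring/regex grep could delete the wrong rule). One handle per
    # matching rule; delete them one at a time instead of passing a multi-line
    # value as a single argument.
    mapfile -t handles < <($NFT -n -a list ruleset | grep -wF -- "$addr" | grep handle \
      | cut -d '#' -f2 | cut -d ' ' -f3)
    for handle in "${handles[@]}"; do
      [[ $handle =~ ^[0-9]+$ ]] || continue
      echo "Removing: $addr"
      echo "$NFT" delete rule ip filter input handle "$handle"
      $NFT delete rule ip filter input handle "$handle"
    done
  done
  : > "$blocked"
}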
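#######################################
# Re-apply drop rules for every address recorded in ATTACKER_LOG that the
# NFT_CACHE snapshot does not already contain.
# Globals:   ATTACKER_LOG, MY_IP, NFT_CACHE, NFT, NFT_DROP (read)
# Outputs:   progress to stdout (and syslog via logger), skipped entries to stderr
#######################################
saved-attackers() {
  echo
  local -a addrs=()
  local addr
  # -F: MY_IP is a literal, not a regex.
  mapfile -t addrs < <(grep -viF -- "$MY_IP" "$ATTACKER_LOG" | cut -d ' ' -f1 | sort -u)
  for addr in "${addrs[@]}"; do
    [[ -n $addr ]] || continue
    # File-derived token handed to a privileged command: require a dotted quad.
    if [[ ! $addr =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
      printf 'Skipping non-IPv4 entry %q\n' "$addr" >&2
      continue
    fi
    # Whole-word literal match: a rule for 1.2.3.45 must not make 1.2.3.4 look
    # "already blocked" (the old substring test left such addresses unblocked).
    if grep -qwF -- "$addr" "$NFT_CACHE"; then
      echo
      echo "Skipping Duplicate IP $addr"
      echo
    else
      echo "Blocking IP: $addr"
      logger "Blocking IP: $addr"
      $NFT add rule ip filter input ip saddr "$addr" $NFT_DROP
    fi
  done
}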
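#######################################
# Count requests per client address in the last minute of NGINX_ACCESS and drop
# any address above ATTACK_THRESHOLD that the NFT_CACHE snapshot does not hold.
# Globals:   DATE (written); NGINX_ACCESS, SAFE_TRAFFIC, MY_IP, NFT_CACHE,
#            ATTACK_THRESHOLD, NFT, NFT_DROP (read);
#            BLOCKED_TMP (optional override of /tmp/tmp-blocked.txt)
# Outputs:   "<addr> <count>" per address and progress to stdout
#######################################
watch() {
  local blocked="${BLOCKED_TMP:-/tmp/tmp-blocked.txt}"
  DATE="$(date +%d/%b/%Y:%H:%M -d '1 min ago' )"
  echo "Scanning $DATE"
  echo
  local -a addrs=()
  local addr count
  # -F: the date and MY_IP are literals, not regexes.
  mapfile -t addrs < <(grep -F -- "$DATE" "$NGINX_ACCESS" | grep -Evi -f "$SAFE_TRAFFIC" \
    | grep -viF -- "$MY_IP" | cut -d ' ' -f1 | sort -u)
  for addr in "${addrs[@]}"; do
    [[ -n $addr ]] || continue
    # Whole-word literal count so 1.2.3.4 is not charged with 1.2.3.45's requests
    # (the old substring count could push an innocent address over the threshold).
    count=$(grep -F -- "$DATE" "$NGINX_ACCESS" | grep -cwF -- "$addr")
    echo "$addr $count"
    if grep -qwF -- "$addr" "$NFT_CACHE"; then
      echo
      echo "Skipping Duplicate IP $addr"
      echo
      continue
    fi
    if (( count > ATTACK_THRESHOLD )); then
      # Log-derived token handed to a privileged command: require a dotted quad.
      if [[ ! $addr =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
        printf 'Skipping non-IPv4 address %q\n' "$addr" >&2
        continue
      fi
      echo "Blocking IP: $addr"
      logger "Blocking IP: $addr"
      echo "$addr" >> "$blocked"
      $NFT add rule ip filter input ip saddr "$addr" $NFT_DROP
    fi
  done
}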
# Command-line entry point: the first argument selects the action.
# NOTE(review): "saved" calls saved-bots, which is not defined in this file (the
# nearest function is saved-attackers) — confirm the intended target.
case "$1" in
  start) start ;;
  virt) virtualization ;;
  bot-search) bot-search ;;
  attacker-protection) attacker-protection ;;
  country) blockCountry ;;
  status) status ;;
  forgive) forgive ;;
  watch) watch ;;
  stop) stop ;;
  saved) saved-bots ;;
  *) echo "Invalid Choice" ;;
esac