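#!/bin/bash
#
# Host firewall builder on top of nftables, plus log-driven blocklists.
#
# Usage: firewall.sh start|stop|status|virt|fediblock|bot-search|attacker-protection|country|saved
#   start               flush the ruleset and rebuild it (service set depends on $HOSTNAME)
#   stop                flush the ruleset and leave everything accepted (firewall OFF)
#   status              list the filter and nat tables (unused counters hidden)
#   virt                reset the libvirt bridge and allow it through the input chain
#   fediblock           block IPs of fediverse instances listed by fba.ryona.agency
#   bot-search          block crawler IPs found in the nginx access log
#   attacker-protection run the pedo/attacker log scans and block + report hits
#   country             block every prefix in the configured ipdeny zone files
#   saved               re-feed the saved bot and attacker lists into nftables
#
# Must run as root (nft, sysctl, ip, systemctl). Needs: nft, curl, toot, noscl,
# and the pattern files under /opt/firewall (one regex per line).
#
# Change log relative to the previous version of this script:
#   - rules built from lists are now sent to nft as ONE atomic batch (`nft -f -`)
#     instead of one backgrounded `nft add rule … &` per address;
#   - every list entry is validated as IPv4 addr/prefix before it reaches nft;
#   - the own-IP exclusion uses fixed-string grep and is skipped when the lookup fails
#     (an empty pattern in `grep -v` used to filter out EVERY log line);
#   - scratch files live in a private mktemp directory instead of fixed /tmp names;
#   - the noscl private key is read from a root-only file instead of this script;
#   - basic-security: the `$NFS add rule …` line (typo, expanded to "2049 add …")
#     was a no-op and is gone; attacker-search: the `$DATE` alternative was
#     single-quoted and never matched — it now does.

set -u -o pipefail

#### HELPERS ####

msg() { printf '%s\n' "$*"; }
warn() { printf '%s\n' "$*" >&2; }
die() { warn "$@"; exit 1; }

# Unquoted on purpose when used with =~ (bash treats a quoted RHS literally).
readonly IPV4_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
readonly IPV4_CIDR_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'

(( EUID == 0 )) || die "this script must run as root"

# Private scratch area; replaces the predictable /tmp/*.txt names that a local
# user could pre-create or symlink while this runs as root.
WORK_DIR=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${WORK_DIR:?}"; }
trap cleanup EXIT

#### NETWORK / SERVICE CONFIG ####

# Public address of this host, used only to keep our own requests out of the
# log scans. Fetched over TLS and validated; on failure it is left empty and the
# exclusion step becomes a no-op (previously an empty value made `grep -v ''`
# discard every line, silently disabling all scans).
MY_IP=$(curl -fsS --max-time 10 https://ifconfig.me 2>/dev/null || true)
if [[ ! "$MY_IP" =~ $IPV4_RE ]]; then
  warn "could not determine own public IPv4 (got '${MY_IP}'); own-IP exclusion disabled"
  MY_IP=''
fi

SERVER_IP='192.168.0.55'
NGINX_ACCESS="/var/log/nginx/access.log"
WIREGUARD=(57692 853)
WEB=(80 443)
ADGUARD=(3000 8082 67)
UPTIME=(4001)
DNS=(53 67 68)
CUPS=(631 5353)
BITCOIN=(8333 8332 8334 4050)
LND=(10009 9735 8080 28334 28333 19998 29000)
SYNCTHING=(22000 8384 21027)
NFS=(2049 111)
JELLYFIN=(8096 7359)
MACHINES=(127.0.0.1)
VIRT_BRIDGE="virbr0"
ADMIN=(22)

#### NFT CONFIG ####
NFT='/usr/sbin/nft'
NFT_DROP='counter drop'
NFT_ACCEPT='counter accept'

#### BLOCKLIST FILES ####
# Each *_DB file is a grep -E pattern file, one pattern per line. A blank line in
# any of them matches EVERY request, so keep them free of empty lines.
SAVED_BOTS='/opt/firewall/bots.txt'
CRAWLER_DB='/opt/firewall/crawlers.txt'
PEDO_DB='/opt/firewall/pedo.txt'
PEDO_LOG='/opt/firewall/pedo-log.txt'
fediblock_DB='/opt/firewall/fediblock.txt'
ATTACKER_DB='/opt/firewall/attacker-db.txt'
ATTACKER_LOG='/opt/firewall/attackers.txt'
BOT_ACCOUNT="blockbot@detroitriotcity.com"

# Log lines are matched on "YYYY:HH:" of the previous hour (nginx's
# "[dd/Mon/YYYY:HH:MM:SS" timestamp contains exactly that substring).
DATE="$(date +%Y:%H: -d "1 hour ago")"
#DATE="$(date +%Y:%H:)";

COUNTRY=(
  https://www.ipdeny.com/ipblocks/data/countries/il.zone
  https://www.ipdeny.com/ipblocks/data/countries/cn.zone
)

#### NOSTR ####
# The noscl private key used to be a hex literal in this file. Anything committed
# in plaintext must be treated as exposed: rotate it and store the replacement in
# NOSCL_KEY_FILE (root-only, mode 0600). The path is a suggestion — adjust as needed.
NOSCL_KEY_FILE='/opt/firewall/noscl.key'

#######################################
# Load the noscl private key from NOSCL_KEY_FILE, if present.
# The key still travels through argv (noscl offers no stdin option), so it is
# briefly visible in `ps`; keep the file itself root-only.
#######################################
configure_noscl() {
  if [[ -r "$NOSCL_KEY_FILE" ]]; then
    noscl setprivate "$(<"$NOSCL_KEY_FILE")"
  else
    warn "noscl key file $NOSCL_KEY_FILE not readable; skipping noscl setprivate"
  fi
}

#######################################
# Filter: drop nginx access-log lines that originate from our own public IP.
# Reads stdin, writes stdout. Fixed-string match; no-op when MY_IP is unknown.
#######################################
exclude_self() {
  if [[ -n "$MY_IP" ]]; then
    grep -vF -- "$MY_IP"
  else
    cat
  fi
}

#######################################
# Filter: nginx access-log lines on stdin -> sorted, unique client addresses.
# The client address is the first whitespace-delimited field of the default
# nginx log format (the old `cut -d '-' -f1` left a trailing blank on it).
#######################################
client_ips() {
  awk 'NF { print $1 }' | sort -u
}

#######################################
# Read one IPv4 address or prefix per line from stdin and append an
# "ip saddr X counter drop" rule to ip filter input for each, as a single
# atomic nft transaction. Entries that are not IPv4 (IPv6, hostnames, junk
# from a log line) are skipped with a warning instead of being handed to nft.
# Whitespace (including CR from CRLF downloads) is stripped first.
#######################################
nft_drop_batch() {
  local entry
  {
    while IFS= read -r entry || [[ -n "$entry" ]]; do
      entry=${entry//[[:space:]]/}
      [[ -n "$entry" ]] || continue
      if [[ "$entry" =~ $IPV4_CIDR_RE ]]; then
        printf 'add rule ip filter input ip saddr %s %s\n' "$entry" "$NFT_DROP"
      else
        warn "skipping non-IPv4 entry: $entry"
      fi
    done
  } | "$NFT" -f -
}

#######################################
# Merge the addresses in $1 into the persistent list $2 (sorted, unique).
# Arguments: $1 - file with new entries (may be /dev/null to just re-sort $2)
#            $2 - persistent list file; created if missing so a missing DB can
#                 never make `sort` fail and truncate the DB to nothing.
#######################################
merge_into_db() {
  local new=$1 db=$2
  local merged="$WORK_DIR/merge.tmp"
  [[ -e "$db" ]] || : > "$db"
  if sort -u -- "$new" "$db" > "$merged"; then
    cp -f -- "$merged" "$db"
  else
    warn "merge into $db failed; DB left untouched"
  fi
}

# Accept PROTO traffic to PORT from anywhere.       allow_port tcp 443
allow_port() { "$NFT" add rule ip filter input "$1" dport "$2" $NFT_ACCEPT; }
# Accept PROTO traffic to PORT only from SERVER_IP. allow_from_server tcp 4001
# (no counter, as in the original rules)
allow_from_server() { "$NFT" add rule ip filter input ip saddr "$SERVER_IP" "$1" dport "$2" accept; }

#### BLOCKLISTS ####

#######################################
# Download each ipdeny zone file in COUNTRY and drop every prefix in it.
# A failed download blocks nothing (previously an error page would have been
# word-split and fed to nft line by line).
#######################################
blockCountry() {
  local url zone="$WORK_DIR/zone.txt"
  for url in "${COUNTRY[@]}"; do
    msg
    msg "Blocking $url"
    if ! curl -fsS --max-time 60 "$url" > "$zone"; then
      warn "download failed for $url; nothing blocked"
      continue
    fi
    nft_drop_batch < "$zone"
  done
}

#######################################
# NAT between wg0 and enp11s0 and allow the WireGuard subnet in.
# NOTE(review): `add chain nat postrouting` creates a regular chain with no
# hook (a base chain needs `{ type nat hook postrouting priority 100; }`), so
# these nat rules do not appear to be evaluated by the kernel — confirm with
# `nft list table nat`. The masquerade rule also carries no match, i.e. it would
# apply to ALL post-routing traffic once hooked. Left as in the original.
#######################################
wireguard-networking() {
  "$NFT" add table nat
  "$NFT" add chain nat postrouting
  "$NFT" add rule nat postrouting oif wg0 iif enp11s0
  "$NFT" add rule nat postrouting oif enp11s0 iif wg0
  "$NFT" add rule nat postrouting masquerade
  "$NFT" add rule filter forward iifname wg0 oif enp11s0 $NFT_ACCEPT
  "$NFT" add rule filter forward iifname enp11s0 oif wg0 $NFT_ACCEPT
  "$NFT" add rule ip filter input ip saddr 192.168.5.0/24 $NFT_ACCEPT
}

# Run both log-driven scans.
attacker-protection() {
  pedo-search
  attacker-search
}

#######################################
# Block instances that fba.ryona.agency reports as blocking $1.
# Arguments: $1 - our domain to query for
#            $2 - grep -E pattern of hostnames to leave out (our own instance)
# Steps: fetch the hostname list, find access-log lines from those hosts that
# hit a mastodon inbox (pleroma/akkoma excluded), persist their client IPs in
# fediblock_DB and feed the whole DB to nft.
#######################################
fediblock_for_domain() {
  local domain=$1 exclude_re=$2
  local blocked="$WORK_DIR/blocked.txt" new_ips="$WORK_DIR/fediblock.tmp"
  local matches

  # The remote list is used as grep FIXED strings (-F), not regexes: the data
  # is third-party controlled and hostnames need no regex semantics.
  curl -fsS --max-time 30 "https://fba.ryona.agency/?domain=$domain" \
    | grep https | grep -i href | cut -d '"' -f2 \
    | grep -Evi "$exclude_re" | sed 's/https:\/\///g' \
    | grep -v '^[[:space:]]*$' > "$blocked"
  if [[ ! -s "$blocked" ]]; then
    warn "no blocked-instance list fetched for $domain; skipping"
    return 0
  fi

  matches=$(exclude_self < "$NGINX_ACCESS" | grep -Fi -f "$blocked" \
    | grep -i mastodon | grep -i inbox | grep -Evi 'akkoma|pleroma' || true)
  # The original printed the matching lines for review; keep that.
  [[ -n "$matches" ]] && printf '%s\n' "$matches"

  msg
  msg "Scanning Nginx for new fediblock IP's ...."
  msg
  printf '%s\n' "$matches" | client_ips > "$new_ips"

  msg "Saving fediblock list to $fediblock_DB....."
  merge_into_db "$new_ips" "$fediblock_DB"

  msg
  msg "Feeding $fediblock_DB into NFT....."
  msg
  nft_drop_batch < "$fediblock_DB"
}

fediblock() {
  fediblock_for_domain detroitriotcity.com 'breastmilk|detroit'
  fediblock_for_domain poster.place 'breastmilk|poster'
}

#######################################
# Re-feed SAVED_BOTS and ATTACKER_LOG into nft (e.g. after a flush).
# SAVED_BOTS is re-sorted/de-duplicated on the way, which is all the old
# tmp-file round trip amounted to.
#######################################
saved-bots() {
  msg
  msg "Feeding $SAVED_BOTS into NFT....."
  msg
  if [[ -r "$SAVED_BOTS" ]]; then
    nft_drop_batch < "$SAVED_BOTS"
  else
    warn "$SAVED_BOTS not readable"
  fi
  msg "Saving Bot list to $SAVED_BOTS....."
  merge_into_db /dev/null "$SAVED_BOTS"

  msg
  msg "Feeding $ATTACKER_LOG into NFT....."
  msg
  if [[ -r "$ATTACKER_LOG" ]]; then
    nft_drop_batch < "$ATTACKER_LOG"
  else
    warn "$ATTACKER_LOG not readable"
  fi
}

#######################################
# Block clients whose requests match CRAWLER_DB (minus a few allowed words)
# and remember them in SAVED_BOTS.
#######################################
bot-search() {
  local new_ips="$WORK_DIR/crawlers.txt"
  msg
  msg "Processing Web Crawler list into NFT....."
  msg
  exclude_self < "$NGINX_ACCESS" \
    | grep -Evi 'Guro|spank|report|rape|block' \
    | grep -Ei -f "$CRAWLER_DB" \
    | client_ips > "$new_ips"
  nft_drop_batch < "$new_ips"
  merge_into_db "$new_ips" "$SAVED_BOTS"
}

#######################################
# Block clients that ran tag/search requests matching PEDO_DB in the last
# hour, log them to PEDO_LOG and announce the request line (which is
# attacker-controlled text from the access log) via noscl/toot.
#######################################
pedo-search() {
  local ip query hits="$WORK_DIR/pedo.txt"
  msg
  msg "Processing Pedo Searches into NFT....."
  grep -i -- "$DATE" "$NGINX_ACCESS" | exclude_self \
    | grep -Ei -f "$PEDO_DB" | grep -Ei 'tag|search' \
    | client_ips > "$hits"
  nft_drop_batch < "$hits"

  while IFS= read -r ip; do
    [[ -n "$ip" ]] || continue
    # Exact-substring match on the address (-F); with plain grep the dots
    # matched any character.
    query=$(grep -i -- "$DATE" "$NGINX_ACCESS" | exclude_self \
      | grep -Ei 'tag|search' | grep -Evi -f "$CRAWLER_DB" \
      | grep -Evi 'packs|media|akkoma|timeline|favicon|announcements|notifications|accounts|pleroma|mutes|emoji|static|images|oauth' \
      | grep -F -- "$ip" | grep -Ei -f "$PEDO_DB" | head -1)
    if [[ -z "$query" ]]; then
      msg "No Pedos Found"
      continue
    fi
    msg "Found Pedo!"
    if [[ "$query" == *"detroit"* ]]; then
      noscl publish --profile=33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 "$query"
      toot activate "$BOT_ACCOUNT"
      toot post ":emergency: :hacker_p: :hacker_e: :hacker_d: :hacker_o: :trans: :hacker_a: :hacker_l: :hacker_e: :hacker_r: :hacker_t: :emergency2: $query" -m /root/detroit/akkoma/blockbot/pedo.png
    else
      toot activate "logbot@poster.place"
      toot post "$query @verita84_2024" -m /root/detroit/akkoma/blockbot/pedo.png
    fi
    printf '%s\n' "$ip" >> "$PEDO_LOG"
  done < "$hits"
}

#######################################
# Block clients whose requests match ATTACKER_DB, log them to ATTACKER_LOG
# and announce the request line via toot.
# The original selected lines with '127.0.0.1|"$DATE"' in single quotes, so the
# second alternative was the literal text "$DATE" and never matched; lines from
# the last hour are now included as evidently intended. Lines whose client
# field is 127.0.0.1 still yield a drop rule for 127.0.0.1 (harmless after
# `iif lo accept` is inserted, but worth knowing).
#######################################
attacker-search() {
  local ip query hits="$WORK_DIR/attackers.txt"
  msg
  msg "Processing Attacker Searches into NFT....."
  msg
  grep -Ei -- "127\.0\.0\.1|$DATE" "$NGINX_ACCESS" | exclude_self \
    | grep -Ei -f "$ATTACKER_DB" | client_ips > "$hits"
  nft_drop_batch < "$hits"

  while IFS= read -r ip; do
    [[ -n "$ip" ]] || continue
    query=$(grep -i -- "$DATE" "$NGINX_ACCESS" | exclude_self \
      | grep -F -- "$ip" | grep -Ei -f "$ATTACKER_DB" | head -1)
    if [[ -z "$query" ]]; then
      msg "No Attackers Found"
      continue
    fi
    msg "Found Attacker!"
    toot activate "logbot@poster.place"
    toot post "[Attacker Alert] $query @verita84_2024"
    printf '%s\n' "$ip" >> "$ATTACKER_LOG"
  done < "$hits"
}

#### BASE POLICY ####

#######################################
# Terminal rules for the input chain plus the ip6 table. Call LAST, after all
# accept rules, because the log+drop is appended to the end of the chain.
# - `ct state established` does not include `related`; assumed intentional.
# - forward is accept-all here; wireguard() enables ip forwarding system-wide.
# - NOTE(review): the ip6 filter table gets no terminal drop. If this host has
#   IPv6 connectivity, everything not neighbour-solicit/router-advert is
#   accepted on IPv6 (the ND drops do make the host mostly unreachable over
#   IPv6) — confirm that is the intent or add `ip6 filter input counter drop`.
#######################################
basic-security() {
  "$NFT" add rule filter input icmp type echo-request $NFT_DROP
  # A former `$NFS add rule filter input log` line expanded to "2049 add rule …"
  # (NFS is an array) and never ran; it is dropped rather than "fixed", since
  # the next rule already logs every packet that reaches the end of the chain.
  "$NFT" rule filter input log $NFT_DROP
  "$NFT" rule filter output $NFT_ACCEPT
  "$NFT" rule filter forward $NFT_ACCEPT
  "$NFT" insert rule filter input ct state established $NFT_ACCEPT
  "$NFT" insert rule filter input iif lo $NFT_ACCEPT
  "$NFT" -f /usr/share/nftables/ipv6-filter.nft
  "$NFT" add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_DROP
  "$NFT" add rule ip6 filter input icmpv6 type nd-router-advert $NFT_DROP
}

#######################################
# Recreate the libvirt default network and allow its bridge in.
# Restarts pleroma as well, as the original did.
#######################################
virtualization() {
  ip link del "$VIRT_BRIDGE"
  killall dnsmasq
  /usr/bin/systemctl restart libvirtd
  /usr/bin/virsh net-start default
  /usr/bin/systemctl restart pleroma
  "$NFT" insert rule filter input iif "$VIRT_BRIDGE" $NFT_ACCEPT
}

#### SERVICES (one function per service; ports from the arrays above) ####

uptimeKuma() {
  local p
  for p in "${UPTIME[@]}"; do allow_from_server tcp "$p"; done
}

admin() {
  local p
  for p in "${ADMIN[@]}"; do allow_port tcp "$p"; done
}

# Also turns on IPv4 forwarding for the whole host.
wireguard() {
  local p
  sysctl -w net.ipv4.conf.all.forwarding=1
  for p in "${WIREGUARD[@]}"; do
    allow_port tcp "$p"
    allow_port udp "$p"
  done
}

web() {
  local p
  for p in "${WEB[@]}"; do allow_port tcp "$p"; done
}

dns() {
  local p
  for p in "${DNS[@]}"; do
    allow_port tcp "$p"
    allow_port udp "$p"
  done
}

# AdGuard ports are only reachable from SERVER_IP; the world-open variant is
# kept commented out as in the original.
adguard() {
  local p
  for p in "${ADGUARD[@]}"; do
    allow_from_server tcp "$p"
    allow_from_server udp "$p"
    # allow_port tcp "$p"
    # allow_port udp "$p"
  done
}

cups() {
  local p
  for p in "${CUPS[@]}"; do
    allow_port tcp "$p"
    allow_port udp "$p"
  done
}

bitcoin() {
  local p
  for p in "${BITCOIN[@]}"; do allow_port tcp "$p"; done
}

lnd() {
  local p
  for p in "${LND[@]}"; do allow_from_server tcp "$p"; done
}

syncthingServer() {
  local p
  for p in "${SYNCTHING[@]}"; do allow_from_server tcp "$p"; done
}

syncthing() {
  local p
  for p in "${SYNCTHING[@]}"; do
    allow_port tcp "$p"
    allow_port udp "$p"
  done
}

jellyfin() {
  local p
  for p in "${JELLYFIN[@]}"; do
    allow_port tcp "$p"
    allow_port udp "$p"
  done
}

kde-connect() {
  allow_port tcp 1714-1764
  allow_port udp 1714-1764
}

nfs() {
  local p
  for p in "${NFS[@]}"; do
    allow_port tcp "$p"
    allow_port udp "$p"
  done
}

# Accept everything from the hosts in MACHINES.
trust() {
  local h
  for h in "${MACHINES[@]}"; do
    "$NFT" add rule filter input ip saddr "$h" $NFT_ACCEPT
  done
}

#### COMMANDS ####

#######################################
# Rebuild the whole ruleset. Between `flush ruleset` and basic-security the
# input chain carries whatever policy the distribution's ipv4-filter.nft sets
# (typically accept), so the host is briefly unfiltered while the lists load.
#######################################
start() {
  "$NFT" flush ruleset
  "$NFT" -f /usr/share/nftables/ipv4-filter.nft
  if [[ "$HOSTNAME" == *"nas"* ]]; then
    attacker-protection
    bot-search
    saved-bots
    #fediblock
    wireguard
    web
    admin
    adguard
    dns
    cups
    syncthingServer
    #syncthing
    blockCountry
    jellyfin
    wireguard-networking
    uptimeKuma
    docker restart uptime-kuma
    "$NFT" insert rule filter input iif docker0 $NFT_ACCEPT
    basic-security
  else
    virtualization
    basic-security
  fi
}

status() {
  "$NFT" list table filter | grep -v "0 bytes 0 drop"
  "$NFT" list table nat
}

# Firewall OFF: every chain ends in accept.
stop() {
  "$NFT" flush ruleset
  "$NFT" -f /usr/share/nftables/ipv4-filter.nft
  "$NFT" add rule filter input icmp type echo-request $NFT_ACCEPT
  "$NFT" rule filter input $NFT_ACCEPT
  "$NFT" rule filter output $NFT_ACCEPT
  "$NFT" rule filter forward $NFT_ACCEPT
  "$NFT" insert rule filter input ct state established $NFT_ACCEPT
  "$NFT" insert rule filter input iif lo $NFT_ACCEPT
  "$NFT" -f /usr/share/nftables/ipv6-filter.nft
  "$NFT" add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_ACCEPT
  "$NFT" add rule ip6 filter input icmpv6 type nd-router-advert $NFT_ACCEPT
}

usage() {
  printf 'Usage: %s start|stop|status|virt|fediblock|bot-search|attacker-protection|country|saved\n' "${0##*/}" >&2
}

configure_noscl

case "${1:-}" in
  start) start ;;
  virt) virtualization ;;
  fediblock) fediblock ;;
  bot-search) bot-search ;;
  attacker-protection) attacker-protection ;;
  country) blockCountry ;;
  status) status ;;
  stop) stop ;;
  saved) saved-bots ;;
  *)
    warn "Invalid Choice"
    usage
    exit 2
    ;;
esac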