firewall/firewall2.sh
Your Name 3564165f53 fix
2024-09-01 22:35:47 -06:00

414 lines
11 KiB
Bash

#!/bin/bash
MY_IP=$(curl ifconfig.me)
SERVER_IP='192.168.0.55'
NGINX_ACCESS="/var/log/nginx/access.log"
WIREGUARD=(57692 853)
WEB=(80 443)
ADGUARD=(3000 8082 67)
UPTIME=(4001)
DNS=(53 67 68)
CUPS=(631 5353)
BITCOIN=(8333 8332 8334 4050)
LND=(10009 9735 8080 28334 28333 19998 29000)
SYNCTHING=(22000 8384 21027)
NFS=(2049 111)
JELLYFIN=(8096 7359)
MACHINES=(127.0.0.1)
VIRT_BRIDGE="virbr0"
ADMIN=(22)
#### NFT CONFIG ####
NFT='/usr/sbin/nft'
NFT_TCP="$NFT add rule ip filter input tcp dport"
NFT_UDP="$NFT add rule ip filter input udp dport"
NFT_DROP='counter drop'
NFT_ACCEPT='counter accept'
NFT='/usr/sbin/nft'
####
SAVED_BOTS='/opt/firewall/bots.txt'
CRAWLER_DB='/opt/firewall/crawlers.txt'
PEDO_DB='/opt/firewall/pedo.txt'
PEDO_LOG='/opt/firewall/pedo-log.txt'
fediblock_DB='/opt/firewall/fediblock.txt'
fediblock_TMP='/tmp/fediblock.tmp'
ATTACKER_DB='/opt/firewall/attacker-db.txt'
ATTACKER_LOG='/opt/firewall/attackers.txt'
BOT_ACCOUNT="blockbot@detroitriotcity.com"
CRAWLER_TMP='/tmp/crawlers.txt'
DATE="$(date +%Y:%H: -d "1 hour ago")"
#DATE="$(date +%Y:%H:)";
COUNTRY=(
https://www.ipdeny.com/ipblocks/data/countries/il.zone
https://www.ipdeny.com/ipblocks/data/countries/cn.zone
)
noscl setprivate 80ec76355ba0a72cef69d427bfc8c7dc8a7d015b2b8c07657b46ba1f972b6f35
blockCountry() {
for i in "${COUNTRY[@]}"; do
echo
echo "Blocking $i"
DB=( $(curl $i) )
for j in "${DB[@]}"; do
$NFT add rule ip filter input ip saddr $j $NFT_DROP&
done
done
}
wireguard-networking() {
$NFT add table nat
$NFT add chain nat postrouting
$NFT add rule nat postrouting oif wg0 iif enp11s0
$NFT add rule nat postrouting oif enp11s0 iif wg0
$NFT add rule nat postrouting masquerade
$NFT add rule filter forward iifname wg0 oif enp11s0 $NFT_ACCEPT
$NFT add rule filter forward iifname enp11s0 oif wg0 $NFT_ACCEPT
$NFT add rule ip filter input ip saddr 192.168.5.0/24 $NFT_ACCEPT
}
attacker-protection() {
pedo-search
attacker-search
}
fediblock(){
BLOCKED_INSTANCES=( $( curl https://fba.ryona.agency/?domain=detroitriotcity.com | grep https | grep -i href | cut -d '"' -f2 | grep -Evi 'breastmilk|detroit' | sed 's/https:\/\///g' > /tmp/blocked.txt) )
fediblock_IP=($(cat $NGINX_ACCESS | grep -Ei -f /tmp/blocked.txt | grep -vi $MY_IP | grep -i mastodon | grep -i inbox | grep -Evi 'akkoma|pleroma' | cut -d '-' -f1 | sort -u) )
cat $NGINX_ACCESS | grep -Ei -f /tmp/blocked.txt | grep -vi $MY_IP | grep -i mastodon | grep -i inbox | grep -Evi 'akkoma|pleroma'
echo
echo "Scanning Nginx for new fediblock IP's ...."
echo
for i in "${fediblock_IP[@]}"; do
echo $i >> $fediblock_TMP
done
echo "Saving fediblock list to $fediblock_DB....."
cat $fediblock_TMP $fediblock_DB | sort -u > /tmp/masto.tmp
cp -f /tmp/masto.tmp $fediblock_DB
rm -f $fediblock_TMP
rm -f /tmp/masto.tmp
BOT_LOG=($(cat $fediblock_DB | sort -u))
echo
echo "Feeding $fediblock_DB into NFT....."
echo
for i in "${BOT_LOG[@]}"; do
$NFT add rule ip filter input ip saddr $i $NFT_DROP&
done
BLOCKED_INSTANCES=( $( curl https://fba.ryona.agency/?domain=poster.place | grep https | grep -i href | cut -d '"' -f2 | grep -Evi 'breastmilk|poster' | sed 's/https:\/\///g' > /tmp/blocked.txt) )
fediblock_IP=($(cat $NGINX_ACCESS | grep -Ei -f /tmp/blocked.txt | grep -vi $MY_IP | grep -i mastodon | grep -i inbox | grep -Evi 'akkoma|pleroma' | cut -d '-' -f1 | sort -u) )
cat $NGINX_ACCESS | grep -Ei -f /tmp/blocked.txt | grep -vi $MY_IP | grep -i mastodon | grep -i inbox | grep -Evi 'akkoma|pleroma'
echo
echo "Scanning Nginx for new fediblock IP's ...."
echo
for i in "${fediblock_IP[@]}"; do
echo $i >> $fediblock_TMP
done
echo "Saving fediblock list to $fediblock_DB....."
cat $fediblock_TMP $fediblock_DB | sort -u > /tmp/masto.tmp
cp -f /tmp/masto.tmp $fediblock_DB
rm -f $fediblock_TMP
rm -f /tmp/masto.tmp
BOT_LOG=($(cat $fediblock_DB | sort -u))
echo
echo "Feeding $fediblock_DB into NFT....."
echo
for i in "${BOT_LOG[@]}"; do
$NFT add rule ip filter input ip saddr $i $NFT_DROP&
done
}
saved-bots(){
BOT_LOG=($(cat $SAVED_BOTS | sort -u))
echo
echo "Feeding $SAVED_BOTS into NFT....."
echo
for i in "${BOT_LOG[@]}"; do
$NFT add rule ip filter input ip saddr $i $NFT_DROP&
echo $i >>$CRAWLER_TMP
done
echo "Saving Bot list to $SAVED_BOTS....."
cat $CRAWLER_TMP $SAVED_BOTS | sort -u >/tmp/bot.tmp
cp -f /tmp/bot.tmp $SAVED_BOTS
rm -f /tmp/bot.tmp
BOT_LOG=($(cat $ATTACKER_LOG | sort -u))
echo
echo "Feeding $ATTACKER_LOG into NFT....."
echo
for i in "${BOT_LOG[@]}"; do
$NFT add rule ip filter input ip saddr $i $NFT_DROP&
done
}
bot-search() {
CRAWLERS=($(cat $NGINX_ACCESS | grep -vEi $MY_IP | grep -Evi 'Guro|spank|report|rape|block' | grep -Ei -f $CRAWLER_DB | cut -d "-" -f1 | sort -u))
echo >$CRAWLER_TMP
echo
echo "Processing Web Crawler list into NFT....."
echo
for i in "${CRAWLERS[@]}"; do
$NFT add rule ip filter input ip saddr $i $NFT_DROP&
echo $i >>$CRAWLER_TMP
done
cat $CRAWLER_TMP $SAVED_BOTS | sort -u >/tmp/bot.tmp
cp -f /tmp/bot.tmp $SAVED_BOTS
rm -f /tmp/bot.tmp
}
pedo-search() {
echo
echo "Processing Pedo Searches into NFT....."
PEDO_SEARCH=($(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei -f $PEDO_DB | grep -Ei 'tag|search' | cut -d "-" -f1 | sort -u))
for i in "${PEDO_SEARCH[@]}"; do
$NFT add rule ip filter input ip saddr $i $NFT_DROP&
QUERY=$(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep -Ei 'tag|search' | grep -Evi -f $CRAWLER_DB | grep -Evi 'packs|media|akkoma|timeline|favicon|announcements|notifications|accounts|pleroma|mutes|emoji|static|images|oauth' | grep $i | grep -Ei -f $PEDO_DB | head -1)
if [ -z "$QUERY" ]; then
echo "No Pedos Found"
else
echo "Found Pedo!"
if [[ "$QUERY" == *"detroit"* ]]; then
noscl publish --profile=33c74427f3b2b73d5e38f3e6c991c122a55d204072356f71da49a0e209fb6940 "$QUERY"
toot activate $BOT_ACCOUNT
toot post ":emergency: :hacker_p: :hacker_e: :hacker_d: :hacker_o: :trans: :hacker_a: :hacker_l: :hacker_e: :hacker_r: :hacker_t: :emergency2: $QUERY" -m /root/detroit/akkoma/blockbot/pedo.png
else
toot activate "logbot@poster.place"
toot post "$QUERY @verita84_2024" -m /root/detroit/akkoma/blockbot/pedo.png
fi
echo $i >>$PEDO_LOG
fi
done
}
attacker-search() {
echo
echo "Processing Attacker Searches into NFT....."
echo
ATTACKER_SEARCH=($(cat $NGINX_ACCESS | grep -Ei '127.0.0.1|"$DATE"' | grep -vi $MY_IP | grep -Ei -f $ATTACKER_DB | cut -d "-" -f1 | sort -u))
for i in "${ATTACKER_SEARCH[@]}"; do
$NFT add rule ip filter input ip saddr $i $NFT_DROP&
QUERY=$(cat $NGINX_ACCESS | grep -i "$DATE" | grep -vi $MY_IP | grep $i | grep -Ei -f $ATTACKER_DB | head -1)
if [ -z "$QUERY" ]; then
echo "No Attackers Found"
else
echo "Found Attacker!"
toot activate "logbot@poster.place"
toot post "[Attacker Alert] $QUERY @verita84_2024"
echo $i >>$ATTACKER_LOG
fi
done
}
basic-security() {
$NFT add rule filter input icmp type echo-request $NFT_DROP
$NFS add rule filter input log
$NFT rule filter input log $NFT_DROP
$NFT rule filter output $NFT_ACCEPT
$NFT rule filter forward $NFT_ACCEPT
$NFT insert rule filter input ct state established $NFT_ACCEPT
$NFT insert rule filter input iif lo $NFT_ACCEPT
$NFT -f /usr/share/nftables/ipv6-filter.nft
$NFT add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_DROP
$NFT add rule ip6 filter input icmpv6 type nd-router-advert $NFT_DROP
}
virtualization() {
ip link del virbr0
killall dnsmasq
/usr/bin/systemctl restart libvirtd
/usr/bin/virsh net-start default
/usr/bin/systemctl restart pleroma
$NFT insert rule filter input iif $VIRT_BRIDGE $NFT_ACCEPT
}
uptimeKuma() {
for i in "${UPTIME[@]}"; do
$NFT add rule ip filter input ip saddr $SERVER_IP tcp dport $i accept
done
}
admin() {
for i in "${ADMIN[@]}"; do
$NFT_TCP $i $NFT_ACCEPT
done
}
wireguard() {
sysctl -w net.ipv4.conf.all.forwarding=1
for i in "${WIREGUARD[@]}"; do
$NFT_TCP $i $NFT_ACCEPT
$NFT_UDP $i $NFT_ACCEPT
done
}
web() {
for i in "${WEB[@]}"; do
$NFT_TCP $i $NFT_ACCEPT
done
}
dns(){
for i in "${DNS[@]}"; do
$NFT_TCP $i $NFT_ACCEPT
$NFT_UDP $i $NFT_ACCEPT
done
}
adguard() {
for i in "${ADGUARD[@]}"; do
$NFT add rule ip filter input ip saddr $SERVER_IP tcp dport $i accept
$NFT add rule ip filter input ip saddr $SERVER_IP udp dport $i accept
# $NFT_TCP $i $NFT_ACCEPT
# $NFT_UDP $i $NFT_ACCEPT
done
}
cups() {
for i in "${CUPS[@]}"; do
$NFT_TCP $i $NFT_ACCEPT
$NFT_UDP $i $NFT_ACCEPT
done
}
bitcoin() {
for i in "${BITCOIN[@]}"; do
$NFT_TCP $i $NFT_ACCEPT
done
}
lnd() {
for i in "${LND[@]}"; do
$NFT add rule ip filter input ip saddr $SERVER_IP tcp dport $i accept
done
}
syncthingServer() {
for i in "${SYNCTHING[@]}"; do
$NFT add rule ip filter input ip saddr $SERVER_IP tcp dport $i accept
done
}
syncthing() {
for i in "${SYNCTHING[@]}"; do
$NFT_TCP $i $NFT_ACCEPT
$NFT_UDP $i $NFT_ACCEPT
done
}
jellyfin() {
for i in "${JELLYFIN[@]}"; do
$NFT_TCP $i $NFT_ACCEPT
$NFT_UDP $i $NFT_ACCEPT
done
}
kde-connect() {
$NFT_TCP 1714-1764 $NFT_ACCEPT
$NFT_UDP 1714-1764 $NFT_ACCEPT
}
nfs() {
for i in "${NFS[@]}"; do
$NFT_TCP $i $NFT_ACCEPT
$NFT_UDP $i $NFT_ACCEPT
done
}
trust() {
for i in "${MACHINES[@]}"; do
$NFT add rule filter input ip saddr $i $NFT_ACCEPT
done
}
start() {
$NFT flush ruleset
$NFT -f /usr/share/nftables/ipv4-filter.nft
if [[ $HOSTNAME == *"nas"* ]]; then
attacker-protection
bot-search
saved-bots
#fediblock
wireguard
web
admin
adguard
dns
cups
syncthingServer
syncthing
blockCountry
jellyfin
wireguard-networking
uptimeKuma
docker restart uptime-kuma
$NFT insert rule filter input iif docker0 $NFT_ACCEPT
basic-security
else
{
virtualization
}
basic-security
fi
}
status() {
$NFT list table filter | grep -v "0 bytes 0 drop"
$NFT list table nat
}
stop() {
$NFT flush ruleset
$NFT -f /usr/share/nftables/ipv4-filter.nft
$NFT add rule filter input icmp type echo-request $NFT_ACCEPT
$NFT rule filter input $NFT_ACCEPT
$NFT rule filter output $NFT_ACCEPT
$NFT rule filter forward $NFT_ACCEPT
$NFT insert rule filter input ct state established $NFT_ACCEPT
$NFT insert rule filter input iif lo $NFT_ACCEPT
$NFT -f /usr/share/nftables/ipv6-filter.nft
$NFT add rule ip6 filter input icmpv6 type nd-neighbor-solicit $NFT_ACCEPT
$NFT add rule ip6 filter input icmpv6 type nd-router-advert $NFT_ACCEPT
}
if [ "$1" = "start" ]; then
start
elif [ "$1" = "virt" ]; then
virtualization
elif [ "$1" = "fediblock" ]; then
fediblock
elif [ "$1" = "bot-search" ]; then
bot-search
elif [ "$1" = "attacker-protection" ]; then
attacker-protection
elif [ "$1" = "country" ]; then
blockCountry
elif [ "$1" = "status" ]; then
status
elif [ "$1" = "stop" ]; then
stop
elif [ "$1" = "saved" ]; then
saved-bots
else
echo "Invalid Choice"
fi