├── README.md ├── blacklist-domains.txt ├── iblocklist-loader-v2.sh ├── iblocklist-loader.sh ├── whitelist-cidrs.txt └── whitelist-domains.txt /README.md: -------------------------------------------------------------------------------- 1 | # iblocklist-loader 2 | Generic script to create ipset lists from the free lists available from iblocklist.com, with optional whitelisting by domain 3 | 4 | For ASUSWRT, place this in `/jffs/scripts` and make it executable. This script can be called from `/jffs/scripts/firewall-start` or can be scheduled to run periodically via cron 5 | 6 | For PCs and other routers with ipset, this should work as well. I've tested it on a CentOS machine 7 | -------------------------------------------------------------------------------- /blacklist-domains.txt: -------------------------------------------------------------------------------- 1 | # This file contains the blacklisted domains used by iblocklist-loader (referenced by the BLACKLIST_DOMAINS_FILE= setting) 2 | # The IPv4 addresses for the domains in this file are added to an ipset list called [BlacklistDomains], and then 3 | # an iptables DROP/REJECT rule is created by iblocklist-loader. These domains are processed right after the 4 | # WHITELIST_DOMAINS_FILE entries. 5 | 6 | # Below are some telemetry and scanner hosts, taken from the sources indicated. 
7 | # You can add to this list any domains you'd like to explicitly block 8 | 9 | # Telemetry servers from http://cyberwarzone.com/block-these-ips-to-stop-microsoft-from-snooping-on-your-windows-10-device/ 10 | settings-sandbox.data.microsoft.com # Singapore 11 | statsfe1.ws.microsoft.com # United States 12 | fe2.update.microsoft.com.akadns.net # United States 13 | telemetry.appex.bing.net # United States 14 | cs1.wpc.v0cdn.net # United States 15 | redir.metaservices.microsoft.com # United States, CO, Englewood 16 | i1.services.social.microsoft.com # United States, MA, Cambridge 17 | sls.update.microsoft.com.akadns.net # United States, WA, Redmond 18 | diagnostics.support.microsoft.com # United States, WA, Redmond 19 | choice.microsoft.com # United States, WA, Redmond 20 | choice.microsoft.com.nsatc.net # United States, WA, Redmond 21 | pre.footprintpredict.com # United States, WA, Redmond 22 | watson.live.com # United States, WA, Redmond 23 | survey.watson.microsoft.com # United States, WA, Redmond 24 | vortex.data.microsoft.com # United States, WA, Redmond 25 | vortex-win.data.microsoft.com # United States, WA, Redmond 26 | vortex-sandbox.data.microsoft.com # United States, WA, Redmond 27 | watson.ppe.telemetry.microsoft.com # United States, WA, Redmond 28 | df.telemetry.microsoft.com # United States, WA, Redmond 29 | telemetry.microsoft.com # United States, WA, Redmond 30 | reports.wes.df.telemetry.microsoft.com # United States, WA, Redmond 31 | services.wes.df.telemetry.microsoft.com # United States, WA, Redmond 32 | urs.microsoft.com # United States, TX, San Antonio 33 | wes.df.telemetry.microsoft.com # United States, WA, Redmond 34 | sqm.df.telemetry.microsoft.com # United States, WA, Redmond 35 | statsfe2.ws.microsoft.com # United States, WA, Redmond 36 | statsfe2.update.microsoft.com.akadns.net # United States, WA, Redmond 37 | watson.telemetry.microsoft.com # United States, WA, Redmond 38 | watson.telemetry.microsoft.com.nsatc.net # United States, WA, 
Redmond 39 | oca.telemetry.microsoft.com # United States, WA, Redmond 40 | oca.telemetry.microsoft.com.nsatc.net # United States, WA, Redmond 41 | watson.microsoft.com # United States, WA, Redmond 42 | telecommand.telemetry.microsoft.com # United States, WA, Redmond 43 | telecommand.telemetry.microsoft.com.nsatc.net # United States, WA, Redmond 44 | sqm.telemetry.microsoft.com # United States, WA, Redmond 45 | sqm.telemetry.microsoft.com.nsatc.net # United States, WA, Redmond 46 | corpext.msitadfs.glbdns2.microsoft.com # United States, WA, Redmond 47 | corp.sts.microsoft.com # United States, WA, Redmond 48 | telemetry.urs.microsoft.com # United States, WA, Redmond 49 | 50 | # Shodan and project25499 scanners from http://wiki.ipfire.org/en/configuration/firewall/blockshodan 51 | shodan.io # US 52 | census1.shodan.io # US 53 | census2.shodan.io # US 54 | census3.shodan.io # US 55 | census4.shodan.io # NL 56 | census5.shodan.io # RO 57 | census6.shodan.io # US 58 | census7.shodan.io # US 59 | census8.shodan.io # US 60 | census9.shodan.io # US 61 | census10.shodan.io # IS 62 | census11.shodan.io # IS 63 | census12.shodan.io # US 64 | atlantic.census.shodan.io # DE 65 | pacific.census.shodan.io # DE 66 | rim.census.shodan.io # DE 67 | pirate.census.shodan.io # US 68 | ninja.census.shodan.io # US 69 | border.census.shodan.io # US 70 | burger.census.shodan.io # US 71 | atlantic.dns.shodan.io # US 72 | blog.shodan.io # US 73 | hello.data.shodan.io # US 74 | www.shodan.io # US 75 | scanner01.project25499.com # US 76 | scanner02.project25499.com # US 77 | scanner03.project25499.com # US 78 | scanner04.project25499.com # US 79 | scanner05.project25499.com # US 80 | 81 | # Ragentek Android OTA MITM Vulnerability from https://www.kb.cert.org/vuls/id/624539 82 | oyag.lhzbdvm.com 83 | oyag.prugskh.net 84 | oyag.prugskh.com 85 | -------------------------------------------------------------------------------- /iblocklist-loader-v2.sh: 
#!/bin/sh

# Generic iblocklist.com ipset loader for ipset v4 and v6 (Extended version with more lists and options)
# Author: redhat27, Version 1.2
# snbforums thread: https://www.snbforums.com/threads/iblocklist-com-generic-ipset-loader-for-ipset-v6-and-v4.37976/
# credits for v6 implementation: http://www.unix.com/shell-programming-and-scripting/233825-convert-ip-ranges-cidr-netblocks.html

# Available free lists from [https://www.iblocklist.com/lists] Format:
# Each List### entry is one whitespace-separated record that GetListDetails reads positionally with awk:
# $1 = list name, $2 = maintainer, $3 = download URL, $4 = traffic direction [src|dst|src,dst].
# Keep the name and maintainer free of spaces (a space would shift the fields), and keep the zero-padded
# three-digit numbering: the index given in BLOCKLIST_INDEXES / ALLOWLIST_INDEXES is padded to three digits
# and expanded via eval to find the matching List### variable.
# NOTE(review): every download URL below is plain http://, and the fetched data ends up as ipset/iptables
# rules, so an on-path party could alter a list in transit. Whether list.iblocklist.com serves https is not
# visible here — confirm, and switch the scheme if it does.
# -------List (General)---Maintainer---Download URL-------------------------------------------Traffic
List001="Pedophiles I-Blocklist http://list.iblocklist.com/?list=dufcxgnbjsdwmwctgfuj src"
List002="level1 Bluetack http://list.iblocklist.com/?list=ydxerpxkpcfqjaybcssw src"
List003="level2 Bluetack http://list.iblocklist.com/?list=gyisgnzbhppbvsphucsw src"
List004="level3 Bluetack http://list.iblocklist.com/?list=uwnukjqktoggdknzrhgh src"
List005="edu Bluetack http://list.iblocklist.com/?list=imlmncgrkbnacgcwfjvh src"
List006="rangetest Bluetack http://list.iblocklist.com/?list=plkehquoahljmyxjixpu src"
List007="bogon Bluetack http://list.iblocklist.com/?list=gihxqmhyunbxhbmgqrla src"
List008="ads Bluetack http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq src"
List009="spyware Bluetack http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf src"
List010="proxy Bluetack http://list.iblocklist.com/?list=xoebmbyexwuiogmbyprb src"
List011="badpeers Bluetack http://list.iblocklist.com/?list=cwworuawihqvocglcoss src"
List012="Microsoft Bluetack http://list.iblocklist.com/?list=xshktygkujudfnjfioro src"
List013="spider Bluetack http://list.iblocklist.com/?list=mcvxsnihddgutbjfbghy src"
List014="hijacked Bluetack http://list.iblocklist.com/?list=usrcshglbiilevmyfhse src"
List015="dshield Bluetack http://list.iblocklist.com/?list=xpbqleszmajjesnzddhv src"
List016="forumspam Bluetack http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye src"
List017="webexploit Bluetack http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag src"
List018="iana-reserved Bluetack http://list.iblocklist.com/?list=bcoepfyewziejvcqyhqo src"
List019="iana-private Bluetack http://list.iblocklist.com/?list=cslpybexmxyuacbyuvib src"
List020="iana-multicast Bluetack http://list.iblocklist.com/?list=pwqnlynprfgtjbgqoizj src"
List021="NonLanComputers Bluetack http://list.iblocklist.com/?list=jhaoawihmfxgnvmaqffp src"
List022="exclusions Bluetack http://list.iblocklist.com/?list=mtxmiireqmjzazcsoiem src"
List023="DROP Spamhaus http://list.iblocklist.com/?list=zbdlwrqkabxbcppvrnos src"
List024="ZeuS abuse http://list.iblocklist.com/?list=ynkdjqsjyfmilsgbogqf src"
List025="SpyEye abuse http://list.iblocklist.com/?list=zvjxsfuvdhoxktpeiokq src"
List026="Palevo abuse http://list.iblocklist.com/?list=erqajhwrxiuvjxqrrwfj src"
List027="Malicious CI-Army http://list.iblocklist.com/?list=npkuuhuxcsllnhoamkvm src"
List028="malc0de malc0de http://list.iblocklist.com/?list=pbqcylkejciyhmwttify src"
List029="adservers Yoyo http://list.iblocklist.com/?list=zhogegszwduurnvsyhdf src"
List030="bogon cidr-report http://list.iblocklist.com/?list=lujdnbasfaaixitgmxpp src"
List031="CruzITWebAttacks CruzIT http://list.iblocklist.com/?list=czvaehmjpsnwwttrdoyl src"
List032="Business-ISPs TBG http://list.iblocklist.com/?list=jcjfaxgyyshvdbceroxf src"
List033="Primary-Threats TBG http://list.iblocklist.com/?list=ijfqtofzixtwayqovmxn src"
List034="Hijacked TBG http://list.iblocklist.com/?list=tbnuqfclfkemqivekikv src"
List035="Bogon TBG http://list.iblocklist.com/?list=ewqglwibdgjttwttrinl src"
List036="Search-Engines TBG http://list.iblocklist.com/?list=pfefqteoxlfzopecdtyw src"
List037="Corporate-Ranges TBG http://list.iblocklist.com/?list=ecqbsykllnadihkdirsh src"
# -------List (Orgs)------Maintainer---Download URL-------------------------------------------Traffic
List038="TheOnionRouter I-Blocklist http://list.iblocklist.com/?list=togdoptykrlolpddwbvz src,dst"
List039="Apple I-Blocklist http://list.iblocklist.com/?list=aphcqvpxuqgrkgufjruj src,dst"
List040="LogMeIn I-Blocklist http://list.iblocklist.com/?list=tgbankumtwtrzllndbmb src,dst"
List041="Steam I-Blocklist http://list.iblocklist.com/?list=cnxkgiklecdaihzukrud src,dst"
List042="Xfire I-Blocklist http://list.iblocklist.com/?list=ppqqnyihmcrryraaqsjo src,dst"
List043="Blizzard I-Blocklist http://list.iblocklist.com/?list=ercbntshuthyykfkmhxc src,dst"
List044="Ubisoft I-Blocklist http://list.iblocklist.com/?list=etmcrglomupyxtaebzht src,dst"
List045="Nintendo I-Blocklist http://list.iblocklist.com/?list=pevkykuhgaegqyayzbnr src,dst"
List046="Activision I-Blocklist http://list.iblocklist.com/?list=gfnxlhxsijzrcuxwzebb src,dst"
List047="SonyOnlineEnt I-Blocklist http://list.iblocklist.com/?list=tukpvrvlubsputmkmiwg src,dst"
List048="CrowdCtrlPrds I-Blocklist http://list.iblocklist.com/?list=eveiyhgmusglurfmjyag src,dst"
List049="LindenLab I-Blocklist http://list.iblocklist.com/?list=qnjdimxnaupjmpqolxcv src,dst"
List050="ElectronicArts I-Blocklist http://list.iblocklist.com/?list=ejqebpcdmffinaetsvxj src,dst"
List051="SquareEnix I-Blocklist http://list.iblocklist.com/?list=odyaqontcydnodrlyina src,dst"
List052="NCsoft I-Blocklist http://list.iblocklist.com/?list=mwjuwmebrnzyyxpbezxu src,dst"
List053="RiotGames I-Blocklist http://list.iblocklist.com/?list=sdlvfabdjvrdttfjotcy src,dst"
List054="PunkBuster I-Blocklist http://list.iblocklist.com/?list=zvwwndvzulqcltsicwdg src,dst"
List055="Joost I-Blocklist http://list.iblocklist.com/?list=alxugfmeszbhpxqfdits src,dst"
List056="Pandora I-Blocklist http://list.iblocklist.com/?list=aevzidimyvwybzkletsg src,dst"
List057="ThePirateBay I-Blocklist http://list.iblocklist.com/?list=nzldzlpkgrcncdomnttb src,dst"
# -------List (ISP)-------Maintainer---Download URL [Note: Don't block your own ISP!]---------Traffic
List058="AOL I-Blocklist http://list.iblocklist.com/?list=toboaiysofkflwgrttmb src,dst"
List059="Comcast I-Blocklist http://list.iblocklist.com/?list=rsgyxvuklicibautguia src,dst"
List060="Cablevision I-Blocklist http://list.iblocklist.com/?list=dwwbsmzirrykdlvpqozb src,dst"
List061="Verizon I-Blocklist http://list.iblocklist.com/?list=cdmdbprvldivlqsaqjol src,dst"
List062="ATT I-Blocklist http://list.iblocklist.com/?list=grbtkzijgrowvobvessf src,dst"
List063="CoxComm I-Blocklist http://list.iblocklist.com/?list=nlgdvmvfxvoimdunmuju src,dst"
List064="TimeWarnerCble I-Blocklist http://list.iblocklist.com/?list=aqtsnttnqmcucwrjmohd src,dst"
List065="Charter I-Blocklist http://list.iblocklist.com/?list=htnzojgossawhpkbulqw src,dst"
List066="Embarq I-Blocklist http://list.iblocklist.com/?list=twdblifaysaqtypevvdp src,dst"
List067="Suddenlink I-Blocklist http://list.iblocklist.com/?list=psaoblrwylfrdsspfuiq src,dst"
List068="Sprint I-Blocklist http://list.iblocklist.com/?list=hngtqrhhuadlceqxbrob src,dst"
# -------List (Country)---Maintainer---Download URL-------------------------------------------Traffic
List069="Afghanistan I-Blocklist http://list.iblocklist.com/?list=af src,dst"
List070="Aland-Islands I-Blocklist http://list.iblocklist.com/?list=ax src,dst"
List071="Albania I-Blocklist http://list.iblocklist.com/?list=al src,dst"
List072="Algeria I-Blocklist http://list.iblocklist.com/?list=dz src,dst"
List073="American-Samoa I-Blocklist http://list.iblocklist.com/?list=as src,dst"
List074="Andorra I-Blocklist http://list.iblocklist.com/?list=ad src,dst"
List075="Angola I-Blocklist http://list.iblocklist.com/?list=ao src,dst"
List076="Anguilla I-Blocklist http://list.iblocklist.com/?list=ai src,dst"
List077="AntiguaBarbuda I-Blocklist http://list.iblocklist.com/?list=ag src,dst"
List078="Antilles I-Blocklist http://list.iblocklist.com/?list=an src,dst"
List079="Argentina I-Blocklist http://list.iblocklist.com/?list=ar src,dst"
List080="Armenia I-Blocklist http://list.iblocklist.com/?list=am src,dst"
List081="Aruba I-Blocklist http://list.iblocklist.com/?list=aw src,dst"
List082="Asia-Pas-Loc I-Blocklist http://list.iblocklist.com/?list=ap src,dst"
List083="Australia I-Blocklist http://list.iblocklist.com/?list=au src,dst"
List084="Austria I-Blocklist http://list.iblocklist.com/?list=at src,dst"
List085="Azerbaijan I-Blocklist http://list.iblocklist.com/?list=az src,dst"
List086="Bahamas I-Blocklist http://list.iblocklist.com/?list=bs src,dst"
List087="Bahrain I-Blocklist http://list.iblocklist.com/?list=bh src,dst"
List088="Bangladesh I-Blocklist http://list.iblocklist.com/?list=bd src,dst"
List089="Barbados I-Blocklist http://list.iblocklist.com/?list=bb src,dst"
List090="Belarus I-Blocklist http://list.iblocklist.com/?list=by src,dst"
List091="Belgium I-Blocklist http://list.iblocklist.com/?list=be src,dst"
List092="Belize I-Blocklist http://list.iblocklist.com/?list=bz src,dst"
List093="Benin I-Blocklist http://list.iblocklist.com/?list=bj src,dst"
List094="Bermuda I-Blocklist http://list.iblocklist.com/?list=bm src,dst"
List095="Bhutan I-Blocklist http://list.iblocklist.com/?list=bt src,dst"
List096="Bolivia I-Blocklist http://list.iblocklist.com/?list=bo src,dst"
List097="Bosnia I-Blocklist http://list.iblocklist.com/?list=ba src,dst"
List098="Botswana I-Blocklist http://list.iblocklist.com/?list=bw src,dst"
List099="Brazil I-Blocklist http://list.iblocklist.com/?list=br src,dst"
List100="Brunei I-Blocklist http://list.iblocklist.com/?list=bn src,dst"
List101="Bulgaria I-Blocklist http://list.iblocklist.com/?list=bg src,dst"
List102="Burkina-Faso I-Blocklist http://list.iblocklist.com/?list=bf src,dst"
List103="Burundi I-Blocklist http://list.iblocklist.com/?list=bi src,dst"
List104="Cambodia I-Blocklist http://list.iblocklist.com/?list=kh src,dst"
List105="Cameroon I-Blocklist http://list.iblocklist.com/?list=cm src,dst"
List106="Canada I-Blocklist http://list.iblocklist.com/?list=ca src,dst"
List107="Cape-Verde I-Blocklist http://list.iblocklist.com/?list=cv src,dst"
List108="Cayman-Islands I-Blocklist http://list.iblocklist.com/?list=ky src,dst"
List109="Chile I-Blocklist http://list.iblocklist.com/?list=cl src,dst"
List110="China I-Blocklist http://list.iblocklist.com/?list=cn src,dst"
List111="Colombia I-Blocklist http://list.iblocklist.com/?list=co src,dst"
List112="Congo I-Blocklist http://list.iblocklist.com/?list=cd src,dst"
List113="Congo I-Blocklist http://list.iblocklist.com/?list=cg src,dst"
List114="Cook-Islands I-Blocklist http://list.iblocklist.com/?list=ck src,dst"
List115="Costa-Rica I-Blocklist http://list.iblocklist.com/?list=cr src,dst"
List116="Cote-Divoire I-Blocklist http://list.iblocklist.com/?list=ci src,dst"
List117="Croatia I-Blocklist http://list.iblocklist.com/?list=hr src,dst"
List118="CtrlAfricanRep I-Blocklist http://list.iblocklist.com/?list=cf src,dst"
List119="Cuba I-Blocklist http://list.iblocklist.com/?list=cu src,dst"
List120="Cyprus I-Blocklist http://list.iblocklist.com/?list=cy src,dst"
List121="Czech-Republic I-Blocklist http://list.iblocklist.com/?list=cz src,dst"
List122="Denmark I-Blocklist http://list.iblocklist.com/?list=dk src,dst"
List123="Djibouti I-Blocklist http://list.iblocklist.com/?list=dj src,dst"
List124="DominicanRep I-Blocklist http://list.iblocklist.com/?list=do src,dst"
List125="Ecuador I-Blocklist http://list.iblocklist.com/?list=ec src,dst"
List126="Egypt I-Blocklist http://list.iblocklist.com/?list=eg src,dst"
List127="El-Salvador I-Blocklist http://list.iblocklist.com/?list=sv src,dst"
List128="Eqtrl-Guinea I-Blocklist http://list.iblocklist.com/?list=gq src,dst"
List129="Eritrea I-Blocklist http://list.iblocklist.com/?list=er src,dst"
List130="Estonia I-Blocklist http://list.iblocklist.com/?list=ee src,dst"
List131="Ethiopia I-Blocklist http://list.iblocklist.com/?list=et src,dst"
List132="European-Union I-Blocklist http://list.iblocklist.com/?list=eu src,dst"
List133="Faroe-Islands I-Blocklist http://list.iblocklist.com/?list=fo src,dst"
List134="Fiji I-Blocklist http://list.iblocklist.com/?list=fj src,dst"
List135="Finland I-Blocklist http://list.iblocklist.com/?list=fi src,dst"
List136="France I-Blocklist http://list.iblocklist.com/?list=fr src,dst"
List137="French-Guiana I-Blocklist http://list.iblocklist.com/?list=gf src,dst"
List138="Fr-Polynesia I-Blocklist http://list.iblocklist.com/?list=pf src,dst"
List139="Gabon I-Blocklist http://list.iblocklist.com/?list=ga src,dst"
List140="Gambia I-Blocklist http://list.iblocklist.com/?list=gm src,dst"
List141="Georgia I-Blocklist http://list.iblocklist.com/?list=ge src,dst"
List142="Germany I-Blocklist http://list.iblocklist.com/?list=de src,dst"
List143="Ghana I-Blocklist http://list.iblocklist.com/?list=gh src,dst"
List144="Gibraltar I-Blocklist http://list.iblocklist.com/?list=gi src,dst"
List145="Greece I-Blocklist http://list.iblocklist.com/?list=gr src,dst"
List146="Greenland I-Blocklist http://list.iblocklist.com/?list=gl src,dst"
List147="Grenada I-Blocklist http://list.iblocklist.com/?list=gd src,dst"
List148="Guadeloupe I-Blocklist http://list.iblocklist.com/?list=gp src,dst"
List149="Guam I-Blocklist http://list.iblocklist.com/?list=gu src,dst"
List150="Guatemala I-Blocklist http://list.iblocklist.com/?list=gt src,dst"
List151="Guernsey I-Blocklist http://list.iblocklist.com/?list=gg src,dst"
List152="Guinea-bissau I-Blocklist http://list.iblocklist.com/?list=gw src,dst"
List153="Guinea I-Blocklist http://list.iblocklist.com/?list=gn src,dst"
List154="Guyana I-Blocklist http://list.iblocklist.com/?list=gy src,dst"
List155="Haiti I-Blocklist http://list.iblocklist.com/?list=ht src,dst"
List156="Honduras I-Blocklist http://list.iblocklist.com/?list=hn src,dst"
List157="Hong-Kong I-Blocklist http://list.iblocklist.com/?list=hk src,dst"
List158="Hungary I-Blocklist http://list.iblocklist.com/?list=hu src,dst"
List159="Iceland I-Blocklist http://list.iblocklist.com/?list=is src,dst"
List160="India I-Blocklist http://list.iblocklist.com/?list=in src,dst"
List161="Indian-Ocean I-Blocklist http://list.iblocklist.com/?list=io src,dst"
List162="Indonesia I-Blocklist http://list.iblocklist.com/?list=id src,dst"
List163="Iran I-Blocklist http://list.iblocklist.com/?list=ir src,dst"
List164="Iraq I-Blocklist http://list.iblocklist.com/?list=iq src,dst"
List165="Ireland I-Blocklist http://list.iblocklist.com/?list=ie src,dst"
List166="Isle-of-Man I-Blocklist http://list.iblocklist.com/?list=im src,dst"
List167="Israel I-Blocklist http://list.iblocklist.com/?list=il src,dst"
List168="Italy I-Blocklist http://list.iblocklist.com/?list=it src,dst"
List169="Jamaica I-Blocklist http://list.iblocklist.com/?list=jm src,dst"
List170="Japan I-Blocklist http://list.iblocklist.com/?list=jp src,dst"
List171="Jersey I-Blocklist http://list.iblocklist.com/?list=je src,dst"
List172="Jordan I-Blocklist http://list.iblocklist.com/?list=jo src,dst"
List173="Kazakhstan I-Blocklist http://list.iblocklist.com/?list=kz src,dst"
List174="Kenya I-Blocklist http://list.iblocklist.com/?list=ke src,dst"
List175="Kiribati I-Blocklist http://list.iblocklist.com/?list=ki src,dst"
List176="Korea I-Blocklist http://list.iblocklist.com/?list=kp src,dst"
List177="Korea I-Blocklist http://list.iblocklist.com/?list=kr src,dst"
List178="Kuwait I-Blocklist http://list.iblocklist.com/?list=kw src,dst"
List179="Kyrgyzstan I-Blocklist http://list.iblocklist.com/?list=kg src,dst"
List180="Lao I-Blocklist http://list.iblocklist.com/?list=la src,dst"
List181="Latvia I-Blocklist http://list.iblocklist.com/?list=lv src,dst"
List182="Lebanon I-Blocklist http://list.iblocklist.com/?list=lb src,dst"
List183="Lesotho I-Blocklist http://list.iblocklist.com/?list=ls src,dst"
List184="Liberia I-Blocklist http://list.iblocklist.com/?list=lr src,dst"
List185="Libya I-Blocklist http://list.iblocklist.com/?list=ly src,dst"
List186="Liechtenstein I-Blocklist http://list.iblocklist.com/?list=li src,dst"
List187="Lithuania I-Blocklist http://list.iblocklist.com/?list=lt src,dst"
List188="Luxembourg I-Blocklist http://list.iblocklist.com/?list=lu src,dst"
List189="Macau I-Blocklist http://list.iblocklist.com/?list=mo src,dst"
List190="Macedonia I-Blocklist http://list.iblocklist.com/?list=mk src,dst"
List191="Madagascar I-Blocklist http://list.iblocklist.com/?list=mg src,dst"
List192="Malawi I-Blocklist http://list.iblocklist.com/?list=mw src,dst"
List193="Malaysia I-Blocklist http://list.iblocklist.com/?list=my src,dst"
List194="Maldives I-Blocklist http://list.iblocklist.com/?list=mv src,dst"
List195="Mali I-Blocklist http://list.iblocklist.com/?list=ml src,dst"
List196="Malta I-Blocklist http://list.iblocklist.com/?list=mt src,dst"
List197="Marshall-Ils I-Blocklist http://list.iblocklist.com/?list=mh src,dst"
List198="Mauritania I-Blocklist http://list.iblocklist.com/?list=mr src,dst"
List199="Mauritius I-Blocklist http://list.iblocklist.com/?list=mu src,dst"
List200="Mexico I-Blocklist http://list.iblocklist.com/?list=mx src,dst"
List201="Micronesia I-Blocklist http://list.iblocklist.com/?list=fm src,dst"
List202="MoldovaRep I-Blocklist http://list.iblocklist.com/?list=md src,dst"
List203="Monaco I-Blocklist http://list.iblocklist.com/?list=mc src,dst"
List204="Mongolia I-Blocklist http://list.iblocklist.com/?list=mn src,dst"
List205="Montenegro I-Blocklist http://list.iblocklist.com/?list=me src,dst"
List206="Montserrat I-Blocklist http://list.iblocklist.com/?list=ms src,dst"
List207="Morocco I-Blocklist http://list.iblocklist.com/?list=ma src,dst"
List208="Mozambique I-Blocklist http://list.iblocklist.com/?list=mz src,dst"
List209="Myanmar I-Blocklist http://list.iblocklist.com/?list=mm src,dst"
List210="Namibia I-Blocklist http://list.iblocklist.com/?list=na src,dst"
List211="Nauru I-Blocklist http://list.iblocklist.com/?list=nr src,dst"
List212="Nepal I-Blocklist http://list.iblocklist.com/?list=np src,dst"
List213="Netherlands I-Blocklist http://list.iblocklist.com/?list=nl src,dst"
List214="New-Caledonia I-Blocklist http://list.iblocklist.com/?list=nc src,dst"
List215="New-Zealand I-Blocklist http://list.iblocklist.com/?list=nz src,dst"
List216="Nicaragua I-Blocklist http://list.iblocklist.com/?list=ni src,dst"
List217="Nigeria I-Blocklist http://list.iblocklist.com/?list=ng src,dst"
List218="Niger I-Blocklist http://list.iblocklist.com/?list=ne src,dst"
List219="Niue I-Blocklist http://list.iblocklist.com/?list=nu src,dst"
List220="Norfolk-Island I-Blocklist http://list.iblocklist.com/?list=nf src,dst"
List221="Norway I-Blocklist http://list.iblocklist.com/?list=no src,dst"
List222="Nrth-Mariana I-Blocklist http://list.iblocklist.com/?list=mp src,dst"
List223="Oman I-Blocklist http://list.iblocklist.com/?list=om src,dst"
List224="Pakistan I-Blocklist http://list.iblocklist.com/?list=pk src,dst"
List225="Palau I-Blocklist http://list.iblocklist.com/?list=pw src,dst"
List226="PalestinianTty I-Blocklist http://list.iblocklist.com/?list=ps src,dst"
List227="Panama I-Blocklist http://list.iblocklist.com/?list=pa src,dst"
List228="PapuaNewGuinea I-Blocklist http://list.iblocklist.com/?list=pg src,dst"
List229="Paraguay I-Blocklist http://list.iblocklist.com/?list=py src,dst"
List230="Peru I-Blocklist http://list.iblocklist.com/?list=pe src,dst"
List231="Philippines I-Blocklist http://list.iblocklist.com/?list=ph src,dst"
List232="Poland I-Blocklist http://list.iblocklist.com/?list=pl src,dst"
List233="Portugal I-Blocklist http://list.iblocklist.com/?list=pt src,dst"
List234="Puerto-Rico I-Blocklist http://list.iblocklist.com/?list=pr src,dst"
List235="Qatar I-Blocklist http://list.iblocklist.com/?list=qa src,dst"
List236="Reunion I-Blocklist http://list.iblocklist.com/?list=re src,dst"
List237="Romania I-Blocklist http://list.iblocklist.com/?list=ro src,dst"
List238="Russia I-Blocklist http://list.iblocklist.com/?list=ru src,dst"
List239="Rwanda I-Blocklist http://list.iblocklist.com/?list=rw src,dst"
List240="Saint-Lucia I-Blocklist http://list.iblocklist.com/?list=lc src,dst"
List241="Saint-Martin I-Blocklist http://list.iblocklist.com/?list=mf src,dst"
List242="Saint-Vincent I-Blocklist http://list.iblocklist.com/?list=vc src,dst"
List243="Samoa I-Blocklist http://list.iblocklist.com/?list=ws src,dst"
List244="San-Marino I-Blocklist http://list.iblocklist.com/?list=sm src,dst"
List245="Saudi-Arabia I-Blocklist http://list.iblocklist.com/?list=sa src,dst"
List246="Senegal I-Blocklist http://list.iblocklist.com/?list=sn src,dst"
List247="Serbia I-Blocklist http://list.iblocklist.com/?list=rs src,dst"
List248="Seychelles I-Blocklist http://list.iblocklist.com/?list=sc src,dst"
List249="Sierra-Leone I-Blocklist http://list.iblocklist.com/?list=sl src,dst"
List250="Singapore I-Blocklist http://list.iblocklist.com/?list=sg src,dst"
List251="Slovakia I-Blocklist http://list.iblocklist.com/?list=sk src,dst"
List252="Slovenia I-Blocklist http://list.iblocklist.com/?list=si src,dst"
List253="SolomonIslands I-Blocklist http://list.iblocklist.com/?list=sb src,dst"
List254="South-Africa I-Blocklist http://list.iblocklist.com/?list=za src,dst"
List255="Spain I-Blocklist http://list.iblocklist.com/?list=es src,dst"
List256="Srb-Montenegro I-Blocklist http://list.iblocklist.com/?list=cs src,dst"
List257="Sri-Lanka I-Blocklist http://list.iblocklist.com/?list=lk src,dst"
List258="StKittsNevis I-Blocklist http://list.iblocklist.com/?list=kn src,dst"
List259="StPierreMiqln I-Blocklist http://list.iblocklist.com/?list=pm src,dst"
List260="Sudan I-Blocklist http://list.iblocklist.com/?list=sd src,dst"
List261="Suriname I-Blocklist http://list.iblocklist.com/?list=sr src,dst"
List262="Swaziland I-Blocklist http://list.iblocklist.com/?list=sz src,dst"
List263="Sweden I-Blocklist http://list.iblocklist.com/?list=se src,dst"
List264="Switzerland I-Blocklist http://list.iblocklist.com/?list=ch src,dst"
List265="SyrianArabRep I-Blocklist http://list.iblocklist.com/?list=sy src,dst"
List266="Taiwan I-Blocklist http://list.iblocklist.com/?list=tw src,dst"
List267="Tajikistan I-Blocklist http://list.iblocklist.com/?list=tj src,dst"
List268="Tanzania I-Blocklist http://list.iblocklist.com/?list=tz src,dst"
List269="Thailand I-Blocklist http://list.iblocklist.com/?list=th src,dst"
List270="Timor-leste I-Blocklist http://list.iblocklist.com/?list=tl src,dst"
List271="Togo I-Blocklist http://list.iblocklist.com/?list=tg src,dst"
List272="Tonga I-Blocklist http://list.iblocklist.com/?list=to src,dst"
List273="TrinidadTobago I-Blocklist http://list.iblocklist.com/?list=tt src,dst"
List274="Tunisia I-Blocklist http://list.iblocklist.com/?list=tn src,dst"
List275="Turkey I-Blocklist http://list.iblocklist.com/?list=tr src,dst"
List276="Turkmenistan I-Blocklist http://list.iblocklist.com/?list=tm src,dst"
List277="TurksCaicos I-Blocklist http://list.iblocklist.com/?list=tc src,dst"
List278="Tuvalu I-Blocklist http://list.iblocklist.com/?list=tv src,dst"
List279="UAE I-Blocklist http://list.iblocklist.com/?list=ae src,dst"
List280="Uganda I-Blocklist http://list.iblocklist.com/?list=ug src,dst"
List281="Ukraine I-Blocklist http://list.iblocklist.com/?list=ua src,dst"
List282="United-Kingdom I-Blocklist http://list.iblocklist.com/?list=gb src,dst"
List283="United-States I-Blocklist http://list.iblocklist.com/?list=us src,dst"
List284="Uruguay I-Blocklist http://list.iblocklist.com/?list=uy src,dst"
List285="Uzbekistan I-Blocklist http://list.iblocklist.com/?list=uz src,dst"
List286="Vanuatu I-Blocklist http://list.iblocklist.com/?list=vu src,dst"
List287="Vatican-City I-Blocklist http://list.iblocklist.com/?list=va src,dst"
List288="Venezuela I-Blocklist http://list.iblocklist.com/?list=ve src,dst"
List289="Vietnam I-Blocklist http://list.iblocklist.com/?list=vn src,dst"
List290="Virgin-Ils-BR I-Blocklist http://list.iblocklist.com/?list=vg src,dst"
List291="Virgin-Ils-US I-Blocklist http://list.iblocklist.com/?list=vi src,dst"
List292="WallisFutuna I-Blocklist http://list.iblocklist.com/?list=wf src,dst"
List293="Yemen I-Blocklist http://list.iblocklist.com/?list=ye src,dst"
List294="Zambia I-Blocklist http://list.iblocklist.com/?list=zm src,dst"
List295="Zimbabwe I-Blocklist http://list.iblocklist.com/?list=zw src,dst"

# Block traffic from any of the above lists
BLOCKLIST_INDEXES="13 15 17 10" # Can be any combination of above list indexes, e.g. "38 13", "1", "7 24 8 29 31" etc. [Example: PeerGuardian implementation would be "2 11"]
# Each index is zero-padded to three digits and expanded through eval by GetListDetails to reach the
# matching List### variable; no validation of the index is visible there, so keep this setting (and
# ALLOWLIST_INDEXES) to plain list numbers only.

# Allow traffic from any of the above lists [!]
# Allow rules are placed ahead of the block rules (steps [5] and [6] in the processing order below),
# so any range on an allowlisted list overrides every blocklisted list.
ALLOWLIST_INDEXES="" # Can be any combination of above list indexes, just like BLOCKLIST_INDEXES

# Your favorite domain blocked after your chosen blocklist(s) are active? You can (optionally) specify domains to whitelist in a local file
# NOTE(review): whitelist entries open holes in the firewall, so the whitelist files should be writable by root only.
WHITELIST_DOMAINS_FILE="/jffs/ipset_lists/whitelist-domains.txt" # One line per domain, comments (starting with the '#' character) allowed, even inline comments
WHITELIST_DOMAINS_TRAFFIC="src,dst" # [src|dst|src,dst] Use [src] to allow inbound traffic, [dst] to allow outbound traffic and [src,dst] to allow both traffic

# You can also force some domains to be blacklisted in a local file (optional)
# You can use the blacklist at [https://github.com/shounak-de/iblocklist-loader/blob/master/blacklist-domains.txt] as is
# to block Microsoft telemetry, Shodan and Project 25499 scanners, and then add your own (if needed)
BLACKLIST_DOMAINS_FILE="/jffs/ipset_lists/blacklist-domains.txt" # One line per domain, comments (starting with the '#' character) allowed, even inline comments
BLACKLIST_DOMAINS_TRAFFIC="src,dst" # [src|dst|src,dst] Use [src] to block inbound traffic, [dst] to block outbound traffic and [src,dst] to block both traffic

# You should always have a WHITELIST_CIDRS_FILE defined and present to stop the downloaded ipset data attempting to block your internal LAN IPs. You may *append* to this list (optional) to whitelist other CIDR ranges.
WHITELIST_CIDRS_FILE="/jffs/ipset_lists/whitelist-cidrs.txt" # One line per CIDR entry, comments (starting with the '#' character) allowed, even inline comments
WHITELIST_CIDRS_TRAFFIC="src,dst" # [src|dst|src,dst] Use [src] to allow inbound traffic, [dst] to allow outbound traffic and [src,dst] to allow both traffic

# You can also manually add some CIDR ranges to be blacklisted in a local file (optional)
BLACKLIST_CIDRS_FILE="/jffs/ipset_lists/blacklist-cidrs.txt" # One line per CIDR entry, comments (starting with the '#' character) allowed, even inline comments
BLACKLIST_CIDRS_TRAFFIC="src,dst" # [src|dst|src,dst] Use [src] to block inbound traffic, [dst] to block outbound traffic and [src,dst] to block both traffic

# Note: You can also control the inbound/outbound/both traffic for each of the lists: Just modify the [Traffic] column (the last one) in each list

################################## [[[ IMPORTANT ]]] ####################################
# Processing order of block list, allow list, whitelist domains and blacklist domains:  #
# Network traffic is filtered in this order in the iptables PREROUTING chain, raw table: #
# [1] Traffic to/from whitelisted domains in the WHITELIST_DOMAINS_FILE (if specified)  # <= Traffic will be allowed through the firewall
# [2] Traffic to/from blacklisted domains in the BLACKLIST_DOMAINS_FILE (if specified)  # <= Traffic will be blocked on the firewall
# [3] Traffic to/from whitelisted CIDRs in the WHITELIST_CIDRS_FILE (private IP ranges) # <= Traffic will be allowed through the firewall
# [4] Traffic to/from blacklisted CIDRs in the BLACKLIST_CIDRS_FILE (if specified)      # <= Traffic will be blocked on the firewall
# [5] Traffic to/from lists referenced in the ALLOWLIST_INDEXES (if specified)          # <= Traffic will be allowed through the firewall
# [6] Traffic to/from lists referenced in the BLOCKLIST_INDEXES (if specified)          # <=
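# Traffic will be blocked on the firewall
# [7] Your existing iptables PREROUTING rules (raw table).                             #
#########################################################################################

# Use locally cached ipset data or download on each run
USE_LOCAL_CACHE=Y # [Y|N]

# Re-download list data if locally saved files are older than this many days [Needed mostly for USE_LOCAL_CACHE=Y]
LISTS_SAVE_DAYS=10

# Use DROP or REJECT target for iptables block rule. Briefly, for DROP, attacker (or IP being blocked) will get no response and timeout,
# and REJECT will send immediate response of destination-unreachable (Attacker will know your IP is actively rejecting requests)
# See: http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject and http://serverfault.com/questions/157375/reject-vs-drop-when-using-iptables
# or from our own RMerlin: https://www.snbforums.com/threads/ip-tables-confusion.30373/#post-237738
# NOTE(review): iptables documents REJECT as valid only in the INPUT/FORWARD/OUTPUT chains, so it may be refused
# in the raw-table PREROUTING chain the rules below are inserted into; verify on your build before switching away from DROP.
IPTABLES_BLOCK_TARGET=DROP # [DROP|REJECT]

# Folder to cache downloaded files [Needed for USE_LOCAL_CACHE=Y or storing the file for posterity]
IPSET_LISTS_DIR=/jffs/ipset_lists

# *** No settings to modify from here on down ***
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p "$IPSET_LISTS_DIR"

# Seconds to wait for internet connectivity before falling back to the cached list files
ONLINE_WAIT_MAX=300

#######################################
# Resolve one List<NNN> entry into the globals the loader loops use.
# Arguments: $1 - list index as written in BLOCKLIST_INDEXES / ALLOWLIST_INDEXES (1 to 3 digits)
# Globals (written):
#   SetName    - ipset base name built as <Maintainer><Name>, both capitalised (e.g. "BluetackSpider")
#   Url        - download URL (3rd column of the List line)
#   Traffic    - iptables direction (4th column: src|dst|src,dst)
#   GetCommand - shell command that writes the gzipped list to stdout (cache file or live download)
# Globals (read): IPSET_LISTS_DIR, LISTS_SAVE_DAYS, USE_LOCAL_CACHE
# Returns: 0 on success; 1 (with the globals cleared) if the index is not numeric or no List<NNN> is defined
#######################################
GetListDetails () {
  i=$1
  # Indexes are zero-padded to three digits to match the List001..List295 variable names above
  [ ${#i} -eq 1 ] && i="00${i}"
  [ ${#i} -eq 2 ] && i="0${i}"
  # The index is spliced into a variable name with eval, so accept digits only:
  # a typo in the *_INDEXES settings must fail cleanly rather than be evaluated as shell text.
  case $i in
    ''|*[!0-9]*)
      Log "Invalid list index [$1]: ignoring"
      SetName=; Url=; Traffic=; GetCommand=
      return 1;;
  esac
  eval "ListLine=\$List${i}"
  if [ -z "$ListLine" ]; then
    Log "No list defined for index [$1]: ignoring"
    SetName=; Url=; Traffic=; GetCommand=
    return 1
  fi
  SetName=$(echo "$ListLine" | awk '{ print toupper(substr($2,1,1)) substr($2,2) toupper(substr($1,1,1)) substr($1,2) }')
  Url=$(echo "$ListLine" | awk '{ print $3 }')
  Traffic=$(echo "$ListLine" | awk '{ print $4 }')
  CacheFile="$IPSET_LISTS_DIR/${SetName}.gz"
  # Refresh the cached copy when it is missing/empty or older than LISTS_SAVE_DAYS.
  # Download to a side file first: "wget -O" truncates its target before the transfer, so a failed
  # download would otherwise replace the last good copy with an empty file, and the next load would
  # swap an EMPTY set into the firewall.
  if [ ! -s "$CacheFile" ] || [ -n "$(find "$CacheFile" -mtime +"$LISTS_SAVE_DAYS" -print 2>/dev/null)" ]; then
    if wget -q -O "${CacheFile}.tmp" "$Url" && [ -s "${CacheFile}.tmp" ]; then
      mv -f "${CacheFile}.tmp" "$CacheFile"
    else
      rm -f "${CacheFile}.tmp"
      Log "Download of ${SetName} from ${Url} failed: keeping the cached copy (if any)"
    fi
  fi
  # NOTE(review): the list URLs are plain http, so the downloaded ranges are not integrity-protected in transit.
  [ "$USE_LOCAL_CACHE" = "Y" ] && GetCommand="cat \"$CacheFile\"" || GetCommand="wget -q -O - \"${Url}\""
  return 0
}

# If the script is run from console, then print to console what it is doing at the moment (and also log to syslog)
# If run from cron, just write to syslog (no console output)
#######################################
# Log a progress message.
# Arguments: $1 - message text
# Outputs:   "<script name>: <message>" on stdout, only when stdout is a terminal
# Side effects: always writes the same line to syslog with tag "Firewall"
#######################################
Log () {
  Message="$1"
  LogLine="$(basename "$0"): $Message"
  # stdout is a tty => interactive run; cron has no tty
  [ -t 1 ] && echo "$LogLine"
  logger -t Firewall "$LogLine"
}

# Wait if this is run early on (before the router has internet connectivity) [Needed by wget to download files]
# "&>" is not POSIX: a #!/bin/sh without bash compatibility parses it as "&" (background) plus a bare redirect,
# so the loop condition would no longer reflect connectivity; ">/dev/null 2>&1" is the portable spelling.
# After ONLINE_WAIT_MAX seconds give up and fall back to the cached files; without the break an offline router
# stays in this loop forever (logging every second) instead of loading what it already has.
WaitSeconds=0
while ! ping -q -c 1 google.com >/dev/null 2>&1; do
  sleep 1
  WaitSeconds=$((WaitSeconds+1))
  if [ "$WaitSeconds" -gt "$ONLINE_WAIT_MAX" ]; then
    Log "Router not online: attempting to use cached files if they exist"
    USE_LOCAL_CACHE=Y
    break
  fi
done

# Different routers got different iptables and ipset syntax, also ipset v6.x did away with iptreemap.
# That resulted in a totally different way of parsing the large IP ranges, (hash:ip cannot handle large sets of sometimes 8M+ IPs)
# For ipset v6.x, the script converts IP ranges to CIDR. It creates 2 sets: One for single IPs, and one for CIDRs.
# For ipset v4.x, the original implementation of using iptreemap is retained.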
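# ipset v4.x (iptreemap) and v6.x (hash:ip/hash:net) have different command vocabularies; pick the matching
# one once here (MATCH_SET/CREATE/DESTROY/ADD/IPHASH/NETHASH) so the CIDR and domain sections below can reuse it.
case $(ipset -v | grep -o "v[4,6]") in
v6)
  # Loading ipset modules
  if ! lsmod | grep -q "xt_set"; then
    for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set; do
      modprobe "$module"
    done
  fi
  MATCH_SET='--match-set'; CREATE='create'; DESTROY='destroy'; ADD='add'; IPHASH='hash:ip'; NETHASH='hash:net'
  ipset destroy tIP 2>/dev/null; ipset destroy tNet 2>/dev/null # Recover if previous run aborted
  for processType in BLOCK ALLOW; do
    [ "$processType" = "BLOCK" ] && PROCESS_RULES_TARGET=$IPTABLES_BLOCK_TARGET || PROCESS_RULES_TARGET=ACCEPT
    eval "Indexes=\$${processType}LIST_INDEXES"
    for index in $Indexes; do
      # An index with no List<NNN> entry is skipped instead of producing sets/rules with an empty name
      GetListDetails "$index" || continue
      [ -n "$SetName" ] || continue
      # Create the sets if they do not exist ("ipset swap X X" is used as a cheap existence probe)
      if ipset swap "${SetName}Single" "${SetName}Single" 2>&1 | grep -q "name does not exist"; then
        ipset n "${SetName}Single" hash:ip hashsize 2048 maxelem 1048576
      fi
      if ipset swap "${SetName}CIDR" "${SetName}CIDR" 2>&1 | grep -q "name does not exist"; then
        ipset n "${SetName}CIDR" hash:net hashsize 4096 maxelem 4194304
      fi

      if ! iptables-save | grep -q -- "$SetName" || [ "$USE_LOCAL_CACHE" = "N" ]; then
        Log "Started processing ${SetName} $(echo "$processType" | tr '[A-Z]' '[a-z]')list"
        # The new data is built in scratch sets (tIP/tNet) and swapped in afterwards, so the live sets keep
        # filtering while the (possibly multi-million entry) list is being parsed.
        TmpFile=$(mktemp "/tmp/${SetName}.XXXXXX" 2>/dev/null) || TmpFile="/tmp/${SetName}.txt"
        ( printf 'n tIP -exist hash:ip hashsize 2048 maxelem 1048576\nn tNet -exist hash:net hashsize 4096 maxelem 4194304\n'
          # p2p lines are "Name:a.b.c.d-e.f.g.h"; drop the 0.0.0.0 placeholder entries and keep only the range
          eval "$GetCommand" | gunzip | sed -n '/0.0.0.0/d;s/^.*://p' | \
          nice -n 15 awk '
          # convert dotted quads to long decimal ip. Ex: int ip2dec("192.168.0.15")
          function ip2dec(ip, slice) {
            split(ip, slice, ".")
            return (slice[1] * 2^24) + (slice[2] * 2^16) + (slice[3] * 2^8) + slice[4]
          }
          # convert decimal long ip to dotted quads. Ex: str dec2ip(1171259392)
          function dec2ip(dec, ip, quad) {
            for (i=3; i>=1; i--) { quad = 256^i; ip = ip int(dec/quad) "."; dec = dec%quad }
            return ip dec
          }
          # convert ip ranges to CIDR notation. Ex: str range2cidr(ip2dec("192.168.0.15"), ip2dec("192.168.5.115"))
          # "result" is declared as a local (extra parameter) on purpose: the function recurses inside its own
          # concatenation, and awk does not define the evaluation order of concatenation operands, so a global
          # would be clobbered by the nested call.
          function range2cidr(ipStart, ipEnd, bits, mask, newip, result) {
            bits = 1; mask = 1
            while (bits < 32) {
              newip = or(ipStart, mask)
              if ((newip>ipEnd) || ((lshift(rshift(ipStart,bits),bits)) != ipStart)) { bits--; mask = rshift(mask,1); break }
              bits++; mask = lshift(mask,1)+1
            }
            newip = or(ipStart, mask); bits = 32 - bits
            # ipset cannot handle single IP via /32 [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583079]
            if (bits==32) return "add tIP " dec2ip(ipStart)
            else result = dec2ip(ipStart) "/" bits
            if (newip < ipEnd) result = result "\n" range2cidr(newip + 1, ipEnd)
            return "add tNet " result
          }
          BEGIN { FS="-" }
          $1==$2 { print "add tIP " $1 }
          $1!=$2 { print range2cidr(ip2dec($1), ip2dec($2)) }
          '
        ) > "$TmpFile"
        (grep " tIP " "$TmpFile"; echo "COMMIT") | nice -n 15 ipset restore
        (grep " tNet " "$TmpFile"; echo "COMMIT") | nice -n 15 ipset restore
        rm -f "$TmpFile"
        ipset swap tIP "${SetName}Single"
        ipset swap tNet "${SetName}CIDR"
        ipset destroy tIP; ipset destroy tNet
        Log "Loaded ${SetName}Single $(echo "$processType" | tr '[A-Z]' '[a-z]')list with $(ipset -L "${SetName}Single" | wc -l | awk '{print $1-7}') entries"
        Log "Loaded ${SetName}CIDR $(echo "$processType" | tr '[A-Z]' '[a-z]')list with $(ipset -L "${SetName}CIDR" | wc -l | awk '{print $1-7}') entries"
      else
        Log "Skipped loading ${SetName} $(echo "$processType" | tr '[A-Z]' '[a-z]')lists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N"
      fi
      # Remove the rules left by a previous run before inserting (stderr silenced: "-D" complains when there is
      # nothing to delete). Deleting in both branches keeps a forced reload (USE_LOCAL_CACHE=N) from stacking
      # another copy of the same rule in PREROUTING on every run.
      iptables -D PREROUTING -t raw -m set --match-set "${SetName}Single" "$Traffic" -j "$PROCESS_RULES_TARGET" 2>/dev/null
      iptables -D PREROUTING -t raw -m set --match-set "${SetName}CIDR" "$Traffic" -j "$PROCESS_RULES_TARGET" 2>/dev/null
      iptables -I PREROUTING -t raw -m set --match-set "${SetName}Single" "$Traffic" -j "$PROCESS_RULES_TARGET"
      iptables -I PREROUTING -t raw -m set --match-set "${SetName}CIDR" "$Traffic" -j "$PROCESS_RULES_TARGET"
    done
  done;;
v4)
  # Loading ipset modules
  if ! lsmod | grep -q "ipt_set"; then
    for module in ip_set ip_set_iptreemap ipt_set; do
      modprobe "$module"
    done
  fi
  MATCH_SET='--set'; CREATE='--create'; DESTROY='--destroy'; ADD='--add'; IPHASH='iphash'; NETHASH='nethash'
  ipset --destroy iBTmp 2>/dev/null # Recover if previous run aborted
  for processType in BLOCK ALLOW; do
    [ "$processType" = "BLOCK" ] && PROCESS_RULES_TARGET=$IPTABLES_BLOCK_TARGET || PROCESS_RULES_TARGET=ACCEPT
    eval "Indexes=\$${processType}LIST_INDEXES"
    for index in $Indexes; do
      GetListDetails "$index" || continue
      [ -n "$SetName" ] || continue
      # Create the set if it does not exist
      if ipset --swap "$SetName" "$SetName" 2>&1 | grep -q "Unknown set"; then
        ipset -N "$SetName" iptreemap
      fi

      if ! iptables-save | grep -q -- "$SetName" || [ "$USE_LOCAL_CACHE" = "N" ]; then
        Log "Started processing ${SetName} $(echo "$processType" | tr '[A-Z]' '[a-z]')list"
        # iptreemap takes ranges directly, so each "Name:a.b.c.d-e.f.g.h" line becomes "-A iBTmp a.b.c.d-e.f.g.h"
        ( echo "-N iBTmp iptreemap"
          eval "$GetCommand" | gunzip | nice -n 15 sed -n '/0.0.0.0/d;s/^.*:/-A iBTmp /p'
          echo "COMMIT"
        ) | nice -n 15 ipset --restore
        ipset --swap iBTmp "$SetName"
        ipset --destroy iBTmp
        Log "Loaded ${SetName} $(echo "$processType" | tr '[A-Z]' '[a-z]')list with $(ipset -L "$SetName" | wc -l | awk '{print $1-6}') entries"
      else
        Log "Skipped loading ${SetName} $(echo "$processType" | tr '[A-Z]' '[a-z]')list as it's already loaded. To force reloading, set USE_LOCAL_CACHE=N"
      fi
      # Delete-then-insert in both branches so a forced reload does not duplicate the rule
      iptables -D PREROUTING -t raw -m set --set "$SetName" "$Traffic" -j "$PROCESS_RULES_TARGET" 2>/dev/null
      iptables -I PREROUTING -t raw -m set --set "$SetName" "$Traffic" -j "$PROCESS_RULES_TARGET"
    done
  done;;
*)
  Log "Unknown ipset version. Exiting."
  exit 1;;
esac

# The LAN whitelist is mandatory (it stops the downloaded ranges from blocking private addresses);
# bootstrap it from the project's default copy when missing.
# NOTE(review): "-k" disables TLS certificate verification, so this one-time fetch trusts whatever answers for
# raw.githubusercontent.com; ship whitelist-cidrs.txt with the install so this path is never exercised.
[ ! -s "$WHITELIST_CIDRS_FILE" ] && curl -sk "https://raw.githubusercontent.com/shounak-de/iblocklist-loader/master/whitelist-cidrs.txt" -o "$WHITELIST_CIDRS_FILE"

# Local CIDR lists: BLACKLIST_CIDRS_FILE -> BlacklistCIDRs (block target), WHITELIST_CIDRS_FILE -> WhitelistCIDRs (ACCEPT).
# The set is rebuilt from scratch on every run, so edits to the files take effect on the next run.
for CIDRs in BLACK WHITE; do
  eval "ListFile=\$${CIDRs}LIST_CIDRS_FILE"
  eval "ListTraffic=\$${CIDRs}LIST_CIDRS_TRAFFIC"
  if [ -s "$ListFile" ]; then
    [ "$CIDRs" = "BLACK" ] && PROCESS_RULES_TARGET=$IPTABLES_BLOCK_TARGET || PROCESS_RULES_TARGET=ACCEPT
    case $CIDRs in
      BLACK) IPSET_LIST=BlacklistCIDRs;;
      *) IPSET_LIST=WhitelistCIDRs;;
    esac
    # The rule must go before the set can be destroyed (ipset refuses to destroy a set that is in use)
    iptables-save | grep -q -- "$IPSET_LIST" && iptables -D PREROUTING -t raw -m set $MATCH_SET "$IPSET_LIST" "$ListTraffic" -j "$PROCESS_RULES_TARGET"
    ipset $DESTROY "$IPSET_LIST" >/dev/null 2>&1 # Destroy *if* existing (It will exist if this script is run more than once, e.g. scheduled in cron)
    ipset $CREATE "$IPSET_LIST" $NETHASH || Log "Could not create ipset $IPSET_LIST"
    entryCount=0
    # One or more CIDRs per line; anything after '#' is a comment. "-r" keeps backslashes literal and the
    # "|| [ -n ... ]" still processes a last line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
      entries=${line%%#*}
      if [ -n "$entries" ]; then
        for cidr in $entries; do
          ipset -q $ADD "$IPSET_LIST" "$cidr" && entryCount=$((entryCount+1))
        done
      fi
    done < "$ListFile"
    Log "Added $IPSET_LIST ($entryCount entries)"
    iptables-save | grep -q -- "$IPSET_LIST" || iptables -I PREROUTING -t raw -m set $MATCH_SET "$IPSET_LIST" "$ListTraffic" -j "$PROCESS_RULES_TARGET"
  fi
done

# Local domain lists: BLACKLIST_DOMAINS_FILE -> BlacklistDomains, WHITELIST_DOMAINS_FILE -> WhitelistDomains.
# Names are resolved once, here, and the A records found at that moment are what gets matched; a whitelist
# entry is therefore only as trustworthy as the resolver answering this lookup, and IPs that change later
# are not picked up until the next run.
for domainsFile in BLACK WHITE; do
  eval "ListFile=\$${domainsFile}LIST_DOMAINS_FILE"
  eval "ListTraffic=\$${domainsFile}LIST_DOMAINS_TRAFFIC"
  if [ -s "$ListFile" ]; then
    [ "$domainsFile" = "BLACK" ] && PROCESS_RULES_TARGET=$IPTABLES_BLOCK_TARGET || PROCESS_RULES_TARGET=ACCEPT
    case $domainsFile in
      BLACK) IPSET_LIST=BlacklistDomains;;
      *) IPSET_LIST=WhitelistDomains;;
    esac
    iptables-save | grep -q -- "$IPSET_LIST" && iptables -D PREROUTING -t raw -m set $MATCH_SET "$IPSET_LIST" "$ListTraffic" -j "$PROCESS_RULES_TARGET"
    ipset $DESTROY "$IPSET_LIST" >/dev/null 2>&1 # Destroy *if* existing (It will exist if this script is run more than once, e.g. scheduled in cron)
    ipset $CREATE "$IPSET_LIST" $IPHASH || Log "Could not create ipset $IPSET_LIST"
    entryCount=0
    while IFS= read -r line || [ -n "$line" ]; do
      domains=${line%%#*}
      if [ -n "$domains" ]; then
        # Keep IPv4 answers only (IPv6 addresses contain ':'). The sed/cut pipeline assumes busybox-style
        # nslookup output ("Address N: x.x.x.x name" lines after the blank line that ends the server section);
        # NOTE(review): verify the parsing if nslookup on the target prints a different layout.
        for ip in $(nslookup $domains | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"); do
          ipset -q $ADD "$IPSET_LIST" "$ip" && entryCount=$((entryCount+1))
        done
      fi
    done < "$ListFile"
    Log "Added $IPSET_LIST ($entryCount entries)"
    iptables-save | grep -q -- "$IPSET_LIST" || iptables -I PREROUTING -t raw -m set $MATCH_SET "$IPSET_LIST" "$ListTraffic" -j "$PROCESS_RULES_TARGET"
  fi
done
-------------------------------------------------------------------------------- /iblocklist-loader.sh: --------------------------------------------------------------------------------
#!/bin/sh

# Generic iblocklist.com ipset loader for ipset v4 and v6 (Original version)
# Author: redhat27, Version 1.1
# snbforums thread: https://www.snbforums.com/threads/iblocklist-com-generic-ipset-loader-for-ipset-v6-and-v4.37976/
# credits for v6 implementation: http://www.unix.com/shell-programming-and-scripting/233825-convert-ip-ranges-cidr-netblocks.html

# Available free lists from [https://www.iblocklist.com/lists] Format:
# ------List name-----------Maintainer--Download URL-------------------------------------------------------------------------
List01="Pedophiles I-Blocklist http://list.iblocklist.com/?list=dufcxgnbjsdwmwctgfuj&fileformat=p2p&archiveformat=gz"
List02="level1 Bluetack http://list.iblocklist.com/?list=ydxerpxkpcfqjaybcssw&fileformat=p2p&archiveformat=gz"
List03="level2 Bluetack http://list.iblocklist.com/?list=gyisgnzbhppbvsphucsw&fileformat=p2p&archiveformat=gz"
List04="level3 Bluetack http://list.iblocklist.com/?list=uwnukjqktoggdknzrhgh&fileformat=p2p&archiveformat=gz"
List05="edu Bluetack http://list.iblocklist.com/?list=imlmncgrkbnacgcwfjvh&fileformat=p2p&archiveformat=gz"
List06="rangetest Bluetack http://list.iblocklist.com/?list=plkehquoahljmyxjixpu&fileformat=p2p&archiveformat=gz"
List07="bogon Bluetack http://list.iblocklist.com/?list=gihxqmhyunbxhbmgqrla&fileformat=p2p&archiveformat=gz"
List08="ads Bluetack http://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=p2p&archiveformat=gz"
List09="spyware Bluetack http://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=p2p&archiveformat=gz"
List10="proxy Bluetack http://list.iblocklist.com/?list=xoebmbyexwuiogmbyprb&fileformat=p2p&archiveformat=gz"
List11="badpeers Bluetack http://list.iblocklist.com/?list=cwworuawihqvocglcoss&fileformat=p2p&archiveformat=gz"
List12="Microsoft Bluetack http://list.iblocklist.com/?list=xshktygkujudfnjfioro&fileformat=p2p&archiveformat=gz"
List13="spider Bluetack http://list.iblocklist.com/?list=mcvxsnihddgutbjfbghy&fileformat=p2p&archiveformat=gz"
List14="hijacked Bluetack http://list.iblocklist.com/?list=usrcshglbiilevmyfhse&fileformat=p2p&archiveformat=gz"
List15="dshield Bluetack http://list.iblocklist.com/?list=xpbqleszmajjesnzddhv&fileformat=p2p&archiveformat=gz"
List16="forumspam Bluetack http://list.iblocklist.com/?list=ficutxiwawokxlcyoeye&fileformat=p2p&archiveformat=gz"
List17="webexploit Bluetack http://list.iblocklist.com/?list=ghlzqtqxnzctvvajwwag&fileformat=p2p&archiveformat=gz"
List18="iana-reserved Bluetack http://list.iblocklist.com/?list=bcoepfyewziejvcqyhqo&fileformat=p2p&archiveformat=gz"
List19="iana-private Bluetack http://list.iblocklist.com/?list=cslpybexmxyuacbyuvib&fileformat=p2p&archiveformat=gz"
List20="iana-multicast Bluetack http://list.iblocklist.com/?list=pwqnlynprfgtjbgqoizj&fileformat=p2p&archiveformat=gz"
List21="NonLanComputers Bluetack http://list.iblocklist.com/?list=jhaoawihmfxgnvmaqffp&fileformat=p2p&archiveformat=gz"
List22="exclusions Bluetack http://list.iblocklist.com/?list=mtxmiireqmjzazcsoiem&fileformat=p2p&archiveformat=gz"
List23="DROP Spamhaus http://list.iblocklist.com/?list=zbdlwrqkabxbcppvrnos&fileformat=p2p&archiveformat=gz"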
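List24="ZeuS abuse http://list.iblocklist.com/?list=ynkdjqsjyfmilsgbogqf&fileformat=p2p&archiveformat=gz"
List25="SpyEye abuse http://list.iblocklist.com/?list=zvjxsfuvdhoxktpeiokq&fileformat=p2p&archiveformat=gz"
List26="Palevo abuse http://list.iblocklist.com/?list=erqajhwrxiuvjxqrrwfj&fileformat=p2p&archiveformat=gz"
List27="Malicious CI-Army http://list.iblocklist.com/?list=npkuuhuxcsllnhoamkvm&fileformat=p2p&archiveformat=gz"
List28="malc0de malc0de http://list.iblocklist.com/?list=pbqcylkejciyhmwttify&fileformat=p2p&archiveformat=gz"
List29="adservers Yoyo http://list.iblocklist.com/?list=zhogegszwduurnvsyhdf&fileformat=p2p&archiveformat=gz"
List30="bogon cidr-report http://list.iblocklist.com/?list=lujdnbasfaaixitgmxpp&fileformat=p2p&archiveformat=gz"
List31="cruzit-web-attacks CruzIT http://list.iblocklist.com/?list=czvaehmjpsnwwttrdoyl&fileformat=p2p&archiveformat=gz"
List32="Business-ISPs TBG http://list.iblocklist.com/?list=jcjfaxgyyshvdbceroxf&fileformat=p2p&archiveformat=gz"
List33="Primary-Threats TBG http://list.iblocklist.com/?list=ijfqtofzixtwayqovmxn&fileformat=p2p&archiveformat=gz"
List34="Hijacked TBG http://list.iblocklist.com/?list=tbnuqfclfkemqivekikv&fileformat=p2p&archiveformat=gz"
List35="Bogon TBG http://list.iblocklist.com/?list=ewqglwibdgjttwttrinl&fileformat=p2p&archiveformat=gz"
List36="Search-Engines TBG http://list.iblocklist.com/?list=pfefqteoxlfzopecdtyw&fileformat=p2p&archiveformat=gz"
List37="Corporate-Ranges TBG http://list.iblocklist.com/?list=ecqbsykllnadihkdirsh&fileformat=p2p&archiveformat=gz"

BLOCKLIST_INDEXES="13 15 27" # Can be any combination of above list indexes, e.g "15 13", "1", "7 24 8 29 31" etc. [Example: PeerGuardian implementation would be "2 11"]

# Your favorite domain blocked after your chosen blocklist(s) are active? You can specify domains to whitelist in a local file
WHITELIST_DOMAINS_FILE="/jffs/ipset_lists/whitelist-domains.txt" # One line per domain, comments (starting with the '#' character) allowed, even inline comments

# Use locally cached ipset data or download on each run
USE_LOCAL_CACHE=Y # [Y|N]

# Re-download blocklist data if locally saved files are older than this many days [Needed mostly for USE_LOCAL_CACHE=Y]
LISTS_SAVE_DAYS=10

# Use DROP or REJECT target for iptable rule. Briefly, for DROP, attacker (or IP being blocked) will get no response and timeout,
# and REJECT will send immediate response of destination-unreachable (Attacker will know your IP is actively rejecting requests)
# See: http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject and http://serverfault.com/questions/157375/reject-vs-drop-when-using-iptables
# or from our own RMerlin: https://www.snbforums.com/threads/ip-tables-confusion.30373/#post-237738
# NOTE(review): iptables documents REJECT as valid only in the INPUT/FORWARD/OUTPUT chains, so it may be refused
# in the raw-table PREROUTING chain used below; verify on your build before switching away from DROP.
IPTABLES_RULE_TARGET=DROP # [DROP|REJECT]

# Folder to cache downloaded files [Needed for USE_LOCAL_CACHE=Y or storing the file for posterity]
IPSET_LISTS_DIR=/jffs/ipset_lists

# *** No settings to modify from here on down ***
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p "$IPSET_LISTS_DIR"

# Seconds to wait for internet connectivity before falling back to the cached list files
ONLINE_WAIT_MAX=300

# Wait if this is run early on (before the router has internet connectivity) [Needed by wget to download files]
# "&>" is not POSIX: a #!/bin/sh without bash compatibility parses it as "&" plus a bare redirect and the loop
# condition stops reflecting connectivity; ">/dev/null 2>&1" is the portable spelling.
# After ONLINE_WAIT_MAX seconds give up and use the cache; without the break an offline router never leaves
# this loop (and logs every second) instead of loading what it already has.
WaitSeconds=0
while ! ping -q -c 1 google.com >/dev/null 2>&1; do
  sleep 1
  WaitSeconds=$((WaitSeconds+1))
  if [ "$WaitSeconds" -gt "$ONLINE_WAIT_MAX" ]; then
    logger -t Firewall "$0: Router not online: attempting to use cached files if they exist"
    USE_LOCAL_CACHE=Y
    break
  fi
done

#######################################
# Resolve one List<NN> entry into the globals the loader loop uses.
# Arguments: $1 - list index as written in BLOCKLIST_INDEXES (1 or 2 digits)
# Globals (written):
#   SetName    - ipset base name built as <Maintainer><Name>, both capitalised (e.g. "BluetackSpider")
#   Url        - download URL (3rd column of the List line)
#   GetCommand - shell command that writes the gzipped list to stdout (cache file or live download)
# Globals (read): IPSET_LISTS_DIR, LISTS_SAVE_DAYS, USE_LOCAL_CACHE
# Returns: 0 on success; 1 (with the globals cleared) if the index is not numeric or no List<NN> is defined
#######################################
GetSetDetails () {
  index=$1
  # Indexes are zero-padded to two digits to match the List01..List37 variable names above
  [ ${#index} -eq 1 ] && index="0${index}"
  # The index is spliced into a variable name with eval, so accept digits only
  case $index in
    ''|*[!0-9]*)
      logger -t Firewall "$0: Invalid list index [$1]: ignoring"
      SetName=; Url=; GetCommand=
      return 1;;
  esac
  eval "ListLine=\$List${index}"
  if [ -z "$ListLine" ]; then
    logger -t Firewall "$0: No list defined for index [$1]: ignoring"
    SetName=; Url=; GetCommand=
    return 1
  fi
  SetName=$(echo "$ListLine" | awk '{ print toupper(substr($2,1,1)) substr($2,2) toupper(substr($1,1,1)) substr($1,2) }')
  Url=$(echo "$ListLine" | awk '{ print $3 }')
  CacheFile="$IPSET_LISTS_DIR/${SetName}.gz"
  # Refresh the cache when missing/empty or older than LISTS_SAVE_DAYS. Download to a side file first:
  # "wget -O" truncates its target before the transfer, so a failed download would otherwise wipe the
  # last good copy and the next load would swap an EMPTY set into the firewall.
  if [ ! -s "$CacheFile" ] || [ -n "$(find "$CacheFile" -mtime +"$LISTS_SAVE_DAYS" -print 2>/dev/null)" ]; then
    if wget -q -O "${CacheFile}.tmp" "$Url" && [ -s "${CacheFile}.tmp" ]; then
      mv -f "${CacheFile}.tmp" "$CacheFile"
    else
      rm -f "${CacheFile}.tmp"
      logger -t Firewall "$0: Download of ${SetName} from ${Url} failed: keeping the cached copy (if any)"
    fi
  fi
  # NOTE(review): the list URLs are plain http, so the downloaded ranges are not integrity-protected in transit.
  [ "$USE_LOCAL_CACHE" = "Y" ] && GetCommand="cat \"$CacheFile\"" || GetCommand="wget -q -O - \"${Url}\""
  return 0
}

# Different routers got different iptables and ipset syntax, also ipset v6.x did away with iptreemap.
# That resulted in a totally different way of parsing the large IP ranges, (hash:ip cannot handle large sets of sometimes 8M+ IPs)
# For ipset v6.x, the script converts IP ranges to CIDR. It creates 2 sets: One for single IPs, and one for CIDRs.
# For ipset v4.x, the original implementation of using iptreemap is retained.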
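# ipset v4.x (iptreemap) and v6.x (hash:ip/hash:net) have different command vocabularies; pick the matching
# one once here (MATCH_SET/CREATE/DESTROY/ADD/IPHASH) so the whitelist section below can reuse it.
case $(ipset -v | grep -o "v[4,6]") in
v6)
  # Loading ipset modules
  if ! lsmod | grep -q "xt_set"; then
    for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set; do
      modprobe "$module"
    done
  fi
  MATCH_SET='--match-set'; CREATE='create'; DESTROY='destroy'; ADD='add'; IPHASH='hash:ip'
  ipset destroy tIP 2>/dev/null; ipset destroy tNet 2>/dev/null # Recover if previous run aborted
  for index in $BLOCKLIST_INDEXES; do
    # An index with no List<NN> entry is skipped instead of producing sets/rules with an empty name
    GetSetDetails "$index" || continue
    [ -n "$SetName" ] || continue
    # Create the sets if they do not exist ("ipset swap X X" is used as a cheap existence probe)
    if ipset swap "${SetName}Single" "${SetName}Single" 2>&1 | grep -q "name does not exist"; then
      ipset n "${SetName}Single" hash:ip hashsize 2048 maxelem 1048576
    fi
    if ipset swap "${SetName}CIDR" "${SetName}CIDR" 2>&1 | grep -q "name does not exist"; then
      ipset n "${SetName}CIDR" hash:net hashsize 4096 maxelem 4194304
    fi
    if ! iptables-save | grep -q -- "$SetName" || [ "$USE_LOCAL_CACHE" = "N" ]; then
      logger -t Firewall "$0: Started processing ${SetName} blocklist"
      # The new data is built in scratch sets (tIP/tNet) and swapped in afterwards, so the live sets keep
      # filtering while the list is being parsed.
      TmpFile=$(mktemp "/tmp/${SetName}.XXXXXX" 2>/dev/null) || TmpFile="/tmp/${SetName}.txt"
      ( printf 'n tIP -exist hash:ip hashsize 2048 maxelem 1048576\nn tNet -exist hash:net hashsize 4096 maxelem 4194304\n'
        # p2p lines are "Name:a.b.c.d-e.f.g.h"; drop the 0.0.0.0 placeholder entries and keep only the range
        eval "$GetCommand" | gunzip | sed -n '/0.0.0.0/d;s/^.*://p' | \
        nice -n 15 awk '
        # convert dotted quads to long decimal ip. Ex: int ip2dec("192.168.0.15")
        function ip2dec(ip, slice) {
          split(ip, slice, ".")
          return (slice[1] * 2^24) + (slice[2] * 2^16) + (slice[3] * 2^8) + slice[4]
        }
        # convert decimal long ip to dotted quads. Ex: str dec2ip(1171259392)
        function dec2ip(dec, ip, quad) {
          for (i=3; i>=1; i--) { quad = 256^i; ip = ip int(dec/quad) "."; dec = dec%quad }
          return ip dec
        }
        # convert ip ranges to CIDR notation. Ex: str range2cidr(ip2dec("192.168.0.15"), ip2dec("192.168.5.115"))
        # "result" is declared as a local (extra parameter) on purpose: the function recurses inside its own
        # concatenation, and awk does not define the evaluation order of concatenation operands, so a global
        # would be clobbered by the nested call.
        function range2cidr(ipStart, ipEnd, bits, mask, newip, result) {
          bits = 1; mask = 1
          while (bits < 32) {
            newip = or(ipStart, mask)
            if ((newip>ipEnd) || ((lshift(rshift(ipStart,bits),bits)) != ipStart)) { bits--; mask = rshift(mask,1); break }
            bits++; mask = lshift(mask,1)+1
          }
          newip = or(ipStart, mask); bits = 32 - bits
          # ipset cannot handle single IP via /32 [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583079]
          if (bits==32) return "add tIP " dec2ip(ipStart)
          else result = dec2ip(ipStart) "/" bits
          if (newip < ipEnd) result = result "\n" range2cidr(newip + 1, ipEnd)
          return "add tNet " result
        }
        BEGIN { FS="-" }
        $1==$2 { print "add tIP " $1 }
        $1!=$2 { print range2cidr(ip2dec($1), ip2dec($2)) }
        '
      ) > "$TmpFile"
      (grep " tIP " "$TmpFile"; echo "COMMIT") | nice -n 15 ipset restore
      (grep " tNet " "$TmpFile"; echo "COMMIT") | nice -n 15 ipset restore
      rm -f "$TmpFile"
      ipset swap tIP "${SetName}Single"
      ipset swap tNet "${SetName}CIDR"
      ipset destroy tIP; ipset destroy tNet
      logger -t Firewall "$0: Loaded ${SetName}Single blocklist with $(ipset -L "${SetName}Single" | wc -l | awk '{print $1-7}') entries"
      logger -t Firewall "$0: Loaded ${SetName}CIDR blocklist with $(ipset -L "${SetName}CIDR" | wc -l | awk '{print $1-7}') entries"
    else
      logger -t Firewall "$0: Skipped loading ${SetName} blocklists as they are already loaded. To force reloading, set USE_LOCAL_CACHE=N"
    fi
    # Remove the rules left by a previous run before inserting (stderr silenced: "-D" complains when there is
    # nothing to delete). Deleting in both branches keeps a forced reload (USE_LOCAL_CACHE=N) from stacking
    # another copy of the same rule in PREROUTING on every run.
    iptables -D PREROUTING -t raw -m set --match-set "${SetName}Single" src -j "$IPTABLES_RULE_TARGET" 2>/dev/null
    iptables -D PREROUTING -t raw -m set --match-set "${SetName}CIDR" src -j "$IPTABLES_RULE_TARGET" 2>/dev/null
    iptables -I PREROUTING -t raw -m set --match-set "${SetName}Single" src -j "$IPTABLES_RULE_TARGET"
    iptables -I PREROUTING -t raw -m set --match-set "${SetName}CIDR" src -j "$IPTABLES_RULE_TARGET"
  done;;
v4)
  # Loading ipset modules
  if ! lsmod | grep -q "ipt_set"; then
    for module in ip_set ip_set_iptreemap ipt_set; do
      modprobe "$module"
    done
  fi
  MATCH_SET='--set'; CREATE='--create'; DESTROY='--destroy'; ADD='--add'; IPHASH='iphash'
  ipset --destroy iBTmp 2>/dev/null # Recover if previous run aborted
  for index in $BLOCKLIST_INDEXES; do
    GetSetDetails "$index" || continue
    [ -n "$SetName" ] || continue
    # Create the set if it does not exist
    if ipset --swap "$SetName" "$SetName" 2>&1 | grep -q "Unknown set"; then
      ipset -N "$SetName" iptreemap
    fi
    if ! iptables-save | grep -q -- "$SetName" || [ "$USE_LOCAL_CACHE" = "N" ]; then
      logger -t Firewall "$0: Started processing ${SetName} blocklist"
      # iptreemap takes ranges directly, so each "Name:a.b.c.d-e.f.g.h" line becomes "-A iBTmp a.b.c.d-e.f.g.h"
      ( echo "-N iBTmp iptreemap"
        eval "$GetCommand" | gunzip | nice -n 15 sed -n '/0.0.0.0/d;s/^.*:/-A iBTmp /p'
        echo "COMMIT"
      ) | nice -n 15 ipset --restore
      ipset --swap iBTmp "$SetName"
      ipset --destroy iBTmp
      logger -t Firewall "$0: Loaded ${SetName} blocklist with $(ipset -L "$SetName" | wc -l | awk '{print $1-6}') entries"
    else
      logger -t Firewall "$0: Skipped loading ${SetName} blocklist as it's already loaded. To force reloading, set USE_LOCAL_CACHE=N"
    fi
    # Delete-then-insert in both branches so a forced reload does not duplicate the rule
    iptables -D PREROUTING -t raw -m set --set "$SetName" src -j "$IPTABLES_RULE_TARGET" 2>/dev/null
    iptables -I PREROUTING -t raw -m set --set "$SetName" src -j "$IPTABLES_RULE_TARGET"
  done;;
*)
  logger -t Firewall "$0: Unknown ipset version. Exiting."
  exit 1;;
esac

# Whitelisted domains: resolved once, here, into the WhitelistDomains set and matched by an ACCEPT rule that is
# inserted above the block rules. The addresses kept are whatever the resolver returns at this moment, so the
# whitelist is only as trustworthy as that resolver, and changed IPs are not picked up until the next run.
if [ -s "$WHITELIST_DOMAINS_FILE" ]; then
  # The rule must go before the set can be destroyed (ipset refuses to destroy a set that is in use)
  iptables-save | grep -q WhitelistDomains && iptables -D PREROUTING -t raw -m set $MATCH_SET WhitelistDomains src,dst -j ACCEPT
  ipset $DESTROY WhitelistDomains >/dev/null 2>&1 # Destroy *if* existing (It will exist if this script is run more than once, e.g. scheduled in cron)
  ipset $CREATE WhitelistDomains $IPHASH || logger -t Firewall "$0: Could not create ipset WhitelistDomains"
  entryCount=0
  # "-r" keeps backslashes literal; "|| [ -n ... ]" still processes a last line without a trailing newline
  while IFS= read -r line || [ -n "$line" ]; do
    domains=${line%%#*}
    if [ -n "$domains" ]; then
      # Keep IPv4 answers only (IPv6 addresses contain ':'). The sed/cut pipeline assumes busybox-style
      # nslookup output ("Address N: x.x.x.x name" lines after the blank line that ends the server section);
      # NOTE(review): verify the parsing if nslookup on the target prints a different layout.
      for ip in $(nslookup $domains | sed -n '/^$/,$ s/^A.*: //p' | cut -d' ' -f1 | grep -v ":"); do
        ipset $ADD WhitelistDomains "$ip" && entryCount=$((entryCount+1))
      done
    fi
  done < "$WHITELIST_DOMAINS_FILE"
  logger -t Firewall "$0: Added WhitelistDomains ($entryCount entries)"
  iptables-save | grep -q WhitelistDomains || iptables -I PREROUTING -t raw -m set $MATCH_SET WhitelistDomains src,dst -j ACCEPT
fi
-------------------------------------------------------------------------------- /whitelist-cidrs.txt: --------------------------------------------------------------------------------
# Private IP ranges unroutable over internet
# See https://en.wikipedia.org/wiki/Private_network
# NOTE(review): only the RFC 1918 ranges are listed. If the WAN side sits behind carrier-grade NAT (100.64.0.0/10)
# or link-local addressing (169.254.0.0/16) matters on this router, append those ranges here as well so a
# downloaded list can never block them.

10.0.0.0/8 # class A network
172.16.0.0/12 # class B network
192.168.0.0/16 # class C network
-------------------------------------------------------------------------------- /whitelist-domains.txt: --------------------------------------------------------------------------------
# This file contains the whitelisted domains used by iblocklist-loader (Referenced via WHITELIST_DOMAINS_FILE= line)
# The IPv4 addresses for the domains in this file would be added to an ipset list called [WhitelistDomains] and then
# an iptables ACCEPT rule will be created that would precede any DROP/REJECT rule created by iblocklist-loader

apple.com # blocked by TBG Primary-Threats
bbc.co.uk # blocked by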
TBG Primary-Threats 7 | eotugame.com #blocked by Squidblacklist Malicious (premium) 8 | icloud.com # blocked by TBG Primary-Threats 9 | mail.live.com # Hotmail blocked by TBG Primary-Threats 10 | speedtest.net # blocked by Yoyo Adservers 11 | teamviewer.com # blocked by Bluetack Level1 12 | pgl.yoyo.org # blocked by FireHOL lists used by ya-malware-block 13 | --------------------------------------------------------------------------------