[PATCH 4/5] ipblacklist: Modifications to system

[Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>]

[-- Attachment #1: Type: text/plain, Size: 9361 bytes --]

backup.pl           Restart when restoring backup
ipblacklist       ) Adds ipblacklist stats and errors to
ipblacklist.conf  ) daily log summary
include             Add blacklists and settings to backups
firewall-policy   ) Add main IPTables used to invoke
firewall          ) IPSets

Signed-off-by: Tim FitzGeorge <ipfr(a)tfitzgeorge.me.uk>
---
 config/backup/backup.pl          |   1 +
 config/backup/include            |   2 +
 config/firewall/firewall-policy  |   5 ++
 config/logwatch/ipblacklist      | 103 +++++++++++++++++++++++++++++++++++++++
 config/logwatch/ipblacklist.conf |  34 +++++++++++++
 src/initscripts/system/firewall  |  20 ++++++++
 6 files changed, 165 insertions(+)
 create mode 100644 config/logwatch/ipblacklist
 create mode 100644 config/logwatch/ipblacklist.conf

diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index b1dd1d297..17b797c20 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -130,6 +130,7 @@ restore_backup() {
 
 	# Reload firewall
 	firewallctrl
+	/usr/local/bin/ipblacklistctrl restore
 
 	# Convert old OpenVPN CCD files (CN change, Core Update 75)
 	convert-ovpn
diff --git a/config/backup/include b/config/backup/include
index 1190eda81..78ff926f7 100644
--- a/config/backup/include
+++ b/config/backup/include
@@ -38,6 +38,7 @@
 /var/ipfire/ethernet/wireless
 /var/ipfire/firewall
 /var/ipfire/fwhosts
+/var/ipfire/ipblacklist/modified
 /var/ipfire/main/*
 /var/ipfire/ovpn
 /var/ipfire/ovpn/collectd.vpn
@@ -52,6 +53,7 @@
 /var/ipfire/time/
 /var/ipfire/urlfilter
 /var/ipfire/vpn
+/var/lib/ipblacklist
 /var/lib/suricata
 /var/log/ip-acct/*
 /var/log/rrd/*
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 21165e933..1198d120f 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -22,6 +22,7 @@
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/ipblacklist/settings)
 
 function iptables() {
 	/sbin/iptables --wait "$@"
@@ -97,6 +98,10 @@ case "${HAVE_OPENVPN},${POLICY}" in
 		;;
 esac
 
+if [ "${AUTOBLACKLIST}" = "on" ]; then
+	iptables -A POLICYIN -i ${IFACE} -m hashlimit --hashlimit-mode srcip --hashlimit-above ${BLOCK_THRESHOLD}/hour --hashlimit-name AUTOBLACKLIST -j SET --add-set AUTOBLACKLIST src
+fi
+
 case "${FWPOLICY2}" in
 	REJECT)
 		if [ "${DROPINPUT}" = "on" ]; then
diff --git a/config/logwatch/ipblacklist b/config/logwatch/ipblacklist
new file mode 100644
index 000000000..0fadc6250
--- /dev/null
+++ b/config/logwatch/ipblacklist
@@ -0,0 +1,103 @@
+###########################################################################
+# ipblacklist script for Logwatch
+# Analyzes the IPFire IP Blacklist log
+#
+#########################################################################
+
+########################################################
+## Copyright (c) 2008 Lars Skj�rlund
+## Covered under the included MIT/X-Consortium License:
+##    http://www.opensource.org/licenses/mit-license.php
+## All modifications and contributions by other persons to
+## this script are assumed to have been donated to the
+## Logwatch project and thus assume the above copyright
+## and licensing terms.  If you want to make contributions
+## under your own copyright or a different license this
+## must be explicitly stated in the contribution and the
+## Logwatch project reserves the right to not accept such
+## contributions.  If you have made significant
+## contributions to this script and want to claim
+## copyright please contact logwatch-devel(a)lists.sourceforge.net.
+#########################################################
+
+#########################################################################
+# Files - all shown with default paths:
+#
+# /usr/share/logwatch/default.conf/logfiles/messages.conf
+# /usr/share/logwatch/dist.conf/services/blacklist.conf
+# /usr/share/logwatch/scripts/services/ipblacklist (this file)
+#
+# ... and of course
+#
+# /var/log/messages
+#########################################################################
+
+use Logwatch ':dates';
+
+my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'};
+
+my $SearchDate;
+
+my %Updates;
+my %Errors;
+
+$SearchDate = TimeFilter("%b %e");
+
+while (defined(my $ThisLine = <STDIN>))
+{
+  next unless ($ThisLine =~ m/^\s*\w+\s+\w+\s+(..:..:..) .* ipblacklist: (.*)/);
+
+  my $text = $2;
+
+  if ($text =~ m/Finished updating (\w+) blacklist with (\d+) changes/)
+  {
+    $Updates{$1}{updates}++;
+    $Updates{$1}{changes} += $2;
+  }
+  elsif ($text !~ m/Starting IP Blacklists/               and
+         $text !~ m/Starting IP Blacklist processing/     and
+         $text !~ m/Updating \w+ blacklist/               and
+         $text !~ m/Stopping IP Blacklists/               and
+         $text !~ m/Deleting IP Blacklists/               and
+         $text !~ m/Completed IP Blacklist update/        and
+         $text !~ m/Finished IP Blacklist processing/     and
+         $text !~ m/Blacklist \w+ Modification times/     and
+         $text !~ m/Create IPTables chains for blacklist/ and
+         $text !~ m/Delete IPTables chains for blacklist/ and
+         $text !~ m/Checking modification time for blacklist/ and
+         $text !~ m/Restoring blacklist /                 and
+         $text !~ m/Downloading blacklist/ )
+  {
+    $Errors{$text}++;
+  }
+}
+
+#####################################################################
+
+if (keys %Updates)
+{
+   print "\nThe following block lists were updated:\n";
+   foreach my $Lists (sort keys %Updates)
+   {
+     print "   $Lists: $Updates{$Lists}{updates} Time(s) - $Updates{$Lists}{changes} change(s)\n";
+   }
+}
+
+if (keys %Errors)
+{
+  print "\nThe following errors were detected:\n";
+
+  foreach my $Text (keys %Errors)
+  {
+    print "   $Text: $Errors{$Text} Time(s)\n";
+  }
+}
+
+exit(0);
+
+# vi: shiftwidth=3 tabstop=3 syntax=perl et
+# Local Variables:
+# mode: perl
+# perl-indent-level: 3
+# indent-tabs-mode: nil
+# End:
diff --git a/config/logwatch/ipblacklist.conf b/config/logwatch/ipblacklist.conf
new file mode 100644
index 000000000..ed0ecc5f1
--- /dev/null
+++ b/config/logwatch/ipblacklist.conf
@@ -0,0 +1,34 @@
+#########################################################################
+# ids-update script for Logwatch
+# Analyzes the IPFire IP Blacklist update log
+#
+# Version: 1.0.0
+#    Initial release
+#
+#########################################################################
+
+#########################################################################
+# This script is subject to the same copyright as Logwatch itself
+#########################################################################
+
+#########################################################################
+# Files - all shown with default paths:
+#
+# /usr/share/logwatch/default.conf/logfiles/messages.conf
+# /usr/share/logwatch/dist.conf/services/blacklist.conf (this file)
+# /usr/share/logwatch/scripts/services/blacklist
+#
+# ... and of course
+#
+# /var/log/messages
+#########################################################################
+
+
+Title = "IP Blacklist"
+
+# Which logfile group...
+LogFile = messages
+
+*applystddate
+
+# vi: shiftwidth=3 tabstop=3 et
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ec396c708..a3596cd0e 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -180,6 +180,16 @@ iptables_init() {
 	iptables -A FORWARD -j P2PBLOCK
 	iptables -A OUTPUT -j P2PBLOCK
 	
+	# IP Address Blacklist chains
+	iptables -N IPBLACKLISTIN
+	iptables -N IPBLACKLISTOUT
+	iptables -N IPBLACKLISTREDIN
+	iptables -N IPBLACKLISTREDOUT
+	iptables -A INPUT ! -p icmp -j IPBLACKLISTIN
+	iptables -A FORWARD ! -p icmp -j IPBLACKLISTIN
+	iptables -A FORWARD ! -p icmp -j IPBLACKLISTOUT
+	iptables -A OUTPUT ! -p icmp -j IPBLACKLISTOUT
+
 	# Guardian (IPS) chains
 	iptables -N GUARDIAN
 	iptables -A INPUT -j GUARDIAN
@@ -382,6 +392,9 @@ iptables_init() {
 	# run captivectrl
 	/usr/local/bin/captivectrl
 
+	# run IP Blacklist start
+	/usr/local/bin/ipblacklist start
+
 	# POLICY CHAIN
 	iptables -N POLICYIN
 	iptables -A INPUT -j POLICYIN
@@ -407,6 +420,8 @@ iptables_red_up() {
 	iptables -F REDINPUT
 	iptables -F REDFORWARD
 	iptables -t nat -F REDNAT
+	iptables -F IPBLACKLISTIN
+	iptables -F IPBLACKLISTOUT
 
 	# PPPoE / PPTP Device
 	if [ "$IFACE" != "" ]; then
@@ -464,6 +479,10 @@ iptables_red_up() {
 			iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
 		done
 
+		# IP Address Blacklists
+		iptables -A IPBLACKLISTIN -i $IFACE -j IPBLACKLISTREDIN
+		iptables -A IPBLACKLISTOUT -o $IFACE -j IPBLACKLISTREDOUT
+
 		# Masquerade everything else
 		iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
 	fi
@@ -504,6 +523,7 @@ case "$1" in
 	evaluate_retval
 	;;
   restart)
+	/usr/local/bin/ipblacklist stop
 	$0 start
 	;;
   *)
-- 
2.16.4