[PATCH v2 7/8] ipblacklist: Modifications to system

[Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>]

[-- Attachment #1: Type: text/plain, Size: 7974 bytes --]

backup.pl           Restart when restoring backup
ipblacklist       ) Adds ipblacklist stats, events and errors
ipblacklist.conf  ) to the daily log summary
include             Add blacklists and settings to backups
firewall            Add main IPTables used to invoke IPSet

Signed-off-by: Tim FitzGeorge <ipfr(a)tfitzgeorge.me.uk>
---
 config/backup/backup.pl          |   1 +
 config/backup/include            |   2 +
 config/logwatch/ipblacklist      | 105 +++++++++++++++++++++++++++++++++++++++
 config/logwatch/ipblacklist.conf |  34 +++++++++++++
 src/initscripts/system/firewall  |  12 +++++
 5 files changed, 154 insertions(+)
 create mode 100644 config/logwatch/ipblacklist
 create mode 100644 config/logwatch/ipblacklist.conf

diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 5b5734044..d253bd90f 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -141,6 +141,7 @@ restore_backup() {
 
 	# Reload firewall
 	firewallctrl
+	/usr/local/bin/ipblacklistctrl restore
 
 	# Convert old OpenVPN CCD files (CN change, Core Update 75)
 	convert-ovpn
diff --git a/config/backup/include b/config/backup/include
index 5db452cda..1a63ef1b1 100644
--- a/config/backup/include
+++ b/config/backup/include
@@ -39,6 +39,7 @@
 /var/ipfire/ethernet/wireless
 /var/ipfire/firewall
 /var/ipfire/fwhosts
+/var/ipfire/ipblacklist/modified
 /var/ipfire/main/*
 /var/ipfire/ovpn
 /var/ipfire/ovpn/collectd.vpn
@@ -54,6 +55,7 @@
 /var/ipfire/time/
 /var/ipfire/urlfilter
 /var/ipfire/vpn
+/var/lib/ipblacklist
 /var/lib/suricata
 /var/log/ip-acct/*
 /var/log/rrd/*
diff --git a/config/logwatch/ipblacklist b/config/logwatch/ipblacklist
new file mode 100644
index 000000000..6d6c46188
--- /dev/null
+++ b/config/logwatch/ipblacklist
@@ -0,0 +1,105 @@
+###########################################################################
+# ipblacklist script for Logwatch
+# Analyzes the IPFire IP Blacklist log
+#
+#########################################################################
+
+########################################################
+## Copyright (c) 2008 Lars Skj�rlund
+## Covered under the included MIT/X-Consortium License:
+##    http://www.opensource.org/licenses/mit-license.php
+## All modifications and contributions by other persons to
+## this script are assumed to have been donated to the
+## Logwatch project and thus assume the above copyright
+## and licensing terms.  If you want to make contributions
+## under your own copyright or a different license this
+## must be explicitly stated in the contribution and the
+## Logwatch project reserves the right to not accept such
+## contributions.  If you have made significant
+## contributions to this script and want to claim
+## copyright please contact logwatch-devel(a)lists.sourceforge.net.
+#########################################################
+
+#########################################################################
+# Files - all shown with default paths:
+#
+# /usr/share/logwatch/default.conf/logfiles/messages.conf
+# /usr/share/logwatch/dist.conf/services/blacklist.conf
+# /usr/share/logwatch/scripts/services/ipblacklist (this file)
+#
+# ... and of course
+#
+# /var/log/messages
+#########################################################################
+
+use Logwatch ':dates';
+
+my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'};
+
+my $SearchDate;
+
+my %Updates;
+my %Errors;
+
+$SearchDate = TimeFilter("%b %e");
+
+while (defined(my $ThisLine = <STDIN>))
+{
+  next unless ($ThisLine =~ m/^\s*\w+\s+\w+\s+(..:..:..) .* ipblacklist: (.*)/);
+
+  my $text = $2;
+
+  if ($text =~ m/Updated (\w+) blacklist with (\d+) changes/)
+  {
+    $Updates{$1}{updates}++;
+    $Updates{$1}{changes} += $2;
+  }
+  elsif ($text !~ m/Starting IP Blacklists/                        and
+         $text !~ m/Starting IP Blacklist processing/              and
+         $text !~ m/Stopping IP Blacklists/                        and
+         $text !~ m/Deleting IP Blacklists/                        and
+         $text !~ m/Finished IP Blacklist processing/              and
+         $text !~ m/Create IPTables chains for blacklist/          and
+         $text !~ m/Delete IPTables chains for blacklist/          and
+         $text !~ m/Add IP Address Blacklist update to crontab/    and
+         $text !~ m/Enable IP Address Blacklist update in crontab/ and
+         $text !~ m/Disable IP Address Blacklist updates/          and
+         $text !~ m/Restoring blacklist /                          and
+         $text !~ m/Blacklist \w+ changed type/                    and
+         $text !~ m/Blacklist \w+ changed size/                    and
+         $text !~ m/Enabling IP Blacklist logging/                 and
+         $text !~ m/Disabling IP Blacklist logging/ )
+  {
+    $Errors{$text}++;
+  }
+}
+
+#####################################################################
+
+if (keys %Updates)
+{
+   print "\nThe following block lists were updated:\n";
+   foreach my $Lists (sort keys %Updates)
+   {
+     print "   $Lists: $Updates{$Lists}{updates} Time(s) - $Updates{$Lists}{changes} change(s)\n";
+   }
+}
+
+if (keys %Errors)
+{
+  print "\nThe following errors were detected:\n";
+
+  foreach my $Text (keys %Errors)
+  {
+    print "   $Text: $Errors{$Text} Time(s)\n";
+  }
+}
+
+exit(0);
+
+# vi: shiftwidth=3 tabstop=3 syntax=perl et
+# Local Variables:
+# mode: perl
+# perl-indent-level: 3
+# indent-tabs-mode: nil
+# End:
diff --git a/config/logwatch/ipblacklist.conf b/config/logwatch/ipblacklist.conf
new file mode 100644
index 000000000..ed0ecc5f1
--- /dev/null
+++ b/config/logwatch/ipblacklist.conf
@@ -0,0 +1,34 @@
+#########################################################################
+# ids-update script for Logwatch
+# Analyzes the IPFire IP Blacklist update log
+#
+# Version: 1.0.0
+#    Initial release
+#
+#########################################################################
+
+#########################################################################
+# This script is subject to the same copyright as Logwatch itself
+#########################################################################
+
+#########################################################################
+# Files - all shown with default paths:
+#
+# /usr/share/logwatch/default.conf/logfiles/messages.conf
+# /usr/share/logwatch/dist.conf/services/blacklist.conf (this file)
+# /usr/share/logwatch/scripts/services/blacklist
+#
+# ... and of course
+#
+# /var/log/messages
+#########################################################################
+
+
+Title = "IP Blacklist"
+
+# Which logfile group...
+LogFile = messages
+
+*applystddate
+
+# vi: shiftwidth=3 tabstop=3 et
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ab144ea18..8e7c1c7ef 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -196,6 +196,14 @@ iptables_init() {
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
+	# IP Address Blacklist chains
+	iptables -N BLACKLISTIN
+	iptables -N BLACKLISTOUT
+	iptables -A INPUT ! -p icmp -j BLACKLISTIN
+	iptables -A FORWARD ! -p icmp -j BLACKLISTIN
+	iptables -A FORWARD ! -p icmp -j BLACKLISTOUT
+	iptables -A OUTPUT ! -p icmp -j BLACKLISTOUT
+
 	# IPS (suricata) chains
 	iptables -N IPS_INPUT
 	iptables -N IPS_FORWARD
@@ -382,6 +390,9 @@ iptables_init() {
 	# run captivectrl
 	/usr/local/bin/captivectrl
 
+	# run IP Blacklist start
+	/usr/local/bin/ipblacklist start
+
 	# POLICY CHAIN
 	iptables -N POLICYIN
 	iptables -A INPUT -j POLICYIN
@@ -504,6 +515,7 @@ case "$1" in
 	evaluate_retval
 	;;
   restart)
+	/usr/local/bin/ipblacklist stop
 	$0 start
 	;;
   *)
-- 
2.16.4