backup.pl Restart when restoring backup ipblacklist ) Adds ipblacklist stats and errors to ipblacklist.conf ) daily log summary include Add blacklists and settings to backups firewall-policy ) Add main IPTables used to invoke firewall ) IPSets
Signed-off-by: Tim FitzGeorge ipfr@tfitzgeorge.me.uk --- config/backup/backup.pl | 1 + config/backup/include | 2 + config/firewall/firewall-policy | 5 ++ config/logwatch/ipblacklist | 103 +++++++++++++++++++++++++++++++++++++++ config/logwatch/ipblacklist.conf | 34 +++++++++++++ src/initscripts/system/firewall | 20 ++++++++ 6 files changed, 165 insertions(+) create mode 100644 config/logwatch/ipblacklist create mode 100644 config/logwatch/ipblacklist.conf
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index b1dd1d297..17b797c20 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -130,6 +130,7 @@ restore_backup() {
 # Reload firewall
 firewallctrl
+ /usr/local/bin/ipblacklistctrl restore
 # Convert old OpenVPN CCD files (CN change, Core Update 75)
 convert-ovpn
diff --git a/config/backup/include b/config/backup/include
index 1190eda81..78ff926f7 100644
--- a/config/backup/include
+++ b/config/backup/include
@@ -38,6 +38,7 @@
 /var/ipfire/ethernet/wireless
 /var/ipfire/firewall
 /var/ipfire/fwhosts
+/var/ipfire/ipblacklist/modified
 /var/ipfire/main/*
 /var/ipfire/ovpn
 /var/ipfire/ovpn/collectd.vpn
@@ -52,6 +53,7 @@
 /var/ipfire/time/
 /var/ipfire/urlfilter
 /var/ipfire/vpn
+/var/lib/ipblacklist
 /var/lib/suricata
 /var/log/ip-acct/*
 /var/log/rrd/*
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index 21165e933..1198d120f 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -22,6 +22,7 @@
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/firewall/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+eval $(/usr/local/bin/readhash /var/ipfire/ipblacklist/settings)
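Review bot: `/usr/local/bin/ipblacklistctrl restore` is invoked right after `firewallctrl` with its exit status ignored, so a failed restore of the blacklist state is silent while the rest of `restore_backup` carries on; the diffstat shows this patch does not add `ipblacklistctrl` itself, so the call also presumes the helper is installed by a separate change. Reporting the failure, e.g. `/usr/local/bin/ipblacklistctrl restore || echo "ipblacklist restore failed" >&2`, would at least surface it during a restore. `restore_backup` begins before this hunk.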
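Review bot: The two include hunks (-38 and -52) add `/var/ipfire/ipblacklist/modified` and `/var/lib/ipblacklist` to the backup, but not `/var/ipfire/ipblacklist/settings`, which firewall-policy in this same patch reads via readhash for AUTOBLACKLIST and BLOCK_THRESHOLD. Unless an entry outside these hunks already covers the whole `/var/ipfire/ipblacklist` directory, those settings will not survive a backup/restore even though the commit message says settings are backed up; adding `/var/ipfire/ipblacklist/settings` next to the `modified` entry would close that gap.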
 function iptables() {
 /sbin/iptables --wait "$@"
@@ -97,6 +98,10 @@ case "${HAVE_OPENVPN},${POLICY}" in
 ;;
 esac
+if [ "${AUTOBLACKLIST}" = "on" ]; then
+ iptables -A POLICYIN -i ${IFACE} -m hashlimit --hashlimit-mode srcip --hashlimit-above ${BLOCK_THRESHOLD}/hour --hashlimit-name AUTOBLACKLIST -j SET --add-set AUTOBLACKLIST src
+fi
+
 case "${FWPOLICY2}" in
 REJECT)
 if [ "${DROPINPUT}" = "on" ]; then
diff --git a/config/logwatch/ipblacklist b/config/logwatch/ipblacklist
new file mode 100644
index 000000000..0fadc6250
--- /dev/null
+++ b/config/logwatch/ipblacklist
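Review bot: The hashlimit rule interpolates `${BLOCK_THRESHOLD}` unchecked; if the settings file has no such key the argument degrades to `--hashlimit-above /hour`, iptables rejects the rule, and because the `iptables()` wrapper's return value is not examined the auto-blacklist is silently absent. Tightening the guard to `if [ "${AUTOBLACKLIST}" = "on" ] && [ -n "${BLOCK_THRESHOLD}" ]; then` (or a digits-only test) keeps a missing or corrupted setting from disabling the feature without notice. The `-j SET --add-set AUTOBLACKLIST` target also requires that ipset to exist when firewall-policy runs; nothing in this patch shows where it is created, so the ordering dependency is worth a comment on the rule. Where `IFACE` is set is outside the hunk.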
@@ -0,0 +1,103 @@
+###########################################################################
+# ipblacklist script for Logwatch
+# Analyzes the IPFire IP Blacklist log
+#
+#########################################################################
+
+########################################################
+## Copyright (c) 2008 Lars Skj�rlund
+## Covered under the included MIT/X-Consortium License:
+## http://www.opensource.org/licenses/mit-license.php
+## All modifications and contributions by other persons to
+## this script are assumed to have been donated to the
+## Logwatch project and thus assume the above copyright
+## and licensing terms. If you want to make contributions
+## under your own copyright or a different license this
+## must be explicitly stated in the contribution and the
+## Logwatch project reserves the right to not accept such
+## contributions. If you have made significant
+## contributions to this script and want to claim
+## copyright please contact logwatch-devel@lists.sourceforge.net.
+#########################################################
+
+#########################################################################
+# Files - all shown with default paths:
+#
+# /usr/share/logwatch/default.conf/logfiles/messages.conf
+# /usr/share/logwatch/dist.conf/services/blacklist.conf
+# /usr/share/logwatch/scripts/services/ipblacklist (this file)
+#
+# ... and of course
+#
+# /var/log/messages
+#########################################################################
+
+use Logwatch ':dates';
+
+my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'};
+
+my $SearchDate;
+
+my %Updates;
+my %Errors;
+
+$SearchDate = TimeFilter("%b %e");
+
+while (defined(my $ThisLine = <STDIN>))
+{
+ next unless ($ThisLine =~ m/^\s*\w+\s+\w+\s+(..:..:..) .* ipblacklist: (.*)/);
+
+ my $text = $2;
+
+ if ($text =~ m/Finished updating (\w+) blacklist with (\d+) changes/)
+ {
+ $Updates{$1}{updates}++;
+ $Updates{$1}{changes} += $2;
+ }
+ elsif ($text !~ m/Starting IP Blacklists/ and
+ $text !~ m/Starting IP Blacklist processing/ and
+ $text !~ m/Updating \w+ blacklist/ and
+ $text !~ m/Stopping IP Blacklists/ and
+ $text !~ m/Deleting IP Blacklists/ and
+ $text !~ m/Completed IP Blacklist update/ and
+ $text !~ m/Finished IP Blacklist processing/ and
+ $text !~ m/Blacklist \w+ Modification times/ and
+ $text !~ m/Create IPTables chains for blacklist/ and
+ $text !~ m/Delete IPTables chains for blacklist/ and
+ $text !~ m/Checking modification time for blacklist/ and
+ $text !~ m/Restoring blacklist / and
+ $text !~ m/Downloading blacklist/ )
+ {
+ $Errors{$text}++;
+ }
+}
+
+#####################################################################
+
+if (keys %Updates)
+{
+ print "\nThe following block lists were updated:\n";
+ foreach my $Lists (sort keys %Updates)
+ {
+ print " $Lists: $Updates{$Lists}{updates} Time(s) - $Updates{$Lists}{changes} change(s)\n";
+ }
+}
+
+if (keys %Errors)
+{
+ print "\nThe following errors were detected:\n";
+
+ foreach my $Text (keys %Errors)
+ {
+ print " $Text: $Errors{$Text} Time(s)\n";
+ }
+}
+
+exit(0);
+
+# vi: shiftwidth=3 tabstop=3 syntax=perl et
+# Local Variables:
+# mode: perl
+# perl-indent-level: 3
+# indent-tabs-mode: nil
+# End:
diff --git a/config/logwatch/ipblacklist.conf b/config/logwatch/ipblacklist.conf
new file mode 100644
index 000000000..ed0ecc5f1
--- /dev/null
+++ b/config/logwatch/ipblacklist.conf
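Review bot: `$SearchDate` is assigned from `TimeFilter("%b %e")` but never matched against `$ThisLine`, and `$Detail` is never read, so the script's own date filter is dead code; since the accompanying ipblacklist.conf uses `*applystddate`, Logwatch already pre-filters by date, and the `my $SearchDate;`, `$SearchDate = TimeFilter(...)` and `my $Detail` lines (plus `use Logwatch ':dates';` if nothing else needs it) can go, or the filter should actually be applied with `next unless $ThisLine =~ /^$SearchDate/;`. The error report iterates `keys %Errors` unsorted, so the order of the "errors were detected" section differs from run to run; `foreach my $Text (sort keys %Errors)` matches the updates loop and makes reports diffable. The copyright line `Lars Skj�rlund` carries a mis-encoded byte and the file should be re-saved as UTF-8 before it lands.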
@@ -0,0 +1,34 @@
+#########################################################################
+# ids-update script for Logwatch
+# Analyzes the IPFire IP Blacklist update log
+#
+# Version: 1.0.0
+# Initial release
+#
+#########################################################################
+
+#########################################################################
+# This script is subject to the same copyright as Logwatch itself
+#########################################################################
+
+#########################################################################
+# Files - all shown with default paths:
+#
+# /usr/share/logwatch/default.conf/logfiles/messages.conf
+# /usr/share/logwatch/dist.conf/services/blacklist.conf (this file)
+# /usr/share/logwatch/scripts/services/blacklist
+#
+# ... and of course
+#
+# /var/log/messages
+#########################################################################
+
+
+Title = "IP Blacklist"
+
+# Which logfile group...
+LogFile = messages
+
+*applystddate
+
+# vi: shiftwidth=3 tabstop=3 et
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ec396c708..a3596cd0e 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -180,6 +180,16 @@ iptables_init() {
 iptables -A FORWARD -j P2PBLOCK
 iptables -A OUTPUT -j P2PBLOCK
+ # IP Address Blacklist chains
+ iptables -N IPBLACKLISTIN
+ iptables -N IPBLACKLISTOUT
+ iptables -N IPBLACKLISTREDIN
+ iptables -N IPBLACKLISTREDOUT
+ iptables -A INPUT ! -p icmp -j IPBLACKLISTIN
+ iptables -A FORWARD ! -p icmp -j IPBLACKLISTIN
+ iptables -A FORWARD ! -p icmp -j IPBLACKLISTOUT
+ iptables -A OUTPUT ! -p icmp -j IPBLACKLISTOUT
+
 # Guardian (IPS) chains
 iptables -N GUARDIAN
 iptables -A INPUT -j GUARDIAN
@@ -382,6 +392,9 @@ iptables_init() {
 # run captivectrl
 /usr/local/bin/captivectrl
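Review bot: The header of ipblacklist.conf is carried over from ids-update and names the wrong files: it calls itself the "ids-update script for Logwatch" and lists `services/blacklist.conf (this file)` and `scripts/services/blacklist`, whereas this patch installs `ipblacklist.conf` and `ipblacklist` (the perl script's own header repeats the `blacklist.conf` reference). Suggested lines: `# ipblacklist configuration for Logwatch`, `# /usr/share/logwatch/dist.conf/services/ipblacklist.conf (this file)` and `# /usr/share/logwatch/scripts/services/ipblacklist`, so an operator looking for the files on disk is not sent to names that do not exist.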
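Review bot: All four jump rules in the -180 hunk carry `! -p icmp`, so ICMP from or to a blacklisted address is never checked against IPBLACKLISTIN/IPBLACKLISTOUT and whether it is accepted depends only on the later rules; if that exemption is intentional it needs a comment beside the chain creation, e.g. `# ICMP is deliberately exempted from the blacklist chains: <reason>`, because a later reader will otherwise take it for an oversight and "remove" it. IPBLACKLISTREDIN and IPBLACKLISTREDOUT are created here but only wired up in iptables_red_up further down, which is also worth a one-line comment. `iptables_init` starts before the hunk.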
+ # run IP Blacklist start
+ /usr/local/bin/ipblacklist start
+
 # POLICY CHAIN
 iptables -N POLICYIN
 iptables -A INPUT -j POLICYIN
@@ -407,6 +420,8 @@ iptables_red_up() {
 iptables -F REDINPUT
 iptables -F REDFORWARD
 iptables -t nat -F REDNAT
+ iptables -F IPBLACKLISTIN
+ iptables -F IPBLACKLISTOUT
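Review bot: `/usr/local/bin/ipblacklist start` in the -382 hunk runs with its exit status ignored, so if it fails to load the lists or to create the sets that firewall-policy's `-j SET --add-set AUTOBLACKLIST` rule in this patch depends on, the firewall comes up with no blacklist and no message. Since the POLICY chains are created immediately afterwards, at minimum surface the failure: `/usr/local/bin/ipblacklist start || echo "ipblacklist start failed" >&2`. How firewall-policy is invoked relative to this call is outside the hunk, so the ordering assumption is inferred, not verified here.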
 # PPPoE / PPTP Device
 if [ "$IFACE" != "" ]; then
@@ -464,6 +479,10 @@ iptables_red_up() {
 iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
 done
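Review bot: The -407 hunk flushes IPBLACKLISTIN and IPBLACKLISTOUT on every red-up, and the -464 hunk below only re-adds the two jumps to the RED chains; this is correct if the ipblacklist script writes its rules solely into IPBLACKLISTREDIN/REDOUT, but if it (or a later change) also places rules in IPBLACKLISTIN/OUT for non-RED interfaces, each reconnect silently discards them. A comment such as `# IPBLACKLISTIN/OUT hold only the per-interface dispatch; blacklist rules live in the RED chains` would pin that contract, and the flush could alternatively be narrowed to deleting just the two RED jump rules. `iptables_red_up` starts before the hunk and the stop path is not visible here.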
+ # IP Address Blacklists
+ iptables -A IPBLACKLISTIN -i $IFACE -j IPBLACKLISTREDIN
+ iptables -A IPBLACKLISTOUT -o $IFACE -j IPBLACKLISTREDOUT
+
 # Masquerade everything else
 iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
 fi
@@ -504,6 +523,7 @@ case "$1" in
 evaluate_retval
 ;;
 restart)
+ /usr/local/bin/ipblacklist stop
 $0 start
 ;;
 *)
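Review bot: In the -504 hunk `restart)` now calls `/usr/local/bin/ipblacklist stop` before `$0 start`, but the `stop)` branch is outside the hunk and nothing in this patch shows it doing the same; if it does not, a plain `stop` leaves the blacklist chains and sets behind while `restart` tears them down first, and the two paths diverge in a way an operator will not expect. Either add the same call to `stop)` or put a comment on this line explaining why only restart needs it, e.g. `# blacklist state must be dropped before iptables_init recreates the chains`. The exit status of the stop call is also ignored, which is consistent with the surrounding lines but means a failed teardown is invisible.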