-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy paththeblackguardscontrol_generator
executable file
·109 lines (94 loc) · 2.27 KB
/
theblackguardscontrol_generator
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
#!/bin/zsh
# Select your cool name for the table here.
name=theblackguardscontrol
target=/etc/nftables/$name.nft
feed=(
https://www.spamhaus.org/drop/drop.txt
https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/cn.cidr
https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst
https://list.blocklist.de/lists/22.txt
https://list.blocklist.de/lists/25.txt
)
# Get filename
getfn()
{
echo ${1##*/}
}
# No extension
ne()
{
echo ${1%.*}
}
files=($(for i in $feed; do getfn $i; done))
# XXX
cd /etc/${name}_generator
# Fetch files, if they are older than 1 week
for i in $feed; do
file=$(getfn $i)
# Skip downloading if file is newer than 1 day.
if [[ -f $file ]] && find $file -mtime -1 | grep -q .; then
continue
fi
curl -O $i
done
# First clear out the existing table
nft table ip $name
nft delete table ip $name
# Set up table.
> $name.nft << EOF
#!/usr/sbin/nft -f
# First create the table, so we can flush it, even if it didn't exist before.
table ip $name
flush table ip $name
table ip $name {
EOF
for i in $files; do
>> $name.nft << EOF
set set_$(ne $i) {
type ipv4_addr
flags interval
auto-merge
}
EOF
done
>> $name.nft << EOF
chain permissiondenied {
type filter hook input priority filter - 10
policy accept
EOF
for i in $files; do
j=$(ne $i)
>> $name.nft << EOF
ip saddr @set_$j log prefix "[$j]" group 0 drop
EOF
done
>> $name.nft << EOF
}
}
EOF
nft -f $name.nft
# Now fill tables with ip ranges
for file in $files; do
unset set
j=$(ne $file)
for i in $(cat $file|sed -e 's|[;#].*||'|grep -v ':'); do
set+=($i,)
# Some lists are so big, we have to feed the list in chunks.
if (( ${#set[@]} >= 1000 )); then
nft add element ip $name set_$j "{ $set }"
set=()
fi
done
nft add element ip $name set_$j "{ $set }"
done
# Now create the final config file, with all entries added.
# Actually, let nft create the file.
cat << EOF > $name.nft
#!/usr/sbin/nft -f
# Create this table to make sure it exists when we delete it. Get it? :-)
table ip $name
delete table ip $name
$(nft list table $name)
EOF
chmod 755 $name.nft
cp $name.nft $target