Custom rule for ip blacklist firewall.local

Hi all. I have a problem with the firewall.local start/stop function.
I will try to use the good old script PeerGuardian (wiki.ipfire.org - PeerGuardian Script).
But my config from the past is lost, same as my docu from there:
https://wiki.ipfire.org/optimization/scripts/pg/peergaurdian_cli__forum.ipfire.org_all.pdf

Can you tell me what values I need for the blacklist start & stop function in firewall.local? This is actually my code, but it is not right. :confused:

#!/bin/sh
# Used for private firewall rules
IPT="/sbin/iptables"
BLACKLIST="/etc/sysconfig/blacklist"
# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
       for BLACKLIST in `cat $BLACKLIST`; do
       $IPT -A CUSTOMINPUT -s $BLACKLIST -j DROP
        ;;
  stop)
        ## add your 'stop' rules here
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac

These messages I see after reloading the firewall rules:

/etc/sysconfig/firewall.local reload
/etc/sysconfig/firewall.local: line 11: syntax error near unexpected token `;;'
/etc/sysconfig/firewall.local: line 11: `        ;;'

Cheers, 5p9

1 Like

Hello @tberthel ,

welcome to the community.

Some comments about your script.

  • the for loop in the start section lacks a done statement
  • there should be code in the stop section which deletes the rules
  • to be sure about interpretation by bash, just use another variable for the members of `cat $BLACKLIST`

My recommendation:

#!/bin/sh
# Used for private firewall rules
IPT="/sbin/iptables"
BLACKLIST="/etc/sysconfig/blacklist"
# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
       for BL in `cat $BLACKLIST`; do
       $IPT -A CUSTOMINPUT -s $BL -j DROP
       done
        ;;
  stop)
        ## add your 'stop' rules here
       for BL in `cat $BLACKLIST`; do
       $IPT -D CUSTOMINPUT -s $BL -j DROP
       done
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac

2 Likes

Hi Bernhard,
Since the conversion of the forum I was no longer active here.
Thanks for the help and the hint.

That's the problem, the end of the function, like:

done

:face_with_peeking_eye:

Now I have a second problem with the egrep -v and IPv6 invert-match.
https://wiki.ipfire.org/optimization/scripts/pg

The original code does not work:

printf "\n Remove comments, ipv6 address etc."
egrep -v '(^[](/space)*/|^[](/space)*#|^[](/space)*$)|/[0-9]|\:|/g' /etc/sysconfig/blacklisttmp > /etc/sysconfig/blacklist

My new regex code for the script finds any IPv6, but the move without IPv6 in the blacklist file is ignored:

egrep -v '(?:^|(?<=\s))(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(?=\s|$)' /etc/sysconfig/blacklisttmp > /etc/sysconfig/blacklist

In the blacklist file I found IPv6 addresses and I don't know why!

200.142.103.202
2001:470:1:332::166
200.153.21.10
...
...
200.174.29.180
2001:9e8:2711:b500:4873:b110:28f3:52f8
200.205.119.25
...
...
200.35.54.73
2003:e5:2701:1d79:d197:317:6230:aa41
2003:e5:2f08:4b22:fcf2:d5c2:8dd2:3966
2003:e5:2f08:4b68:fcf2:d5c2:8dd2:3966
2003:e5:2f08:4b82:fcf2:d5c2:8dd2:3966
...

BR

@tberthel ,
To help with your complicated regular expression, it would be nice if you could explain what exactly is to be filtered. BTW, explaining code to others sometimes helps to understand. :wink:

Hi all,
@tberthel, Thomas, nice to see you again after what feels like 10 years :slight_smile:
If I understand you right, you want to filter only for IPv4 addresses by trying to exclude (-v option) the IPv6 addresses? If so, for regular IPs
grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"
and CIDRs
grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}/[0-9]{1,2}"
?
And to wipe some doubles out and get a sorted list, pipe the grep output through a
sort -nu
? As an idea? Maybe it helps…

Best wishes to you all, and sorry @bbitsch, I hope I haven't broken your always good and verifying questions :slightly_smiling_face:

EDIT: As I took a quick look at the script, the last paragraph might bring the usage of IPSet to light, since it was written to prevent overloading IPTables with too many entries, as an idea to think about…

3 Likes
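An added example (not code from the thread or from IPFire) that puts Erik's positive IPv4 match together with Bernhard's start/stop loop: a filter that keeps only valid IPv4 hosts/CIDRs from the blacklist file, and a rule loop that feeds them to CUSTOMINPUT. The IPT variable, the function names and the constructed sample file are assumptions of this example; grep -E is POSIX ERE and has no `(?:...)` groups or lookarounds, which is why the filter selects IPv4 lines rather than trying to invert-match IPv6.

```shell
#!/bin/sh
# Added example (not from the thread or from IPFire): load only valid IPv4
# hosts/CIDRs from a blacklist into CUSTOMINPUT the way firewall.local does,
# dropping comments, blank lines, IPv6 and malformed entries on the way.
# Assumption: IPT may be overridden; IPT=echo turns the loop into a dry run.
IPT="${IPT:-/sbin/iptables}"

# Octet 0-255 and prefix length 0-32 in POSIX ERE. grep -E has no (?:...)
# groups and no lookarounds; those are PCRE features (grep -P).
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
PREFIX='(/([0-9]|[12][0-9]|3[0-2]))?'

# filter_ipv4 <file>: print one valid IPv4 address or IPv4/prefix per line.
# -x forces a whole-line match, so ::ffff:203.0.113.7 or 999.1.1.1 cannot
# pass on a partial hit. Plain sort -u on purpose: sort -nu compares only the
# leading number (200.1 for both 200.1.1.1 and 200.1.2.2) and merges them.
filter_ipv4() {
    sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -E -x "($OCTET\.){3}$OCTET$PREFIX" |
        sort -u
}

# blacklist_rules <-A|-D> <file>: add (start) or delete (stop) one DROP rule
# per entry in CUSTOMINPUT and print how many rules were applied.
blacklist_rules() {
    _action="$1"; _file="$2"; _n=0
    for _bl in $(filter_ipv4 "$_file"); do
        "$IPT" "$_action" CUSTOMINPUT -s "$_bl" -j DROP && _n=$((_n + 1))
    done
    echo "$_n"
}

# make_sample: write a constructed blacklist (RFC 5737/3849 documentation
# addresses only) to a temp file and print its path.
make_sample() {
    _f="${TMPDIR:-/tmp}/blacklist_sample.$$"
    cat > "$_f" <<'EOF'
# constructed sample: comments, a duplicate, IPv6 and bad entries mixed in
192.0.2.10
2001:db8::1
198.51.100.0/24   # trailing comment
192.0.2.10
203.0.113.7
999.1.1.1
::ffff:203.0.113.7
203.0.113.7/33
EOF
    echo "$_f"
}
```

Calling `blacklist_rules -A "$BLACKLIST"` from the start branch and `blacklist_rules -D "$BLACKLIST"` from the stop branch gives the same behaviour as the recommended firewall.local, with the file sanitised first.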

ipset_update.sh · master · ummeegge / scripts · GitLab: really an old one, but maybe worth an idea (and for sure some debugging)?!

Best,

Erik

1 Like