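#!/usr/bin/env bash
# ##################################################
# ufw-ipset-blocklist-autoupdate
#
# Blocking lists of IPs from public blacklists / blocklists (e.g. blocklist.de, spamhaus.org)
#
# Version: 1.1.1
#
# See: https://github.com/ngandrass/ufw-ipset-blacklist-autoupdate
# ##################################################
#
# Installer. Downloads autoupdate-blocklist.sh and a ufw after.init hook
# (IPv4-only or IPv6 variant), installs them to /usr/local/bin and
# $UFW_AFTER_INIT_FILE, and optionally reloads ufw.
#
# Everything installed here is later executed by root (via ufw), so:
#   - the script must itself run as root (it writes to /etc/ufw, /usr/local/bin,
#     /var/lib/ipset and reloads ufw);
#   - the download source must be one you trust. No signature or pinned
#     checksum verification is performed on the downloaded files.
#
# Environment:
#   DOWNLOAD_BASE_URL  base URL the three files are fetched from (optional override)

UFW_CONF_DIR=/etc/ufw
UFW_AFTER_INIT_FILE=$UFW_CONF_DIR/after.init
IPSET_DIR="/var/lib/ipset" # Folder to write ipset save files to
INSTALL_BIN_DIR=/usr/local/bin
CONFIGURE_IPV6=0

# The original download lines were incomplete (the script download carried no
# URL at all and the after.init URLs were split in two); the host below is the
# one that appeared in them and the "/download/<file>" paths are reused for all
# three files.
# TODO(review): confirm the real download location against the upstream
# repository before relying on this default.
DOWNLOAD_BASE_URL="${DOWNLOAD_BASE_URL:-https://files.mylinux.work}"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Download one file over HTTPS only, aborting on any failure so that a
# missing or partial download never reaches the install step.
# Arguments: $1 - URL, $2 - destination path
#######################################
fetch() {
  local url=$1 dest=$2
  wget -q --https-only -O "$dest" "$url" || die "download failed: $url"
  [[ -s "$dest" ]] || die "downloaded file is empty: $url"
}

# Fail early instead of half-way through with a permissions error.
if (( EUID != 0 )); then
  die "this script must be run as root"
fi

# Let user abort
read -r -p "Configure UFW to block IPs listed in blocklist ipsets? [Y/n] " ret
case "$ret" in
  [nN][oO]|[nN]) exit ;;
  *) ;;
esac

read -r -p "Would you like to enable IPv6 support? [Y/n] " ret
case "$ret" in
  [nN][oO]|[nN]) CONFIGURE_IPV6=0 ;;
  *) CONFIGURE_IPV6=1 ;;
esac

# All checks and confirmations happen BEFORE anything is downloaded or
# installed, so an abort at the overwrite prompt leaves the system untouched
# (the original installed autoupdate-blocklist.sh before asking).

# Check that ufw has IPv6 enabled. Anchored so a commented-out or
# otherwise-prefixed "IPV6=yes" does not count as enabled.
if [[ "$CONFIGURE_IPV6" == 1 ]]; then
  if ! grep -q -E "^[[:space:]]*IPV6=(yes|YES)" /etc/default/ufw; then
    die "IPv6 rules requested but UFW is not configured to use IPv6. Set IPV6=yes in /etc/default/ufw and rerun this script."
  fi
fi

# Check if file already exists.
if [ -f "$UFW_AFTER_INIT_FILE" ]; then
  read -r -p "The file $UFW_AFTER_INIT_FILE already exists. Are you sure that you want to overwrite it? [y/N] " ret
  case "$ret" in
    [yY][eE][sS]|[yY]) ;; # continue
    *) exit ;;
  esac
fi

# Ensure that IPSET_DIR exists
if [ ! -d "$IPSET_DIR" ]; then
  mkdir -p "$IPSET_DIR" || die "cannot create $IPSET_DIR"
fi

# Download into a private temporary directory instead of fixed names under
# /tmp: with fixed names any local user could pre-create or symlink the file
# that is about to be installed and run as root, and wget would also write a
# ".1" copy next to a leftover file so a stale version got installed.
tmpdir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$tmpdir"' EXIT

# Only the hook variant that will actually be deployed is fetched.
if [[ "$CONFIGURE_IPV6" == 1 ]]; then
  hook_name=after.init.ipv6
else
  # The original moved after.init.ipv6 into place on this branch as well,
  # so an IPv4-only install silently received the IPv6 hook.
  hook_name=after.init.ipv4
fi

fetch "$DOWNLOAD_BASE_URL/download/autoupdate-blocklist.sh" "$tmpdir/autoupdate-blocklist.sh"
fetch "$DOWNLOAD_BASE_URL/download/$hook_name" "$tmpdir/$hook_name"

# Install (copy + mode in one step; the temp copies are removed by the trap).
install -m 0755 "$tmpdir/autoupdate-blocklist.sh" "$INSTALL_BIN_DIR/autoupdate-blocklist.sh" \
  || die "cannot install autoupdate-blocklist.sh to $INSTALL_BIN_DIR"

# Deploy after.init
install -m 0755 "$tmpdir/$hook_name" "$UFW_AFTER_INIT_FILE" \
  || die "cannot deploy $UFW_AFTER_INIT_FILE"
echo "Deployed $UFW_AFTER_INIT_FILE"

# Restart ufw
read -r -p "Reload ufw to apply changes? [Y/n] " ret
case "$ret" in
  [nN][oO]|[nN]) exit ;;
  *) ufw reload || die "ufw reload failed" ;;
esac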