blacklist/whitelist implementation with ipset

TESTING.md

@@ -0,0 +1,76 @@
+% Testing the script
+
+# Testing the script
+
+## Checking duplicates
+
+```bash
+$ for chain in INPUT OUTPUT FORWARD ; do echo $chain ; sudo iptables -L $chain -v | sort -u | wc -l ; sudo iptables -L $chain -v | wc -l  ; done
+INPUT
+21
+24
+OUTPUT
+14
+17
+FORWARD
+3
+3
+```
+
+## Identifying duplicates
+
+```bash
+sudo iptables -L INPUT -v | sort
+```
+
+
+```
+/sbin/iptables -A INPUT -i lo -s localhost -d localhost -j ACCEPTn
+/sbin/iptables -A INPUT -i lo -j ACCEPT
+```
+
+
+# Possible addition
+
+
+```bash
+CONFIGURATION_USER_RULES_DIR=${CONFIGURATION_DIR}/rules.d
+#...
+
+####################################################
+# Executes the user-defined rules
+####################################################
+fw_run_user_rules () {
+	local do_action
+	do_action=$1
+	if [ -d $CONFIGURATION_USER_RULES_DIR ]
+	then
+		for user_file in $(ls $CONFIGURATION_USER_RULES_DIR)
+		do
+			(
+				echo "$do_action user_file=$user_file"
+				#typeset -f | awk '/ \(\) $/ && !/^main / {print $1}'
+				awk '/^lfirewall_set_/{print $1}' "$CONFIGURATION_USER_RULES_DIR/${user_file}"
+				for function_name in `awk '/^lfirewall_set_/{print $1}' "$CONFIGURATION_USER_RULES_DIR/${user_file}"`
+				do
+					echo "$do_action $user_file > $function_name"
+				done
+			)
+		done
+	fi
+}
+
+
+# Inside fw_execute
+
+	#**************************************************************************#
+	# User Rules execution
+	#**************************************************************************#
+	# NOT YET ACTIVATED
+	#fw_run_user_rules $do_action
+
+
+# In Makefile
+config:
+    $(MKDIR) -p $(FIREWALL_ETC_DIR) $(FIREWALL_ETC_DIR)/rules.d
+```

etc/lfirewall.conf

@@ -73,3 +73,5 @@ REMOTE_TCP_SERVICES="22 $REMOTE_TCP_SERVICES" # SSH
 REMOTE_TCP_SERVICES="$REMOTE_TCP_SERVICES $SAMBA_PORTS"
 
 REMOTE_UDP_SERVICES="53" # DNS
+
+BANNED_LISTS="et_spamhaus spamhaus_drop et_dshield"

scripts/lfirewall

@@ -246,10 +246,10 @@ then
 	exit 2
 fi
 
-IPTABLES_CHECK=__iptables_check_action
-IPTABLES_ADD=__iptable_add_action
-IPTABLES_INSERT=__iptable_insert_action
-IPTABLES_SET_POLICY=__iptable_set_policy_action
+export IPTABLES_CHECK=__iptables_check_action
+export IPTABLES_ADD=__iptable_add_action
+export IPTABLES_INSERT=__iptable_insert_action
+export IPTABLES_SET_POLICY=__iptable_set_policy_action
 
 export IP_TABLES
 export NETWORK_IF
@@ -276,7 +276,10 @@ do_exec () {
 	if [ ${verbose} -ge 1 ] ; then
 		echo $IP_TABLES $iptables_option $*
 	fi
-	$IP_TABLES $iptables_option $*	
+	if ! $IP_TABLES -C $* > /dev/null 2>&1
+	then
+		$IP_TABLES $iptables_option $*
+	fi
 }
 
 do_check () {
@@ -338,10 +341,10 @@ fw_exec_basic_input_rules(){
 	$do_action $IPTABLES_ADD $IT_INPUT -i lo -j ACCEPT
 }
 
+
 ##########################
 # Executes the Firewall rules
 ##########################
-
 fw_execute () {
 	local do_action
 	do_action=$1
@@ -429,6 +432,98 @@ fw_execute () {
 	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
 	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
 	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
+
+	#**************************************************************************#
+	# blacklist action
+	#**************************************************************************#
+	fw_blacklist $do_action
+
+	#**************************************************************************#
+	# whitelist action
+	#**************************************************************************#
+	fw_whitelist $do_action
+}
+
+
+warn_user_missing_ban_list() {
+	local ban_list_name
+	ban_list_name=$1
+	printf "###############################################################\n\r" >&2
+	printf "#                   IMPORTANT WARNING !!!                     #\n\r" >&2
+	printf "# Banned list named '$ban_list_name' does not exist           #\n\r" >&2
+	printf "# Please create it using with at least one entry using :      #\n\r" >&2
+	printf "# # ipset create $ban_list_name hash:net hashsize 4096              #\n\r" >&2
+	printf "#                                                             #\n\r" >&2
+	printf "###############################################################\n\r" >&2
+}
+
+fw_blacklist(){
+	local do_action
+	do_action=$1
+	case $do_action in
+		do_exec)
+			if [ -n "${BANNED_LISTS:-}" ]
+			then
+				for ban_list in ${BANNED_LISTS}
+				do
+					if ipset list ${ban_list} > /dev/null
+					then
+						if ! iptables -C INPUT -m set --match-set ${ban_list} src -j DROP > /dev/null 2>&1
+						then
+							echo "Enabling $ban_list"
+							iptables -I INPUT -m set --match-set ${ban_list} src -j DROP
+						fi
+					else
+						warn_user_missing_ban_list ${ban_list}
+					fi
+				done
+			fi
+			;;
+		*)
+			;;
+	esac
+}
+
+warn_user_no_whitelist() {
+	printf "###############################################################\n\r" >&2
+	printf "#                   IMPORTANT WARNING !!!                     #\n\r" >&2
+	printf "# Your whitelist is empty or non existent                     #\n\r" >&2
+	printf "# Please create one using with at least one entry using :     #\n\r" >&2
+	printf "# # ipset create whitelist hash:net hashsize 4096              #\n\r" >&2
+	printf "#                                                             #\n\r" >&2
+	printf "# Append at least your IP address using one of the following: #\n\r" >&2
+	printf "# # ipset add whitelist 12.34.56.78                        #\n\r" >&2
+	printf "# # ipset add whitelist 192.168.0.0/16                        #\n\r" >&2
+	printf "#                                                             #\n\r" >&2
+	printf "###############################################################\n\r" >&2
+}
+
+fw_whitelist() {
+	local do_action
+	do_action=$1
+	if ! ipset list whitelist > /dev/null
+	then
+		warn_user_no_whitelist
+		return
+	else
+		if [ `ipset list whitelist 2> /dev/null | awk '/Number of entries/ {print $NF}'` -eq 0 ]
+		then
+			warn_user_no_whitelist
+			return
+		fi
+	fi
+	
+	if [ -n "$TCP_SERVICES" ] ; then
+		for PORT in $TCP_SERVICES; do
+			$do_action $IPTABLES_INSERT $IT_INPUT -p tcp -m tcp --dport ${PORT} -m set --match-set whitelist src -j ACCEPT
+		done
+	fi
+	if [ -n "$UDP_SERVICES" ] ; then
+		for PORT in $UDP_SERVICES; do
+			$do_action $IPTABLES_INSERT $IT_INPUT -p udp -m udp --dport ${PORT} -m set --match-set whitelist src -j ACCEPT
+		done
+	fi
+
 }
 
 fw_network_protection(){