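#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
# firebricks "bogons" module.  Builds an iptables chain named $Me that
# matches traffic to or from bogon prefixes (address space not yet
# allocated by IANA) listed one per line in $FBData/bogon-bn-agg.txt,
# and links that chain into INPUT, FORWARD and OUTPUT.
#
# Which actions run is decided by $Tasks.  FlushOrNewChain, DestroyChain,
# DefaultHelp, $IptablesBin, $AppIn, $Ipt, $Tail and $FBData are expected
# to come from firebrickslib / the config files sourced below.
#
# Deliberately no "set -e": some iptables calls below are expected to
# fail harmlessly (e.g. -N on a chain that already exists) and each
# action handles its own failures in place.

Me='bogons'
MyVersion='0.3.1'

[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] \
  && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# Path of the bogon list consumed by the create action.
BogonList="$FBData/bogon-bn-agg.txt"

#######################################
# Accept only something shaped like an IPv4 address or CIDR prefix
# (a.b.c.d or a.b.c.d/n).  The bogon list is produced by a third party,
# so any other token is refused instead of being handed to iptables.
# Arguments: $1 - candidate list entry
# Returns:   0 if it has that shape, 1 otherwise
#######################################
bogons_entry_ok() {
  local re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
  [[ "$1" =~ $re ]]
}

#######################################
# Count the rules in builtin chain $1 whose target is chain $2.
# Arguments: $1 - builtin chain (INPUT/FORWARD/OUTPUT)
#            $2 - target chain name
# Outputs:   the count on stdout
#######################################
bogons_ref_count() {
  # $IptablesBin stays unquoted as in the rest of the module, in case
  # firebrickslib sets it to more than one word.
  # shellcheck disable=SC2086
  $IptablesBin -L "$1" -n --line-numbers | grep -c -w -- "$2"
}

#######################################
# Print the rule number of the rule in builtin chain $1 whose target is
# chain $2.  Callers first check with bogons_ref_count that there is
# exactly one such rule.
# Arguments: $1 - builtin chain
#            $2 - target chain name
# Outputs:   the rule number on stdout
#######################################
bogons_ref_index() {
  # shellcheck disable=SC2086
  $IptablesBin -L "$1" -n --line-numbers | grep -w -- "$2" | awk '{print $1}'
}

# $Tasks is a whitespace-separated list of actions; word-splitting here
# is intended.
# shellcheck disable=SC2086
for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      # -N fails (harmlessly) if the chain already exists.
      $IptablesBin -N "$Me" >/dev/null 2>&1
      $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -j "$Me"
      ;;
    unlink)
      $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -j "$Me"
      # -X fails (harmlessly) if the chain is absent or still referenced.
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # Loopback traffic returns to the calling chain before any bogon
      # rule is consulted.
      $IptablesBin -A "$Me" -i lo -s 127.0.0.0/8 -j RETURN
      $IptablesBin -A "$Me" -i lo -d 127.0.0.0/8 -j RETURN
      $IptablesBin -A "$Me" -o lo -s 127.0.0.0/8 -j RETURN
      $IptablesBin -A "$Me" -o lo -d 127.0.0.0/8 -j RETURN
      #Uncomment this if you want to automatically pull down this file.
      #Note the URL is plain http, so an automatically fetched list is only
      #as trustworthy as the network path it came over; review it before
      #letting it drive firewall rules.
      #if [ ! -f "$BogonList" ]; then
      #  wget http://www.cymru.com/Documents/bogon-bn-agg.txt -O "$BogonList"
      #fi
      if [ -f "$BogonList" ]; then
        # One prefix per line: the first field is used, the rest of the
        # line ignored.  The "|| [ -n ... ]" keeps a final line that has
        # no trailing newline.
        while read -r OneBogon _ || [ -n "$OneBogon" ]; do
          case "$OneBogon" in
            ''|\#*)
              # Blank line or comment.
              ;;
            10.0.0.0/8|172.16.0.0/12|192.168.0.0/16|224.0.0.0/3)
              # Handled elsewhere.  (The earlier pattern read
              # "192.168.0.0./16", which never matched, so 192.168.0.0/16
              # entries were not skipped here.)
              : #echo "Skipping $OneBogon, handled elsewhere." >&2
              ;;
            *)
              # $Ipt and $Tail carry the rule prefix/suffix from
              # firebrickslib and must stay unquoted.
              # shellcheck disable=SC2086
              if bogons_entry_ok "$OneBogon"; then
                LogAs='bogon' $Ipt -A "$Me" -s "$OneBogon" $Tail
                LogAs='bogon' $Ipt -A "$Me" -d "$OneBogon" $Tail
              else
                echo "Ignoring malformed entry '$OneBogon' in $BogonList" >&2
              fi
              ;;
          esac
        done < "$BogonList"
      else
        echo "No $BogonList, please get from:" >&2
        echo 'http://www.cymru.com/Documents/bogon-bn-agg.txt' >&2
        echo "Unable to initialize $Me." >&2
      fi
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Park the current rules under a temporary name so a fresh chain can
      # be built; replacelinks later moves the jumps over and drops it.
      TempChain="$Me-$RANDOM"
      echo "Replacing existing rules in $Me with new rules" >&2
      $IptablesBin -E "$Me" "$TempChain"
      ;;
    replacelinks)
      if [ -z "$TempChain" ]; then
        echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$Me" >/dev/null 2>&1 ; then
        echo "No $Me chain in $Me, replace operation incomplete." >&2
      elif ! $IptablesBin -L "$TempChain" >/dev/null 2>&1 ; then
        echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      elif [ "$(bogons_ref_count INPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(bogons_ref_count FORWARD "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      elif [ "$(bogons_ref_count OUTPUT "$TempChain")" -ne 1 ]; then
        echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      else
        # Replace each builtin chain's single jump to the temporary chain
        # with a jump to the rebuilt one, then drop the temporary chain.
        $IptablesBin -R INPUT "$(bogons_ref_index INPUT "$TempChain")" -i \! lo -j "$Me"
        $IptablesBin -R FORWARD "$(bogons_ref_index FORWARD "$TempChain")" -j "$Me"
        $IptablesBin -R OUTPUT "$(bogons_ref_index OUTPUT "$TempChain")" -j "$Me"
        DestroyChain "$TempChain"
        unset TempChain
      fi
      ;;
    status)
      if $IptablesBin -L "$Me" >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      cat <<EOTEXT >&2
The $Me module checks for bogon source addresses; addresses which have
not yet been assigned by IANA.  No legitimate hosts should be using them.
This module should be safe to use, but please check no less than once a
month for an updated bogon list.
The file can be found at http://www.cymru.com/Documents/bogon-bn-agg.txt
and should be placed in $FBData/bogon-bn-agg.txt .
EOTEXT
      DefaultHelp
      ;;
    *)
      # Report the value actually dispatched on ($OneTask); the earlier
      # message printed $Action, which this script never sets.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done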