This is for my router running Tomato firmware. I am a newb and I have racked my brain for way too long. I am about to pull my hair out. The only error I get is line 73: syntax error: missing '))'. However, it doesn't seem to be performing some of the commands that are in the script, not even a command that is not inside any "if" statements or anything (for example fileDateTor=$(date -r $IPSET_LISTS_DIR/tor.lst +%s)). It doesn't add the non-existent iptables rules. This is not my script; I am trying to modify it so 1) it doesn't create identical iptables rules if they already exist and 2) it updates the files and ipsets when they are too old. Also, I could use some help on the "if" section toward the bottom starting with "if [$(($curDate - $(date -r $IPSET_LISTS_DIR/cn.lst +%s)) / 86400) > 5]". I want to check to see if any of the files are older than 5 days and, if so, download all the files and create the BlockedCountriesNew list, etc. However, I don't want to do the 'swap the list' and 'destroy the list' commands with each loop for each new file. I could not figure out a good way to do that, so I came up with the ugly solution below (which may not even work btw). Here is what I have so far.
Code:
#!/bin/sh
blacklist="af cn hk ir kh kp kr kz li my ng ph pk ru sg th ua vn"
# Loading ipset modules "/dev/null 2>&1" says send errors to /dev/null
lsmod | grep "ipt_set" > /dev/null 2>&1 || \
for module in ip_set ip_set_nethash ip_set_iphash ipt_set
do
insmod $module
done
# "[]" means test whatever is in the brackets Lookup 'test' command for options.
# Preparing folder to cache downloaded files "[-d IPSET_LISTS_DIR]" means test if IPSET_LISTS_DIR is a directory if that fails then run mkdir command
IPSET_LISTS_DIR=/opt/downloads/ipset_lists
[ -d "$IPSET_LISTS_DIR" ] || mkdir -p $IPSET_LISTS_DIR
# Block traffic from Tor nodes "[-e ...]" means test if file exists
if [ "$(ipset --swap TorNodes TorNodes 2>&1 | grep 'Unknown set')" != "" ]
then
ipset -N TorNodes iphash
[ -e $IPSET_LISTS_DIR/tor.lst ] || wget -q -O $IPSET_LISTS_DIR/tor.lst http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
for IP in $(cat $IPSET_LISTS_DIR/tor.lst)
do
ipset -A TorNodes $IP
done
fi
fileDateTor=$(date -r $IPSET_LISTS_DIR/tor.lst +%s)
curDate=$(date +%s)
# Age in days: the subtraction must be grouped in its own parentheses inside $(( )),
# "[" needs a space after it, and "-gt" is the numeric test (">" inside [ ] is a redirect)
if [ $(( ($curDate - $fileDateTor) / 86400 )) -gt 5 ]; then
ipset -N TorNodesNew iphash
wget -q -O $IPSET_LISTS_DIR/tor.lst http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
for IP in $(cat $IPSET_LISTS_DIR/tor.lst)
do
ipset -A TorNodesNew $IP
done
ipset --swap TorNodesNew TorNodes
ipset --destroy TorNodesNew
fi
# "[-z ...]" means test to see if length of string is zero
if [ "$(iptables -nL INPUT | grep TorNodes)" = "" ]
then
iptables -I INPUT 15 -i vlan2 -m set --set TorNodes src -j DROP
fi
# Block incoming traffic from some countries. cn and pk is for China and Pakistan. See other countries code at http://www.ipdeny.com/ipblocks/
if [ "$(ipset --swap BlockedCountries BlockedCountries 2>&1 | grep 'Unknown set')" != "" ]
then
ipset -N BlockedCountries nethash
for country in $blacklist
do
[ -e $IPSET_LISTS_DIR/$country.lst ] || wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone
for IP in $(cat $IPSET_LISTS_DIR/$country.lst)
do
ipset -A BlockedCountries $IP
done
done
fi
# Same age test as above, using cn.lst as the representative file
if [ $(( ($curDate - $(date -r $IPSET_LISTS_DIR/cn.lst +%s)) / 86400 )) -gt 5 ]; then
ipset -N BlockedCountriesNew nethash
for country in $blacklist
do
fileDate=$(date -r $IPSET_LISTS_DIR/$country.lst +%s)
if [ $(( ($curDate - $fileDate) / 86400 )) -gt 5 ]; then
wget -q -O $IPSET_LISTS_DIR/$country.lst http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone
fi
for IP in $(cat $IPSET_LISTS_DIR/$country.lst)
do
ipset -A BlockedCountriesNew $IP
done
done
ipset --swap BlockedCountriesNew BlockedCountries
ipset --destroy BlockedCountriesNew
fi
if [ "$(iptables -nL INPUT | grep BlockedCountries)" = "" ]
then
iptables -I INPUT 15 -i vlan2 -m set --set BlockedCountries src -j DROP
fi
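The age check and the single swap-and-destroy the post asks about, written as an added example rather than the poster's script: a correct "older than N days" test, a refresh that fills one scratch set from all the list files and swaps it in exactly once, and an idempotent insert of the DROP rule. It assumes the ipset v4 syntax and busybox/GNU `date -r` used in the thread; the `IPSET` and `IPTABLES` variables are this example's own, so the logic can be dry-run with `IPSET=echo IPTABLES=echo` before touching a live router.

```shell
#!/bin/sh
# Added example for this thread, not the poster's script.
# The original "[$((a - b) / 86400) > 5]" fails for three reasons: no space
# after "[", the subtraction is not grouped inside $(( )), and ">" inside
# [ ] is a redirection rather than a numeric comparison (-gt).
# IPSET / IPTABLES are variables of this example (assumption) so everything
# can be dry-run with IPSET=echo IPTABLES=echo.

IPSET=${IPSET:-ipset}
IPTABLES=${IPTABLES:-iptables}
MAX_AGE_DAYS=${MAX_AGE_DAYS:-5}
MISSING_AGE=99999   # a missing list file is treated as infinitely old

# Print the age of file $1 in whole days.
file_age_days() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "$MISSING_AGE"
        return 0
    fi
    now=$(date +%s)
    mtime=$(date -r "$f" +%s)
    echo $(( (now - mtime) / 86400 ))
}

# Succeed (exit 0) if any of the given files is older than MAX_AGE_DAYS.
any_stale() {
    for f in "$@"; do
        if [ "$(file_age_days "$f")" -gt "$MAX_AGE_DAYS" ]; then
            return 0
        fi
    done
    return 1
}

# Rebuild set $1 (type $2) from list files $3...: load everything into one
# scratch set, then swap and destroy exactly once, so the live set is never
# empty and the swap is not repeated per file.
refresh_set() {
    set_name=$1; set_type=$2; shift 2
    tmp="${set_name}New"
    $IPSET -N "$tmp" "$set_type"
    for f in "$@"; do
        # "|| [ -n ... ]" keeps a last line that has no trailing newline
        while read -r entry || [ -n "$entry" ]; do
            case $entry in ''|\#*) continue ;; esac   # skip blanks and comments
            $IPSET -A "$tmp" "$entry"
        done < "$f"
    done
    $IPSET --swap "$tmp" "$set_name"
    $IPSET --destroy "$tmp"
}

# Insert the DROP rule for set $1 on interface $2 only if INPUT lacks it.
# grep -w matches the whole name, so "TorNodes" does not match "TorNodesNew".
ensure_drop_rule() {
    set_name=$1; iface=$2
    if ! $IPTABLES -nL INPUT | grep -qw "$set_name"; then
        $IPTABLES -I INPUT 15 -i "$iface" -m set --set "$set_name" src -j DROP
    fi
}

# Driver (run with "--run"): re-download and rebuild the country set only
# when at least one list file is stale, then make sure the rule exists.
main() {
    dir=${IPSET_LISTS_DIR:-/opt/downloads/ipset_lists}
    blacklist="af cn hk ir kh kp kr kz li my ng ph pk ru sg th ua vn"
    files=""
    for c in $blacklist; do files="$files $dir/$c.lst"; done
    if any_stale $files; then
        for c in $blacklist; do
            wget -q -O "$dir/$c.lst" "http://www.ipdeny.com/ipblocks/data/aggregated/$c-aggregated.zone"
        done
        refresh_set BlockedCountries nethash $files
    fi
    ensure_drop_rule BlockedCountries vlan2
}
if [ "${1:-}" = "--run" ]; then main; fi
```

The same `refresh_set` call serves the Tor list (`refresh_set TorNodes iphash "$dir/tor.lst"`); because the swap happens after all files are loaded, the "swap and destroy once per file" problem in the post disappears without the inner braces.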
