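#!/bin/bash
# fortress-block.sh — block (or redirect) a single IPv4 address using the
# mechanism selected by `block_type` in the configuration file.
#
# Usage: fortress-block.sh IP [comment...]
#
# Configuration (KEY=VALUE lines in /etc/fortress/fortress.conf; a line
# whose key starts with '#' is ignored) read at this level:
#   block_type   ipset | iptables | redirect
#   redirect_ip  destination handed to DNAT for the redirect block type
#   block_time   ipset entry timeout in seconds (only used by the ipset type)
# ipset_name and chain_name are read by the individual block functions.
#
# Every diagnostic goes to stderr and every error path exits non-zero, so a
# caller that runs this as a ban action (a detection tool, a cron job) can
# tell a successful block from "nothing happened". The original `exit`
# with no status reported success on every error.

config=/etc/fortress/fortress.conf

# Print a diagnostic on stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Read one KEY=VALUE setting from $config.
# Globals:   config (read)
# Arguments: $1 - key name
# Outputs:   the value with surrounding whitespace removed; nothing when the
#            key is absent or commented out. Only the first match is used.
# The key field is matched exactly (after trimming), so "ipset_name_v6" is
# not mistaken for "ipset_name" and the value text is never searched — the
# previous unanchored /key/ regex matched anywhere on the line. The value is
# everything after the first '=', so values containing '=' survive.
# [[:space:]] is used instead of \s, which only gawk understands.
#######################################
conf_value() {
  awk -F= -v key="$1" '
    { k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k) }
    k == key && NF >= 2 {
      sub(/^[^=]*=/, "")
      gsub(/^[[:space:]]+|[[:space:]]+$/, "")
      print
      exit
    }' "$config"
}

[[ -f $config ]] || die "Missing configuration file: $config"

redirect_ip=$(conf_value redirect_ip)
block_type=$(conf_value block_type)
block_time=$(conf_value block_time)
# Kept for compatibility with the original script; nothing below reads them.
ip=''
comment=''

if (( $# == 0 )); then
  die "Usage: $0 IP [comment]"
fi

#######################################
# Strict IPv4 check: four dotted decimal octets, each 0-255.
# Arguments: $1 - candidate address
# Returns:   0 if valid, 1 otherwise
# The earlier [0-9]+ shape accepted e.g. 999.1.1.1 and passed it straight to
# ipset/iptables. 10# forces base 10 so "08"/"09" are not parsed as octal.
#######################################
valid_ipv4() {
  local octet
  [[ $1 =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  for octet in "${BASH_REMATCH[@]:1}"; do
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# The address is the only argv value that is interpolated into a command
# line; the optional comment is only ever passed on as a quoted argument.
valid_ipv4 "$1" || die "Error: invalid IP format"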
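#######################################
# Add the address to the ipset named by `ipset_name` in the config.
# Globals:   config (read), block_time (read)
# Arguments: $1 - IPv4 address
#            $@ (rest) - optional comment words, joined with single spaces
# Outputs:   error text on stderr
# Returns:   exit status of `ipset add`; exits 1 when ipset_name is missing
#            or block_time is set but is not a whole number of seconds
#
# Notes: `comment` only works on a set created with the `comment` extension
# and `timeout` only on a set created with `timeout`; ipset rejects the add
# otherwise. Re-adding an address already in the set is also an error —
# pass `-exist` if the caller needs idempotent re-bans (it also refreshes
# the timeout).
#######################################
ipset_block() {
  local ip=$1
  shift
  local set_name
  # Anchored key match (see conf parsing at the top of the script): the
  # unanchored /ipset_name/ regex also matched any line merely containing
  # that text; [[:space:]] instead of the gawk-only \s.
  set_name=$(awk -F= '$1 ~ /^[[:space:]]*ipset_name[[:space:]]*$/ && NF >= 2 {
      sub(/^[^=]*=/, ""); gsub(/^[[:space:]]+|[[:space:]]+$/, ""); print; exit
    }' "$config")
  if [[ -z $set_name ]]; then
    printf 'Error: unable to find ipset_name in %s.\nPlease check the configuration and try again.\n\n' "$config" >&2
    exit 1
  fi
  # Build the argument list as an array so every value — in particular the
  # comment, which is attacker-influenced text such as a log excerpt —
  # reaches ipset as exactly one argument.
  local -a args=(add "$set_name" "$ip")
  if [[ -n $* ]]; then
    args+=(comment "$*")
  fi
  # The original only applied the timeout together with a comment, so a bare
  # `fortress-block.sh IP` silently created a permanent entry. Apply it
  # whenever block_time is configured, and reject garbage before ipset sees it.
  if [[ -n $block_time ]]; then
    if [[ ! $block_time =~ ^[0-9]+$ ]]; then
      printf 'Error: block_time must be a number of seconds, got "%s"\n' "$block_time" >&2
      exit 1
    fi
    args+=(timeout "$block_time")
  fi
  ipset "${args[@]}"
}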
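#######################################
# Insert a DROP rule for the address at the top of the filter chain.
# Globals:   config (read)
# Arguments: $1 - IPv4 address
#            $@ (rest) - optional comment words, joined with single spaces
# Returns:   exit status of iptables
#
# Notes: block_time is not honoured by this mode — iptables has no per-rule
# timeout, so the rule stays until something removes it. Each call inserts
# a new rule even when an identical one exists (check with `iptables -C`
# first if the caller may re-ban). The comment match has a fixed small
# buffer (256 bytes); a longer comment makes iptables reject the rule.
#######################################
iptables_block() {
  local ip=$1
  shift
  # Default chain is INPUT; `chain_name` in the config overrides it.
  local chain=INPUT chain_name
  # Anchored key match; see ipset_block for why the unanchored regex was
  # replaced.
  chain_name=$(awk -F= '$1 ~ /^[[:space:]]*chain_name[[:space:]]*$/ && NF >= 2 {
      sub(/^[^=]*=/, ""); gsub(/^[[:space:]]+|[[:space:]]+$/, ""); print; exit
    }' "$config")
  if [[ -n $chain_name ]]; then
    chain=$chain_name
  fi
  # -I puts the DROP ahead of any existing accept rules. All values are
  # quoted; the chain name comes from the config file and the comment from
  # argv, neither of which should be allowed to split into extra options.
  local -a rule=(-I "$chain" -j DROP -s "$ip")
  if [[ -n $* ]]; then
    rule+=(-m comment --comment "$*")
  fi
  iptables "${rule[@]}"
}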
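#######################################
# Divert the address's web traffic to redirect_ip instead of dropping it.
# Globals:   redirect_ip (read)
# Arguments: $1 - IPv4 address (any further arguments are ignored; the
#            comment is not recorded in this mode)
# Outputs:   error text on stderr
# Returns:   0 when all three DNAT rules were added, the status of the
#            first failing iptables call otherwise; exits 1 if redirect_ip
#            is unset
#
# Notes: only TCP 80/443 and UDP 443 (presumably QUIC) are redirected —
# every other port from the address is untouched, so this is a diversion
# to a decoy, not a block. Rules are appended (-A), so an earlier
# PREROUTING rule that matches the same traffic wins.
#######################################
redirection() {
  local ip=$1
  if [[ -z $redirect_ip ]]; then
    printf 'No redirect IP defined. Quiting without redirection.\n' >&2
    exit 1
  fi
  local rc=0 spec
  # proto:port pairs. The original returned only the last command's status,
  # so a rejected first rule was reported as success; remember any failure.
  for spec in tcp:80 tcp:443 udp:443; do
    iptables -t nat -A PREROUTING -j DNAT -s "$ip" -p "${spec%%:*}" \
      --dport "${spec##*:}" --to "$redirect_ip" || rc=$?
  done
  return "$rc"
}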
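# Dispatch on block_type. "$@" (not a bare $*) hands the comment words
# through intact: with an unquoted $* the shell re-split and glob-expanded
# the comment, so a comment such as "scan *" could pick up file names from
# the working directory before being recorded in the rule.
case "$block_type" in
  ipset)
    ipset_block "$@"
    ;;
  iptables)
    iptables_block "$@"
    ;;
  redirect)
    redirection "$@"
    ;;
  *)
    # An unknown (or missing) block_type is a configuration error; report it
    # on stderr and exit non-zero so the caller cannot mistake it for a ban.
    printf 'Error: unsupported block type in the configuration %s\n' "$config" >&2
    exit 1
    ;;
esac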