banip: new package to block incoming & outgoing ip addresses

a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-04-30 07:28:39 +01:00 · 2018-11-10 11:01:45 +01:00
parent d785b15857
commit b17588a856
8 changed files with 1119 additions and 0 deletions
@@ -0,0 +1,74 @@
+#!/bin/sh /etc/rc.common
+#
+
+START=30
+USE_PROCD=1
+
+EXTRA_COMMANDS="status"
+EXTRA_HELP="	status	Print runtime information"
+
+ban_init="/etc/init.d/banip"
+ban_script="/usr/bin/banip.sh"
+ban_pidfile="/var/run/banip.pid"
+
+boot()
+{
+	ban_boot="1"
+	rc_procd start_service
+}
+
+start_service()
+{
+	if [ $("${ban_init}" enabled; printf "%u" ${?}) -eq 0 ]
+	then
+		if [ "${ban_boot}" = "1" ]
+		then
+			return 0
+		fi
+		local nice="$(uci_get banip extra ban_nice)"
+		procd_open_instance "banip"
+		procd_set_param command "${ban_script}" "${@}"
+		procd_set_param pidfile "${ban_pidfile}"
+		procd_set_param nice ${nice:-0}
+		procd_set_param stdout 1
+		procd_set_param stderr 1
+		procd_close_instance
+	fi
+}
+
+stop_service()
+{
+	rc_procd "${ban_script}" stop
+	rc_procd start_service
+}
+
+status()
+{
+	local key keylist value rtfile="$(uci_get banip global ban_rtfile)"
+
+	rtfile="${rtfile:-"/tmp/ban_runtime.json"}"
+	json_load_file "${rtfile}" >/dev/null 2>&1
+	json_select data >/dev/null 2>&1
+	if [ ${?} -eq 0 ]
+	then
+		printf "%s\n" "::: banIP runtime information"
+		json_get_keys keylist
+		for key in ${keylist}
+		do
+			json_get_var value "${key}"
+			printf "  + %-10s : %s\n" "${key}" "${value}"
+		done
+	else
+		printf "%s\n" "::: no banIP runtime information available"
+	fi
+}
+
+service_triggers()
+{
+	local iface="$(uci_get banip global ban_iface)"
+	local delay="$(uci_get banip extra ban_triggerdelay)"
+
+	PROCD_RELOAD_DELAY=$((${delay:-2} * 1000))
+	procd_add_interface_trigger "interface.*.up" "${iface:-"wan"}" "${ban_init}" start
+	procd_add_reload_trigger "banip" "firewall"
+}