ansible-personal/roles/common/files/update-spamhaus-nftables.sh

#!/usr/bin/env bash
#
# update-spamhaus-nftables.sh v0.0.1
#
# Download Spamhaus DROP lists and load them into nftables sets.
# 
# See: https://www.spamhaus.org/drop/
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only

# Exit on first error
set -o errexit

spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft

function download() {
    echo "Downloading $1"
    wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
}

download drop.txt
download edrop.txt
download dropv6.txt

if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
    echo "Processing IPv4 DROP lists"

    spamhaus_ipv4_list_temp=$(mktemp)
    spamhaus_ipv4_set_temp=$(mktemp)

    # Extract all networks from drop.txt and edrop.txt, skipping blank lines and
    # comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
    # ranges to work around a firewalld bug.
    #
    # See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
    cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"

    echo "Building spamhaus-ipv4 set"
    cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
#!/usr/sbin/nft -f

define SPAMHAUS_IPV4 = {
NFT_HEAD

    while read -r network; do
        # nftables doesn't mind if the last element in the set has a trailing
        # comma so we don't need to do anything special here.
        echo "$network," >> "$spamhaus_ipv4_set_temp"
    done < $spamhaus_ipv4_list_temp

    echo "}" >> "$spamhaus_ipv4_set_temp"

    install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"

    rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
fi

if [[ -f "dropv6.txt" ]]; then
    echo "Processing IPv6 DROP lists"

    spamhaus_ipv6_list_temp=$(mktemp)
    spamhaus_ipv6_set_temp=$(mktemp)

    sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"

    echo "Building spamhaus-ipv6 set"
    cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
#!/usr/sbin/nft -f

define SPAMHAUS_IPV6 = {
NFT_HEAD

    while read -r network; do
        echo "$network," >> "$spamhaus_ipv6_set_temp"
    done < $spamhaus_ipv6_list_temp

    echo "}" >> "$spamhaus_ipv6_set_temp"

    install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"

    rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
fi

echo "Reloading nftables"
# The spamhaus nftables sets are included by nftables.conf
/usr/sbin/nft -f /etc/nftables.conf

rm -v drop.txt edrop.txt dropv6.txt
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00			`#!/usr/bin/env bash`
			`#`
			`# update-spamhaus-nftables.sh v0.0.1`
			`#`
			`# Download Spamhaus DROP lists and load them into nftables sets.`
			`#`
			`# See: https://www.spamhaus.org/drop/`
			`#`
			`# Copyright (C) 2021 Alan Orth`
			`#`
			`# SPDX-License-Identifier: GPL-3.0-only`

			`# Exit on first error`
			`set -o errexit`

			`spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft`
			`spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft`

			`function download() {`
			`echo "Downloading $1"`
			`wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"`
			`}`

			`download drop.txt`
			`download edrop.txt`
			`download dropv6.txt`

			`if [[ -f "drop.txt" && -f "edrop.txt" ]]; then`
			`echo "Processing IPv4 DROP lists"`

			`spamhaus_ipv4_list_temp=$(mktemp)`
			`spamhaus_ipv4_set_temp=$(mktemp)`

			`# Extract all networks from drop.txt and edrop.txt, skipping blank lines and`
			`# comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR`
			`# ranges to work around a firewalld bug.`
			`#`
			`# See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571`
			`cat drop.txt edrop.txt \| sed -e '/^$/d' -e '/^;./d' -e 's/[[:space:]];[[:space:]].//' \| aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"`

			`echo "Building spamhaus-ipv4 set"`
			`cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"`
			`#!/usr/sbin/nft -f`

			`define SPAMHAUS_IPV4 = {`
			`NFT_HEAD`

			`while read -r network; do`
			`# nftables doesn't mind if the last element in the set has a trailing`
			`# comma so we don't need to do anything special here.`
			`echo "$network," >> "$spamhaus_ipv4_set_temp"`
			`done < $spamhaus_ipv4_list_temp`

			`echo "}" >> "$spamhaus_ipv4_set_temp"`

			`install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"`

			`rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"`
			`fi`

			`if [[ -f "dropv6.txt" ]]; then`
			`echo "Processing IPv6 DROP lists"`

			`spamhaus_ipv6_list_temp=$(mktemp)`
			`spamhaus_ipv6_set_temp=$(mktemp)`

			`sed -e '/^$/d' -e '/^;./d' -e 's/[[:space:]];[[:space:]].//' dropv6.txt > "$spamhaus_ipv6_list_temp"`

			`echo "Building spamhaus-ipv6 set"`
			`cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"`
			`#!/usr/sbin/nft -f`

			`define SPAMHAUS_IPV6 = {`
			`NFT_HEAD`

			`while read -r network; do`
			`echo "$network," >> "$spamhaus_ipv6_set_temp"`
			`done < $spamhaus_ipv6_list_temp`

			`echo "}" >> "$spamhaus_ipv6_set_temp"`

			`install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"`

			`rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"`
			`fi`

			`echo "Reloading nftables"`
			`# The spamhaus nftables sets are included by nftables.conf`
			`/usr/sbin/nft -f /etc/nftables.conf`

			`rm -v drop.txt edrop.txt dropv6.txt`