roles/common: rework firewall
Use firehol instead of all the others. AbuseIPDB.com can't be upd- ated automatically, Abuse.ch is no longer maintained, and Spamhaus is already in firehol.
This commit is contained in:
67
roles/common/templates/update-firehol-nftables.sh.j2
Executable file
67
roles/common/templates/update-firehol-nftables.sh.j2
Executable file
@ -0,0 +1,67 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# update-firehol-nftables.sh v0.0.1
|
||||
#
|
||||
# Download FireHOL lists and load them into nftables sets.
|
||||
#
|
||||
# See: https://iplists.firehol.org/
|
||||
#
|
||||
# Copyright (C) 2025 Alan Orth
|
||||
#
|
||||
# SPDX-License-Identifier: GPL-3.0-only
|
||||
|
||||
# Exit on first error
|
||||
set -o errexit
|
||||
|
||||
firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
|
||||
|
||||
function download() {
|
||||
echo "Downloading $1"
|
||||
wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
|
||||
}
|
||||
|
||||
download firehol_level1.netset
|
||||
|
||||
if [[ -f "firehol_level1.netset" ]]; then
|
||||
echo "Processing FireHOL Level 1 list"
|
||||
|
||||
firehol_level1_ipv4_list_temp=$(mktemp)
|
||||
firehol_level1_ipv4_set_temp=$(mktemp)
|
||||
|
||||
# Filter blank lines and comments
|
||||
cat firehol_level1.netset \
|
||||
| sed \
|
||||
-e '/^$/d' \
|
||||
-e '/^#.*/d' \
|
||||
> "$firehol_level1_ipv4_list_temp"
|
||||
|
||||
echo "Building firehol_level1-ipv4 set"
|
||||
cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
|
||||
#!/usr/sbin/nft -f
|
||||
|
||||
define FIREHOL_LEVEL1_IPV4 = {
|
||||
NFT_HEAD
|
||||
|
||||
while read -r network; do
|
||||
# nftables doesn't mind if the last element in the set has a trailing
|
||||
# comma so we don't need to do anything special here.
|
||||
echo "$network," >> "$firehol_level1_ipv4_set_temp"
|
||||
done < $firehol_level1_ipv4_list_temp
|
||||
|
||||
echo "}" >> "$firehol_level1_ipv4_set_temp"
|
||||
|
||||
install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
|
||||
|
||||
rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
|
||||
fi
|
||||
|
||||
echo "Reloading nftables"
|
||||
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '<=') %}
|
||||
{% set systemctl_bin = '/bin/systemctl' %}
|
||||
{% else %}
|
||||
{% set systemctl_bin = '/usr/bin/systemctl' %}
|
||||
{% endif -%}
|
||||
|
||||
{{ systemctl_bin }} reload nftables.service
|
||||
|
||||
rm -v firehol_level1.netset
|
||||
Reference in New Issue
Block a user