Alan Orth
9bba0d96bb
I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support.
92 lines
2.5 KiB
Bash
Executable File
92 lines
2.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
#
|
|
# update-spamhaus-nftables.sh v0.0.1
|
|
#
|
|
# Download Spamhaus DROP lists and load them into nftables sets.
|
|
#
|
|
# See: https://www.spamhaus.org/drop/
|
|
#
|
|
# Copyright (C) 2021 Alan Orth
|
|
#
|
|
# SPDX-License-Identifier: GPL-3.0-only
|
|
|
|
# Exit on first error
|
|
set -o errexit
|
|
|
|
spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
|
|
spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
|
|
|
|
function download() {
|
|
echo "Downloading $1"
|
|
wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
|
|
}
|
|
|
|
download drop.txt
|
|
download edrop.txt
|
|
download dropv6.txt
|
|
|
|
if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
|
|
echo "Processing IPv4 DROP lists"
|
|
|
|
spamhaus_ipv4_list_temp=$(mktemp)
|
|
spamhaus_ipv4_set_temp=$(mktemp)
|
|
|
|
# Extract all networks from drop.txt and edrop.txt, skipping blank lines and
|
|
# comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
|
|
# ranges to work around a firewalld bug.
|
|
#
|
|
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
|
|
cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
|
|
|
|
echo "Building spamhaus-ipv4 set"
|
|
cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
|
|
#!/usr/sbin/nft -f
|
|
|
|
define SPAMHAUS_IPV4 = {
|
|
NFT_HEAD
|
|
|
|
while read -r network; do
|
|
# nftables doesn't mind if the last element in the set has a trailing
|
|
# comma so we don't need to do anything special here.
|
|
echo "$network," >> "$spamhaus_ipv4_set_temp"
|
|
done < $spamhaus_ipv4_list_temp
|
|
|
|
echo "}" >> "$spamhaus_ipv4_set_temp"
|
|
|
|
install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
|
|
|
|
rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
|
|
fi
|
|
|
|
if [[ -f "dropv6.txt" ]]; then
|
|
echo "Processing IPv6 DROP lists"
|
|
|
|
spamhaus_ipv6_list_temp=$(mktemp)
|
|
spamhaus_ipv6_set_temp=$(mktemp)
|
|
|
|
sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
|
|
|
|
echo "Building spamhaus-ipv6 set"
|
|
cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
|
|
#!/usr/sbin/nft -f
|
|
|
|
define SPAMHAUS_IPV6 = {
|
|
NFT_HEAD
|
|
|
|
while read -r network; do
|
|
echo "$network," >> "$spamhaus_ipv6_set_temp"
|
|
done < $spamhaus_ipv6_list_temp
|
|
|
|
echo "}" >> "$spamhaus_ipv6_set_temp"
|
|
|
|
install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
|
|
|
|
rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
|
|
fi
|
|
|
|
echo "Reloading nftables"
|
|
# The spamhaus nftables sets are included by nftables.conf
|
|
/usr/sbin/nft -f /etc/nftables.conf
|
|
|
|
rm -v drop.txt edrop.txt dropv6.txt
|