first commit

README.md

@@ -1,3 +1,45 @@
 # iptable-autoconf
 
-基于科大IP Blacklist的iptables自动配置程序
+基于[科大 IP Blacklist](https://blackip.ustc.edu.cn/)的iptables自动配置程序。
+
+## 程序说明
+
+本程序仅限支持iptables和ipset并且安装了python的linux系统使用。
+
+自动配置iptables规则来阻止部分风险IP对内网的访问，尽管可能存在误报导致自己的请求也被删除，但是整体是可以防范非常多的网络风险。
+
+数据来源于中科大开放的IP黑名单，通过shell实现一键配置规则，无需手动操作，更快更方便。
+
+## 使用说明
+
+### 配置规则
+
+请确保本机已经安装`python 3.6+`
+
+1. 下载并解压该项目到指定文件夹
+
+2. 运行`update.sh`，程序会自动下载最新版本数据并替换本地数据
+
+3. 稍等片刻即可完成配置
+
+### 删除规则
+
+如果想要删除配置的规则，你可以运行`clear.sh`或者手动删除：
+
+1. 输入以下命令，获取对应规则的id
+   
+   ```shell
+   iptables --table filter --list --line-number | grep ustc
+   ```
+
+2. 手动输入以下命令逐个删除规则
+   
+   ```shell
+   iptables --delete INPUT <rule_id>
+   ```
+
+## 免责声明
+
+程序经过测试发现对于IPv6添加存在一定问题，建议删除相关代码之后使用。请不要在生产环境下使用本程序，以免导致配置出错。
+
+不提供任何技术支持，如有使用方面的问题（主要是bug）反馈和修改建议请提交issue。不提供更新保证，不排除未来上游数据源失效的可能。

blacklist.py

@@ -0,0 +1,34 @@
+with open("blacklist_ustc.txt", "r") as f:
+    ips = f.read()
+    f.close()
+ipv4 = []
+ipv6 = []
+ipv4_net = []
+ipv6_net = []
+for ip in ips.split("\n"):
+    if ip.find("/") != -1:
+        if ip.find(":") != -1:
+            ipv6_net.append(ip)
+        else:
+            ipv4_net.append(ip)
+    else:
+        if ip.find(":") != -1:
+            ipv6.append(ip)
+        else:
+            ipv4.append(ip)
+print(f"IPv4 Count: {len(ipv4)}")
+print(f"IPv6 Count: {len(ipv6)}")
+print(f"IPv4 Net Count: {len(ipv4_net)}")
+print(f"IPv6 Net Count: {len(ipv6_net)}")
+with open("ipv4_list.txt", "w") as fp:
+    fp.write("\n".join(ipv4))
+    fp.close
+with open("ipv4_net_list.txt", "w") as fp:
+    fp.write("\n".join(ipv4_net))
+    fp.close
+with open("ipv6_list.txt", "w") as fp:
+    fp.write("\n".join(ipv6))
+    fp.close
+with open("ipv6_net_list.txt", "w") as fp:
+    fp.write("\n".join(ipv6_net))
+    fp.close

clear.sh

@@ -0,0 +1,42 @@
+#!/bin/sh
+
+id_v4=`iptables --table filter --list --line-numbers | grep ustc_blacklist_v4 | awk '{print $1}'`
+id_v4_net=`iptables --table filter --list --line-numbers | grep ustc_blacklist_v4_net | awk '{print $1}'`
+id_v6=`iptables --table filter --list --line-numbers | grep ustc_blacklist_v6 | awk '{print $1}'`
+id_v6_net=`iptables --table filter --list --line-numbers | grep ustc_blacklist_v6_net | awk '{print $1}'`
+
+# ipv4 list test
+if [ -z $id_v4 ]
+then 
+    echo "Cannot find IPv4 ipset rule on iptables"
+else
+    iptables --delete INPUT $id_v4
+    echo "Deleted IPv4 ipset"
+fi
+
+# # ipv6 list test
+if [ -z $id_v6 ]
+then 
+    echo "Cannot find IPv6 ipset rule on iptables"
+else
+    iptables --delete INPUT $id_v4_net
+    echo "Deleted IPv4 Net ipset"
+fi
+
+# ipv4 net list test
+if [ -z $id_v4_net ]
+then 
+    echo "Cannot find IPv4 Net ipset rule on iptables"
+else
+    iptables --delete INPUT $id_v6
+    echo "Deleted IPv6 ipset"
+fi
+
+# ipv6 net list test
+if [ -z $id_v6_net ]
+then 
+    echo "Cannot find IPv6 Net ipset rule on iptables"
+else
+    iptables --delete INPUT $id_v6_net
+    echo "Deleted IPv6 Net ipset"
+fi

update.sh

@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# create ipset
+ipset create ustc_blacklist_v4 hash:ip --exist
+ipset create ustc_blacklist_v4_net hash:net --exist
+ipset create ustc_blacklist_v6 hash:ip --exist
+ipset create ustc_blacklist_v6_net hash:net --exist
+# flush ipset             
+ipset flush ustc_blacklist_v4
+ipset flush ustc_blacklist_v4_net
+ipset flush ustc_blacklist_v6
+ipset flush ustc_blacklist_v6_net
+                                                    
+# delete data if exist                                            
+[ -f "blacklist_ustc.txt" ] && rm blacklist_ustc.txt              
+wget http://blackip.ustc.edu.cn/list.php?txt -O blacklist_ustc.txt
+                         
+# get wget command status
+if [ $? -eq 0 ]                      
+then                                       
+    echo "Blacklist file downloaded."      
+    # processing data                      
+    echo "Processing data..."              
+    python3 proceed.py                     
+    # add the host foreach in file to ipset
+    # ipv4
+    echo "Processing ipv4 list."
+    for addr in `cat dst/ipv4_list.txt`                    
+    do                                        
+        ipset add ustc_blacklist_v4 $addr        
+    done
+    echo "finshed."
+    # ipv4_net
+    echo "Processing ipv4 net list."
+    for addr in `cat dst/ipv4_net_list.txt`                    
+    do                                        
+        ipset add ustc_blacklist_v4_net $addr        
+    done
+    echo "finshed."
+    # ipv6
+    echo "Processing ipv6 list."
+    for addr in `cat dst/ipv6_list.txt`                    
+    do                                        
+        ipset add ustc_blacklist_v6 $addr        
+    done
+    echo "finshed."
+    # ipv6 net
+    echo "Processing ipv6 net list."
+    for addr in `cat dst/ipv6_net_list.txt`                    
+    do                                        
+        ipset add ustc_blacklist_v6_net $addr        
+    done
+    echo "finshed."                        
+else                                                                                         
+    echo "Failed to fetch the blacklist file."                                               
+fi                                                                                           
+                                                                                             
+# config iptables                                                                            
+iptables --table filter --append INPUT --match set --match-set ustc_blacklist_v4 src --jump DROP
+iptables --table filter --append INPUT --match set --match-set ustc_blacklist_v4_net src --jump DROP
+iptables --table filter --append INPUT --match set --match-set ustc_blacklist_v6 src --jump DROP
+iptables --table filter --append INPUT --match set --match-set ustc_blacklist_v6_net src --jump DROP
+
+# echo
+echo "iptable updated."
+echo "listing options..."
+iptables --table filter --list --line-numbers