From cefe3c1e3342ffd63de192a43f81ca7e70603161 Mon Sep 17 00:00:00 2001
From: starlight_0208 <2682994272@qq.com>
Date: Sun, 31 Mar 2024 03:32:52 +0800
Subject: [PATCH] first commit
---
 README.md | 44 +++++++++++++++++++++++++++++++++-
 blacklist.py | 34 ++++++++++++++++++++++++++
 clear.sh | 42 ++++++++++++++++++++++++++++++++
 update.sh | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 186 insertions(+), 1 deletion(-)
 create mode 100644 blacklist.py
 create mode 100644 clear.sh
 create mode 100644 update.sh
diff --git a/README.md b/README.md
index 03c1cae..249fb82 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,45 @@
 # iptable-autoconf
-基于科大IP Blacklist的iptables自动配置程序
\ No newline at end of file
+基于[科大 IP Blacklist](https://blackip.ustc.edu.cn/)的iptables自动配置程序。
+
+## 程序说明
+
+本程序仅限支持iptables和ipset并且安装了python的linux系统使用。
+
+自动配置iptables规则来阻止部分风险IP对内网的访问,尽管可能存在误报导致自己的请求也被删除,但是整体是可以防范非常多的网络风险。
+
+数据来源于中科大开放的IP黑名单,通过shell实现一键配置规则,无需手动操作,更快更方便。
+
+## 使用说明
+
+### 配置规则
+
+请确保本机已经安装`python 3.6+`
+
+1. 下载并解压该项目到指定文件夹
+
+2. 运行`update.sh`,程序会自动下载最新版本数据并替换本地数据
+
+3. 稍等片刻即可完成配置
+
+### 删除规则
+
+如果想要删除配置的规则,你可以运行`clear.sh`或者手动删除:
+
+1. 输入以下命令,获取对应规则的id
+
+ ```shell
+ iptables --table filter --list --line-number | grep ustc
+ ```
+
+2. 手动输入以下命令逐个删除规则
+
+ ```shell
+ iptables --delete INPUT
+ ```
+
+## 免责声明
+
+程序经过测试发现对于IPv6添加存在一定问题,建议删除相关代码之后使用。请不要在生产环境下使用本程序,以免导致配置出错。
+
+不提供任何技术支持,如有使用方面的问题(主要是bug)反馈和修改建议请提交issue。不提供更新保证,不排除未来上游数据源失效的可能。
\ No newline at end of file
diff --git a/blacklist.py b/blacklist.py
new file mode 100644
index 0000000..2480236
--- /dev/null
+++ b/blacklist.py
@@ -0,0 +1,34 @@
+with open("blacklist_ustc.txt", "r") as f:
+ ips = f.read()
+ f.close()
+ipv4 = []
+ipv6 = []
+ipv4_net = []
+ipv6_net = []
+for ip in ips.split("\n"):
+ if ip.find("/") != -1:
+ if ip.find(":") != -1:
+ ipv6_net.append(ip)
+ else:
+ ipv4_net.append(ip)
+ else:
+ if ip.find(":") != -1:
+ ipv6.append(ip)
+ else:
+ ipv4.append(ip)
+print(f"IPv4 Count: {len(ipv4)}")
+print(f"IPv6 Count: {len(ipv6)}")
+print(f"IPv4 Net Count: {len(ipv4_net)}")
+print(f"IPv6 Net Count: {len(ipv6_net)}")
+with open("ipv4_list.txt", "w") as fp:
+ fp.write("\n".join(ipv4))
+ fp.close
+with open("ipv4_net_list.txt", "w") as fp:
+ fp.write("\n".join(ipv4_net))
+ fp.close
+with open("ipv6_list.txt", "w") as fp:
+ fp.write("\n".join(ipv6))
+ fp.close
+with open("ipv6_net_list.txt", "w") as fp:
+ fp.write("\n".join(ipv6_net))
+ fp.close
\ No newline at end of file
diff --git a/clear.sh b/clear.sh
new file mode 100644
index 0000000..712dda0
--- /dev/null
+++ b/clear.sh
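Review bot: Blank lines end up in the lists as `""` entries — `ips.split("\n")` on a file that ends with a newline yields a trailing empty string, which is counted and later handed to `ipset add` by update.sh — and nothing checks that a line is actually an address or CIDR before it is written out for the unquoted shell loop in update.sh. Because the file is fetched from the network, each line should be parsed with the stdlib `ipaddress` module (add `import ipaddress` at the top) and skipped with a message when it fails, as below; classifying by `parsed.version` also replaces the two `find(":")` tests. The `f.close()` inside the first `with` is redundant, and the bare `fp.close` after each write is an attribute lookup that does nothing (the `with` closes the file anyway), so those four lines can be dropped.
```python
with open("blacklist_ustc.txt", "r") as f:
    ips = f.read()
ipv4, ipv6, ipv4_net, ipv6_net = [], [], [], []
for line in ips.split("\n"):
    ip = line.strip()
    if not ip:
        continue  # a trailing newline would otherwise become a "" entry
    try:
        # Reject anything that is not a literal address or CIDR before it is
        # written out and fed to `ipset add`; strict=False tolerates host bits.
        parsed = ipaddress.ip_network(ip, strict=False)
    except ValueError:
        print(f"Skipping invalid entry: {ip!r}")
        continue
    if "/" in ip:
        (ipv6_net if parsed.version == 6 else ipv4_net).append(ip)
    else:
        (ipv6 if parsed.version == 6 else ipv4).append(ip)
# … unchanged: the four count prints and the four output files (minus the bare `fp.close` lines) …
```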
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+id_v4=`iptables --table filter --list --line-numbers | grep ustc_blacklist_v4 | awk '{print $1}'`
+id_v4_net=`iptables --table filter --list --line-numbers | grep ustc_blacklist_v4_net | awk '{print $1}'`
+id_v6=`iptables --table filter --list --line-numbers | grep ustc_blacklist_v6 | awk '{print $1}'`
+id_v6_net=`iptables --table filter --list --line-numbers | grep ustc_blacklist_v6_net | awk '{print $1}'`
+
+# ipv4 list test
+if [ -z $id_v4 ]
+then
+ echo "Cannot find IPv4 ipset rule on iptables"
+else
+ iptables --delete INPUT $id_v4
+ echo "Deleted IPv4 ipset"
+fi
+
+# # ipv6 list test
+if [ -z $id_v6 ]
+then
+ echo "Cannot find IPv6 ipset rule on iptables"
+else
+ iptables --delete INPUT $id_v4_net
+ echo "Deleted IPv4 Net ipset"
+fi
+
+# ipv4 net list test
+if [ -z $id_v4_net ]
+then
+ echo "Cannot find IPv4 Net ipset rule on iptables"
+else
+ iptables --delete INPUT $id_v6
+ echo "Deleted IPv6 ipset"
+fi
+
+# ipv6 net list test
+if [ -z $id_v6_net ]
+then
+ echo "Cannot find IPv6 Net ipset rule on iptables"
+else
+ iptables --delete INPUT $id_v6_net
+ echo "Deleted IPv6 Net ipset"
+fi
\ No newline at end of file
diff --git a/update.sh b/update.sh
new file mode 100644
index 0000000..3d35b01
--- /dev/null
+++ b/update.sh
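Review bot: The second and third `if` blocks are crossed: the `[ -z $id_v6 ]` test deletes `$id_v4_net` and the `[ -z $id_v4_net ]` test deletes `$id_v6`, so a host where only one of those rules exists deletes the wrong rule or passes an empty argument to `iptables --delete`. Deleting by line number is fragile here anyway: `grep ustc_blacklist_v4` also matches the `ustc_blacklist_v4_net` line (same for `_v6`), so `$id_v4` can hold two numbers, the unquoted `[ -z $id_v4 ]` then breaks, and every successful `--delete INPUT N` renumbers the rules below it, so the later deletes act on stale indices. Deleting by rule specification, mirroring exactly what update.sh appends, avoids all of that; the loop below replaces the four blocks (the two IPv6 sets would go through `ip6tables` once update.sh installs them with it).
```sh
#!/bin/sh
# Delete by rule specification rather than by line number: numbers shift after
# each delete, and `grep ustc_blacklist_v4` also matches the _v4_net line.
for set_name in ustc_blacklist_v4 ustc_blacklist_v4_net ustc_blacklist_v6 ustc_blacklist_v6_net; do
    if iptables --table filter --delete INPUT --match set --match-set "$set_name" src --jump DROP 2>/dev/null; then
        echo "Deleted $set_name rule"
    else
        echo "Cannot find $set_name rule on iptables"
    fi
done
```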
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+# create ipset
+ipset create ustc_blacklist_v4 hash:ip --exist
+ipset create ustc_blacklist_v4_net hash:net --exist
+ipset create ustc_blacklist_v6 hash:ip --exist
+ipset create ustc_blacklist_v6_net hash:net --exist
+# flush ipset
+ipset flush ustc_blacklist_v4
+ipset flush ustc_blacklist_v4_net
+ipset flush ustc_blacklist_v6
+ipset flush ustc_blacklist_v6_net
+
+# delete data if exist
+[ -f "blacklist_ustc.txt" ] && rm blacklist_ustc.txt
+wget http://blackip.ustc.edu.cn/list.php?txt -O blacklist_ustc.txt
+
+# get wget command status
+if [ $? -eq 0 ]
+then
+ echo "Blacklist file downloaded."
+ # processing data
+ echo "Processing data..."
+ python3 proceed.py
+ # add the host foreach in file to ipset
+ # ipv4
+ echo "Processing ipv4 list."
+ for addr in `cat dst/ipv4_list.txt`
+ do
+ ipset add ustc_blacklist_v4 $addr
+ done
+ echo "finshed."
+ # ipv4_net
+ echo "Processing ipv4 net list."
+ for addr in `cat dst/ipv4_net_list.txt`
+ do
+ ipset add ustc_blacklist_v4_net $addr
+ done
+ echo "finshed."
+ # ipv6
+ echo "Processing ipv6 list."
+ for addr in `cat dst/ipv6_list.txt`
+ do
+ ipset add ustc_blacklist_v6 $addr
+ done
+ echo "finshed."
+ # ipv6 net
+ echo "Processing ipv6 net list."
+ for addr in `cat dst/ipv6_net_list.txt`
+ do
+ ipset add ustc_blacklist_v6_net $addr
+ done
+ echo "finshed."
+else
+ echo "Failed to fetch the blacklist file."
+fi
+
+# config iptables
+iptables --table filter --append INPUT --match set --match-set ustc_blacklist_v4 src --jump DROP
+iptables --table filter --append INPUT --match set --match-set ustc_blacklist_v4_net src --jump DROP
+iptables --table filter --append INPUT --match set --match-set ustc_blacklist_v6 src --jump DROP
+iptables --table filter --append INPUT --match set --match-set ustc_blacklist_v6_net src --jump DROP
+
+# echo
+echo "iptable updated."
+echo "listing options..."
+iptables --table filter --list --line-numbers
\ No newline at end of file
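Review bot: The processing step cannot work as committed: `python3 proceed.py` names a file this commit does not add (the script is `blacklist.py`), and the four `cat dst/..._list.txt` loops read a `dst/` directory while blacklist.py writes `ipv4_list.txt` and friends into the working directory. The ordering is also unsafe: all four sets are flushed before the download, and on a failed `wget` the script prints an error but carries on, so a fetch failure leaves the sets empty (protection silently gone) and still appends four DROP rules — which it also does on every successful run, so duplicate rules accumulate. Fetch over HTTPS (the README already links `https://blackip.ustc.edu.cn/`) so the list cannot be substituted in transit, flush a set only after a successful download, load entries through `ipset restore` from a quoted `read -r` loop instead of an unquoted `$addr` from `cat`, and guard each append with `iptables --check`, as sketched below. The two IPv6 sets additionally need `family inet6` at creation and `ip6tables` rather than `iptables` for the match, which is presumably the IPv6 problem the README disclaimer refers to.
```sh
#!/bin/sh
set -eu
# … unchanged: the four `ipset create` lines (the two v6 sets need `family inet6`) …

[ -f "blacklist_ustc.txt" ] && rm blacklist_ustc.txt
# HTTPS so the list cannot be replaced in transit; stop here on failure so the
# sets are never flushed on the strength of a download that did not happen.
if ! wget https://blackip.ustc.edu.cn/list.php?txt -O blacklist_ustc.txt; then
    echo "Failed to fetch the blacklist file."
    exit 1
fi
echo "Blacklist file downloaded."
echo "Processing data..."
python3 blacklist.py    # the script this commit adds; it writes the lists to the working directory

# One ipset(8) process per set instead of one per entry, and "$addr" is never
# word-split or glob-expanded.
load_set() {
    ipset flush "$1"
    while IFS= read -r addr; do
        [ -n "$addr" ] && printf 'add %s %s\n' "$1" "$addr"
    done < "$2" | ipset -exist restore
}
load_set ustc_blacklist_v4 ipv4_list.txt
load_set ustc_blacklist_v4_net ipv4_net_list.txt
load_set ustc_blacklist_v6 ipv6_list.txt
load_set ustc_blacklist_v6_net ipv6_net_list.txt

# Append a DROP rule only when it is not already present, so repeated runs do
# not pile up duplicates (the v6 sets need ip6tables here).
for set_name in ustc_blacklist_v4 ustc_blacklist_v4_net; do
    iptables --table filter --check INPUT --match set --match-set "$set_name" src --jump DROP 2>/dev/null \
        || iptables --table filter --append INPUT --match set --match-set "$set_name" src --jump DROP
done
# … unchanged: final echo and listing …
```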