Debian environment

README.md

@@ -34,3 +34,19 @@ Next, fetch the IP ranges from RIPE stat: ``fetch-ripe-assignments.sh``
 Third, insert them into iptables via ipset: ``install-rules-ipset.sh``
 
 
+# Debian environment
+
+A debian installation uses rules in /etc/iptables/. The directory debian/ provides some files to be placed into /etc/iptables/ with an additional directory named countryblocker containing the this software.
+
+A Makefile provides the management and control of several task.
+Calling "make help" shows a summary about paths and usable targets.
+
+To setup the environment as prerequisite package ``netfilter-persistent`` and ``m4`` should be already installed.
+
+The files ``rules.v4`` and ``rules.v6`` are derived from the M4 macro templates ``rules.v4.m4`` and ``rules.v6.m4`` which are
+provided as samples. You have to adapt these to meet your environment and service portfolio.
+The M4 templates refer to rule snippets called ``add.v4``, ``head.v4`` and ``add.v6``, ``head.v6`` created by script ``gen-rules.sh`` (to be called regularly by cron) which is expected to reside in sub-directory ``countryblocker`` (in company with the remainder of this package).
+
+Optional one might create IPtable statistics (daily, weekly or whatever interval is considered as useful) using `make cron.stats` (in short described in make help). The history is stored in the sub-directory ``statistics`` with files named according to the pattern ``iptables-stats.YYYY-MM-DD`` containing the packet and byte counters of all rules.
+
+

debian/Makefile

@@ -0,0 +1,69 @@
+#
+# /etc/iptables/Makefile for Debian
+#
+
+# uncomment to add IPv6 statistics output
+
+#IP6=yes
+
+
+IPTABLES=/usr/sbin/iptables
+IP6TABLES=/usr/sbin/ip6tables
+
+
+all: .state
+
+.state gen: rules.v4 rules.v6
+	@-./UPDATE ;\
+	mkdir -p REV; \
+	cp -p rules.v4 REV/rules.v4.`date +%Y-%m-%d` ;\
+	cp -p rules.v6 REV/rules.v6.`date +%Y-%m-%d` ;\
+	touch .state
+
+rules.v4: rules.v4.m4 countryblocker/head.v4 countryblocker/add.v4
+	m4 $< > $@
+
+rules.v6: rules.v6.m4 countryblocker/head.v6 countryblocker/add.v6
+	m4 $< > $@
+
+status:
+	$(IPTABLES) -vnL
+
+status6:
+	$(IP6TABLES) -vnL
+
+stat stats:
+	@-$(IPTABLES) -L -vnx | awk '/Chain|destination/||($$1!=0){print}'
+	@-test -n "$(IP6)" && ( $(IP6TABLES) -L -vnx | awk '/Chain|destination/||($$1!=0){print}' ) || true
+
+cron.stats:
+	@-mkdir -p statistics ;\
+	$(MAKE) -s stats > statistics/iptables-stats.`date +%Y-%m-%d`
+
+
+help:
+	@-awk '/^##/,/_END_/{print substr($$0,2)}' Makefile
+
+## /etc/iptables/Makefile help
+#
+# To enable IPv6 statistic output uncomment set the IP6 variable in Makefile!
+#
+# Paths and files:
+# 	REV/	dated rule history
+# 	statistics/
+# 		dated statistic output (see cron.stats target)
+#	countryblocker/
+#		Countryblocker scripts
+#	.state	update timestamp file
+# 
+# Targets:
+# 	gen	generate IPtables rules derived from countryblocker changes
+# 	stat
+# 	status	show the IPv4 IPtables rules
+# 	status6	show the IPvr64 IPtables rules
+# 	cron.stats
+# 		create and save a statistics output in statistics/
+#
+# Cron tab (optional): (crontab -e -u root)
+# 	5 0 * * * make -sC /etc/iptables cron.stats
+#

debian/README.txt

@@ -0,0 +1,7 @@
+Debian environment
+------------------
+
+To be placed into /etc/iptables/
+
+Packages needed: netfilter-persistent
+

debian/UPDATE

@@ -0,0 +1,6 @@
+
+/sbin/service netfilter-persistent reload
+iptables-save >REV/rules.v4.last
+ip6tables-save >REV/rules.v6.last
+
+

debian/rules.v4.m4

@@ -0,0 +1,38 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:FW1 - [0:0]
+include(`countryblocker/head.v4')dnl
+-A INPUT -j FW1
+-A FORWARD -j FW1
+-A FW1 -i lo -j ACCEPT
+-A FW1 -p icmp -m icmp --icmp-type any -j ACCEPT
+-A FW1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FW1 -m state --state INVALID -j DROP
+-A FW1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A FW1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A FW1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
+-A FW1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A FW1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A FW1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+
+# Allow SMTP, HTTP, IMAP, HTTPS, SUBMISSION and IMAPS
+-A FW1 -p tcp -m tcp --dport 22 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 25 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 80 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 110 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 143 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 443 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 587 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 993 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 995 -j ACCEPT
+
+# Drop the rest
+-A FW1 -j LOG --log-prefix "Rejected packet: "
+#-A FW1 -j REJECT --reject-with icmp-host-prohibited
+
+include(`countryblocker/add.v4')dnl
+
+COMMIT
+

debian/rules.v6.m4

@@ -0,0 +1,38 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:FW1 - [0:0]
+include(`countryblocker/head.v6')dnl
+-A INPUT -j FW1
+-A FORWARD -j FW1
+-A FW1 -i lo -j ACCEPT
+-A FW1 -p icmp -m icmp --icmp-type any -j ACCEPT
+-A FW1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FW1 -m state --state INVALID -j DROP
+-A FW1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A FW1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A FW1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
+-A FW1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A FW1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A FW1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+
+# Allow SMTP, HTTP, IMAP, HTTPS, SUBMISSION and IMAPS
+-A FW1 -p tcp -m tcp --dport 22 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 25 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 80 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 110 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 143 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 443 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 587 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 993 -j ACCEPT
+-A FW1 -p tcp -m tcp --dport 995 -j ACCEPT
+
+# Drop the rest
+-A FW1 -j LOG --log-prefix "Rejected packet: "
+#-A FW1 -j REJECT --reject-with icmp-host-prohibited
+
+include(`countryblocker/add.v6')dnl
+
+COMMIT
+

gen-rules.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+
+countries=$( cat countries.txt )
+date=$(date --iso-8601)
+
+cp /dev/null  add.v4
+cp /dev/null  add.v6
+cp /dev/null  head.v4
+cp /dev/null  head.v6
+
+iptables() {
+	echo "$@" >> add.v4
+}
+
+ip6tables() {
+	echo "$@" >> add.v6
+}
+
+iptables_head() {
+	echo "$@" >> head.v4
+}
+
+ip6tables_head() {
+	echo "$@" >> head.v6
+}
+
+
+#echo "making backup of iptables..."
+#mkdir -p backups
+#iptables-save > backups/$date-iptables.save
+
+
+for cc in $countries; do
+	table="${cc}-blocker"
+	iptables_head ":$table - [0:0]"
+	ip6tables_head ":$table - [0:0]"
+done
+
+for cc in $countries; do
+	table="${cc}-blocker"
+	iptables_head -A INPUT -j $table
+	ip6tables_head -A INPUT -j $table
+done
+
+for cc in $countries; do
+	table="${cc}-blocker"
+	ipv4file="data/$date-$cc-ipv4.txt"
+
+	# ################### IPv4
+	echo "Installing new netblock rules for country $cc."
+	echo "==============================================="
+	echo "(IPv4)"
+	echo 
+	let i=0
+	for netblock in $(bzcat $ipv4file.bz2 | sort | uniq |   iprange --optimize ); do
+		iptables -A $table -s $netblock -j DROP
+		result=$((i++ % 100))
+	        if [ $result -eq 0 ]; then	
+			echo -n "."
+		fi
+
+	done
+	echo "Done."
+	iptables -A $table -j RETURN 
+
+
+	# ################### IPv6
+	ipv6file="data/$date-$cc-ipv6.txt"
+
+	echo 
+	echo "(IPv6)"
+	echo 
+	let i=0
+	for netblock in $(bzcat $ipv6file.bz2 | sort | uniq  ); do
+		ip6tables  -A $table -s $netblock -j DROP
+		result=$((i++ % 100))
+	        if [ $result -eq 0 ]; then	
+			echo -n "."
+		fi
+
+	done
+
+	ip6tables -A $table -j RETURN 
+done
+
+
+
+