#! /bin/bash
# * This file is part of APIBAN.org.
# * Copyright (c) 2020 @qwell
# *
# * Permission is hereby granted, free of charge, to any person obtaining a copy
# * of this software and associated documentation files (the "Software"), to deal
# * in the Software without restriction, including without limitation the rights
# * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# * copies of the Software, and to permit persons to whom the Software is
# * furnished to do so, subject to the following conditions:
# *
# * The above copyright notice and this permission notice shall be included in all
# * copies or substantial portions of the Software.
# *
# * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# * SOFTWARE.
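NOW=$(date +"%Y-%m-%d %H:%M:%S")
# APIKEY and last known ID are stored in config file.
# NOTE(review): CONFIG and LOG are relative to the current working directory,
# so a cron entry must cd into the right directory first (or these should be
# made absolute); otherwise a different apibanconfig.sys may be sourced.
CONFIG=apibanconfig.sys
# Output to a log
LOG=apiban-client.log
# Only a dotted-quad IPv4 address, optionally with a /prefix, is accepted from
# the API response; anything else is refused before it reaches an nft command.
IPV4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'

# log MESSAGE... - append a timestamped line to $LOG (stamp taken per call,
# as the original loop body did).
log() {
  printf '%s - %s\n' "$(date +"%Y-%m-%d %H:%M:%S")" "$*" >> "$LOG"
}

if [ ! -e "${CONFIG}" ] ; then
  # cant find config file; a silent exit 0 hid this from cron, so fail loudly
  echo "does $CONFIG exist?" >&2
  echo "unable to locate config file $CONFIG" >&2
  exit 1
fi
# APIKEY and last known ID are stored in apibanconfig.sys.
# `source` executes the file as shell code, so it must only be writable by the
# account running this script (it is also rewritten below).
# shellcheck disable=SC1090
source "$CONFIG"

# Exit if no APIKEY. The previous `[ -v "$APIKEY" ]` tested whether a variable
# *named after the key's value* exists, so an unset key was never detected;
# test the value itself.
if [ -z "${APIKEY:-}" ] ; then
  log "Cannot determine APIKEY. Exiting."
  exit 1
fi
# If no LKID, make it 100 (same `-v` mistake as above, fixed the same way).
LKID="${LKID:-100}"

# Create the APIBAN chain, and the jumps into it, only when the chain itself
# is missing. Keying this on "chain lists no addresses" re-inserted the
# INPUT/FORWARD jump rules and reset LKID on every run while the chain was
# empty (e.g. right after the first run with no bans yet).
if ! nft list chain ip filter APIBAN >/dev/null 2>&1 ; then
  log "Making target chain, resetting LKID."
  LKID=100
  if ! nft add chain ip filter APIBAN ; then
    log "nft add chain ip filter APIBAN failed (does table ip filter exist?). Exiting."
    exit 1
  fi
  nft insert rule ip filter INPUT counter jump APIBAN
  nft insert rule ip filter FORWARD counter jump APIBAN
fi
# Addresses currently in the chain, one per line, with any /32 suffix
# stripped. Rule lines look like "ip saddr A.B.C.D counter ... drop", so the
# address is field 3; header/brace lines have no "ip saddr" and are skipped.
CURRIPS=$(nft list chain ip filter APIBAN \
  | awk '$1 == "ip" && $2 == "saddr" { sub("/32", "", $3); print $3 }')

# Fetch bans newer than LKID. The API key is part of the URL by the service's
# design, so it is visible in `ps` for the duration of the request.
if ! BANLIST=$(curl -s --max-time 60 "https://apiban.org/api/${APIKEY}/banned/${LKID}") ; then
  log "Request to apiban.org failed (curl exit $?). Exiting."
  exit 1
fi
CURRID=$(printf '%s' "$BANLIST" | jq -r '.ID?')
# No new bans
if [ "$CURRID" = "none" ] ; then
  log "No new bans since $LKID. Exiting."
  exit 0
fi
# If CURRID is not numeric, exit. This also guards the sed substitution below,
# which interpolates CURRID into its pattern.
re='^[0-9]+$'
if ! [[ $CURRID =~ $re ]] ; then
  log "Unexpected response from API ERR1 $CURRID. Exiting."
  exit 1
fi

# Parse through IPs. mapfile keeps each jq output line intact instead of
# word-splitting and glob-expanding the response into an array.
mapfile -t IPADDRESSARR < <(printf '%s' "$BANLIST" | jq -r '.ipaddress? | .[]')
FAILED=0
for i in "${IPADDRESSARR[@]}"
do
  # The response is untrusted input; never pass a non-address to nft.
  if ! [[ $i =~ $IPV4_RE ]] ; then
    log "Refusing non-IPv4 entry '$i' from API response."
    continue
  fi
  # Exact-line match: the old substring test (=~ "$i") treated 1.2.3.4 as
  # already present when only 11.2.3.45 was in the chain.
  if grep -qxF -- "$i" <<<"$CURRIPS" ; then
    log "$i already in APIBAN chain. Bad LKID?"
  elif nft insert rule ip filter APIBAN ip saddr "$i" counter drop ; then
    log "Adding $i to nftables"
  else
    log "Failed to add $i to nftables"
    FAILED=$((FAILED + 1))
  fi
done

# Persist the new cursor only after the rules are in place, so a failed run
# does not skip those bans next time. Rewrite the LKID line in place, or append
# it when the config has none (the old sed silently did nothing in that case,
# so LKID never advanced).
if [ "$FAILED" -gt 0 ] ; then
  log "$FAILED address(es) not added; leaving LKID at $LKID. Exiting."
  exit 1
fi
if grep -q '^LKID=' "$CONFIG" ; then
  sed -i "s/^\(LKID=\).*$/\1${CURRID}/" "$CONFIG"
else
  printf 'LKID=%s\n' "$CURRID" >> "$CONFIG"
fi
log "All done. Exiting."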