-
Notifications
You must be signed in to change notification settings - Fork 2
/
dshield_nft_blocklist.pl
executable file
·100 lines (76 loc) · 2.74 KB
/
dshield_nft_blocklist.pl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#!/usr/bin/perl
# (c) 2022 Leif Sawyer
# License: GPL 3.0 (see https://github.com/akhepcat/)
# Permanent home: https://github.com/akhepcat/Miscellaneous/
# Direct download: https://raw.githubusercontent.com/akhepcat/Miscellaneous/master/dshield_nft_blocklist.pl
#
use Net::Netmask;
use JSON::Parse 'parse_json';
# This is the one you always want to customize; some RFC-1918 examples, AWS and Google also...
my @never_block=("192.168.0.0/22", "172.16.130.0/23", "192.168.13.0/24", "54.240.0.0/18", "209.85.128.0/17" );
# This should *probably* be customized, but this gets most of the bogons from encroaching through your external interface; Classic RFC-1918 is .. not blocked by default!
my @always_block=("0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.2.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3" );
my @cidrs;
open(NFT, "/sbin/nft -s -nnn list set netdev filter blocklist_v4 -j |" ) || die "can't open nft to import blocklist_v4 filter";
while(<NFT>) {
$json.="$_";
}
# Ugh, working our way through the json output is... horrible.
my $parsed=parse_json($json);
my @arr1 = @{$parsed->{nftables}};
my @arr2 = @{$arr1[1]->{set}->{elem}};
my $max = $#arr2;
for ( $i=0; $i < $max +1; $i++) {
my %prefix;
my @range;
my $cidr;
my %hash1 = %{@arr2[$i]};
if ( defined($hash1{prefix}) ) {
%prefix = %{$hash1{prefix}};
$cidr=$prefix{addr} . "/" . $prefix{len};
} elsif (defined($hash1{range})) {
my @v1 = $hash1{range};
my @range = @{$v1[0]};
$cidr = Net::Netmask->safe_new($range[0] . "-" . $range[1])->desc();
} else {
next;
}
next if (!defined($cidr));
if (! grep (/^$cidr/, @always_block) ) {
push @cidrs, $cidr;
}
}
my $rcidrs = join(',', @cidrs);
if (scalar @cidrs >=1 ) {
system(qq|/sbin/nft delete element netdev filter blocklist_v4 "{ $rcidrs }"\n|);
}
@cidrs=();
open(RPT, qq!curl -silent https://www.dshield.org/block.txt | grep -E '^[0-9]+' | awk '{print \$1 "/" \$3}'| !) || die "can't read cidrs from dshield report";
while (<RPT>) {
chomp;
push @cidrs, $_;
}
close(RPT);
my @bcidrs=();
foreach $cidr (@cidrs) {
my $block = 1;
my $nt = Net::Netmask->safe_new($cidr);
if (!defined($nt) ) {
print "couldn't build net::netmask object against $cidr\n";
next;
}
foreach $permit (@never_block)
{
my $test = Net::Netmask->safe_new($permit);
if ( $nt->contains($test) eq 1 or $test->contains($nt) eq 1 ) {
$block = 0;
}
}
if ($block eq 1) {
push @bcidrs, $cidr;
}
}
if (scalar @bcidrs >= 1) {
my $bcd = join(',', @bcidrs);
system(qq|/sbin/nft add element netdev filter blocklist_v4 "{ $bcd }"\n|);
}