This is a test script for IPFire and is not finished; I will upload the finished, fully documented version to GitHub.
Once it is finished you will be able to quickly block all networks announced by an ASN (or a whole company's ASNs).
#!/bin/bash
#
# Beta version
# ToDo
# Comment
# Upload on GitHub
# Fix IPv6 among other stuff in v1.1+
#
# --- IPFire object stores this script appends to and deletes from ------------------
customnetworks=/var/ipfire/fwhosts/customnetworks
customgroups=/var/ipfire/fwhosts/customgroups

# Remark written into every generated entry; cleanupNetworks and --list use it to
# tell the script's own objects apart from hand-made ones.
auto_remark="entry by asn_ipfire.sh"

# Binary paths embedded in the generated iptables / AFWall rule files.
iptable_path="/sbin/iptables"
afwall_path="/system/bin/iptables"

# Output files for the non-IPFire modes. These are relative paths, so they land in
# whatever directory the script is started from.
file_network="network_list.txt"
file_network_raw="$file_network"   # --network and --network_raw share one output file
file_iptable="iptable_rules.txt"
file_afwall="afwall_rules.txt"
file_asn="asn_list.txt"

# Active gatherers, run in order: company name -> ASNs, then ASN -> prefixes.
# gather_ASN2, gather_ASN3 and gather_NET0 are defined below but not enabled here.
declare -a getASNfromCOMPANY=(gather_ASN0 gather_ASN1)
declare -a getNETfromASN=(gather_NET1)

# Optional local lookup tables (also relative to the current directory).
local_asn_file="local_asn_list.txt"
local_net_file="local_net_list.txt"
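# Look up ASNs for company $1 in the optional local table $local_asn_file.
# A matching line contains " <company> " (surrounded by spaces, case-insensitive)
# and one or more "ASnnn" tokens; every token is printed on its own line.
# Prints nothing when the file does not exist.
gather_ASN0() {
  [[ -f $local_asn_file ]] || return 0
  # -F: the name comes from the command line, so match it literally rather than
  # letting "." or "*" in it act as regex metacharacters.
  grep -iF -- " $1 " "$local_asn_file" | grep -Eo 'AS[0-9]+'
}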
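# Query ultratools for the ASNs of company/domain $1 and print them one per line.
# The name is sent via --data-urlencode because it comes straight from the command
# line; --fail stops an HTTP error page from being scraped for "ASnnn"-like strings.
# Prints nothing (silently) if the request fails or the service is unavailable.
gather_ASN1() {
  curl --silent --fail -G --data-urlencode "domainName=$1" \
    "https://www.ultratools.com/tools/asnInfoResult" | grep -Eo 'AS[0-9]+' | uniq
}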
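# Look up ASNs for company $1 in the cidr-report.org autnums table (not in the
# active gatherer list, see getASNfromCOMPANY).
# NOTE(review): this is fetched over plain http. Anything it returns ends up in
# root-owned firewall configuration, so an on-path attacker could inject ASNs;
# switch to https (if the host serves it) before enabling this gatherer.
gather_ASN2() {
  # --fail: do not scrape an error page; -F: match the user-supplied name literally.
  curl --silent --fail "http://cidr-report.org/as2.0/autnums.html" | grep -iF -- " $1 " | grep -Eo 'AS[0-9]+'
}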
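# Look up ASNs for company $1 in the bgplookingglass.com list (not in the active
# gatherer list). The page separates entries with "<br ", which is turned into
# newlines before matching.
# NOTE(review): plain http, same caveat as gather_ASN2 - the result feeds firewall
# rules, so prefer https before enabling this gatherer.
gather_ASN3() {
  curl --silent --fail "http://www.bgplookingglass.com/list-of-autonomous-system-numbers" \
    | sed 's/<br /\n/g' | grep -iF -- " $1 " | grep -Eo 'AS[0-9]+'
}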
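# Look up IPv4 prefixes for company $1 in the optional local table $local_net_file.
# A matching line contains " <company> " (case-insensitive); every well-formed
# CIDR on it (four octets <= 255, prefix <= 32) is printed, sorted and deduplicated.
# Malformed tokens such as "1.2.3/24" or "999.1.1.1/24" are dropped rather than
# passed on to the firewall config. Prints nothing when the file is absent.
gather_NET0() {
  [[ -f $local_net_file ]] || return 0
  grep -iF -- " $1 " "$local_net_file" \
    | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' \
    | awk -F'[./]' '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 && $5 <= 32' \
    | sort -u
}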
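# Fetch the IPv4 prefixes currently announced by ASN $1 from RIPEstat, one per line,
# sorted and deduplicated. Only well-formed CIDRs (octets <= 255, prefix <= 32) are
# passed on: the output is written into root-owned firewall configuration, so the
# remote data must not be trusted blindly. IPv6 prefixes do not match and are dropped.
# NOTE(review): the JSON is scraped with grep, not parsed; the strict pattern keeps
# that safe, but a real JSON parser would be more robust.
gather_NET1() {
  curl --silent --fail "https://stat.ripe.net/data/announced-prefixes/data.json?preferred_version=1.1&resource=$1" \
    | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' \
    | awk -F'[./]' '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 && $5 <= 32' \
    | sort -u
}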
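# Convert a prefix length (0-32) to a dotted-quad netmask, e.g. 24 -> 255.255.255.0.
# Prints nothing and returns 1 for anything that is not an integer in 0-32, so a
# bad prefix coming from an upstream source cannot become a garbage mask in the
# IPFire config.
cdr2mask() {
  local bits=$1 mask
  [[ $bits =~ ^[0-9]+$ ]] && (( 10#$bits <= 32 )) || return 1
  bits=$(( 10#$bits ))
  # A shift by 32 is the one case the mask trick cannot express, hence the special case.
  if (( bits == 0 )); then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  fi
  printf '%d.%d.%d.%d\n' $(( mask >> 24 )) $(( (mask >> 16) & 255 )) $(( (mask >> 8) & 255 )) $(( mask & 255 ))
}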
# Print the network address of CIDR $1 ("a.b.c.d/n") as a decimal integer,
# without a trailing newline. A bare "a.b.c.d" works as well.
get_firstIP() {
  local o1 o2 o3 o4 _bits
  IFS='./' read -r o1 o2 o3 o4 _bits <<<"$1"
  # 10# forces decimal so an octet like "010" is not read as octal.
  printf '%d' $(( (10#$o1 << 24) + (10#$o2 << 16) + (10#$o3 << 8) + 10#$o4 ))
}
# Print the number of addresses in CIDR $1 ("a.b.c.d/n"), i.e. 2^(32-n),
# without a trailing newline.
get_IPrange() {
  local bits=${1#*/}
  printf '%d' $(( 1 << (32 - 10#$bits) ))
}
# Print, as a decimal integer without trailing newline, the address just PAST the
# end of CIDR $1 ("a.b.c.d/n"): network address + 2^(32-n). Despite the name this
# is the first address of the following block, which is what the adjacency checks
# in rm_redundantIP / rm_adjacentIP compare against.
get_lastIP() {
  local o1 o2 o3 o4 bits
  IFS='./' read -r o1 o2 o3 o4 bits <<<"$1"
  printf '%d' $(( (10#$o1 << 24) + (10#$o2 << 16) + (10#$o3 << 8) + 10#$o4 + (1 << (32 - 10#$bits)) ))
}
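# Decompose a block size $1 (number of addresses) into prefix lengths whose blocks
# add up to it, largest block first, appending " <bits>" for each one to the
# global $result (callers reset result="" beforehand). Example: 768 -> " 23 24".
# Uses bash arithmetic instead of forking bc, and returns at once for sizes < 1,
# which would otherwise recurse without end. Alignment of the resulting blocks is
# NOT considered here.
range2netmask() {
  local remaining=$1 exp=0
  (( remaining >= 1 )) || return 0
  # Smallest power of two that is >= remaining.
  while (( remaining > (1 << exp) )); do exp=$(( exp + 1 )); done
  if (( remaining == (1 << exp) )); then
    result="$result $(( 32 - exp ))"
  else
    # Not a power of two: take the largest power below it and recurse on the rest.
    exp=$(( exp - 1 ))
    result="$result $(( 32 - exp ))"
    range2netmask $(( remaining - (1 << exp) ))
  fi
}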
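# Convert a decimal IPv4 address $1 (0 .. 2^32-1) to dotted-quad notation.
# Pure bash arithmetic: no awk forks and no ip1..ip4 globals left behind.
dec2ip() {
  local n=$1
  echo "$(( n >> 24 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}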
# Drop netblocks that are fully contained in an earlier one.
# $1 is the NAME of an array (e.g. "net_list[@]"), expanded indirectly. The array
# must already be sorted by network address ascending and then by prefix length,
# so a containing block always precedes the blocks nested in it. Survivors are
# printed one per line.
rm_redundantIP() {
  local -a candidates=("${!1}")
  local -a survivors=()
  local block block_end furthest_end=0
  for block in "${candidates[@]}"; do
    block_end=$(get_lastIP "$block")
    # A block that does not reach past everything seen so far lies inside an earlier block.
    if (( block_end > furthest_end )); then
      survivors+=("$block")
      furthest_end=$block_end
    fi
  done
  for block in "${survivors[@]}"; do
    echo "$block"
  done
}
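# Merge runs of adjacent netblocks into the fewest properly aligned CIDR blocks.
# $1 is the NAME of an array (e.g. "net_list[@]") sorted by network address and
# free of nested blocks (run rm_redundantIP first). The result is printed one
# block per line.
# Every emitted block starts on a multiple of its own size. That matters for
# firewall objects: 10.0.1.0/24 + 10.0.2.0/24 must stay two blocks, because a
# "10.0.1.0/23" object actually covers 10.0.0.0-10.0.1.255 (blocking an unrelated
# /24 and missing 10.0.2.0/24). 10.0.0.0/24 + 10.0.1.0/24 do become 10.0.0.0/23.
# A run that reaches the end of the list is merged as well.
rm_adjacentIP() {
  local -a blocks=("${!1}")
  local -a merged=()
  local net o1 o2 o3 o4 bits start end k
  local run_from=-1 run_to=-1        # half-open address range [run_from, run_to) being accumulated

  # The trailing "" is a sentinel that forces the final run to be flushed.
  for net in "${blocks[@]}" ""; do
    if [[ -n $net ]]; then
      IFS='./' read -r o1 o2 o3 o4 bits <<<"$net"
      start=$(( (10#$o1 << 24) | (10#$o2 << 16) | (10#$o3 << 8) | 10#$o4 ))
      end=$(( start + (1 << (32 - 10#$bits)) ))
      if (( start == run_to )); then
        run_to=$end                  # contiguous with the current run: extend it
        continue
      fi
    fi
    # Gap (or end of input): emit the current run as aligned blocks, largest first.
    while (( run_from >= 0 && run_from < run_to )); do
      # Largest k such that run_from is a multiple of 2^k and 2^k addresses still fit.
      k=0
      while (( k < 32 && (run_from & ((1 << (k + 1)) - 1)) == 0 && run_from + (1 << (k + 1)) <= run_to )); do
        k=$(( k + 1 ))
      done
      merged+=("$(( run_from >> 24 )).$(( (run_from >> 16) & 255 )).$(( (run_from >> 8) & 255 )).$(( run_from & 255 ))/$(( 32 - k ))")
      run_from=$(( run_from + (1 << k) ))
    done
    run_from=$start
    run_to=$end
  done

  for net in "${merged[@]}"; do
    echo "$net"
  done
}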
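# Resolve every company in $company_array to a list of IPv4 prefixes and emit them.
# Without an argument (IPFire mode) it appends Custom Network / Custom Group objects
# to $customnetworks and $customgroups, continuing after the highest existing object
# ID. With a mode argument ("--asn", "--network", "--network_raw", "--iptable",
# "--afwall") it appends to $output_file in that format instead.
# Exits non-zero if the IPFire files are missing in IPFire mode. The prefix data is
# scraped from remote services and this script normally runs as root on the firewall,
# so every prefix is validated before anything is written.
addNetworks() {
  local mode=$1
  local company asn net gatherer
  local before after counter ip bits

  if [[ -z $mode ]]; then
    if [[ ! -f $customnetworks ]]; then
      echo "File $customnetworks not found. Check your IPFire installation." >&2
      exit 1
    fi
    if [[ ! -f $customgroups ]]; then
      echo "File $customgroups not found. Check your IPFire installation." >&2
      exit 1
    fi
    # New object IDs continue after the highest ID (first CSV field) in each file.
    network_object_number=$(( $(cut -d',' -f1 "$customnetworks" | awk '$1 > max { max = $1 } END { print max + 0 }') + 1 ))
    group_object_number=$(( $(cut -d',' -f1 "$customgroups" | awk '$1 > max { max = $1 } END { print max + 0 }') + 1 ))
  fi

  for company in "${company_array[@]}"; do
    local -a asn_list=()
    echo "---[Get all $company ASNs]---"
    for gatherer in "${getASNfromCOMPANY[@]}"; do
      # Merge with what earlier gatherers found; dedupe on the number after "AS".
      mapfile -t asn_list < <(printf '%s\n' "${asn_list[@]}" $("$gatherer" "$company") \
        | grep -E '^AS[0-9]+$' | sort -u -tS -n -k2,2)
    done
    if (( ${#asn_list[@]} == 0 )); then
      echo "---[No ASN found for $company]---"
      continue
    fi

    local -a net_list=()
    for asn in "${asn_list[@]}"; do
      echo "---[Get $company networks for $asn]---"
      for gatherer in "${getNETfromASN[@]}"; do
        mapfile -t net_list < <(printf '%s\n' "${net_list[@]}" $("$gatherer" "$asn") | grep -v '^$' | sort -u)
      done
    done

    # Only well-formed IPv4 CIDRs (octets <= 255, prefix <= 32) may go any further.
    mapfile -t net_list < <(printf '%s\n' "${net_list[@]}" \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
      | awk -F'[./]' '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 && $5 <= 32')
    if (( ${#net_list[@]} == 0 )); then
      echo "---[No networks found for $company]---"
      continue
    fi

    echo "---[Remove adjacent and overlapping netblocks]---"
    before=${#net_list[@]}
    # Sort numerically by octet, then by prefix length; rm_redundantIP and
    # rm_adjacentIP rely on that order.
    mapfile -t net_list < <(printf '%s\n' "${net_list[@]}" | tr '/' '.' \
      | sort -t. -n -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 \
      | awk -F. '{ printf "%d.%d.%d.%d/%d\n", $1, $2, $3, $4, $5 }')
    # The mode arrives as the full option string, so compare against "--network_raw".
    if [[ $mode != "--network_raw" ]]; then
      mapfile -t net_list < <(rm_redundantIP net_list[@])
      mapfile -t net_list < <(rm_adjacentIP net_list[@])
    fi
    after=${#net_list[@]}
    echo "---[$before netblocks consolidated to $after]---"

    echo "---[Creating objects for $company networks]---"
    case $mode in
      --asn)
        printf '### Company: %s ###\n' "$company" >> "$output_file"
        printf '%s\n' "${asn_list[@]}" >> "$output_file"
        ;;
      --network|--network_raw)
        printf '### Company: %s ###\n' "$company" >> "$output_file"
        printf '%s\n' "${net_list[@]}" >> "$output_file"
        ;;
      --iptable)
        printf '## Company: %s\n' "$company" >> "$output_file"
        for net in "${net_list[@]}"; do
          printf '%s -A OUTPUT -d %s -j REJECT\n' "$iptable_path" "$net" >> "$output_file"
        done
        ;;
      --afwall)
        printf '## Company: %s\n' "$company" >> "$output_file"
        for net in "${net_list[@]}"; do
          printf '%s -A "afwall" -d %s -j REJECT\n' "$afwall_path" "$net" >> "$output_file"
        done
        ;;
      *)
        counter=1
        for net in "${net_list[@]}"; do
          ip=${net%/*}
          bits=${net#*/}
          # Never turn the default route into a "company" network object.
          [[ $ip == "0.0.0.0" ]] && continue
          printf '%s,%s-Network Nr.%s,%s,%s,%s\n' \
            "$network_object_number" "$company" "$counter" "$ip" "$(cdr2mask "$bits")" "$auto_remark" >> "$customnetworks"
          printf '%s,%s,%s,%s-Network Nr.%s,Custom Network\n' \
            "$group_object_number" "$company" "$auto_remark" "$company" "$counter" >> "$customgroups"
          network_object_number=$(( network_object_number + 1 ))
          group_object_number=$(( group_object_number + 1 ))
          counter=$(( counter + 1 ))
        done
        ;;
    esac
  done
}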
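# Remove this script's objects from the IPFire files. If the first company is
# "ALL", every line carrying $auto_remark is deleted; otherwise only lines whose
# object name is "<company>-Network Nr.<n>", so removing "Face" no longer also
# deletes "Facebook". Company names come from the command line or a file and are
# escaped before being embedded in the sed address.
cleanupNetworks() {
  local ipfire_file company escaped
  for ipfire_file in "$customnetworks" "$customgroups"; do
    [[ -f $ipfire_file ]] || continue
    if [[ ${company_array[0]} == "ALL" ]]; then
      echo "---[Removing all script-generated objects from $ipfire_file ]---"
      sed -i "/,${auto_remark}/Id" "$ipfire_file"
    else
      for company in "${company_array[@]}"; do
        echo "---[Removing $company objects from $ipfire_file ]---"
        escaped=$(printf '%s' "$company" | sed 's/[][\.*^$/]/\\&/g')
        # Delete only lines that carry both the remark and this company's object
        # name; in both files the object name is always preceded by a comma.
        sed -i "/,${auto_remark}/I{/,${escaped}-Network Nr\./Id}" "$ipfire_file"
      done
    fi
  done
}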
# Print the full usage text to stdout. The output file names in the non-IPFire
# section are taken from the $file_* variables at the time of the call.
print_help() {
  cat <<EOF
Usage: asn_ipfire.sh [OPTION] [COMPANYs | -f FILE]
Add or remove networks to IPFire firewall Groups: Networks & Host Groups

Options:
 -a, --add Add new company networks
 -r, --remove Remove company networks from customnetworks & customgroups
 COMPANY='ALL' to remove all entries done by this script
 -f, --file FILE Get company list from FILE
 -l, --list List entries done by this script
 --renumber Renumber lines of customnetworks & customgroups files
 -h, --help Show this help

Create special output files (Non-IPFire-Mode):
 --network Create FILE '$file_network' with networks
 --network_raw dito, but networks not consolidated
 --asn Create FILE '$file_asn' with ASNs only
 --iptable Create FILE '$file_iptable' with iptable rules
 --afwall Create FILE '$file_afwall' with afwall rules

EOF
}
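# ---- Entry point: argument parsing and mode dispatch -----------------------------
company_array=()
company_array_from_file=()
company_array_from_arg=()
mode=""
helptext="Usage: asn_ipfire.sh [OPTION] [COMPANYs | -f FILE] \nTry 'asn_ipfire.sh --help' for more information."

# Usage errors exit non-zero so cron jobs and wrappers can tell failure from success.
if [[ $# -eq 0 ]]; then echo -e "$helptext"; exit 1; fi
if [[ $# -gt 4 ]]; then echo -e "Too many arguments.\n$helptext" >&2; exit 1; fi

# Company names are split on commas/whitespace; "/" is removed because the names
# are later embedded in sed patterns by cleanupNetworks.
while [[ $# -gt 0 ]]; do
  case $1 in
    -f|--file)
      if [[ -f $2 ]]; then
        # Read the file's contents (a here-string of "cat FILE" would only yield
        # the two words "cat" and "FILE" as company names).
        company_array_from_file=( $(sed 's/[,]/ /g; s/[\/]//g' < "$2") )
        shift
      else
        echo "File not found." >&2
        echo -e "$helptext"
        exit 1
      fi
      ;;
    -a|--add|-r|--remove|--asn|--network|--network_raw|--iptable|--afwall)
      if [[ -n $mode ]]; then
        echo -e "Too many arguments.\n$helptext" >&2
        exit 1
      fi
      mode=$1
      if [[ -n $2 && ${2:0:1} != "-" ]]; then
        company_array_from_arg=( $(sed 's/[,]/ /g; s/[\/]//g' <<< "$2") )
        shift
      fi
      ;;
    -l|--list|--renumber|-v|--version|-h|--help)
      if [[ -n $mode || -n $2 ]]; then
        echo -e "Too many arguments.\n$helptext" >&2
        exit 1
      fi
      mode=$1
      ;;
    *)
      echo -e "Unknown argument.\n$helptext" >&2
      exit 1
      ;;
  esac
  shift
done

# Merge both sources, deduplicated case-insensitively.
company_array=( $(printf '%s\n' "${company_array_from_file[@]}" "${company_array_from_arg[@]}" | sort -uf) )

case $mode in
  -a|--add|-r|--remove)
    if (( ${#company_array[@]} == 0 )); then
      echo "No company names found. Nothing done!" >&2
      echo "Try 'asn_ipfire.sh --help' for more information."
      exit 1
    fi
    # Old objects are always dropped first; --add then re-creates them from fresh data.
    cleanupNetworks
    if [[ $mode == "-a" || $mode == "--add" ]]; then
      addNetworks
    fi
    # Reload the firewall so the changed objects take effect.
    /etc/init.d/firewall restart
    echo "---[All done!]---"
    ;;
  -l|--list)
    for ipfire_file in "$customnetworks" "$customgroups"; do
      if [[ -f $ipfire_file ]]; then
        echo "Company names in $ipfire_file:"
        # Object names are "<company>-Network Nr.<n>" and fields cannot contain
        # commas. ("[a-Z]" is not a portable character range, so the class is
        # written as "anything but a comma".)
        grep -- "$auto_remark" "$ipfire_file" | grep -Eo '[^,]*-Network Nr' | sort -u | sed 's/-Network Nr//'
      else
        echo "File $ipfire_file not found."
      fi
    done
    ;;
  --renumber)
    # NOTE(review): this rewrites the numeric object IDs in place; confirm that
    # nothing else in IPFire references these IDs before using it on a live system.
    for ipfire_file in "$customnetworks" "$customgroups"; do
      if [[ -f $ipfire_file ]]; then
        sed -i '/^$/d' "$ipfire_file"             # drop blank lines first so the numbering has no gaps
        sed -i '=' "$ipfire_file"                 # insert a line-number line before every line
        sed -i 'N;s/\n[0-9]\+//' "$ipfire_file"   # join it with the line, dropping the old leading ID
        echo "File $ipfire_file renumbered."
      else
        echo "File $ipfire_file not found."
      fi
    done
    ;;
  --asn|--network|--network_raw|--iptable|--afwall)
    # "--network_raw" selects $file_network_raw, and so on.
    output_var="file_${mode#--}"
    output_file="${!output_var}"
    if (( ${#company_array[@]} == 0 )); then
      echo "No company names found. Nothing done!" >&2
      echo "Try 'asn_ipfire.sh --help' for more information."
      exit 1
    fi
    : > "$output_file"                            # create or truncate the output file
    addNetworks "$mode"
    echo "---[All done!]---"
    ;;
  -v|--version)
    # NOTE(review): $revision is not assigned anywhere in this file, so this
    # prints "unknown" until a version string is added.
    echo "${revision:-unknown}"
    ;;
  -h|--help)
    print_help
    ;;
  *)
    echo -e "$helptext"
    ;;
esac
exit 0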
Update
![](https://chefkochblog.wordpress.com/wp-content/uploads/2022/03/image-16.png?w=720)
I never deal with threats against my work or against me as a person. This Mike clown also never wrote a single line of my script.
No one contacted me or tried to discuss anything with me; they threatened me, and I do not need to give credit to others for my own work.
I wrote parts of AFWall+ and practically the whole wiki myself. If you want to spread lies behind my back, at least check the real facts, maybe contact me, and do not send your goons or your own alt accounts to an issue ticket — how about that? Abusing issue tickets seems to be a thing.