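#!/bin/sh
# Author: redhat27, Version 2.5
# snbforums thread: https://www.snbforums.com/threads/yet-another-malware-block-script-using-ipset-v4-and-v6.38935/
#
# Builds ipset lists from downloaded blocklist feeds and drops matching
# source addresses in the raw PREROUTING chain:
#   YAMalwareBlock<n>IP  - discrete IPs, split into sets of at most 65535
#   YAMalwareBlockCIDR   - CIDR ranges (lines containing a '/')
# Each set is rebuilt in a scratch set (tYAMB) and then swapped in, so the
# live set is never empty while the reload runs. Progress is printed only
# when stdout is a terminal; the summary always goes to syslog (tag Firewall).
#
# NOTE(review): this listing was recovered from a whitespace-mangled copy in
# which the loop header between the source count and the first
# "Adding data..." message was lost. The count/loop scaffolding marked
# "reconstructed" below is inferred from the loop body (65535-line slices,
# $this counter) and must be confirmed against the upstream script.

URLList=/jffs/ipset_lists/ya-malware-block.urls     # Change to an appropriate download location if needed (This file has the list of URLs of files that has the blocking IP and CIDR soures)
WhiteList=/jffs/ipset_lists/ya-malware-block.whites # Change to an appropriate download location if needed (This file must exist. Append to this file your own whitelisted discrete IPs)
BlackList=/jffs/ipset_lists/ya-malware-block.blacks # Change to an appropriate location if needed (This file is optional. You may put your manual IPs and CIDR ranges to block)
GitURLBase=https://raw.githubusercontent.com/shounak-de/misc-scripts/master/

# Select the ipset v6 / v4 command dialect and load the kernel modules on
# demand. ESL is the number of header lines `ipset -L` prints before the
# entries; it is subtracted from the line count to report set sizes.
case $(ipset -v | grep -o "v[4,6]") in
  v6)
    MATCH_SET='--match-set'; CREATE='n'; DESTROY='destroy'; RESTORE='restore'
    ADD='add'; SWAP='swap'; IPHASH='hash:ip'; NETHASH='hash:net'; ESL=7
    lsmod | grep -q "xt_set" || for module in ip_set ip_set_hash_net ip_set_hash_ip xt_set; do modprobe "$module"; done
    ;;
  v4)
    MATCH_SET='--set'; CREATE='-N'; DESTROY='--destroy'; RESTORE='--restore'
    ADD='-A'; SWAP='--swap'; IPHASH='iphash'; NETHASH='nethash'; ESL=6
    lsmod | grep -q "ipt_set" || for module in ip_set ip_set_nethash ip_set_iphash ipt_set; do modprobe "$module"; done
    ;;
  *)
    logger -t Firewall "$0: Unknown ipset version. Exiting."
    exit 1
    ;;
esac

startTS=$(date +%s)
logger -t Firewall "$0: Adding ya-malware-block rules to firewall..."
[ -t 1 ] && printf '%s\n' "$0: Adding ya-malware-block rules to firewall..."

# Bootstrap the URL list and the whitelist from GitHub when absent or empty.
# NOTE(review): -k disables TLS certificate verification, so an on-path
# attacker could substitute the feed list or the whitelist; drop -k once the
# router has a usable CA bundle. -f keeps an HTTP error page from being saved
# as if it were the list.
listDir=$(dirname "$URLList")
[ -d "$listDir" ] || mkdir -p "$listDir"
[ -s "$URLList" ] || curl -skf "${GitURLBase}$(basename "$URLList")" -o "$URLList"
[ -s "$WhiteList" ] || curl -skf "${GitURLBase}$(basename "$WhiteList")" -o "$WhiteList"
# Without these two files the pipeline below would silently produce an empty
# source list and every set would be swapped to empty; fail loudly instead.
for required in "$URLList" "$WhiteList"; do
  [ -s "$required" ] || { logger -t Firewall "$0: $required is missing or empty. Exiting."; exit 1; }
done

# Scratch file for the aggregated sources; unpredictable name, removed on exit.
SourceFile=$(mktemp /tmp/ya-malware-block.XXXXXX) || { logger -t Firewall "$0: mktemp failed. Exiting."; exit 1; }
trap 'rm -f -- "$SourceFile"' EXIT

lastTS=$(date +%s)
[ -t 1 ] && printf '%s' ">>> Downloading and aggregating malware sources (also processing whitelists)..."
# Fetch every feed, append the optional manual blacklist, strip CRs and keep
# only lines made of digits/dots/slashes (discrete IPs and CIDR ranges), drop
# whitelisted entries and de-duplicate while preserving order.
# The whitelist is applied as fixed substrings (-F) so a '.' in an entry does
# not match any character; note that a blank line in the whitelist would
# still match every source line.
{
  while read -r url; do
    nice -n 15 curl -sk "$url"
  done <"$URLList"
  [ -s "$BlackList" ] && cat "$BlackList"
} | nice -n 15 sed -n "s/\r//;/^$/d;/^[0-9,\.,\/]*$/p" \
  | nice -n 15 grep -vFf "$WhiteList" \
  | nice -n 15 awk '!a[$0]++' >"$SourceFile"

# --- reconstructed (see NOTE at top) ---
# Discrete IPs (lines without a '/') are loaded in slices of 65535 entries,
# one ipset per slice; at least one IP set is always created so the rule and
# the summary message exist even when the feeds are empty.
TotalCount=$(grep -vc '/' "$SourceFile")
setCount=$(( (TotalCount + 65534) / 65535 ))
[ "$setCount" -lt 1 ] && setCount=1
FinalMessage=''
this=1
while [ "$this" -le "$setCount" ]; do
  setName=YAMalwareBlock${this}IP
  if [ -t 1 ]; then
    elapsed=$(( $(date +%s) - lastTS ))
    printf ' ~%ss\n>>> Adding data and processing rule for %s...' "$elapsed" "$setName"
  fi
  lastTS=$(date +%s)
  first=$(( (this - 1) * 65535 + 1 ))
  last=$(( this * 65535 ))
  ipset -q $CREATE "$setName" $IPHASH
  ipset -q $DESTROY tYAMB
  # Load this slice into the scratch set, then swap it into the live set.
  {
    echo "$CREATE tYAMB $IPHASH"
    sed -n "/\//!p" "$SourceFile" | sed -n "${first},${last} s/^/$ADD tYAMB /p"
    echo "COMMIT"
  } | nice -n 15 ipset $RESTORE && ipset $SWAP tYAMB "$setName"
  iptables-save | grep -q "$setName" || iptables -t raw -I PREROUTING -m set $MATCH_SET "$setName" src -j DROP
  FinalMessage="$FinalMessage $setName ($(( $(ipset -L "$setName" | wc -l) - ESL )))"
  this=$((this + 1))
done
# --- end reconstructed ---

if [ -t 1 ]; then
  elapsed=$(( $(date +%s) - lastTS ))
  printf ' ~%ss\n>>> Adding data and processing rule for YAMalwareBlockCIDR...' "$elapsed"
fi
lastTS=$(date +%s)
ipset -q $CREATE YAMalwareBlockCIDR $NETHASH
ipset -q $DESTROY tYAMB
# All lines containing a '/' go into the single CIDR set.
{
  echo "$CREATE tYAMB $NETHASH"
  sed -n "/\//s/^/$ADD tYAMB /p" "$SourceFile"
  echo "COMMIT"
} | nice -n 15 ipset $RESTORE && ipset $SWAP tYAMB YAMalwareBlockCIDR
iptables-save | grep -q YAMalwareBlockCIDR || iptables -t raw -I PREROUTING -m set $MATCH_SET YAMalwareBlockCIDR src -j DROP
FinalMessage="$FinalMessage and YAMalwareBlockCIDR ($(( $(ipset -L YAMalwareBlockCIDR | wc -l) - ESL ))) in $(( $(date +%s) - startTS )) seconds"

if [ -t 1 ]; then
  elapsed=$(( $(date +%s) - lastTS ))
  printf ' ~%ss\n>>> Cleaning up...' "$elapsed"
fi
ipset $DESTROY tYAMB
rm -f -- "$SourceFile"
lastTS=$(date +%s)

# The message is built with a leading separator space; strip it for the log.
FinalMessage=${FinalMessage# }
logger -t Firewall "$FinalMessage"
if [ -t 1 ]; then
  elapsed=$(( $(date +%s) - lastTS ))
  printf ' ~%ss\n%s\n' "$elapsed" "$FinalMessage"
fi
exit 0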