yanistyle/AS_Network_List
1
0
Fork 0
mirror of https://github.com/C24Be/AS_Network_List.git synced 2026-03-25 19:09:48 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d7e0f9c7b770fadafa8e1d434ee393caae440340
AS_Network_List/blacklists_updater_iptables.sh
C24Be d7e0f9c7b7 Block VK / usage
2026-03-24 19:06:26 +01:00

168 lines
7.3 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
# Input files (generated by blacklists_updater_txt.sh)
blacklist_file="${SCRIPT_DIR}/blacklists/blacklist.txt"
blacklist_v4_file="${SCRIPT_DIR}/blacklists/blacklist-v4.txt"
blacklist_v6_file="${SCRIPT_DIR}/blacklists/blacklist-v6.txt"
# Source files for name-based VK filtering
auto_all_v4_file="${SCRIPT_DIR}/auto/all-ru-ipv4.txt"
auto_all_v6_file="${SCRIPT_DIR}/auto/all-ru-ipv6.txt"
auto_ripe_v4_file="${SCRIPT_DIR}/auto/ripe-ru-ipv4.txt"
vk_name_pattern='VK[[:space:]-]*CLOUD|VKCOMPANY|VKONTAKTE'
# Additional VK-only text blacklists
blacklist_vk_file="${SCRIPT_DIR}/blacklists/blacklist-vk.txt"
blacklist_vk_v4_file="${SCRIPT_DIR}/blacklists/blacklist-vk-v4.txt"
blacklist_vk_v6_file="${SCRIPT_DIR}/blacklists/blacklist-vk-v6.txt"
# Output directory and files
iptables_output_dir="${SCRIPT_DIR}/blacklists_iptables"
iptables_output_file="${iptables_output_dir}/blacklist.ipset"
iptables_v4_output_file="${iptables_output_dir}/blacklist-v4.ipset"
iptables_v6_output_file="${iptables_output_dir}/blacklist-v6.ipset"
iptables_vk_output_file="${iptables_output_dir}/blacklist-vk.ipset"
iptables_vk_v4_output_file="${iptables_output_dir}/blacklist-vk-v4.ipset"
iptables_vk_v6_output_file="${iptables_output_dir}/blacklist-vk-v6.ipset"
# Create iptables directory if it doesn't exist
mkdir -p "${iptables_output_dir}"
# Build additional VK-only blacklist from network names in auto/*.txt files
tmp_vk_file="$(mktemp "${SCRIPT_DIR}/blacklists/.blacklist-vk.XXXXXX")"
for source_file in "${auto_all_v4_file}" "${auto_all_v6_file}" "${auto_ripe_v4_file}"; do
[ -f "${source_file}" ] || continue
awk -v pattern="${vk_name_pattern}" 'BEGIN { IGNORECASE = 1 } $0 ~ pattern { print $1 }' "${source_file}" >> "${tmp_vk_file}"
done
sort -u "${tmp_vk_file}" > "${blacklist_vk_file}"
grep ':' "${blacklist_vk_file}" | sort -u > "${blacklist_vk_v6_file}" || true
grep -v ':' "${blacklist_vk_file}" | sort -u > "${blacklist_vk_v4_file}" || true
rm -f "${tmp_vk_file}"
# Function to generate ipset config from input file
generate_ipset_config() {
local input_file="$1"
local output_file="$2"
local ip_version="$3"
local set_name="$4"
local family="$5"
# Count entries for hash size calculation
local count=$(wc -l < "${input_file}" | tr -d ' ')
local hashsize=$((count > 1024 ? count : 1024))
local maxelem=$((count * 2))
# Generate ipset configuration with header
cat > "${output_file}" << EOF
# IPSet blacklist configuration ${ip_version}
# Auto-generated from $(basename ${input_file})
# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
#
# Usage:
# 1. Load the ipset:
# ipset restore < $(basename ${output_file})
#
# 2. Use with iptables/ip6tables:
# iptables -I INPUT -m set --match-set ${set_name} src -m conntrack --ctstate NEW -j DROP
# iptables -I FORWARD -m set --match-set ${set_name} src -m conntrack --ctstate NEW -j DROP
#
# 3. To flush/delete the set:
# ipset flush ${set_name}
# ipset destroy ${set_name}
#
create ${set_name} hash:net family ${family} hashsize ${hashsize} maxelem ${maxelem}
EOF
# Add entries for each network/IP
while IFS= read -r network; do
# Skip empty lines
[ -z "${network}" ] && continue
echo "add ${set_name} ${network}" >> "${output_file}"
done < "${input_file}"
echo "✓ Generated ${ip_version}: ${output_file}"
echo " Total entries: ${count}"
}
# Generate ipset configurations from blacklist files
generate_ipset_config "${blacklist_v4_file}" "${iptables_v4_output_file}" "(IPv4 only)" "blacklist-v4" "inet"
generate_ipset_config "${blacklist_v6_file}" "${iptables_v6_output_file}" "(IPv6 only)" "blacklist-v6" "inet6"
generate_ipset_config "${blacklist_vk_v4_file}" "${iptables_vk_v4_output_file}" "(VK names, IPv4 only)" "blacklist-vk-v4" "inet"
generate_ipset_config "${blacklist_vk_v6_file}" "${iptables_vk_v6_output_file}" "(VK names, IPv6 only)" "blacklist-vk-v6" "inet6"
# For mixed file, we need to create two sets (IPv4 and IPv6) as ipset doesn't support mixed families
cat > "${iptables_output_file}" << EOF
# IPSet blacklist configuration (mixed IPv4/IPv6)
# Auto-generated from $(basename ${blacklist_file})
# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
#
# Usage:
# 1. Load the ipset:
# ipset restore < $(basename ${iptables_output_file})
#
# 2. Use with iptables/ip6tables:
# iptables -I INPUT -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
# iptables -I FORWARD -m set --match-set blacklist-v4 src -m conntrack --ctstate NEW -j DROP
# ip6tables -I INPUT -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP
# ip6tables -I FORWARD -m set --match-set blacklist-v6 src -m conntrack --ctstate NEW -j DROP
#
# 3. To flush/delete the sets:
# ipset flush blacklist-v4 && ipset destroy blacklist-v4
# ipset flush blacklist-v6 && ipset destroy blacklist-v6
#
EOF
# Append both IPv4 and IPv6 sets to the mixed file
tail -n +2 "${iptables_v4_output_file}" | grep -E "^(create|add)" >> "${iptables_output_file}"
echo "" >> "${iptables_output_file}"
tail -n +2 "${iptables_v6_output_file}" | grep -E "^(create|add)" >> "${iptables_output_file}"
echo "✓ Generated (mixed IPv4/IPv6): ${iptables_output_file}"
echo " Total entries: $(wc -l < "${blacklist_file}" | tr -d ' ')"
# Generate mixed VK-only ipset file (contains both v4 and v6 sets)
cat > "${iptables_vk_output_file}" << EOF
# IPSet blacklist configuration (VK names: VK Cloud / VKCOMPANY / VKONTAKTE)
# Auto-generated from name-filtered auto/*.txt sources
# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
#
# Usage:
# 1. Load the ipset:
# ipset restore < $(basename "${iptables_vk_output_file}")
#
# 2. Use with iptables/ip6tables:
# iptables -I INPUT -m set --match-set blacklist-vk-v4 src -m conntrack --ctstate NEW -j DROP
# iptables -I FORWARD -m set --match-set blacklist-vk-v4 src -m conntrack --ctstate NEW -j DROP
# ip6tables -I INPUT -m set --match-set blacklist-vk-v6 src -m conntrack --ctstate NEW -j DROP
# ip6tables -I FORWARD -m set --match-set blacklist-vk-v6 src -m conntrack --ctstate NEW -j DROP
#
# 2a. Block outgoing traffic to VK destination networks:
# iptables -I OUTPUT -m set --match-set blacklist-vk-v4 dst -m conntrack --ctstate NEW -j REJECT
# ip6tables -I OUTPUT -m set --match-set blacklist-vk-v6 dst -m conntrack --ctstate NEW -j REJECT
#
# 3. To flush/delete the sets:
# ipset flush blacklist-vk-v4 && ipset destroy blacklist-vk-v4
# ipset flush blacklist-vk-v6 && ipset destroy blacklist-vk-v6
#
EOF
tail -n +2 "${iptables_vk_v4_output_file}" | grep -E "^(create|add)" >> "${iptables_vk_output_file}"
echo "" >> "${iptables_vk_output_file}"
tail -n +2 "${iptables_vk_v6_output_file}" | grep -E "^(create|add)" >> "${iptables_vk_output_file}"
echo "✓ Generated (VK names, mixed IPv4/IPv6): ${iptables_vk_output_file}"
echo " Total entries: $(wc -l < "${blacklist_vk_file}" | tr -d ' ')"
echo ""
echo "VK outgoing block examples (iptables/ipset):"
echo " ipset restore < ${iptables_vk_output_file}"
echo " iptables -I OUTPUT -m set --match-set blacklist-vk-v4 dst -m conntrack --ctstate NEW -j REJECT"
echo " ip6tables -I OUTPUT -m set --match-set blacklist-vk-v6 dst -m conntrack --ctstate NEW -j REJECT"
echo ""
echo "Tip: Do not install Messenger MAX on the same phone/device that has VPN access configured."
Reference in New Issue View Git Blame Copy Permalink