init

2024-11-14 21:11:06 +01:00
commit 5718e70f15
657 changed files with 9401652 additions and 0 deletions
--- a/root/country_block/StartTFTPDownload.pl
+++ b/root/country_block/StartTFTPDownload.pl
@@ -0,0 +1,75 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use Net::SNMP;
+
+my $i=@ARGV;
+die "\nZu wenige Parameter!\n\nStartTftpDownload.pl <Router-IP> <TFTP-IP> <community> <Source> <Destination> <File>\n
+Source
+ 1: networkFile
+ 3: startupConfig
+ 4: runningConfig
+
+Destination
+ 1: networkFile
+ 3: startupConfig
+ 4: runningConfig
+
+Example
+C:\\>StartTftpDownload.pl 172.23.210.151 172.23.210.222 5NMP-Wr1t3-(0mm 1 4 getit.conf
+" if $i<6;
+
+print "\n";
+
+my $ROUT = $ARGV[0];
+my $TFTP = $ARGV[1];
+my $COMM = $ARGV[2];
+my $SOUR = $ARGV[3];
+my $DEST = $ARGV[4];
+my $FILE = $ARGV[5];
+
+
+my ($session, $error) = Net::SNMP->session(
+    -hostname     => $ROUT,
+    -version      => 'snmpv2',
+    -community    => $COMM,
+);
+
+if (!defined $session) {
+    printf "ERROR: %s.\n", $error;
+    exit 1;
+}
+
+my $SES=".123";
+my $OID="1.3.6.1.4.1.9.9.96.1.1.1.1.2" . $SES;
+$session->set_request(-varbindlist => [ $OID, INTEGER, '1' ], ); #The ConfigCopyProtocol is set to TFTP
+
+
+$OID="1.3.6.1.4.1.9.9.96.1.1.1.1.3" . $SES;
+$session->set_request(-varbindlist => [ $OID, INTEGER, $SOUR ], ); #Set the SourceFileType to networkfile #running-config
+
+
+$OID="1.3.6.1.4.1.9.9.96.1.1.1.1.4" . $SES;
+$session->set_request(-varbindlist => [ $OID, INTEGER, $DEST ], ); #Set the DestinationFileType to running-config #networkfile
+
+
+$OID="1.3.6.1.4.1.9.9.96.1.1.1.1.5" . $SES;
+$session->set_request(-varbindlist => [ $OID, IPADDRESS, $TFTP ], ); #Sets the ServerAddress to the IP address of the TFTP server
+
+
+$OID="1.3.6.1.4.1.9.9.96.1.1.1.1.6" . $SES;
+$session->set_request(-varbindlist => [ $OID, OCTET_STRING, $FILE ], ); #Sets the CopyFilename to your desired file name.
+
+
+$OID="1.3.6.1.4.1.9.9.96.1.1.1.1.14" . $SES;
+$session->set_request(-varbindlist => [ $OID, INTEGER, '1' ], ); #Sets the CopyStatus to active which starts the copy process.
+
+
+$OID="1.3.6.1.4.1.9.9.96.1.1.1.1.14" . $SES;
+$session->set_request(-varbindlist => [ $OID, INTEGER, '6' ], ); #Sets the CopyStatus to delete which cleans all saved informations out of the MIB
+
+exit;
+
+
--- a/root/country_block/convertZONE2ACL.pl
+++ b/root/country_block/convertZONE2ACL.pl
@@ -0,0 +1,245 @@
+#!/usr/bin/perl
+
+# nordkorea libanon
+@ct=qw/kp /;
+
+$OUTFILE="/tftp/block-country-acl";
+$INTERFACE="te0/0/0";
+$ACL="block-country-acl";
+$URL="http://www.ipdeny.com/ipblocks/data/countries/";
+
+open OUT, ">$OUTFILE";
+printf OUT "int $INTERFACE\n";
+printf OUT "no ip access-g $ACL in\n";
+printf OUT "exit\n";
+printf OUT "no ip access-list extended $ACL\n";
+printf OUT "ip access-list extended $ACL\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** reflexive list allows established\n";
+printf OUT "permit tcp any any established\n";
+#printf OUT "evaluate iptraffic\n";
+printf OUT "permit tcp any lt 1024 any gt 1024 ack\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** Cisco CSCup10024 CSCva95506 CSCve64219\n";
+printf OUT "deny udp any any eq 0\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** BLOCK SNMP requests from outside\n";
+printf OUT "deny udp any any eq 161\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** BLOCK rpc ports tcp/111 udp/111\n";
+printf OUT "deny tcp any any eq 111\n";
+printf OUT "deny udp any any eq 111\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** BLOCK NETBIOS and SMB\n";
+printf OUT "deny udp any any eq 137\n";
+printf OUT "deny udp any any eq 138\n";
+printf OUT "deny tcp any any eq 139\n";
+printf OUT "deny tcp any any eq 445\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** Deny connect to Firewall via ssh from the outside\n";
+printf OUT "deny tcp any host 195.20.133.6 eq 22\n";
+printf OUT "deny tcp any host 195.20.133.14 eq 22\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** Deny DNS requests to ASA from the outside\n";
+printf OUT "deny udp any host 195.20.133.6 eq 53\n";
+printf OUT "deny udp any host 195.20.133.14 eq 53\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** PREVENT ANTI-SPOOFING\n";
+printf OUT "deny ip 127.0.0.0 0.255.255.255 any\n";
+printf OUT "deny ip 192.0.2.0 0.0.0.255 any\n";
+printf OUT "deny ip 224.0.0.0 31.255.255.255 any\n";
+printf OUT "deny ip host 255.255.255.255 any\n";
+ 
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** BLOCK DHCP\n";
+printf OUT "deny ip host 0.0.0.0 any\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** BLOCK MARSIAN PACKETS (RFC 1918)\n";
+printf OUT "deny ip 10.0.0.0 0.255.255.255 any\n";
+printf OUT "deny ip 172.16.0.0 0.15.255.255 any\n";
+printf OUT "deny ip 192.168.0.0 0.0.255.255 any\n";
+printf OUT "deny ip any 10.0.0.0 0.255.255.255\n";
+printf OUT "deny ip any 172.16.0.0 0.15.255.255\n";
+printf OUT "deny ip any 192.168.0.0 0.0.255.255\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** ALLOW our Proxy to connect everywhere and the answers of course\n";
+#printf OUT "permit ip any host 195.20.133.4\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** OUR OWN INTERNET IP ADDRESSES CAN'T BE THE SOURCE (RFC 2827)\n";
+printf OUT "deny ip 195.20.133.0 0.0.0.255 any\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** ALLOW ping answer and traceroute\n";
+printf OUT "permit icmp any 195.20.133.0 0.0.0.255 echo-reply\n";
+printf OUT "permit icmp any 195.20.133.0 0.0.0.255 time-exceeded\n";
+printf OUT "permit icmp any 195.20.133.0 0.0.0.255 traceroute\n";
+printf OUT "remark Don't allow incoming icmp as it should be blocked based on the originating country\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** ALLOW DNS answer\n";
+printf OUT "permit udp any eq 53 any\n";
+
+#printf OUT "remark ********************************************************************************\n";
+#printf OUT "remark **** ALLOW some connections despite from blocked countries\n";
+#printf OUT "remark MAIL Relays may connect everywhere and connected by everyone for mail traffic\n";
+
+#printf OUT "remark conlxmail5 in\n";
+#printf OUT "permit tcp any eq 25 host 195.20.133.148\n";
+#printf OUT "permit tcp any eq 465 host 195.20.133.148\n";
+#printf OUT "permit tcp any eq 587 host 195.20.133.148\n";
+
+#printf OUT "remark conlxmail6 in\n";
+#printf OUT "permit tcp any eq 25 host 195.20.133.149\n";
+#printf OUT "permit tcp any eq 465 host 195.20.133.149\n";
+#printf OUT "permit tcp any eq 587 host 195.20.133.149\n";
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** VWDts\n";
+printf OUT "permit ip any host 195.20.133.126\n";
+
+#printf OUT "permit tcp any host 195.20.133.100 eq 443\n";
+#printf OUT "deny ip any host 195.20.133.100\n";
+
+#printf OUT "permit tcp any host 195.20.133.101 eq 443\n";
+#printf OUT "deny ip any host 195.20.133.101\n";
+
+#printf OUT "permit tcp any host 195.20.133.102 eq 443\n";
+#printf OUT "deny ip any host 195.20.133.102\n";
+
+
+printf OUT "permit tcp host 193.228.154.9 host 195.20.133.103 eq 7437\n";
+printf OUT "permit tcp host 193.228.154.8 host 195.20.133.103 eq 7437\n";
+printf OUT "permit tcp host 193.228.154.14 host 195.20.133.103 eq 7437\n";
+printf OUT "deny ip any host 195.20.133.103\n";
+
+
+printf OUT "permit tcp host 193.19.114.100 host 195.20.133.104 eq 7439\n";
+printf OUT "permit tcp host 193.19.114.132 host 195.20.133.104 eq 7439\n";
+printf OUT "permit tcp host 193.19.114.133 host 195.20.133.104 eq 7439\n";
+printf OUT "permit tcp host 193.228.154.9 host 195.20.133.104 eq 7437\n";
+printf OUT "permit tcp host 193.228.154.8 host 195.20.133.104 eq 7437\n";
+printf OUT "permit tcp host 193.228.154.14 host 195.20.133.104 eq 7437\n";
+printf OUT "deny ip any host 195.20.133.104\n";
+
+
+printf OUT "permit tcp host 193.228.154.9 host 195.20.133.105 eq 1224\n";
+printf OUT "permit tcp host 193.19.114.132 host 195.20.133.105 eq 1224\n";
+printf OUT "permit tcp host 193.19.114.133 host 195.20.133.105 eq 1224\n";
+printf OUT "permit tcp host 91.25.247.100 host 195.20.133.105 eq 1224\n";
+printf OUT "permit tcp host 207.45.252.211 host 195.20.133.105 eq 1224\n";
+printf OUT "permit tcp host 91.202.49.210 host 195.20.133.105 eq 1224\n";
+printf OUT "deny ip any host 195.20.133.105\n";
+
+
+printf OUT "permit tcp host 193.228.154.9 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 3.122.169.191 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 3.68.62.58 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 3.66.160.81 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 18.184.40.207 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 3.65.96.57 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 18.156.66.86 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 3.65.17.173 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 3.120.95.52 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 3.66.94.209 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 3.65.238.54 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 52.28.28.70 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 3.127.155.28 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 193.19.114.132 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 193.19.114.133 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 91.25.247.100 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 207.45.240.155 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 207.45.251.50 host 195.20.133.106 eq 1224\n";
+printf OUT "permit tcp host 91.202.49.210 host 195.20.133.106 eq 1224\n";
+printf OUT "deny ip any host 195.20.133.106\n";
+
+
+printf OUT "permit tcp host 193.228.154.9  host 195.20.133.107 eq 7444\n";
+printf OUT "permit tcp host 193.228.154.8  host 195.20.133.107 eq 7444\n";
+printf OUT "permit tcp host 193.228.154.14 host 195.20.133.107 eq 7444\n";
+printf OUT "deny ip any host 195.20.133.107\n";
+
+
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** A few smaller things\n";
+
+printf OUT "remark **** MkP IP\n";
+printf OUT "permit ip any host 195.20.133.30\n";
+
+printf OUT "remark **** Hongkong Stock Exchange\n";
+printf OUT "permit ip 203.78.4.0 0.0.3.255 any\n";
+
+#printf OUT "remark **** cloud.hosting-ffm.de\n";
+#printf OUT "permit ip any host 195.20.133.20\n";
+
+printf OUT "remark **** supportftp.veeam.com\n";
+printf OUT "permit ip host 80.249.186.4 any\n";
+
+
+
+
+printf OUT "remark ********************************************************************************\n";
+printf OUT "remark **** DENY SOME COUNTRIES\n";
+foreach (@ct) {
+# printf OUT "remark ********************************************************************************\n";
+ printf OUT "remark BAN COUNTRY $_\n";
+ `wget $URL$_.zone > /dev/null 2>&1`; 
+ open FILE, "<$_.zone";
+ foreach (<FILE>) {
+  chomp;
+  ($ip,$cidr) = split /\//,$_;
+  $mask=cidr2wildcard($cidr);
+  printf OUT "deny ip $ip $mask any\n";
+ }
+ close FILE;
+ unlink("$_.zone");
+}
+
+
+printf OUT "remark ALLOW ALL OTHER\n";
+printf OUT "permit ip any any\n";
+printf OUT "int $INTERFACE\n";
+printf OUT "ip access-group $ACL in\n";
+printf OUT "end\n";
+
+close OUT;
+1;
+
+sub cidr2mask {
+ ($length) = @_;
+ $i=0xffffffff;
+ $i=$i<<(32-$length);
+ $i=$i&0xffffffff;
+ $a=$i>>24; 
+ $b=$i>>16; $b=$b&0x000000ff;
+ $c=$i>>8;  $c=$c&0x000000ff;
+ $d=$i;     $d=$d&0x000000ff;
+ $i="$a.$b.$c.$d"; 
+ return $i;
+}
+
+sub cidr2wildcard {
+ ($length) = @_;
+ $i=0xffffffff;
+ $i=$i<<(32-$length);
+ $i=$i&0xffffffff;
+ $a=$i>>24; $a=255-$a;
+ $b=$i>>16; $b=$b&0x000000ff; $b=255-$b;
+ $c=$i>>8;  $c=$c&0x000000ff; $c=255-$c;
+ $d=$i;     $d=$d&0x000000ff; $d=255-$d;
+ $i="$a.$b.$c.$d";
+ return $i;
+}
+
+
--- a/root/country_block/run-convert-tftp.sh
+++ b/root/country_block/run-convert-tftp.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+cd /scripts/root/country_block/
+
+# für TenGig
+./convertZONE2ACL.pl
+./StartTFTPDownload.pl 10.99.0.224 10.99.0.99 5NMP-Wr1t3-C0mm 1 4 block-country-acl 
+./StartTFTPDownload.pl 10.99.0.225 10.99.0.99 5NMP-Wr1t3-C0mm 1 4 block-country-acl
+