andre/scripts-conlxsyslog03
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
scripts-conlxsyslog03/root/country_block/convertZONE2ACL.pl
conetadm 5718e70f15 init
2024-11-14 21:11:06 +01:00

246 lines
10 KiB
Raku
Executable File
Raw Permalink Blame History

#!/usr/bin/perl
# nordkorea libanon
@ct=qw/kp /;
$OUTFILE="/tftp/block-country-acl";
$INTERFACE="te0/0/0";
$ACL="block-country-acl";
$URL="http://www.ipdeny.com/ipblocks/data/countries/";
open OUT, ">$OUTFILE";
printf OUT "int $INTERFACE\n";
printf OUT "no ip access-g $ACL in\n";
printf OUT "exit\n";
printf OUT "no ip access-list extended $ACL\n";
printf OUT "ip access-list extended $ACL\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** reflexive list allows established\n";
printf OUT "permit tcp any any established\n";
#printf OUT "evaluate iptraffic\n";
printf OUT "permit tcp any lt 1024 any gt 1024 ack\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** Cisco CSCup10024 CSCva95506 CSCve64219\n";
printf OUT "deny udp any any eq 0\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** BLOCK SNMP requests from outside\n";
printf OUT "deny udp any any eq 161\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** BLOCK rpc ports tcp/111 udp/111\n";
printf OUT "deny tcp any any eq 111\n";
printf OUT "deny udp any any eq 111\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** BLOCK NETBIOS and SMB\n";
printf OUT "deny udp any any eq 137\n";
printf OUT "deny udp any any eq 138\n";
printf OUT "deny tcp any any eq 139\n";
printf OUT "deny tcp any any eq 445\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** Deny connect to Firewall via ssh from the outside\n";
printf OUT "deny tcp any host 195.20.133.6 eq 22\n";
printf OUT "deny tcp any host 195.20.133.14 eq 22\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** Deny DNS requests to ASA from the outside\n";
printf OUT "deny udp any host 195.20.133.6 eq 53\n";
printf OUT "deny udp any host 195.20.133.14 eq 53\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** PREVENT ANTI-SPOOFING\n";
printf OUT "deny ip 127.0.0.0 0.255.255.255 any\n";
printf OUT "deny ip 192.0.2.0 0.0.0.255 any\n";
printf OUT "deny ip 224.0.0.0 31.255.255.255 any\n";
printf OUT "deny ip host 255.255.255.255 any\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** BLOCK DHCP\n";
printf OUT "deny ip host 0.0.0.0 any\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** BLOCK MARSIAN PACKETS (RFC 1918)\n";
printf OUT "deny ip 10.0.0.0 0.255.255.255 any\n";
printf OUT "deny ip 172.16.0.0 0.15.255.255 any\n";
printf OUT "deny ip 192.168.0.0 0.0.255.255 any\n";
printf OUT "deny ip any 10.0.0.0 0.255.255.255\n";
printf OUT "deny ip any 172.16.0.0 0.15.255.255\n";
printf OUT "deny ip any 192.168.0.0 0.0.255.255\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** ALLOW our Proxy to connect everywhere and the answers of course\n";
#printf OUT "permit ip any host 195.20.133.4\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** OUR OWN INTERNET IP ADDRESSES CAN'T BE THE SOURCE (RFC 2827)\n";
printf OUT "deny ip 195.20.133.0 0.0.0.255 any\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** ALLOW ping answer and traceroute\n";
printf OUT "permit icmp any 195.20.133.0 0.0.0.255 echo-reply\n";
printf OUT "permit icmp any 195.20.133.0 0.0.0.255 time-exceeded\n";
printf OUT "permit icmp any 195.20.133.0 0.0.0.255 traceroute\n";
printf OUT "remark Don't allow incoming icmp as it should be blocked based on the originating country\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** ALLOW DNS answer\n";
printf OUT "permit udp any eq 53 any\n";
#printf OUT "remark ********************************************************************************\n";
#printf OUT "remark **** ALLOW some connections despite from blocked countries\n";
#printf OUT "remark MAIL Relays may connect everywhere and connected by everyone for mail traffic\n";
#printf OUT "remark conlxmail5 in\n";
#printf OUT "permit tcp any eq 25 host 195.20.133.148\n";
#printf OUT "permit tcp any eq 465 host 195.20.133.148\n";
#printf OUT "permit tcp any eq 587 host 195.20.133.148\n";
#printf OUT "remark conlxmail6 in\n";
#printf OUT "permit tcp any eq 25 host 195.20.133.149\n";
#printf OUT "permit tcp any eq 465 host 195.20.133.149\n";
#printf OUT "permit tcp any eq 587 host 195.20.133.149\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** VWDts\n";
printf OUT "permit ip any host 195.20.133.126\n";
#printf OUT "permit tcp any host 195.20.133.100 eq 443\n";
#printf OUT "deny ip any host 195.20.133.100\n";
#printf OUT "permit tcp any host 195.20.133.101 eq 443\n";
#printf OUT "deny ip any host 195.20.133.101\n";
#printf OUT "permit tcp any host 195.20.133.102 eq 443\n";
#printf OUT "deny ip any host 195.20.133.102\n";
printf OUT "permit tcp host 193.228.154.9 host 195.20.133.103 eq 7437\n";
printf OUT "permit tcp host 193.228.154.8 host 195.20.133.103 eq 7437\n";
printf OUT "permit tcp host 193.228.154.14 host 195.20.133.103 eq 7437\n";
printf OUT "deny ip any host 195.20.133.103\n";
printf OUT "permit tcp host 193.19.114.100 host 195.20.133.104 eq 7439\n";
printf OUT "permit tcp host 193.19.114.132 host 195.20.133.104 eq 7439\n";
printf OUT "permit tcp host 193.19.114.133 host 195.20.133.104 eq 7439\n";
printf OUT "permit tcp host 193.228.154.9 host 195.20.133.104 eq 7437\n";
printf OUT "permit tcp host 193.228.154.8 host 195.20.133.104 eq 7437\n";
printf OUT "permit tcp host 193.228.154.14 host 195.20.133.104 eq 7437\n";
printf OUT "deny ip any host 195.20.133.104\n";
printf OUT "permit tcp host 193.228.154.9 host 195.20.133.105 eq 1224\n";
printf OUT "permit tcp host 193.19.114.132 host 195.20.133.105 eq 1224\n";
printf OUT "permit tcp host 193.19.114.133 host 195.20.133.105 eq 1224\n";
printf OUT "permit tcp host 91.25.247.100 host 195.20.133.105 eq 1224\n";
printf OUT "permit tcp host 207.45.252.211 host 195.20.133.105 eq 1224\n";
printf OUT "permit tcp host 91.202.49.210 host 195.20.133.105 eq 1224\n";
printf OUT "deny ip any host 195.20.133.105\n";
printf OUT "permit tcp host 193.228.154.9 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 3.122.169.191 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 3.68.62.58 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 3.66.160.81 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 18.184.40.207 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 3.65.96.57 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 18.156.66.86 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 3.65.17.173 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 3.120.95.52 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 3.66.94.209 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 3.65.238.54 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 52.28.28.70 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 3.127.155.28 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 193.19.114.132 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 193.19.114.133 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 91.25.247.100 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 207.45.240.155 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 207.45.251.50 host 195.20.133.106 eq 1224\n";
printf OUT "permit tcp host 91.202.49.210 host 195.20.133.106 eq 1224\n";
printf OUT "deny ip any host 195.20.133.106\n";
printf OUT "permit tcp host 193.228.154.9 host 195.20.133.107 eq 7444\n";
printf OUT "permit tcp host 193.228.154.8 host 195.20.133.107 eq 7444\n";
printf OUT "permit tcp host 193.228.154.14 host 195.20.133.107 eq 7444\n";
printf OUT "deny ip any host 195.20.133.107\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** A few smaller things\n";
printf OUT "remark **** MkP IP\n";
printf OUT "permit ip any host 195.20.133.30\n";
printf OUT "remark **** Hongkong Stock Exchange\n";
printf OUT "permit ip 203.78.4.0 0.0.3.255 any\n";
#printf OUT "remark **** cloud.hosting-ffm.de\n";
#printf OUT "permit ip any host 195.20.133.20\n";
printf OUT "remark **** supportftp.veeam.com\n";
printf OUT "permit ip host 80.249.186.4 any\n";
printf OUT "remark ********************************************************************************\n";
printf OUT "remark **** DENY SOME COUNTRIES\n";
foreach (@ct) {
# printf OUT "remark ********************************************************************************\n";
printf OUT "remark BAN COUNTRY $_\n";
`wget $URL$_.zone > /dev/null 2>&1`;
open FILE, "<$_.zone";
foreach (<FILE>) {
chomp;
($ip,$cidr) = split /\//,$_;
$mask=cidr2wildcard($cidr);
printf OUT "deny ip $ip $mask any\n";
}
close FILE;
unlink("$_.zone");
}
printf OUT "remark ALLOW ALL OTHER\n";
printf OUT "permit ip any any\n";
printf OUT "int $INTERFACE\n";
printf OUT "ip access-group $ACL in\n";
printf OUT "end\n";
close OUT;
1;
sub cidr2mask {
($length) = @_;
$i=0xffffffff;
$i=$i<<(32-$length);
$i=$i&0xffffffff;
$a=$i>>24;
$b=$i>>16; $b=$b&0x000000ff;
$c=$i>>8; $c=$c&0x000000ff;
$d=$i; $d=$d&0x000000ff;
$i="$a.$b.$c.$d";
return $i;
}
sub cidr2wildcard {
($length) = @_;
$i=0xffffffff;
$i=$i<<(32-$length);
$i=$i&0xffffffff;
$a=$i>>24; $a=255-$a;
$b=$i>>16; $b=$b&0x000000ff; $b=255-$b;
$c=$i>>8; $c=$c&0x000000ff; $c=255-$c;
$d=$i; $d=$d&0x000000ff; $d=255-$d;
$i="$a.$b.$c.$d";
return $i;
}
Reference in New Issue View Git Blame Copy Permalink