mxrouter: Add primitive blacklist

With the current Emotet outbreak, I want at least temporarily to maintain and apply a blacklist of the IP addresses of its C&C servers. https://www.dfn-cert.de/aktuell/emotet-aktuell.html Add a rudimentary blacklist feature. IPs from /etc/local/mxrouter/ip-blacklist are loaded into the ipset ip-blacklist on router start or reload. This ipset can be used by netfilter rules to block traffic to/from that ip.
mariux64 · Sep 29, 2019 · 9c725e5 · 9c725e5
1 parent 42f232a
commit 9c725e5
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/mxrouter/mxrouterctl b/mxrouter/mxrouterctl
@@ -358,6 +358,18 @@ sub disable_ipv4_rp_filter {
 	$disable_ipv4_rp_filter{$if}=1;
 }
 
+sub reload_ip_blacklist {
+	sys('ipset','flush','ip-blacklist');
+	if (-e '/etc/local/mxrouter/ip-blacklist') {
+		open my $in,'<','/etc/local/mxrouter/ip-blacklist' or die "/etc/local/mxrouter/ip-blacklist: $!\n";
+		while (<$in>) {
+			s/#.*//;
+			/^\s*(\d+\.\d+\.\d+\.\d+)\s*$/ or next;
+			system('ipset','add','ip-blacklist',$1);
+		}
+	}
+}
+
 sub start {
 
 	-d "/var/run/mxrouter/$NETNS" or sys ('mkdir','-p',"/var/run/mxrouter/$NETNS");
@@ -519,6 +531,8 @@ sub start {
 	start_process_if($process_radvd);
 
 	unless ($opt_noop) {
+		sys('ipset','create','-exist','ip-blacklist','hash:ip','counters');
+		reload_ip_blacklist();
 		open my $pipe,'|-','iptables-restore' or die "$!\n";
 		print $pipe rules_in_restore_format();
 		close $pipe or die "$!\n";