diff --git a/Dockerfile b/Dockerfile
index 13a619b..e5f32a7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,9 +19,9 @@ RUN update-alternatives --set iptables /usr/sbin/iptables-nft
 RUN update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
 #build crowdsec-custom-bouncer
-FROM golang:1.21.4 AS build-stage
+FROM golang:1.24.1 AS build-stage
 WORKDIR /app
-RUN git clone --depth 1 https://github.com/crowdsecurity/cs-custom-bouncer.git
+RUN git clone https://github.com/crowdsecurity/cs-custom-bouncer.git
 WORKDIR /app/cs-custom-bouncer
 RUN CGO_ENABLED=0 GOOS=linux make release
diff --git a/bouncer.sh b/bouncer.sh
index 711bcbe..34355d4 100755
--- a/bouncer.sh
+++ b/bouncer.sh
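Review bot: Dropping `--depth 1` leaves the clone unpinned: `RUN git clone https://github.com/crowdsecurity/cs-custom-bouncer.git` checks out whatever the upstream default branch points at when the image is built, so two builds of the same Dockerfile can yield different bouncer binaries, and an upstream bad commit or compromise flows straight into the image with nothing to catch it. If the full history is wanted so `make release` can derive a version from tags (an inference from the change, not shown here), still pin the checkout: `ARG BOUNCER_REF=<pinned tag>` inside the stage and `RUN git clone --branch "${BOUNCER_REF}" https://github.com/crowdsecurity/cs-custom-bouncer.git`, or a `git checkout <pinned commit>` after the clone when a commit id is preferred. `FROM golang:1.24.1` is tag-pinned but not digest-pinned, which leaves the same reproducibility gap on the toolchain side. The build stage continues past the end of the hunk.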
@@ -2,49 +2,38 @@
 #
 # Script to add /remove IPs to iptables
-: ${IPTABLES_CHAIN:=INPUT}
+set -euo pipefail
-function iptableAdd() {
- #check if the rule already exist
- if ! iptables $comment -C $IPTABLES_CHAIN -s "$1" -j DROP; then
- #do we insert at a $IPTABLES_INSERT position or append to the chain
- if [[ -z "${IPTABLES_INSERT}" ]]; then
- iptables $comment -A $IPTABLES_CHAIN -s "$1" -j DROP
- else
- iptables $comment -I $IPTABLES_CHAIN "$IPTABLES_INSERT" -s "$1" -j DROP
- fi
- fi
-}
+main() (
+ while read -r line; do
+ # echo processAction "$(echo "$line" | jq -r '.action')" \
+ # "$(echo "$line" | jq -r .value)" \
+ # "$(echo "$line" | jq -r .duration)" \
+ # "$(echo "$line" | jq -r .scenario)" |
+ # tee bouncer.sh.out
+ processAction "$(echo "$line" | jq -r .action)" \
+ "$(echo "$line" | jq -r .value)" \
+ "$(echo "$line" | jq -r .duration)" \
+ "$(echo "$line" | jq -r .scenario)"
+ done
+ #{"duration":"-1h1m9s","origin":"CAPI","scenario":"crowdsecurity/ssh-bf","scope":"Ip","type":"ban","value":"122.117.32.192","id":22739513,"action":"del"}
+)
-function iptableDel() {
- iptables $comment -D $IPTABLES_CHAIN -s "$1" -j DROP
-}
-
-function ip6tableAdd() {
- #check if the rule already exist
- if ! 
ip6tables $comment -C $IPTABLES_CHAIN -s "$1" -j DROP; then
- #do we insert at a $IPTABLES_INSERT position or append to the chain
- if [[ -z "${IPTABLES_INSERT}" ]]; then
- ip6tables $comment -A $IPTABLES_CHAIN -s "$1" -j DROP
- else
- ip6tables $comment -I $IPTABLES_CHAIN "$IPTABLES_INSERT" -s "$1" -j DROP
- fi
- fi
-}
-
-function ip6tableDel() {
- ip6tables $comment -D $IPTABLES_CHAIN -s "$1" -j DROP
-}
+: "${IPTABLES_CHAIN:=INPUT}"
 function processAction() {
- [[ -n "${IPTABLES_COMMENT}" ]] && comment="-m comment --comment \"$4\"" || comment=""
+ if [[ -n "${IPTABLES_COMMENT}" ]]; then
+ comment="-m comment --comment \"$4\""
+ else
+ comment=""
+ fi
 #determine action
 if [ "$1" = "add" ]; then #add
 if [[ "$2" =~ .*[.].* ]]; then #ipv4
 echo "add $2 for $3 with $4"
- iptableAdd "$2"
+ iptablesAdd "$2"
 elif [[ "$2" =~ .*[:].* ]]; then #ipv6
 echo "IPV6 : add $2 for $3 with $4"
 ip6tableAdd "$2"
@@ -52,7 +41,7 @@ function processAction() {
 elif [ "$1" = "del" ]; then #del
 if [[ "$2" =~ .*[.].* ]]; then #ipv4
 echo "del $2 for $3 with $4"
- iptableDel "$2"
+ iptablesDel "$2"
 elif [[ "$2" =~ .*[:].* ]]; then #ipv6
 echo "IPV6 : add $2 for $3 with $4"
 ip6tableDel "$2"
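Review bot: The new `set -euo pipefail` turns `if [[ -n "${IPTABLES_COMMENT}" ]]; then` in processAction into a fatal "unbound variable" error whenever the host does not export IPTABLES_COMMENT, because `set -u` rejects the expansion of an unset name even inside a `[[ -n` test; the first decision read from stdin would then abort the whole bouncer, and `"${IPTABLES_INSERT}"` in the add functions of the third hunk has the same problem. Use the default-empty form in both places: `if [[ -n "${IPTABLES_COMMENT:-}" ]]; then` and `if [[ -z "${IPTABLES_INSERT:-}" ]]; then`. The five commented-out `# echo processAction … tee bouncer.sh.out` lines in main are dead code that will drift from the live call below them; either delete them or keep a single `# debug: pipe the decoded action through tee bouncer.sh.out` comment. processAction continues past the end of the hunk.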
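Review bot: The del branch still logs `echo "IPV6 : add $2 for $3 with $4"` two lines above the renamed `ip6tableDel "$2"`, so the operator log reports a v6 address as banned at the moment it is actually unbanned; the commit renames the call but leaves the message. Change it to `echo "IPV6 : del $2 for $3 with $4"` so the log matches the v4 branch's `del` message. processAction starts and ends outside the hunk.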
@@ -62,8 +51,36 @@ function processAction() {
 fi
 }
-while read line; do
- echo processAction $(echo "$line" | jq -r .action) $(echo "$line" | jq -r .value) $(echo "$line" | jq -r .duration) $(echo "$line" | jq -r .scenario) | tee bouncer.sh.out
- processAction $(echo "$line" | jq -r .action) $(echo "$line" | jq -r .value) $(echo "$line" | jq -r .duration) $(echo "$line" | jq -r .scenario)
-done
-#{"duration":"-1h1m9s","origin":"CAPI","scenario":"crowdsecurity/ssh-bf","scope":"Ip","type":"ban","value":"122.117.32.192","id":22739513,"action":"del"}
+function iptablesAdd() (
+ #check if the rule already exist
+ if ! iptables "$comment" -C "$IPTABLES_CHAIN" -s "$1" -j DROP; then
+ #do we insert at a $IPTABLES_INSERT position or append to the chain
+ if [[ -z "${IPTABLES_INSERT}" ]]; then
+ iptables "$comment" -A "$IPTABLES_CHAIN" -s "$1" -j DROP
+ else
+ iptables "$comment" -I "$IPTABLES_CHAIN" "$IPTABLES_INSERT" -s "$1" -j DROP
+ fi
+ fi
+)
+
+function ip6tableAdd() (
+ #check if the rule already exist
+ if ! ip6tables "$comment" -C "$IPTABLES_CHAIN" -s "$1" -j DROP; then
+ #do we insert at a $IPTABLES_INSERT position or append to the chain
+ if [[ -z "${IPTABLES_INSERT}" ]]; then
+ ip6tables "$comment" -A "$IPTABLES_CHAIN" -s "$1" -j DROP
+ else
+ ip6tables "$comment" -I "$IPTABLES_CHAIN" "$IPTABLES_INSERT" -s "$1" -j DROP
+ fi
+ fi
+)
+
+function iptablesDel() (
+ iptables "$comment" -D "$IPTABLES_CHAIN" -s "$1" -j DROP
+)
+
+function ip6tableDel() (
+ ip6tables "$comment" -D "$IPTABLES_CHAIN" -s "$1" -j DROP
+)
+
+main "$@"
diff --git a/publish-dev.sh b/publish-dev.sh
index 910261e..9089125 100755
--- a/publish-dev.sh
+++ b/publish-dev.sh
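Review bot: Quoting `"$comment"` in `iptables "$comment" -C "$IPTABLES_CHAIN" -s "$1" -j DROP` (and in the other six iptables/ip6tables calls of this hunk) hands the whole string `-m comment --comment "<scenario>"` to iptables as a single argument, and an empty argument when no comment is configured; iptables does not parse either form, so the `-C` test fails, the add path falls through to an equally broken `-A`/`-I`, no rule is installed, and under `set -e` the failing subshell function terminates the reader loop in main on the first decision. Keep the quoting but make `comment` an array: in processAction (first hunk) set `comment=(-m comment --comment "$4")` and `comment=()`, and expand it here as `"${comment[@]}"` (bash 4.4 or later for the empty-array case under `set -u`), which also stops the literal backslash-quotes from being written into the rule comment. Separately, `iptablesDel` and `ip6tableDel` run `-D` with no existence check, so after a chain flush or restart a stale `del` decision makes the subshell fail and `set -e` stops main instead of skipping that one decision; guarding with `-C` first, as the add functions already do, keeps one missing rule from halting all later enforcement.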
@@ -1,3 +1,7 @@
 #!/bin/bash
-docker image tag gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer:legacy gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer:dev
-docker push gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer:dev
+docker image tag gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer:legacy gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer:legacy-dev
+docker image tag gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer:nft gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer:nft-dev
+docker image tag gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer:latest gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer:latest-dev
+docker push gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer:nft-dev
+docker push gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer:legacy-dev
+docker push gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer:latest-dev
\ No newline at end of file
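Review bot: The script has no `set -e`, so when one of the three `docker image tag` lines fails (for example because the `:nft` image was never built locally) the three `docker push` lines still run and publish whatever stale `*-dev` tags the local daemon happens to hold. Add `set -euo pipefail` after the shebang so a failed tag stops the publish. A `IMAGE=gitea.ar2000.me/ar2000/crowdsec-legacy-firewall-bouncer` variable would also let the repository name be written once instead of twelve times, and the file should end with a newline.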