
#-----------------------------------------------------------------------
# README
#-----------------------------------------------------------------------
#
# Blacklist selected hosts and/or networks from ALL services. Both input 
# AND output packets are affected.
#
#-----------------------------------------------------------------------
# CHANGES
#-----------------------------------------------------------------------
#
# 2000-04-14  Dougal Holmes <dholmes@bigpond.net.au>
#             Added rules to block incoming packets destined to blacklisted
#             hosts. This catches packets which are being forwarded.
# 2000-10-28  Jean-Sebastien Morisset <jsmoriss@mvlan.net>
#             Changed INTERFACE variable to INTOPT.
# 2000-10-14  Jean-Sebastien Morisset <jsmoriss@jsm-mv.dyndns.org>
#             Initial module written for v5.0.
#
#-----------------------------------------------------------------------
# MODULE CONFIGURATION
#-----------------------------------------------------------------------
#
#m# 123
#a# ignore deny
#n# blacklist
#t# hosts
#
#   |--------------------------------------------------------------------|
#d# The ignore-{int}-blacklist-hosts option will deny these hosts access 
#d# to all your interface's services. Rejected packets are NOT LOGGED. The 
#d# deny-{int}-blacklist-hosts option performs the same function, except
#d# that denied packets are logged. Logging is per packet, so a flooding
#d# host can fill your logs; use the ignore option for such hosts.
#d#
#d# These options are typically used after detecting an attack on your 
#d# firewall. Other options (such as deny-{int}-smtp-clients, deny-{int}-
#d# http-clients, etc.) restrict access to specific services only. The
#d# ignore option has precedence over the deny option for the same host.
#d#
#d# Input AND output packets will be denied from/to these hosts/networks
#d# (including outgoing traceroute and ping). Packets arriving on the
#d# interface that are destined TO these hosts are denied as well, so
#d# they cannot be forwarded through this firewall.
#   |--------------------------------------------------------------------|
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

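# The rules below are INSERTED (-I) at the head of the chain, so the last
# action processed ends up first in the chain. Deny is therefore handled
# before ignore: the ignore rules then sit in front of the deny rules and
# take precedence, as documented above.
for action in deny ignore
do
	# ignore: logging follows the framework-wide $LOG / $LOG_MSG settings.
	# deny:   always log (-l); ipchains logs every matching packet.
	case $action in
		ignore)	action_log_msg="$LOG_MSG"; action_log="$LOG";;
		deny)	action_log_msg="(logged)"; action_log="-l"  ;;
	esac
	# $action_log is deliberately left unquoted: when it is empty it must
	# disappear from the command line rather than become an empty argument.
	for host in `Option_Value $action $INTOPT blacklist hosts`
	do
		# These rules are "inserted" instead of "appended" to over-ride
		# the default DNS access. Since these rules are "inserted", read
		# them from last to first:
		#   3. packets FROM the host arriving on this interface
		#   2. packets TO the host arriving on this interface (forwarded
		#      traffic) -- this must sit before masquerading
		#   1. packets TO the host leaving on this interface
		#
		# A rule that fails to insert (e.g. a host name that does not
		# resolve) would silently leave a hole in the blacklist, i.e. the
		# firewall would fail OPEN for that host. Every failure is
		# therefore reported on stderr instead of being ignored.
		echo "Deny/Reject <BLACKLIST> $INTOPT $IPADDR <-> $host $action_log_msg"
		ipchains -I $OUTCHAIN -j REJECT -p all -s $ANY  -d $host $action_log ||
			echo "WARNING <BLACKLIST> $INTOPT: output rule for $host NOT inserted" >&2
		ipchains -I $INCHAIN  -j DENY   -p all -s $ANY  -d $host $action_log ||
			echo "WARNING <BLACKLIST> $INTOPT: forward rule for $host NOT inserted" >&2
		ipchains -I $INCHAIN  -j DENY   -p all -s $host -d $ANY  $action_log ||
			echo "WARNING <BLACKLIST> $INTOPT: input rule for $host NOT inserted" >&2
	done
done
unset action action_log_msg action_log host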

