# HG changeset patch # User Michiel Broek # Date 1428938573 -7200 # Node ID c846ebedfff3b092c3ba8bc83020ab702ee03060 # Parent be2d7c1427261ec1c7e633a35421df95a3b7f6f7 Added global block ipset tables. Bumped to version 0.0.18 diff -r be2d7c142726 -r c846ebedfff3 etc/firewall.conf --- a/etc/firewall.conf Fri Dec 19 09:45:21 2014 +0100 +++ b/etc/firewall.conf Mon Apr 13 17:22:53 2015 +0200 @@ -1,7 +1,7 @@ # /etc/mbse-firewall/firewall.conf # --------------------------------------------------------------------------- -# Copyright (C) 2013-2014 by Michiel Broek. +# Copyright (C) 2013-2015 by Michiel Broek. # Homepage http://www.mbse.eu # Email mbse At mbse dOt eu # @@ -49,6 +49,11 @@ # These hosts are blocked using ipset for one hour. #IF_EXT_AUTO_BLOCK="1" +# Use global blocking table. This just inserts rules to block hosts that +# are found in the sets global-blk4 or global-blk6. Other programs like +# ossec, fail2ban etc need to put the bad hosts in these tables. +#IF_EXT_GLOBAL_BLOCK="1" + # Block time in seconds when a host is blocked. Default is 3600. #IF_EXT_AUTO_TO=172800 diff -r be2d7c142726 -r c846ebedfff3 sbin/mbse-firewall --- a/sbin/mbse-firewall Fri Dec 19 09:45:21 2014 +0100 +++ b/sbin/mbse-firewall Mon Apr 13 17:22:53 2015 +0200 @@ -1,7 +1,7 @@ #!/bin/bash # --------------------------------------------------------------------------- -# Copyright (C) 2013-2014 by Michiel Broek. +# Copyright (C) 2013-2015 by Michiel Broek. # Homepage http://www.mbse.eu # Email mbse At mbse dOt eu # @@ -22,7 +22,7 @@ # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. # --------------------------------------------------------------------------- -MBSEFW_VERSION="0.0.17" +MBSEFW_VERSION="0.0.18" # Sanity checks if [ "$(id -u)" != "0" ]; then 
@@ -276,6 +276,26 @@ echo -n "." fi + # If we use the global blocktables. + if [ "$IF_EXT_GLOBAL_BLOCK" == "1" ]; then + $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set global-blk4 src -j DROP + if [ "$FW_FORWARD" = "1" ]; then + $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set global-blk4 src -j DROP + fi + if [ "$USE_IPV6" == "1" ]; then + if [ -n "$IF_EXT6" ]; then + IF6=$IF_EXT6 + else + IF6=$IF_EXT + fi + $IP6TABLES -A INPUT -i $IF6 -m state --state NEW -m set --match-set global-blk6 src -j DROP + if [ "$FW_FORWARD" = "1" ]; then + $IP6TABLES -A FORWARD -i $IF6 -m state --state NEW -m set --match-set global-blk6 src -j DROP + fi + fi + echo -n "." + fi + fw_init_nfacct echo -n "."
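Review bot: the new IF_EXT_GLOBAL_BLOCK block in sbin/mbse-firewall appends its DROP rules with `-A`, so they sit after every INPUT/FORWARD rule added earlier in the script; if any of those earlier rules ACCEPTs new traffic on $IF_EXT, a host listed in global-blk4 or global-blk6 is still let through. Please confirm that the insertion point (the @@ -276 hunk) comes before the per-service ACCEPT rules, or insert the block rules with `-I` instead. Two smaller points: the block references the sets without checking that they exist, so a missing set makes the `$IPTABLES -m set --match-set` call fail and leaves rule loading half done (a guard such as `ipset list global-blk4 >/dev/null 2>&1 || ipset create global-blk4 hash:ip` before the iptables calls, and the inet6 equivalent for global-blk6, would avoid that), and the tests mix `==` and `=` inside `[ ]` (`"$IF_EXT_GLOBAL_BLOCK" == "1"` versus `"$FW_FORWARD" = "1"`); both work in bash, but the script should settle on one. Also note that matching only `--state NEW` means a host added to a set while it already has an established connection keeps that connection until it ends; if that mirrors the existing IF_EXT_AUTO_BLOCK behaviour it is fine, otherwise the state match should be dropped for these rules.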
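Review bot: the new IF_EXT_GLOBAL_BLOCK comment in etc/firewall.conf should state that the sets global-blk4 and global-blk6 must already exist, and of what type and family, before the firewall is started, because the rules added in sbin/mbse-firewall only reference the sets and never create them; an `-m set --match-set` rule against a set that does not exist fails to load. Suggested wording to append to the comment: `# The sets global-blk4 (family inet) and global-blk6 (family inet6) must` / `# exist before the firewall starts, e.g. created by the program that fills them.`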