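#!/usr/bin/perl
#
# Build a Cisco IOS extended ACL for the Internet-facing interface and write
# it to the TFTP root so it can be copied onto the router.  The ACL is a fixed
# set of hygiene rules (anti-spoofing, noisy services, per-host allow lists,
# see static_rules) followed by one "deny ip <net> <wildcard> any" per prefix
# for every country in @ct, taken from the per-country zone files that
# ipdeny.com publishes, and closed by "permit ip any any".
#
# Things a reader of the generated ACL should keep in mind (the rules
# themselves are reproduced unchanged from the previous version):
#  * This is a stateless ACL.  "permit tcp any any established" and the
#    "lt 1024 ... gt 1024 ack" rule match on TCP flags only, so a packet with
#    ACK set is accepted before the country deny rules are ever reached.
#  * "permit udp any eq 53 any" accepts any UDP datagram whose source port is
#    53, regardless of origin; traffic sourced from port 53 is therefore not
#    subject to the country block either.
#  * The generated config first removes the ACL from the interface and deletes
#    it, then rebuilds it and re-applies it.  While the router is loading the
#    file the interface has no inbound ACL at all.  Building under a second
#    name and swapping the access-group would avoid that window; that is a
#    change to the router-side procedure and is not done here.
#  * The zone files are fetched over plain HTTP with no integrity check, so
#    their content is treated as untrusted: every line must be exactly
#    "a.b.c.d/len" or the run aborts.  A fetch failure or an empty zone file
#    also aborts.  In both cases $OUTFILE is left untouched, so the router
#    never picks up an ACL that silently blocks no country.
#
use strict;
use warnings;

# Countries to ban, ISO 3166-1 alpha-2 in lower case (ipdeny's zone file
# names).  The original comment names North Korea and Lebanon; only kp is
# currently enabled.
our @ct        = qw/kp/;
our $OUTFILE   = "/tftp/block-country-acl";
our $INTERFACE = "te0/0/0";
our $ACL       = "block-country-acl";
our $URL       = "http://www.ipdeny.com/ipblocks/data/countries/";

# Visual separator between rule groups in the generated ACL (80 asterisks).
my $SEP = 'remark ' . ('*' x 80);

# Config lines that detach and delete the old ACL and open the new one.
sub header_lines {
    return (
        "int $INTERFACE",
        "no ip access-g $ACL in",
        "exit",
        "no ip access-list extended $ACL",
        "ip access-list extended $ACL",
    );
}

# The fixed part of the ACL, in order.  Lines commented out with '#' are
# rules that were disabled in the previous version and are kept for
# reference only; they are not emitted.
sub static_rules {
    return (
        $SEP,
        "remark **** reflexive list allows established",
        "permit tcp any any established",
        #"evaluate iptraffic",
        "permit tcp any lt 1024 any gt 1024 ack",
        $SEP,
        "remark **** Cisco CSCup10024 CSCva95506 CSCve64219",
        "deny udp any any eq 0",
        $SEP,
        "remark **** BLOCK SNMP requests from outside",
        "deny udp any any eq 161",
        $SEP,
        "remark **** BLOCK rpc ports tcp/111 udp/111",
        "deny tcp any any eq 111",
        "deny udp any any eq 111",
        $SEP,
        "remark **** BLOCK NETBIOS and SMB",
        "deny udp any any eq 137",
        "deny udp any any eq 138",
        "deny tcp any any eq 139",
        "deny tcp any any eq 445",
        $SEP,
        "remark **** Deny connect to Firewall via ssh from the outside",
        "deny tcp any host 195.20.133.6 eq 22",
        "deny tcp any host 195.20.133.14 eq 22",
        $SEP,
        "remark **** Deny DNS requests to ASA from the outside",
        "deny udp any host 195.20.133.6 eq 53",
        "deny udp any host 195.20.133.14 eq 53",
        $SEP,
        "remark **** PREVENT ANTI-SPOOFING",
        "deny ip 127.0.0.0 0.255.255.255 any",
        "deny ip 192.0.2.0 0.0.0.255 any",
        "deny ip 224.0.0.0 31.255.255.255 any",
        "deny ip host 255.255.255.255 any",
        $SEP,
        "remark **** BLOCK DHCP",
        "deny ip host 0.0.0.0 any",
        $SEP,
        "remark **** BLOCK MARSIAN PACKETS (RFC 1918)",
        "deny ip 10.0.0.0 0.255.255.255 any",
        "deny ip 172.16.0.0 0.15.255.255 any",
        "deny ip 192.168.0.0 0.0.255.255 any",
        "deny ip any 10.0.0.0 0.255.255.255",
        "deny ip any 172.16.0.0 0.15.255.255",
        "deny ip any 192.168.0.0 0.0.255.255",
        $SEP,
        "remark **** ALLOW our Proxy to connect everywhere and the answers of course",
        #"permit ip any host 195.20.133.4",
        $SEP,
        "remark **** OUR OWN INTERNET IP ADDRESSES CAN'T BE THE SOURCE (RFC 2827)",
        "deny ip 195.20.133.0 0.0.0.255 any",
        $SEP,
        "remark **** ALLOW ping answer and traceroute",
        "permit icmp any 195.20.133.0 0.0.0.255 echo-reply",
        "permit icmp any 195.20.133.0 0.0.0.255 time-exceeded",
        "permit icmp any 195.20.133.0 0.0.0.255 traceroute",
        "remark Don't allow incoming icmp as it should be blocked based on the originating country",
        $SEP,
        "remark **** ALLOW DNS answer",
        "permit udp any eq 53 any",
        #$SEP,
        #"remark **** ALLOW some connections despite from blocked countries",
        #"remark MAIL Relays may connect everywhere and connected by everyone for mail traffic",
        #"remark conlxmail5 in",
        #"permit tcp any eq 25 host 195.20.133.148",
        #"permit tcp any eq 465 host 195.20.133.148",
        #"permit tcp any eq 587 host 195.20.133.148",
        #"remark conlxmail6 in",
        #"permit tcp any eq 25 host 195.20.133.149",
        #"permit tcp any eq 465 host 195.20.133.149",
        #"permit tcp any eq 587 host 195.20.133.149",
        $SEP,
        "remark **** VWDts",
        # Host-specific permits below sit before the country denies on
        # purpose: these hosts stay reachable from banned countries.
        "permit ip any host 195.20.133.126",
        #"permit tcp any host 195.20.133.100 eq 443",
        #"deny ip any host 195.20.133.100",
        #"permit tcp any host 195.20.133.101 eq 443",
        #"deny ip any host 195.20.133.101",
        #"permit tcp any host 195.20.133.102 eq 443",
        #"deny ip any host 195.20.133.102",
        "permit tcp host 193.228.154.9 host 195.20.133.103 eq 7437",
        "permit tcp host 193.228.154.8 host 195.20.133.103 eq 7437",
        "permit tcp host 193.228.154.14 host 195.20.133.103 eq 7437",
        "deny ip any host 195.20.133.103",
        "permit tcp host 193.19.114.100 host 195.20.133.104 eq 7439",
        "permit tcp host 193.19.114.132 host 195.20.133.104 eq 7439",
        "permit tcp host 193.19.114.133 host 195.20.133.104 eq 7439",
        "permit tcp host 193.228.154.9 host 195.20.133.104 eq 7437",
        "permit tcp host 193.228.154.8 host 195.20.133.104 eq 7437",
        "permit tcp host 193.228.154.14 host 195.20.133.104 eq 7437",
        "deny ip any host 195.20.133.104",
        "permit tcp host 193.228.154.9 host 195.20.133.105 eq 1224",
        "permit tcp host 193.19.114.132 host 195.20.133.105 eq 1224",
        "permit tcp host 193.19.114.133 host 195.20.133.105 eq 1224",
        "permit tcp host 91.25.247.100 host 195.20.133.105 eq 1224",
        "permit tcp host 207.45.252.211 host 195.20.133.105 eq 1224",
        "permit tcp host 91.202.49.210 host 195.20.133.105 eq 1224",
        "deny ip any host 195.20.133.105",
        "permit tcp host 193.228.154.9 host 195.20.133.106 eq 1224",
        "permit tcp host 3.122.169.191 host 195.20.133.106 eq 1224",
        "permit tcp host 3.68.62.58 host 195.20.133.106 eq 1224",
        "permit tcp host 3.66.160.81 host 195.20.133.106 eq 1224",
        "permit tcp host 18.184.40.207 host 195.20.133.106 eq 1224",
        "permit tcp host 3.65.96.57 host 195.20.133.106 eq 1224",
        "permit tcp host 18.156.66.86 host 195.20.133.106 eq 1224",
        "permit tcp host 3.65.17.173 host 195.20.133.106 eq 1224",
        "permit tcp host 3.120.95.52 host 195.20.133.106 eq 1224",
        "permit tcp host 3.66.94.209 host 195.20.133.106 eq 1224",
        "permit tcp host 3.65.238.54 host 195.20.133.106 eq 1224",
        "permit tcp host 52.28.28.70 host 195.20.133.106 eq 1224",
        "permit tcp host 3.127.155.28 host 195.20.133.106 eq 1224",
        "permit tcp host 193.19.114.132 host 195.20.133.106 eq 1224",
        "permit tcp host 193.19.114.133 host 195.20.133.106 eq 1224",
        "permit tcp host 91.25.247.100 host 195.20.133.106 eq 1224",
        "permit tcp host 207.45.240.155 host 195.20.133.106 eq 1224",
        "permit tcp host 207.45.251.50 host 195.20.133.106 eq 1224",
        "permit tcp host 91.202.49.210 host 195.20.133.106 eq 1224",
        "deny ip any host 195.20.133.106",
        "permit tcp host 193.228.154.9 host 195.20.133.107 eq 7444",
        "permit tcp host 193.228.154.8 host 195.20.133.107 eq 7444",
        "permit tcp host 193.228.154.14 host 195.20.133.107 eq 7444",
        "deny ip any host 195.20.133.107",
        $SEP,
        "remark **** A few smaller things",
        "remark **** MkP IP",
        "permit ip any host 195.20.133.30",
        "remark **** Hongkong Stock Exchange",
        "permit ip 203.78.4.0 0.0.3.255 any",
        #"remark **** cloud.hosting-ffm.de",
        #"permit ip any host 195.20.133.20",
        "remark **** supportftp.veeam.com",
        "permit ip host 80.249.186.4 any",
        $SEP,
        "remark **** DENY SOME COUNTRIES",
    );
}

# Config lines that close the ACL and re-attach it to the interface.
sub footer_lines {
    return (
        "remark ALLOW ALL OTHER",
        "permit ip any any",
        "int $INTERFACE",
        "ip access-group $ACL in",
        "end",
    );
}

# Fetch the ipdeny zone file for one country code and turn it into ACL lines:
# a "remark BAN COUNTRY <cc>" followed by one deny per prefix.
#
# Dies if the code is not two lower-case letters, if wget fails, if the file
# is empty, or if any line is not a plain dotted-quad IPv4 prefix with a
# length of 0..32.  The zone file comes from an unauthenticated HTTP source,
# so nothing from it is copied into the ACL unvalidated, and a failed fetch
# must not degrade into an ACL that blocks nothing.
sub country_rules {
    my ($cc) = @_;
    die "country code must be two lower-case letters, got '$cc'"
        unless $cc =~ /\A[a-z]{2}\z/;

    my $zone = "$cc.zone";
    # List-form system(): no shell is involved, so neither $URL nor $cc can
    # be used for command injection.  -q replaces the old "> /dev/null 2>&1".
    if (system('wget', '-q', '-O', $zone, "$URL$cc.zone") != 0) {
        unlink $zone;
        die "wget of $URL$cc.zone failed (status $?)";
    }

    open my $in, '<', $zone or die "cannot read $zone: $!";
    my @rules = ("remark BAN COUNTRY $cc");
    while (my $line = <$in>) {
        chomp $line;
        next if $line =~ /\A\s*\z/;    # tolerate trailing blank lines
        my ($ip, $len) = $line =~ m{\A(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\z}
            or die "$zone: refusing unexpected line '$line'";
        die "$zone: octet out of range in '$line'"
            if grep { $_ > 255 } split /\./, $ip;
        die "$zone: prefix length out of range in '$line'" if $len > 32;
        push @rules, "deny ip $ip " . cidr2wildcard($len) . " any";
    }
    close $in;
    unlink $zone;

    die "$zone contained no prefixes; not generating an ACL without them"
        if @rules == 1;
    return @rules;
}

# Write the complete ACL to $OUTFILE.  The file is assembled under a
# temporary name and renamed into place at the end, so a client fetching it
# over TFTP never sees a half-written ACL and a failed run leaves the
# previous file intact.  Returns 0 on success; dies on any error.
sub main {
    my $tmp = "$OUTFILE.tmp";
    open my $out, '>', $tmp or die "cannot write $tmp: $!";

    my @lines = (header_lines(), static_rules());
    push @lines, country_rules($_) for @ct;
    push @lines, footer_lines();
    print {$out} "$_\n" for @lines;

    close $out or die "error writing $tmp: $!";
    rename $tmp, $OUTFILE or die "cannot rename $tmp to $OUTFILE: $!";
    return 0;
}

# 32-bit netmask for a prefix length 0..32 as an integer; dies otherwise.
# Length 0 is special-cased because shifting a 32-bit value by 32 is not
# portable.
sub _prefix_mask {
    my ($length) = @_;
    my $shown = defined $length ? $length : 'undef';
    die "prefix length must be an integer 0..32, got '$shown'"
        unless defined $length && $length =~ /\A\d+\z/ && $length <= 32;
    return $length == 0 ? 0 : (0xffffffff << (32 - $length)) & 0xffffffff;
}

# Dotted-quad netmask for a prefix length, e.g. 24 -> "255.255.255.0".
# Not used by this script but kept as part of its interface.
sub cidr2mask {
    my ($length) = @_;
    return join '.', unpack 'C4', pack 'N', _prefix_mask($length);
}

# Dotted-quad Cisco wildcard (inverse) mask for a prefix length,
# e.g. 24 -> "0.0.0.255", 0 -> "255.255.255.255".
sub cidr2wildcard {
    my ($length) = @_;
    return join '.', unpack 'C4', pack 'N', 0xffffffff ^ _prefix_mask($length);
}

# Run only when executed directly; when require'd (e.g. by a test) the
# subs are available without touching the network or $OUTFILE.
exit main() unless caller;

1;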