#!/usr/bin/env python3
#
# asn-banhammer.py - Firewalld ASN ban utility
#
# Copyright (C) 2025 ViciDial Group
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
#
import sys
import os
import subprocess
import tempfile
import ipaddress
import xml.etree.ElementTree as ET
import argparse
def fetch_asn_prefixes(asn):
"""Fetch IPv4 prefixes for the given ASN using whois.radb.net."""
try:
result = subprocess.run(
["whois", "-h", "whois.radb.net", "-i", "origin", asn],
stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=True, text=True
)
except subprocess.CalledProcessError as e:
print(f"[!] Whois query failed: {e.stderr}")
sys.exit(1)
# Extract IPv4 CIDRs and per-prefix description
prefix_descr = []
current_descr = None
for line in result.stdout.splitlines():
if line.lower().startswith('descr:'):
current_descr = line.split(':', 1)[1].strip()
elif '/' in line:
# Try to find a route: line
parts = line.split()
for part in parts:
if '/' in part:
try:
net = ipaddress.IPv4Network(part, strict=False)
prefix_descr.append((str(net), current_descr))
except ValueError:
continue
return prefix_descr
def consolidate_prefixes(prefixes):
"""Consolidate overlapping/adjacent CIDRs using ipaddress.collapse_addresses."""
return list(ipaddress.collapse_addresses(prefixes))
def write_ipset_xml(asn, prefixes):
"""Write the ipset XML file for firewalld."""
ipset_path = f"/etc/firewalld/ipsets/{asn.lower()}.xml"
xml_decl = '\n'
# Use global args for short/description/type/option if present
ipset_type = getattr(args, 'ipset_type', 'hash:net')
short = getattr(args, 'short', None)
desc = getattr(args, 'description', None)
option = getattr(args, 'option', None)
with open(ipset_path, "w", encoding="utf-8") as f:
f.write(xml_decl)
f.write(f'\n')
if short:
f.write(f' {short}\n')
if desc:
f.write(f' {desc}\n')
if option:
f.write(f' \n')
for net, descr in prefixes:
if net:
if descr:
f.write(f' {net} \n')
else:
f.write(f' {net}\n')
f.write('\n')
print(f"[*] Wrote {len(prefixes)} prefixes to {ipset_path}")
def main():
parser = argparse.ArgumentParser(description="Generate firewalld ipset from ASN prefixes.")
parser.add_argument("ASN", nargs="?", help="Autonomous System Number (e.g. AS132203)")
parser.add_argument("--zone", default="drop", help="Firewalld zone to add the ipset to (default: drop)")
parser.add_argument("--short", help="Short name for the ipset (optional)")
parser.add_argument("--description", help="Description for the ipset (optional)")
parser.add_argument("--ipset-type", default="hash:net", help="Type for the ipset (default: hash:net)")
parser.add_argument("--option", nargs=2, metavar=("NAME", "VALUE"), help="Add an