Revize 1121
Přidáno uživatelem Jiří Sviták před asi 13 roky(ů)
freenetis/branches/testing/application/vendors/redirection/freenetis.cfg | ||
#! /bin/bash
|
||
##################################################################################
|
||
# #
|
||
# This script serves for redirection ip policy of IS FreeNetIS #
|
||
# #
|
||
# auhtor Sevcik Roman 2011 #
|
||
# email sevcik.roman@slfree.net #
|
||
# #
|
||
# name freenetis.cfg #
|
||
# version 1.9 #
|
||
# #
|
||
##################################################################################
|
||
|
||
|
||
#Local variable contains ip address useful for self-canceling. More infos in doc
|
||
IP_TARGET=192.168.1.1
|
||
|
||
#Local variable contains port number to be redirect from - mandatory
|
||
PORT_WEB=80
|
||
|
||
#Local variable contains port number to be redirect to - mandatory
|
||
PORT_REDIRECT=36000
|
||
|
||
#Delay in seconds between next update cycle
|
||
DELAY=60
|
||
|
||
#Input interface on which will be rules aplicated
|
||
INPUT_INTERFACE=eth0
|
||
|
||
#URL of pages which we need to dowload from freenetis.
|
||
#SET_URL_RANGES - contains list of CIDR networks (e.g. 192.160.0/23) which we can regirect
|
||
#SET_URL_WHITELIST - contains list of "whitelisted" IP addresses of members will not be redirect. Never
|
||
#SET_URL_ALLOWED - contains list of IP allowed adresses will not be redirect
|
||
#SET_URL_SELF_CANCEL - contains list of IP adresses which can disable redirection itself
|
||
#SET_URL_SEEN - uploads list of IP adresses which have already disabled redirection itsef
|
||
|
||
SET_URL_RANGES=http://<hostname>/cs/web_interface/redirected_ranges
|
||
SET_URL_WHITELIST=http://<hostname>/cs/web_interface/whitelist
|
||
SET_URL_ALLOWED=http://<hostname>/cs/web_interface/allowed_ip_addresses
|
||
SET_URL_SELF_CANCEL=http://<hostname>/cs/web_interface/self_cancelable_ip_addresses
|
||
SET_URL_SEEN=http://<hostname>/cs/web_interface/already_seen
|
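Review bot: This file is not parsed but executed: both `/etc/init.d/freenetis` and the synchronization script load it with `. $CONFIG` (the init script presumably as root, since the README installs it via `update-rc.d`), so every line here is shell and anyone who can write /etc/freenetis.cfg can run commands as root — the README's permission notes only cover the two scripts, not this file. I would add a header line `# NOTE: sourced as shell by the freenetis init script (root) - keep this file root-owned and not group/world writable` and quote the URL and interface values so a stray space or glob character cannot be word-split where they are expanded unquoted later. The policy sources are plain `http://<hostname>/...` URLs and the lists they return become ACCEPT, DROP and REDIRECT decisions directly, so anyone on the path between the gateway and the FreeNetIS server can rewrite the policy; use `https://` here, which only helps once the synchronization script stops passing `--no-check-certificate`.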
freenetis/branches/testing/application/vendors/redirection/freenetis | ||
#! /bin/bash
|
||
|
||
### BEGIN INIT INFO
|
||
# Provides: freenetis
|
||
# Required-Start: $remote_fs
|
||
# Required-Stop: $remote_fs
|
||
# Should-Start: $network $syslog
|
||
# Should-Stop: $network $syslog
|
||
# Default-Start: 2 3 4 5
|
||
# Default-Stop: 0 1 6
|
||
# Short-Description: Start and stop freenetis synchronization daemon
|
||
# Description: FreeNetIS synchronization script.
|
||
### END INIT INFO
|
||
|
||
##################################################################################
|
||
# #
|
||
# This script serves for redirection ip policy of IS FreeNetIS #
|
||
# #
|
||
# auhtor Sevcik Roman 2011 #
|
||
# email sevcik.roman@slfree.net #
|
||
# #
|
||
# name freenetis #
|
||
# version 1.9 #
|
||
# #
|
||
##################################################################################
|
||
|
||
#Local variable contains path to iptables - mandatory
|
||
IPTABLES=/sbin/iptables
|
||
|
||
#Load variables from config file
|
||
CONFIG=/etc/freenetis.cfg
|
||
|
||
#Path to pid file
|
||
PIDFILE=/var/run/freenetis_synchronization.pid
|
||
|
||
#Load variables
|
||
if [ -f ${CONFIG} ]; then
|
||
. $CONFIG;
|
||
else
|
||
echo "No config file - giving up :-(";
|
||
exit 0
|
||
fi
|
||
|
||
|
||
# Function returns 1 if is ip valid
|
||
# @param ip adresa
|
||
# return 1 if is ip valid
|
||
valid_ip ()
|
||
{
|
||
local ip=$1
|
||
local stat=1
|
||
|
||
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
|
||
OIFS=$IFS
|
||
IFS='.'
|
||
ip=($ip)
|
||
IFS=$OIFS
|
||
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
|
||
stat=$?
|
||
fi;
|
||
return $stat
|
||
}
|
||
|
||
|
||
start ()
|
||
{
|
||
if [ -f ${PIDFILE} ]; then
|
||
echo "Already started"
|
||
return 1
|
||
fi
|
||
|
||
echo "Adding sets.";
|
||
|
||
ipset -N whitelist iphash --hashsize 10000 --probes 4 --resize 50
|
||
ipset -N allowed iphash --hashsize 10000 --probes 8 --resize 50
|
||
ipset -N self_cancel iphash --hashsize 10000 --probes 8 --resize 50
|
||
ipset -N seen iphash --hashsize 10000 --probes 8 --resize 50
|
||
ipset -N ranges nethash --hashsize 1024 --probes 4 --resize 50
|
||
|
||
echo "Adding firewall rules.";
|
||
|
||
#Rule for allowing access. If come packet to $IP_TARGET then we add souce address do set allowed and to set seen
|
||
#Set seen is used for ip synchronization with FreeNetIS.
|
||
$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set allowed src
|
||
$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set seen src
|
||
|
||
#If is IP in set whitelist or allowed then it is not redirected
|
||
$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set whitelist src -j ACCEPT
|
||
$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set allowed src -j ACCEPT
|
||
|
||
#Redirect everything trafic what has destination port $PORT_WEB to $PORT_REDIRECT
|
||
$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT
|
||
|
||
#If is IP in set whitelist or allowed then it is not redirected
|
||
$IPTABLES -i $INPUT_INTERFACE -I FORWARD 1 -m set --set whitelist src -j ACCEPT
|
||
$IPTABLES -i $INPUT_INTERFACE -I FORWARD 2 -m set --set allowed src -j ACCEPT
|
||
|
||
#Else everything drop
|
||
$IPTABLES -i $INPUT_INTERFACE -I FORWARD 3 -m set --set ranges src -j DROP
|
||
|
||
|
||
#Run update scritp on background
|
||
echo "Starting process."
|
||
nohup /usr/local/sbin/freenetis_synchronization.sh > /dev/null 2>&1 &
|
||
|
||
#Parse PID a save to file
|
||
ps -fe | grep freenetis_synchronization.sh | head -n1 | cut -d" " -f 6 > $PIDFILE
|
||
|
||
return 1
|
||
}
|
||
|
||
stop ()
|
||
{
|
||
if [ ! -f ${PIDFILE} ]; then
|
||
echo "Already stopped."
|
||
return 1
|
||
fi
|
||
|
||
#Killing of process by sigterm
|
||
echo "Killing process."
|
||
killall -q freenetis_synchronization.sh
|
||
|
||
#Delete pid file
|
||
rm -f $PIDFILE
|
||
|
||
echo "Deleting firewall rules.";
|
||
|
||
#Rule for allowing access. If come packet to $IP_TARGET then we add souce address do set allowed and to set seen
|
||
#Set seen is used for ip synchronization with FreeNetIS.
|
||
$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set allowed src
|
||
$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set seen src
|
||
|
||
#If is IP in set whitelist or allowed then it is not redirected
|
||
$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set whitelist src -j ACCEPT
|
||
$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set allowed src -j ACCEPT
|
||
|
||
#Redirect everything trafic what has destination port $PORT_WEB to $PORT_REDIRECT
|
||
$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT
|
||
|
||
#If is IP in set whitelist or allowed then it is not redirected
|
||
$IPTABLES -i $INPUT_INTERFACE -D FORWARD -m set --set whitelist src -j ACCEPT
|
||
$IPTABLES -i $INPUT_INTERFACE -D FORWARD -m set --set allowed src -j ACCEPT
|
||
|
||
#Else everything drop
|
||
$IPTABLES -i $INPUT_INTERFACE -D FORWARD -m set --set ranges src -j DROP
|
||
|
||
echo "Deleting sets.";
|
||
|
||
ipset -X whitelist
|
||
ipset -X allowed
|
||
ipset -X self_cancel
|
||
ipset -X seen
|
||
ipset -X ranges
|
||
|
||
return 1
|
||
}
|
||
|
||
# Function shows help
|
||
help ()
|
||
{
|
||
echo "usage : (start | update | stop | restart)"
|
||
echo "start - initialization of firewall rules"
|
||
echo "stop - clears firewall rules"
|
||
echo "restart - restarts firewall rules"
|
||
}
|
||
|
||
# Is parameter #1 zero length?
|
||
if [ -z "$1" ]; then
|
||
help
|
||
exit 1
|
||
fi;
|
||
|
||
case "$1" in
|
||
start)
|
||
|
||
start
|
||
exit 1
|
||
;;
|
||
|
||
restart)
|
||
|
||
stop
|
||
start
|
||
exit 1
|
||
;;
|
||
|
||
stop)
|
||
|
||
stop
|
||
exit 1
|
||
;;
|
||
|
||
*)
|
||
|
||
help
|
||
exit 1
|
||
;;
|
||
|
||
esac
|
||
|
||
exit 0
|
||
|
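Review bot: The PID recorded by `ps -fe | grep freenetis_synchronization.sh | head -n1 | cut -d" " -f 6 > $PIDFILE` is unreliable: the `grep` matches its own command line, and `ps -fe` pads its columns with a variable number of spaces, so field 6 of a space-split line is usually not the PID at all; the shell already knows the PID of the job it just backgrounded, so write `echo $! > "$PIDFILE"` directly after the `nohup … &` line and have `stop` kill that PID (`kill "$(cat "$PIDFILE")"`) instead of `killall -q freenetis_synchronization.sh`, which kills any process carrying that name. The missing-config branch `echo "No config file - giving up :-("; exit 0` installs no redirect or DROP rules yet reports success to the init system — for an enforcement script that is fail-open, so print to stderr and `exit 1`. Every other path ends in `return 1`/`exit 1` as well, so a successful `start` is indistinguishable from a failure; LSB init scripts are expected to exit 0 on success. None of the `ipset -N` or `$IPTABLES` calls in `start` are checked either, so if sets or rules survived an unclean stop (the `-f ${PIDFILE}` test is the only guard) the next start appends a second copy of each rule without complaint.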
freenetis/branches/testing/application/vendors/redirection/README | ||
Freenetis redirection system (last update 2011-03-25)
|
||
-----------------------------------------------------
|
||
author: Jiri Svitak (jsvitak@unart.cz)
|
||
|
||
It is necesarry to have installed ipset kernel module and lightweight http
|
||
server on central netowrk gateway. Recomended system is Linux, we use Debian.
|
||
|
||
In Debian 6 is ipset already in repository.
|
||
apt-get install ipset ipset-source
|
||
m-a a-i ipset
|
||
|
||
We use lighttpd server daemon, which contains only temporary http redirection
|
||
to freenetis server. We use port 36000 for this.
|
||
apt-get install lighttpd
|
||
|
||
We use lighttpd with following configuration in /etc/lighttpd/lighttpd.conf
|
||
server.port = 36000
|
||
url.redirect = ( "." => "http://freenetis.domain.ltd" )
|
||
url.redirect-code = 307
|
||
|
||
We do not need ipv6 yet, so we can comment out this
|
||
#include_shell "/usr/share/lighttpd/use-ipv6.pl"
|
||
|
||
All three files - freenetis, freenetis.cfg, freenetis_synchronization.sh should
|
||
be placed in locations specified in their headers. Proper access rights should
|
||
have been set.
|
||
|
||
chmod 755 /etc/init.d/freenetis
|
||
chmod "a+x" /usr/local/sbin/freenetis_synchronization.sh
|
||
|
||
Script freenetis should be launched on the system start. We use
|
||
update-rc.d freenetis defaults
|
||
|
||
We can control this synchronization system by
|
||
/etc/init.d/freenetis start|stop|restart
|
||
|
||
System does not need cron, after starting system, freenetis_synchronization.sh
|
||
runs in infinite loop. If you need to change delay between next cycle just edit variable DELAY in freenetis.cfg
|
freenetis/branches/testing/application/vendors/redirection/freenetis_synchronization.sh | ||
#!/bin/bash
|
||
##################################################################################
|
||
# #
|
||
# This script serves for redirection ip policy of IS FreeNetIS #
|
||
# #
|
||
# auhtor Sevcik Roman 2011 #
|
||
# email sevcik.roman@slfree.net #
|
||
# #
|
||
# name freenetis_synchronization.sh #
|
||
# version 1.9 #
|
||
# #
|
||
##################################################################################
|
||
|
||
#Load variables from config file
|
||
CONFIG=/etc/freenetis.cfg
|
||
|
||
#Paths where temporary data will be saved.
|
||
PATH_RANGES=/tmp/ranges
|
||
PATH_WHITELIST=/tmp/whitelist
|
||
PATH_ALLOWED=/tmp/allowed
|
||
PATH_SELF_CANCEL=/tmp/self_cancel
|
||
|
||
|
||
#Load variables
|
||
if [ -f ${CONFIG} ]; then
|
||
. $CONFIG;
|
||
else
|
||
echo "No config file - giving up :-(";
|
||
exit 0
|
||
fi
|
||
|
||
# Function returns 1 if is ip valid
|
||
# @param ip adresa
|
||
# return 1 if is ip valid
|
||
valid_ip ()
|
||
{
|
||
local ip=$1
|
||
local stat=1
|
||
|
||
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
|
||
OIFS=$IFS
|
||
IFS='.'
|
||
ip=($ip)
|
||
IFS=$OIFS
|
||
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
|
||
stat=$?
|
||
fi;
|
||
return $stat
|
||
}
|
||
|
||
update ()
|
||
{
|
||
echo "Updating..."
|
||
|
||
#Erase content of all sets
|
||
echo "Cleaning sets...";
|
||
ipset -F whitelist
|
||
ipset -F allowed
|
||
ipset -F self_cancel
|
||
ipset -F ranges
|
||
|
||
#Send data from seen set to server
|
||
|
||
oount=0
|
||
for i in $(ipset -L seen);
|
||
do
|
||
if valid_ip $i; then
|
||
seen[count]=$i
|
||
((count++))
|
||
fi
|
||
done
|
||
|
||
OIFS=$IFS
|
||
export IFS=";"
|
||
|
||
echo "Sending seen set data...";
|
||
wget -q -O /dev/null $SET_URL_SEEN --no-check-certificate --post-data "seen=${seen[*]}"
|
||
|
||
IFS=$OIFS
|
||
|
||
unset seen
|
||
|
||
echo "Downloading data...";
|
||
wget -q -O $PATH_WHITELIST $SET_URL_WHITELIST --no-check-certificate
|
||
wget -q -O $PATH_ALLOWED $SET_URL_ALLOWED --no-check-certificate
|
||
wget -q -O $PATH_SELF_CANCEL $SET_URL_SELF_CANCEL --no-check-certificate
|
||
wget -q -O $PATH_RANGES $SET_URL_RANGES --no-check-certificate
|
||
|
||
#Filling sets
|
||
|
||
for i in $(cat $PATH_WHITELIST);
|
||
do
|
||
echo "$i - added to set whitelist"
|
||
ipset -A whitelist $i
|
||
done
|
||
|
||
for i in $(cat $PATH_ALLOWED);
|
||
do
|
||
echo "$i - added to set allowed"
|
||
ipset -A allowed $i
|
||
done
|
||
|
||
for i in $(cat $PATH_SELF_CANCEL);
|
||
do
|
||
echo "$i - added to set self_cancel"
|
||
ipset -A self_cancel $i
|
||
done
|
||
|
||
for i in $(cat $PATH_RANGES);
|
||
do
|
||
echo "$i - added to set ranges"
|
||
ipset -A ranges $i
|
||
done
|
||
|
||
#Erase content of seen set
|
||
echo "Cleaning seen set...";
|
||
ipset -F seen
|
||
|
||
#Cleaning up...
|
||
rm -f $PATH_RANGES
|
||
rm -f $PATH_WHITELIST
|
||
rm -f $PATH_ALLOWED
|
||
rm -f $PATH_SELF_CANCEL
|
||
|
||
echo "Sleeping..."
|
||
sleep $DELAY;
|
||
}
|
||
|
||
while (true);
|
||
do
|
||
update
|
||
done
|
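Review bot: The per-cycle downloads go to fixed, predictable names in the world-writable /tmp (`PATH_RANGES=/tmp/ranges` … `PATH_SELF_CANCEL=/tmp/self_cancel`) from a script the init script launches — presumably as root — so an unprivileged local user who pre-creates one of those files (or a symlink in its place) can have root's `wget -O` write through it and then edit it before the `for i in $(cat $PATH_WHITELIST)` loops feed it to `ipset -A`, i.e. add themselves to `whitelist`/`allowed` or poison `ranges`. The downloaded entries are also inserted without any check, although `valid_ip` is defined in this very file and only applied to the `ipset -L seen` output. I would create a private directory with `mktemp -d`, remove it on exit, and validate every entry before `ipset -A` (the `ranges` set needs a CIDR variant of the check, which the script does not have yet); every `wget` here also passes `--no-check-certificate`, which should go once the URLs are https. Separately, the sets are flushed with `ipset -F …` before the new lists are fetched, so a failed or slow download (wget -O leaves an empty file) leaves all sets empty for a whole `DELAY` cycle — fetch and validate first, then flush and refill — and the `oount=0` typo means `count` is never reset between cycles.
```shell
# … unchanged: header, CONFIG, config sourcing, valid_ip …

# Private work directory instead of fixed names in the world-writable /tmp:
# a local user could otherwise pre-create /tmp/whitelist (or a symlink) that
# root's wget writes through, then edit it before it is fed to ipset.
WORK_DIR=$(mktemp -d) || { echo "cannot create work directory" >&2; exit 1; }
trap 'rm -rf -- "$WORK_DIR"' EXIT
PATH_RANGES=$WORK_DIR/ranges
PATH_WHITELIST=$WORK_DIR/whitelist
PATH_ALLOWED=$WORK_DIR/allowed
PATH_SELF_CANCEL=$WORK_DIR/self_cancel

# Add each line of file $2 to ipset $1, accepting only plain IPv4 addresses.
# The lists arrive over the network and decide ACCEPT/DROP, so do not trust them.
fill_ip_set ()
{
    local set_name=$1 file=$2 entry
    while IFS= read -r entry || [[ -n "$entry" ]]; do
        if valid_ip "$entry"; then
            echo "$entry - added to set $set_name"
            ipset -A "$set_name" "$entry"
        else
            echo "$entry - rejected, not an IPv4 address" >&2
        fi
    done < "$file"
}

# … inside update(), replacing the three "for i in $(cat …)" loops over the iphash sets …
fill_ip_set whitelist "$PATH_WHITELIST"
fill_ip_set allowed "$PATH_ALLOWED"
fill_ip_set self_cancel "$PATH_SELF_CANCEL"
# … unchanged: ranges loop (needs a CIDR check before it can use the same helper) …
```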
vetev presmerovani zahrnuta do testingu... podpisy az na letisti