
Revize 1135

Přidáno uživatelem Jiří Sviták před více než 13 roky(ů)

presmerovani - skript pro centralni router


freenetis/branches/testing/application/vendors/redirection/freenetis
#! /bin/bash
### BEGIN INIT INFO
# Provides: freenetis
# Required-Start: $remote_fs
# Required-Stop: $remote_fs
# Should-Start: $network $syslog
# Should-Stop: $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start and stop freenetis synchronization daemon
# Description: FreeNetIS synchronization script.
### END INIT INFO
##################################################################################
# #
# This script serves for redirection ip policy of IS FreeNetIS #
# #
# auhtor Sevcik Roman 2011 #
# email sevcik.roman@slfree.net #
# #
# name freenetis #
# version 1.9 #
# #
##################################################################################
#Local variable contains path to iptables - mandatory
IPTABLES=/sbin/iptables
#Load variables from config file
CONFIG=/etc/freenetis.cfg
#Path to pid file
PIDFILE=/var/run/freenetis_synchronization.pid
#Load variables
if [ -f ${CONFIG} ]; then
. $CONFIG;
else
echo "No config file - giving up :-(";
exit 0
fi
# Function returns 1 if is ip valid
# @param ip adresa
# return 1 if is ip valid
valid_ip ()
{
local ip=$1
local stat=1
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
OIFS=$IFS
IFS='.'
ip=($ip)
IFS=$OIFS
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
stat=$?
fi;
return $stat
}
start ()
{
if [ -f ${PIDFILE} ]; then
echo "Already started"
return 1
fi
echo "Adding sets.";
ipset -N whitelist iphash --hashsize 10000 --probes 4 --resize 50
ipset -N allowed iphash --hashsize 10000 --probes 8 --resize 50
ipset -N self_cancel iphash --hashsize 10000 --probes 8 --resize 50
ipset -N seen iphash --hashsize 10000 --probes 8 --resize 50
ipset -N ranges nethash --hashsize 1024 --probes 4 --resize 50
echo "Adding firewall rules.";
#Rule for allowing access. If come packet to $IP_TARGET then we add souce address do set allowed and to set seen
#Set seen is used for ip synchronization with FreeNetIS.
$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set allowed src
$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set seen src
#If is IP in set whitelist or allowed then it is not redirected
$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set whitelist src -j ACCEPT
$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set allowed src -j ACCEPT
#Redirect everything trafic what has destination port $PORT_WEB to $PORT_REDIRECT
$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT
#If is IP in set whitelist or allowed then it is not redirected
$IPTABLES -i $INPUT_INTERFACE -I FORWARD 1 -m set --set whitelist src -j ACCEPT
$IPTABLES -i $INPUT_INTERFACE -I FORWARD 2 -m set --set allowed src -j ACCEPT
#Else everything drop
$IPTABLES -i $INPUT_INTERFACE -I FORWARD 3 -m set --set ranges src -j DROP
#Run update scritp on background
echo "Starting process."
nohup /usr/local/sbin/freenetis_synchronization.sh > /dev/null 2>&1 &
#Parse PID a save to file
ps -fe | grep freenetis_synchronization.sh | head -n1 | cut -d" " -f 6 > $PIDFILE
return 1
}
stop ()
{
if [ ! -f ${PIDFILE} ]; then
echo "Already stopped."
return 1
fi
#Killing of process by sigterm
echo "Killing process."
killall -q freenetis_synchronization.sh
#Delete pid file
rm -f $PIDFILE
echo "Deleting firewall rules.";
#Rule for allowing access. If come packet to $IP_TARGET then we add souce address do set allowed and to set seen
#Set seen is used for ip synchronization with FreeNetIS.
$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set allowed src
$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set seen src
#If is IP in set whitelist or allowed then it is not redirected
$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set whitelist src -j ACCEPT
$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set allowed src -j ACCEPT
#Redirect everything trafic what has destination port $PORT_WEB to $PORT_REDIRECT
$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT
#If is IP in set whitelist or allowed then it is not redirected
$IPTABLES -i $INPUT_INTERFACE -D FORWARD -m set --set whitelist src -j ACCEPT
$IPTABLES -i $INPUT_INTERFACE -D FORWARD -m set --set allowed src -j ACCEPT
#Else everything drop
$IPTABLES -i $INPUT_INTERFACE -D FORWARD -m set --set ranges src -j DROP
echo "Deleting sets.";
ipset -X whitelist
ipset -X allowed
ipset -X self_cancel
ipset -X seen
ipset -X ranges
return 1
}
# Function shows help
help ()
{
echo "usage : (start | update | stop | restart)"
echo "start - initialization of firewall rules"
echo "stop - clears firewall rules"
echo "restart - restarts firewall rules"
}
# Is parameter #1 zero length?
if [ -z "$1" ]; then
help
exit 1
fi;
case "$1" in
start)
start
exit 1
;;
restart)
stop
start
exit 1
;;
stop)
stop
exit 1
;;
*)
help
exit 1
;;
esac
exit 0
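Review bot: The PID file written in start() by `ps -fe | grep freenetis_synchronization.sh | head -n1 | cut -d" " -f 6 > $PIDFILE` is unreliable: the grep can match its own process, and `cut -d" "` on `ps -fe` output, whose columns are padded with runs of spaces, is likely to return an empty field rather than the PID. The daemon was launched with `&` on the line before, so bash already knows its PID — `echo $! > "$PIDFILE"` — and stop() can then signal exactly that process with `kill "$(cat "$PIDFILE")"` instead of the name-based `killall -q freenetis_synchronization.sh`. Separately, start(), stop() and every `case` arm finish with status 1 even on success, so `service`/`update-rc.d` tooling will report failure; return and exit 0 on the success paths. The help text also advertises an `update` action that the `case` does not implement.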
freenetis/branches/testing/application/vendors/redirection/README
Freenetis redirection system (last update 2011-03-25)
-----------------------------------------------------
author: Jiri Svitak (jsvitak@unart.cz)
It is necesarry to have installed ipset kernel module and lightweight http
server on central netowrk gateway. Recomended system is Linux, we use Debian.
In Debian 6 is ipset already in repository.
apt-get install ipset ipset-source
m-a a-i ipset
We use lighttpd server daemon, which contains only temporary http redirection
to freenetis server. We use port 36000 for this.
apt-get install lighttpd
We use lighttpd with following configuration in /etc/lighttpd/lighttpd.conf
server.port = 36000
url.redirect = ( "." => "http://freenetis.domain.ltd" )
url.redirect-code = 307
We do not need ipv6 yet, so we can comment out this
#include_shell "/usr/share/lighttpd/use-ipv6.pl"
All three files - freenetis, freenetis.cfg, freenetis_synchronization.sh should
be placed in locations specified in their headers. Proper access rights should
have been set.
chmod 755 /etc/init.d/freenetis
chmod "a+x" /usr/local/sbin/freenetis_synchronization.sh
Script freenetis should be launched on the system start. We use
update-rc.d freenetis defaults
We can control this synchronization system by
/etc/init.d/freenetis start|stop|restart
System does not need cron, after starting system, freenetis_synchronization.sh
runs in infinite loop. If you need to change delay between next cycle just edit variable DELAY in freenetis.cfg
freenetis/branches/testing/application/vendors/redirection/freenetis.cfg
#! /bin/bash
##################################################################################
# #
# This script serves for redirection ip policy of IS FreeNetIS #
# #
# auhtor Sevcik Roman 2011 #
# email sevcik.roman@slfree.net #
# #
# name freenetis.cfg #
# version 1.9 #
# #
##################################################################################
#Local variable contains ip address useful for self-canceling. More infos in doc
IP_TARGET=192.168.1.1
#Local variable contains port number to be redirect from - mandatory
PORT_WEB=80
#Local variable contains port number to be redirect to - mandatory
PORT_REDIRECT=36000
#Delay in seconds between next update cycle
DELAY=60
#Input interface on which will be rules aplicated
INPUT_INTERFACE=eth0
#URL of pages which we need to dowload from freenetis.
#SET_URL_RANGES - contains list of CIDR networks (e.g. 192.160.0/23) which we can regirect
#SET_URL_WHITELIST - contains list of "whitelisted" IP addresses of members will not be redirect. Never
#SET_URL_ALLOWED - contains list of IP allowed adresses will not be redirect
#SET_URL_SELF_CANCEL - contains list of IP adresses which can disable redirection itself
#SET_URL_SEEN - uploads list of IP adresses which have already disabled redirection itsef
SET_URL_RANGES=http://<hostname>/cs/web_interface/redirected_ranges
SET_URL_WHITELIST=http://<hostname>/cs/web_interface/whitelist
SET_URL_ALLOWED=http://<hostname>/cs/web_interface/allowed_ip_addresses
SET_URL_SELF_CANCEL=http://<hostname>/cs/web_interface/self_cancelable_ip_addresses
SET_URL_SEEN=http://<hostname>/cs/web_interface/already_seen
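Review bot: This file is executed, not parsed: both `freenetis` and `freenetis_synchronization.sh` load it with `. $CONFIG`, presumably as root since they drive iptables, so write access to /etc/freenetis.cfg is code execution with that privilege at boot and on every update cycle. The header comment should state the expected ownership and mode, since the README's chmod steps only cover the two scripts, e.g. `# sourced by the init script and daemon: keep root-owned and not writable by others`. The `#! /bin/bash` line is misleading on a file that is never run directly and could be dropped. The `SET_URL_*` examples use plain `http://`; because these lists decide which source addresses the router ACCEPTs or DROPs, the comment block should recommend an https URL to the FreeNetIS server.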
freenetis/branches/testing/application/vendors/redirection/freenetis_synchronization.sh
#!/bin/bash
##################################################################################
# #
# This script serves for redirection ip policy of IS FreeNetIS #
# #
# auhtor Sevcik Roman 2011 #
# email sevcik.roman@slfree.net #
# #
# name freenetis_synchronization.sh #
# version 1.9 #
# #
##################################################################################
#Load variables from config file
CONFIG=/etc/freenetis.cfg
#Paths where temporary data will be saved.
PATH_RANGES=/tmp/ranges
PATH_WHITELIST=/tmp/whitelist
PATH_ALLOWED=/tmp/allowed
PATH_SELF_CANCEL=/tmp/self_cancel
#Load variables
if [ -f ${CONFIG} ]; then
. $CONFIG;
else
echo "No config file - giving up :-(";
exit 0
fi
# Function returns 1 if is ip valid
# @param ip adresa
# return 1 if is ip valid
valid_ip ()
{
local ip=$1
local stat=1
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
OIFS=$IFS
IFS='.'
ip=($ip)
IFS=$OIFS
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
stat=$?
fi;
return $stat
}
update ()
{
echo "Updating..."
#Erase content of all sets
echo "Cleaning sets...";
ipset -F whitelist
ipset -F allowed
ipset -F self_cancel
ipset -F ranges
#Send data from seen set to server
oount=0
for i in $(ipset -L seen);
do
if valid_ip $i; then
seen[count]=$i
((count++))
fi
done
OIFS=$IFS
export IFS=";"
echo "Sending seen set data...";
wget -q -O /dev/null $SET_URL_SEEN --no-check-certificate --post-data "seen=${seen[*]}"
IFS=$OIFS
unset seen
echo "Downloading data...";
wget -q -O $PATH_WHITELIST $SET_URL_WHITELIST --no-check-certificate
wget -q -O $PATH_ALLOWED $SET_URL_ALLOWED --no-check-certificate
wget -q -O $PATH_SELF_CANCEL $SET_URL_SELF_CANCEL --no-check-certificate
wget -q -O $PATH_RANGES $SET_URL_RANGES --no-check-certificate
#Filling sets
for i in $(cat $PATH_WHITELIST);
do
echo "$i - added to set whitelist"
ipset -A whitelist $i
done
for i in $(cat $PATH_ALLOWED);
do
echo "$i - added to set allowed"
ipset -A allowed $i
done
for i in $(cat $PATH_SELF_CANCEL);
do
echo "$i - added to set self_cancel"
ipset -A self_cancel $i
done
for i in $(cat $PATH_RANGES);
do
echo "$i - added to set ranges"
ipset -A ranges $i
done
#Erase content of seen set
echo "Cleaning seen set...";
ipset -F seen
#Cleaning up...
rm -f $PATH_RANGES
rm -f $PATH_WHITELIST
rm -f $PATH_ALLOWED
rm -f $PATH_SELF_CANCEL
echo "Sleeping..."
sleep $DELAY;
}
while (true);
do
update
done
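Review bot: update() flushes all four sets (`ipset -F whitelist` through `ipset -F ranges`) before the downloads and never checks the wget exit codes, so when the FreeNetIS server is unreachable the sets stay empty for the whole DELAY cycle — with `ranges` empty nobody is redirected or dropped, and a truncated list silently becomes the new policy until the next cycle. Download first, abort the cycle if any fetch fails, and only then flush and refill; the fence below shows that reordering. The counter is also misspelled: `oount=0` leaves `count` unset and never reset, so `seen[count]` works only because bash treats the empty index as 0 and the index keeps growing across cycles; rename it to `count=0`. Unlike frnts_ipset, the downloaded entries go straight to `ipset -A` without the `valid_ip` check this file defines, and they are fetched with `--no-check-certificate` into fixed `/tmp/…` paths; validating each entry, enabling certificate checking for https URLs and creating the temporary files with `mktemp` would harden the data path that controls the router's ACCEPT/DROP decisions.
```shell
# Fetch one list; non-zero status means the current sets must be kept.
fetch ()
{
  wget -q -O "$1" "$2" --no-check-certificate || { echo "Download of $2 failed - keeping current sets."; return 1; }
}
update ()
{
  echo "Updating..."
  #Download first so that a failed fetch never leaves the sets empty
  echo "Downloading data...";
  fetch "$PATH_WHITELIST" "$SET_URL_WHITELIST" || { sleep "$DELAY"; return 1; }
  fetch "$PATH_ALLOWED" "$SET_URL_ALLOWED" || { sleep "$DELAY"; return 1; }
  fetch "$PATH_SELF_CANCEL" "$SET_URL_SELF_CANCEL" || { sleep "$DELAY"; return 1; }
  fetch "$PATH_RANGES" "$SET_URL_RANGES" || { sleep "$DELAY"; return 1; }
  #Erase content of all sets
  echo "Cleaning sets...";
  ipset -F whitelist
  ipset -F allowed
  ipset -F self_cancel
  ipset -F ranges
  # … unchanged: seen upload, set filling, seen flush, cleanup, sleep …
}
```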
freenetis/branches/testing/application/vendors/redirection/frnts_ipset
##################################################################################
#! /bin/sh #
# #
# Skript pro presmerovani ip adres. Data jsou nacitana automaticky z freenetisu. #
# #
# autor Sevcik Roman 2009 #
# email sevcik.roman@slfree.net #
# #
##################################################################################
IPTABLES=/usr/local/sbin/iptables
IP_SELF=10.143.128.1
IP_SELF1=10.143.0.129
IP_TARGET=212.111.4.121
PORT_WEB=80
PORT_REDIRECT=36000
SET_URL_RANGES=http://freenetis.slfree.net/cs/web_interface/redirected_ranges
SET_URL_PARTNERS=http://freenetis.slfree.net/cs/redirect/ipset/partners
SET_URL_MEMBERS=http://freenetis.slfree.net/cs/web_interface/allowed_ip_addresses
# Funkce testuje jestli je dana ip validne zapsana
# @param ip adresa
# return 1 pokud je ip validni
function valid_ip()
{
local ip=$1
local stat=1
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
OIFS=$IFS
IFS='.'
ip=($ip)
IFS=$OIFS
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
stat=$?
fi
return $stat
}
# Funkce testuje jestli je dany subnet validne zapsany
# @param subnet
# return 1 pokud je subnet validni
function valid_subnet()
{
local subnet=$1
local stat=1
if [[ $subnet =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/[0-9]{1,2}$ ]]; then
OIFS=$IFS
IFS='/'
subnet=($subnet)
IFS='.'
ip=${subnet[0]}
ip=($ip)
mask=${subnet[1]}
IFS=$OIFS
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
[[ $mask -le 31 ]]
stat=$?
fi
return $stat
}
function update()
{
#Vymazeme obsah vsech setu
echo "Erasing content of sets.";
ipset -F ranges
ipset -F partners
ipset -F members
echo "Downloading data";
wget -q -O /tmp/ranges $SET_URL_RANGES --no-check-certificate
wget -q -O /tmp/partners $SET_URL_PARTNERS --no-check-certificate
wget -q -O /tmp/members $SET_URL_MEMBERS --no-check-certificate
BAKIFS=$IFS
IFS=$(echo -en "\n\b")
exec 3<&0
#Plnime set partners
echo "Filling set partnets.";
exec 0</tmp/partners
while read LINE
do
if valid_subnet $LINE; then echo "$LINE - added to set partners."; ipset -A partners $LINE; else echo "$LINE - not valid subnet."; fi
done
#Plnime set members
echo "Filling set members.";
exec 0</tmp/members
while read LINE
do
if valid_ip $LINE; then echo "$LINE - added to set members."; ipset -A members $LINE; else echo "$LINE - not valid IP address."; fi
done
#Plnime set ranges - je nutne aby se plnil az na konci. Jinak by byly presmerovane ip v dobe kdy se set nenbers a partners teprve plni.
echo "Filling set ranges.";
exec 0</tmp/ranges
while read LINE
do
if valid_subnet $LINE; then echo "$LINE - added to set ranges."; ipset -A ranges $LINE; else echo "$LINE - not valid subnet."; fi
done
exec 0<&3
IFS=$BAKIFS
#Cleaning up
rm /tmp/ranges
rm /tmp/partners
rm /tmp/members
}
case "$1" in
start)
echo "Adding sets.";
ipset -N ranges nethash --hashsize 1024 --probes 4 --resize 50
ipset -N partners nethash --hashsize 1024 --probes 4 --resize 50
ipset -N members iphash --hashsize 10000 --probes 8 --resize 50
echo "Adding firewall rules.";
#Pravidlo pro pridani ip do setu members. Pokud projde firewallem packet na danou cilovou ip prida se zdrojova ip do setu members.
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set ranges src -d $IP_TARGET -j SET --add-set members src
#Pokud uz je ip v setu members nebo partners neaplikuje se presmerovani.
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set partners src -j ACCEPT
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set members src -j ACCEPT
#Povoleni portu 36000 pro potreby presmerovani. Na tomto portu nasloucha webserver a provede presmerovani na zvolenou url.
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set ranges src -p tcp --dport $PORT_REDIRECT -j ACCEPT
#Presmerovani vseho co miri do internetu a ma cilovy port 80 na port 36000.
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT
#Vyjimky ip adres a portu ktere budou fungovat i po presmerovani.
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set ranges src -p icmp -d $IP_SELF -j ACCEPT
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set ranges src -p udp -d $IP_SELF --dport 53 -j ACCEPT
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set ranges src -p tcp -d $IP_SELF --dport 22 -j ACCEPT
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set ranges src -p icmp -d $IP_SELF1 -j ACCEPT
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set ranges src -p udp -d $IP_SELF1 --dport 53 -j ACCEPT
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set ranges src -p tcp -d $IP_SELF1 --dport 22 -j ACCEPT
#Vyjimka pro kecalka pro podporu
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set ranges src -p tcp -d 67.23.29.84 --dport 80 -j ACCEPT
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set ranges src -p tcp -d 67.23.27.61 --dport 80 -j ACCEPT
#Jinak vse ostatni zahod.
$IPTABLES -i eth0 -t nat -A PREROUTING -m set --set ranges src -j DROP
exit 1
;;
restart)
$0 stop
$0 start
exit 1
;;
update)
update
exit 1
;;
stop)
echo "Deleting firewall rules.";
#Pravidlo pro pridani ip do setu members. Pokud projde firewallem packet na danou cilovou ip prida se zdrojova ip do setu members.
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set ranges src -d $IP_TARGET -j SET --add-set members src
#Pokud uz je ip v setu members nebo partners neaplikuje se presmerovani.
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set partners src -j ACCEPT
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set members src -j ACCEPT
#Povoleni portu 36000 pro potreby presmerovani. Na tomto portu nasloucha webserver a provede presmerovani na zvolenou url.
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set ranges src -p tcp --dport $PORT_REDIRECT -j ACCEPT
#Presmerovani vseho co miri do internetu a ma cilovy port 80 na port 36000.
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT
#Vyjimky ip adres a portu ktere budou fungovat i po presmerovani.
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set ranges src -p icmp -d $IP_SELF -j ACCEPT
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set ranges src -p udp -d $IP_SELF --dport 53 -j ACCEPT
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set ranges src -p tcp -d $IP_SELF --dport 22 -j ACCEPT
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set ranges src -p icmp -d $IP_SELF1 -j ACCEPT
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set ranges src -p udp -d $IP_SELF1 --dport 53 -j ACCEPT
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set ranges src -p tcp -d $IP_SELF1 --dport 22 -j ACCEPT
#Vyjimka pro kecalka pro podporu
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set ranges src -p tcp -d 67.23.29.84 --dport 80 -j ACCEPT
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set ranges src -p tcp -d 67.23.27.61 --dport 80 -j ACCEPT
#Jinak vse ostatni zahod.
$IPTABLES -i eth0 -t nat -D PREROUTING -m set --set ranges src -j DROP
echo "Deleting sets.";
ipset -X ranges
ipset -X partners
ipset -X members
exit 1
;;
esac
exit 0
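Review bot: valid_subnet() discards its octet check: `[[ ${ip[0]} -le 255 && … ]]` stands on its own line, `[[ $mask -le 31 ]]` follows, and only the second test's status reaches `stat=$?`, so a value such as 300.1.1.1/24 is reported valid and handed to `ipset -A ranges`. Fold the two tests into one, `[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 && $mask -le 31 ]]`, directly before `stat=$?`. The `#! /bin/sh #` line is on the second line of the file, after a comment row, so it is not a shebang and the script runs under whichever shell invokes it; as it uses `[[`, `=~`, arrays and `function`, it needs `#!/bin/bash` as the very first line. As in freenetis_synchronization.sh, update() flushes `ranges`, `partners` and `members` before the wget calls and ignores their exit status, so an unreachable server leaves all three sets empty until the next `update` run.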
