Revize 2066
Přidáno uživatelem Michal Kliment před asi 11 roky(ů)
freenetis/branches/1.1/application/vendors/redirection/freenetis-redirection.conf | ||
---|---|---|
################################################################################
|
||
# #
|
||
# This script serves for IS FreenetIS (redirection and QoS) #
|
||
# This script serves for redirection IP policy of IS FreenetIS #
|
||
# #
|
||
# author Sevcik Roman, Kliment Michal 2011 #
|
||
# email sevcik.roman@slfree.net, kliment@freenetis.org #
|
||
# author Kliment Michal, Sevcik Roman #
|
||
# email kliment@freenetis.org, sevcik.roman@slfree.net #
|
||
# #
|
||
# name freenetis-redirection.conf #
|
||
# name freenetis-redirection.sh #
|
||
# version 2.1 #
|
||
# #
|
||
################################################################################
|
||
|
||
... | ... | |
# Log file for redirector deamon, change to /dev/null to disable logging
|
||
LOG_FILE_REDIRECTOR=/var/log/freenetis-http-redirection.log
|
||
|
||
# Input interface on which redirection rules are applicated on
|
||
INPUT_INTERFACE=eth0
|
||
|
||
################################################################################
|
||
# R E D I R E C T I O N S E T T I N G S #
|
||
################################################################################
|
||
|
||
# Local variable contains IP address useful for self-canceling. More info in doc
|
||
IP_TARGET=
|
||
|
||
# Local variable contains port number to be redirect from - mandatory
|
||
PORT_WEB=80
|
||
|
freenetis/branches/1.1/application/vendors/redirection/freenetis-redirection.init.sh | ||
---|---|---|
|
||
################################################################################
|
||
# #
|
||
# This script serves for FreenetIS redirection daemon #
|
||
# This script serves for redirection IP policy of IS FreenetIS #
|
||
# #
|
||
# Author Sevcik Roman 2011 #
|
||
# Email sevcik.roman@slfree.net #
|
||
# author Kliment Michal, Sevcik Roman #
|
||
# email kliment@freenetis.org, sevcik.roman@slfree.net #
|
||
# #
|
||
# Name freenetis-redirection.init.sh #
|
||
# Version 1.9.4 #
|
||
# name freenetis-redirection.sh #
|
||
# version 2.1 #
|
||
# #
|
||
################################################################################
|
||
|
||
... | ... | |
fi
|
||
}
|
||
|
||
# Prints version
|
||
version_redirection ()
|
||
{
|
||
VERSION=`"$REDIRECTION_FILE" version 2>/dev/null`
|
||
|
||
echo $VERSION
|
||
}
|
||
|
||
# Prints usage
|
||
usage_redirection ()
|
||
{
|
||
echo "usage : `echo $0` (start|stop|restart|status|help)"
|
||
echo "usage : `echo $0` (start|stop|restart|status|version|help)"
|
||
}
|
||
|
||
# Prints help
|
||
... | ... | |
echo " stop - stops FreenetIS redirection daemon"
|
||
echo " restart - restarts FreenetIS redirection daemon"
|
||
echo " status - returns actual status of FreenetIS redirection daemon"
|
||
echo " version - prints version"
|
||
echo " help - prints help"
|
||
}
|
||
|
||
... | ... | |
exit 0
|
||
;;
|
||
|
||
version)
|
||
version_redirection
|
||
exit 0
|
||
;;
|
||
|
||
help)
|
||
usage_redirection
|
||
help_redirection
|
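Review bot: `version_redirection` discards the exit status of `"$REDIRECTION_FILE" version`: if the script is missing or not executable it prints an empty line, and the `version)` arm of the case statement still exits 0, so a caller cannot tell a failed lookup from a blank version. Assign and check in one step, `VERSION=$("$REDIRECTION_FILE" version 2>/dev/null) || return 1`, print with `printf '%s\n' "$VERSION"` so a leading `-` or stray globbing cannot alter the output, and let the arm propagate the status with `version_redirection; exit $?`. The backtick-wrapped `echo $0` in both `usage_redirection` lines is a redundant subshell; `"$0"` inline is equivalent and quoted. The case statement these arms belong to starts and ends outside the shown lines.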
freenetis/branches/1.1/application/vendors/redirection/freenetis-redirection.sh | ||
---|---|---|
# #
|
||
# This script serves for redirection IP policy of IS FreenetIS #
|
||
# #
|
||
# author Sevcik Roman 2011 #
|
||
# email sevcik.roman@slfree.net #
|
||
# author Kliment Michal, Sevcik Roman #
|
||
# email kliment@freenetis.org, sevcik.roman@slfree.net #
|
||
# #
|
||
# name freenetis-redirection.sh #
|
||
# version 1.9.4 #
|
||
# name freenetis-redirection.sh #
|
||
# version 2.1 #
|
||
# #
|
||
################################################################################
|
||
|
||
# Version
|
||
VERSION="2.1"
|
||
|
||
# Load variables from config file
|
||
CONFIG=/etc/freenetis/freenetis-redirection.conf
|
||
|
||
... | ... | |
{
|
||
echo -n "Adding iptables rule for self canceling..."
|
||
|
||
#Rule for allowing access. If come packet to $IP_TARGET then we add source address do set allowed and to set seen
|
||
#Rule for allowing access. If come packet to $PORT_SELF_CANCEL then we add source address do set allowed and to set seen
|
||
#Set seen is used for ip synchronization with FreenetIS.
|
||
if [ `rule_exists "PREROUTING -d $IP_TARGET/32 -i $INPUT_INTERFACE -p tcp -m set --match-set self_cancel src -m tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"` -eq 0 ];
|
||
if [ `rule_exists "PREROUTING -p tcp -m set --match-set self_cancel src -m tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"` -eq 0 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --match-set self_cancel src -d $IP_TARGET -p tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"
|
||
run_and_print_result "$IPTABLES -t nat -A PREROUTING -m set --match-set self_cancel src -p tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"
|
||
else
|
||
echo "already added"
|
||
fi
|
||
... | ... | |
echo -n "Adding iptables rule for allowed..."
|
||
|
||
#If IP is allowed then it is not redirected
|
||
if [ `rule_exists "PREROUTING -i $INPUT_INTERFACE -m set --match-set allowed src -j ACCEPT"` -eq 0 ];
|
||
if [ `rule_exists "PREROUTING -m set --match-set allowed src -j ACCEPT"` -eq 0 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --match-set allowed src -j ACCEPT"
|
||
run_and_print_result "$IPTABLES -t nat -A PREROUTING -m set --match-set allowed src -j ACCEPT"
|
||
else
|
||
echo "already added"
|
||
fi
|
||
|
||
echo -n "Adding iptables rule for allowed..."
|
||
|
||
#If IP is allowed then it is not redirected
|
||
if [ `rule_exists "PREROUTING -m set --match-set allowed dst -j ACCEPT"` -eq 0 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -t nat -A PREROUTING -m set --match-set allowed dst -j ACCEPT"
|
||
else
|
||
echo "already added"
|
||
fi
|
||
|
||
echo -n "Adding iptables rule for redirection..."
|
||
|
||
#Redirect everything trafic what has destination port $PORT_WEB to $PORT_REDIRECT
|
||
if [ `rule_exists "PREROUTING -i $INPUT_INTERFACE -p tcp -m set --match-set ranges src -m tcp --dport $PORT_WEB -j REDIRECT --to-ports $PORT_REDIRECT"` -eq 0 ];
|
||
if [ `rule_exists "PREROUTING -p tcp -m set --match-set ranges src -m tcp --dport $PORT_WEB -j REDIRECT --to-ports $PORT_REDIRECT"` -eq 0 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --match-set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT"
|
||
run_and_print_result "$IPTABLES -t nat -A PREROUTING -m set --match-set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT"
|
||
else
|
||
echo "already added"
|
||
fi
|
||
... | ... | |
echo -n "Adding iptables rule for allowed..."
|
||
|
||
#If IP is allowed then it is not redirected
|
||
if [ `rule_exists "FORWARD -i $INPUT_INTERFACE -m set --match-set allowed src -j ACCEPT"` -eq 0 ];
|
||
if [ `rule_exists "FORWARD -m set --match-set allowed src -j ACCEPT"` -eq 0 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -I FORWARD 1 -m set --match-set allowed src -j ACCEPT"
|
||
run_and_print_result "$IPTABLES -I FORWARD 1 -m set --match-set allowed src -j ACCEPT"
|
||
else
|
||
echo "already added"
|
||
fi
|
||
|
||
echo -n "Adding iptables rule for allowed..."
|
||
|
||
#If IP is allowed then it is not redirected
|
||
if [ `rule_exists "FORWARD -m set --match-set allowed dst -j ACCEPT"` -eq 0 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -I FORWARD 2 -m set --match-set allowed dst -j ACCEPT"
|
||
else
|
||
echo "already added"
|
||
fi
|
||
|
||
echo -n "Adding iptables rule for block others..."
|
||
|
||
#Else everything drop
|
||
if [ `rule_exists "FORWARD -i $INPUT_INTERFACE -m set --match-set ranges src -j DROP"` -eq 0 ];
|
||
if [ `rule_exists "FORWARD -m set --match-set ranges src -j DROP"` -eq 0 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -I FORWARD 2 -m set --match-set ranges src -j DROP"
|
||
run_and_print_result "$IPTABLES -I FORWARD 3 -m set --match-set ranges src -j DROP"
|
||
else
|
||
echo "already added"
|
||
fi
|
||
... | ... | |
delete_rules()
|
||
{
|
||
echo -n "Deleting iptables rule for self canceling..."
|
||
#Rule for allowing access. If come packet to $IP_TARGET then we add source address do set allowed and to set seen
|
||
#Rule for allowing access. If come packet to $PORT_SELF_CANCEL then we add source address do set allowed and to set seen
|
||
#Set seen is used for ip synchronization with FreenetIS.
|
||
if [ `rule_exists "PREROUTING -d $IP_TARGET/32 -i $INPUT_INTERFACE -p tcp -m set --match-set self_cancel src -m tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"` -eq 1 ];
|
||
if [ `rule_exists "PREROUTING -p tcp -m set --match-set self_cancel src -m tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"` -eq 1 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --match-set self_cancel src -d $IP_TARGET -p tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"
|
||
run_and_print_result "$IPTABLES -t nat -D PREROUTING -m set --match-set self_cancel src -p tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"
|
||
else
|
||
echo "already deleted"
|
||
fi
|
||
|
||
echo -n "Deleting iptables rule for allowed..."
|
||
#If IP is allowed then it is not redirected
|
||
if [ `rule_exists "PREROUTING -i $INPUT_INTERFACE -m set --match-set allowed src -j ACCEPT"` -eq 1 ];
|
||
if [ `rule_exists "PREROUTING -m set --match-set allowed src -j ACCEPT"` -eq 1 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --match-set allowed src -j ACCEPT"
|
||
run_and_print_result "$IPTABLES -t nat -D PREROUTING -m set --match-set allowed src -j ACCEPT"
|
||
else
|
||
echo "already deleted"
|
||
fi
|
||
|
||
echo -n "Deleting iptables rule for allowed..."
|
||
#If IP is allowed then it is not redirected
|
||
if [ `rule_exists "PREROUTING -m set --match-set allowed dst -j ACCEPT"` -eq 1 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -t nat -D PREROUTING -m set --match-set allowed dst -j ACCEPT"
|
||
else
|
||
echo "already deleted"
|
||
fi
|
||
|
||
echo -n "Deleting iptables rule for redirection..."
|
||
#Redirect everything trafic what has destination port $PORT_WEB to $PORT_REDIRECT
|
||
if [ `rule_exists "PREROUTING -i $INPUT_INTERFACE -p tcp -m set --match-set ranges src -m tcp --dport $PORT_WEB -j REDIRECT --to-ports $PORT_REDIRECT"` -eq 1 ];
|
||
if [ `rule_exists "PREROUTING -p tcp -m set --match-set ranges src -m tcp --dport $PORT_WEB -j REDIRECT --to-ports $PORT_REDIRECT"` -eq 1 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --match-set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT"
|
||
run_and_print_result "$IPTABLES -t nat -D PREROUTING -m set --match-set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT"
|
||
else
|
||
echo "already deleted"
|
||
fi
|
||
|
||
echo -n "Deleting iptables rule for allowed..."
|
||
#If IP is allowed then it is not redirected
|
||
if [ `rule_exists "FORWARD -i $INPUT_INTERFACE -m set --match-set allowed src -j ACCEPT"` -eq 1 ];
|
||
if [ `rule_exists "FORWARD -m set --match-set allowed src -j ACCEPT"` -eq 1 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -D FORWARD -m set --match-set allowed src -j ACCEPT"
|
||
run_and_print_result "$IPTABLES -D FORWARD -m set --match-set allowed src -j ACCEPT"
|
||
else
|
||
echo "already deleted"
|
||
fi
|
||
|
||
echo -n "Deleting iptables rule for allowed..."
|
||
#If IP is allowed then it is not redirected
|
||
if [ `rule_exists "FORWARD -m set --match-set allowed dst -j ACCEPT"` -eq 1 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -D FORWARD -m set --match-set allowed dst -j ACCEPT"
|
||
else
|
||
echo "already deleted"
|
||
fi
|
||
|
||
echo -n "Deleting iptables rule for block others..."
|
||
#Else everything drop
|
||
if [ `rule_exists "FORWARD -i $INPUT_INTERFACE -m set --match-set ranges src -j DROP"` -eq 1 ];
|
||
if [ `rule_exists "FORWARD -m set --match-set ranges src -j DROP"` -eq 1 ];
|
||
then
|
||
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -D FORWARD -m set --match-set ranges src -j DROP"
|
||
run_and_print_result "$IPTABLES -D FORWARD -m set --match-set ranges src -j DROP"
|
||
else
|
||
echo "already deleted"
|
||
fi
|
||
... | ... | |
usage ()
|
||
{
|
||
echo "Usage : `echo $0` ACTION [ LOG FILE ]"
|
||
echo "where ACTION := { start | stop | restart | sync | run | help }"
|
||
echo "where ACTION := { start | stop | restart | sync | run | version | help }"
|
||
}
|
||
|
||
# Prints version
|
||
version ()
|
||
{
|
||
echo $VERSION
|
||
}
|
||
|
||
# Prints help
|
||
help ()
|
||
{
|
||
... | ... | |
echo " restart - deletes and recreates firewall rules and ipsets for redirection"
|
||
echo " sync - sync content of ipsets with FreenetIS"
|
||
echo " run - run complete redirection in endless loop"
|
||
echo " version - print version"
|
||
echo " help - prints help for redirection"
|
||
}
|
||
|
||
... | ... | |
exit 0
|
||
;;
|
||
|
||
version)
|
||
version
|
||
exit 0
|
||
;;
|
||
|
||
help)
|
||
usage
|
||
help
|
||
... | ... | |
|
||
esac
|
||
|
||
exit 0
|
||
exit 0
|
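Review bot: Dropping `-d $IP_TARGET/32` from the self-cancel rule in the first hunk (the enclosing function's name is outside the shown lines) widens the trigger: any TCP packet from a `self_cancel` member to port `$PORT_SELF_CANCEL` on any destination, not only the FreenetIS host, now adds the source to `allowed` and thereby lifts both the REDIRECT and the FORWARD DROP for that address. If the `-i $INPUT_INTERFACE` removal is what #683 needed, keep the destination match in the `rule_exists` check, the add command and the matching `delete_rules` entry, e.g. `-m set --match-set self_cancel src -d $IP_TARGET -p tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src`, and guard it with `: "${IP_TARGET:?must be set}"` before rules are added; if the port alone is meant to be the trigger, state that in the config comment. The two new `allowed dst -j ACCEPT` rules (nat PREROUTING and `-I FORWARD 2`) reuse the comment `#If IP is allowed then it is not redirected`, which describes the src variant; a comment such as `#Traffic destined to an IP in set allowed is accepted before the ranges REDIRECT/DROP` says what they do, and it is worth noting that if `allowed` also holds end-user addresses, hosts in `ranges` can now forward to those users. The `-I FORWARD 1`, `2` and `3` positions only yield the intended order if nothing else inserts into FORWARD between calls; the `rule_exists` checks confirm presence, not relative order.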
freenetis-redirection 2.1
Opravy:
- fixes #642: Vypsani verze
- fixes #683: Podpora vice vstupnich rozhrani