
Revize 2066

Přidáno uživatelem Michal Kliment před asi 11 roky(ů)

freenetis-redirection 2.1

Opravy:
- fixes #642: Vypsani verze
- fixes #683: Podpora vice vstupnich rozhrani


freenetis/branches/1.1/application/vendors/redirection/freenetis-redirection.conf
################################################################################
# #
# This script serves for IS FreenetIS (redirection and QoS) #
# This script serves for redirection IP policy of IS FreenetIS #
# #
# author Sevcik Roman, Kliment Michal 2011 #
# email sevcik.roman@slfree.net, kliment@freenetis.org #
# author Kliment Michal, Sevcik Roman #
# email kliment@freenetis.org, sevcik.roman@slfree.net #
# #
# name freenetis-redirection.conf #
# name freenetis-redirection.sh #
# version 2.1 #
# #
################################################################################
......
# Log file for redirector deamon, change to /dev/null to disable logging
LOG_FILE_REDIRECTOR=/var/log/freenetis-http-redirection.log
# Input interface on which redirection rules are applicated on
INPUT_INTERFACE=eth0
################################################################################
# R E D I R E C T I O N S E T T I N G S #
################################################################################
# Local variable contains IP address useful for self-canceling. More info in doc
IP_TARGET=
# Local variable contains port number to be redirect from - mandatory
PORT_WEB=80
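Review bot: The rewritten header line `# name freenetis-redirection.sh #` (replacing `# name freenetis-redirection.conf #`) names the wrong file for this config; it should stay `# name freenetis-redirection.conf #`. The new `INPUT_INTERFACE=eth0` setting is documented as the interface "on which redirection rules are applicated on", yet the freenetis-redirection.sh change in this same revision removes `-i $INPUT_INTERFACE` from every rule it adds or deletes, so it looks like the value is no longer consumed; if that is the case the comment should say that the rules now apply on all interfaces, or the setting should be dropped, so an operator does not assume the redirection is confined to one interface. The same applies to `IP_TARGET`, whose comment still describes it as used for self-canceling while the `-d $IP_TARGET` match is removed from the self-cancel rule.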
freenetis/branches/1.1/application/vendors/redirection/freenetis-redirection.init.sh
################################################################################
# #
# This script serves for FreenetIS redirection daemon #
# This script serves for redirection IP policy of IS FreenetIS #
# #
# Author Sevcik Roman 2011 #
# Email sevcik.roman@slfree.net #
# author Kliment Michal, Sevcik Roman #
# email kliment@freenetis.org, sevcik.roman@slfree.net #
# #
# Name freenetis-redirection.init.sh #
# Version 1.9.4 #
# name freenetis-redirection.sh #
# version 2.1 #
# #
################################################################################
......
fi
}
# Prints version
version_redirection ()
{
VERSION=`"$REDIRECTION_FILE" version 2>/dev/null`
echo $VERSION
}
# Prints usage
usage_redirection ()
{
echo "usage : `echo $0` (start|stop|restart|status|help)"
echo "usage : `echo $0` (start|stop|restart|status|version|help)"
}
# Prints help
......
echo " stop - stops FreenetIS redirection daemon"
echo " restart - restarts FreenetIS redirection daemon"
echo " status - returns actual status of FreenetIS redirection daemon"
echo " version - prints version"
echo " help - prints help"
}
......
exit 0
;;
version)
version_redirection
exit 0
;;
help)
usage_redirection
help_redirection
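Review bot: The new header line `# name freenetis-redirection.sh #` in this init script replaces `# Name freenetis-redirection.init.sh #` and now names the daemon script instead of this file; it should read `# name freenetis-redirection.init.sh #`. In `version_redirection` the result is stored in the global `VERSION` and printed as `echo $VERSION`, which word-splits and would misbehave for a value starting with `-`; `printf '%s\n' "$VERSION"` (or a quoted `echo "$VERSION"`) prints it verbatim. The function also silently prints an empty line when `"$REDIRECTION_FILE" version` fails because stderr is discarded; a non-zero return in that case would let callers detect the failure.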
freenetis/branches/1.1/application/vendors/redirection/freenetis-redirection.sh
# #
# This script serves for redirection IP policy of IS FreenetIS #
# #
# author Sevcik Roman 2011 #
# email sevcik.roman@slfree.net #
# author Kliment Michal, Sevcik Roman #
# email kliment@freenetis.org, sevcik.roman@slfree.net #
# #
# name freenetis-redirection.sh #
# version 1.9.4 #
# name freenetis-redirection.sh #
# version 2.1 #
# #
################################################################################
# Version
VERSION="2.1"
# Load variables from config file
CONFIG=/etc/freenetis/freenetis-redirection.conf
......
{
echo -n "Adding iptables rule for self canceling..."
#Rule for allowing access. If come packet to $IP_TARGET then we add source address do set allowed and to set seen
#Rule for allowing access. If come packet to $PORT_SELF_CANCEL then we add source address do set allowed and to set seen
#Set seen is used for ip synchronization with FreenetIS.
if [ `rule_exists "PREROUTING -d $IP_TARGET/32 -i $INPUT_INTERFACE -p tcp -m set --match-set self_cancel src -m tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"` -eq 0 ];
if [ `rule_exists "PREROUTING -p tcp -m set --match-set self_cancel src -m tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"` -eq 0 ];
then
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --match-set self_cancel src -d $IP_TARGET -p tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"
run_and_print_result "$IPTABLES -t nat -A PREROUTING -m set --match-set self_cancel src -p tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"
else
echo "already added"
fi
......
echo -n "Adding iptables rule for allowed..."
#If IP is allowed then it is not redirected
if [ `rule_exists "PREROUTING -i $INPUT_INTERFACE -m set --match-set allowed src -j ACCEPT"` -eq 0 ];
if [ `rule_exists "PREROUTING -m set --match-set allowed src -j ACCEPT"` -eq 0 ];
then
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --match-set allowed src -j ACCEPT"
run_and_print_result "$IPTABLES -t nat -A PREROUTING -m set --match-set allowed src -j ACCEPT"
else
echo "already added"
fi
echo -n "Adding iptables rule for allowed..."
#If IP is allowed then it is not redirected
if [ `rule_exists "PREROUTING -m set --match-set allowed dst -j ACCEPT"` -eq 0 ];
then
run_and_print_result "$IPTABLES -t nat -A PREROUTING -m set --match-set allowed dst -j ACCEPT"
else
echo "already added"
fi
echo -n "Adding iptables rule for redirection..."
#Redirect everything trafic what has destination port $PORT_WEB to $PORT_REDIRECT
if [ `rule_exists "PREROUTING -i $INPUT_INTERFACE -p tcp -m set --match-set ranges src -m tcp --dport $PORT_WEB -j REDIRECT --to-ports $PORT_REDIRECT"` -eq 0 ];
if [ `rule_exists "PREROUTING -p tcp -m set --match-set ranges src -m tcp --dport $PORT_WEB -j REDIRECT --to-ports $PORT_REDIRECT"` -eq 0 ];
then
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --match-set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT"
run_and_print_result "$IPTABLES -t nat -A PREROUTING -m set --match-set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT"
else
echo "already added"
fi
......
echo -n "Adding iptables rule for allowed..."
#If IP is allowed then it is not redirected
if [ `rule_exists "FORWARD -i $INPUT_INTERFACE -m set --match-set allowed src -j ACCEPT"` -eq 0 ];
if [ `rule_exists "FORWARD -m set --match-set allowed src -j ACCEPT"` -eq 0 ];
then
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -I FORWARD 1 -m set --match-set allowed src -j ACCEPT"
run_and_print_result "$IPTABLES -I FORWARD 1 -m set --match-set allowed src -j ACCEPT"
else
echo "already added"
fi
echo -n "Adding iptables rule for allowed..."
#If IP is allowed then it is not redirected
if [ `rule_exists "FORWARD -m set --match-set allowed dst -j ACCEPT"` -eq 0 ];
then
run_and_print_result "$IPTABLES -I FORWARD 2 -m set --match-set allowed dst -j ACCEPT"
else
echo "already added"
fi
echo -n "Adding iptables rule for block others..."
#Else everything drop
if [ `rule_exists "FORWARD -i $INPUT_INTERFACE -m set --match-set ranges src -j DROP"` -eq 0 ];
if [ `rule_exists "FORWARD -m set --match-set ranges src -j DROP"` -eq 0 ];
then
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -I FORWARD 2 -m set --match-set ranges src -j DROP"
run_and_print_result "$IPTABLES -I FORWARD 3 -m set --match-set ranges src -j DROP"
else
echo "already added"
fi
......
delete_rules()
{
echo -n "Deleting iptables rule for self canceling..."
#Rule for allowing access. If come packet to $IP_TARGET then we add source address do set allowed and to set seen
#Rule for allowing access. If come packet to $PORT_SELF_CANCEL then we add source address do set allowed and to set seen
#Set seen is used for ip synchronization with FreenetIS.
if [ `rule_exists "PREROUTING -d $IP_TARGET/32 -i $INPUT_INTERFACE -p tcp -m set --match-set self_cancel src -m tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"` -eq 1 ];
if [ `rule_exists "PREROUTING -p tcp -m set --match-set self_cancel src -m tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"` -eq 1 ];
then
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --match-set self_cancel src -d $IP_TARGET -p tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"
run_and_print_result "$IPTABLES -t nat -D PREROUTING -m set --match-set self_cancel src -p tcp --dport $PORT_SELF_CANCEL -j SET --add-set allowed src"
else
echo "already deleted"
fi
echo -n "Deleting iptables rule for allowed..."
#If IP is allowed then it is not redirected
if [ `rule_exists "PREROUTING -i $INPUT_INTERFACE -m set --match-set allowed src -j ACCEPT"` -eq 1 ];
if [ `rule_exists "PREROUTING -m set --match-set allowed src -j ACCEPT"` -eq 1 ];
then
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --match-set allowed src -j ACCEPT"
run_and_print_result "$IPTABLES -t nat -D PREROUTING -m set --match-set allowed src -j ACCEPT"
else
echo "already deleted"
fi
echo -n "Deleting iptables rule for allowed..."
#If IP is allowed then it is not redirected
if [ `rule_exists "PREROUTING -m set --match-set allowed dst -j ACCEPT"` -eq 1 ];
then
run_and_print_result "$IPTABLES -t nat -D PREROUTING -m set --match-set allowed dst -j ACCEPT"
else
echo "already deleted"
fi
echo -n "Deleting iptables rule for redirection..."
#Redirect everything trafic what has destination port $PORT_WEB to $PORT_REDIRECT
if [ `rule_exists "PREROUTING -i $INPUT_INTERFACE -p tcp -m set --match-set ranges src -m tcp --dport $PORT_WEB -j REDIRECT --to-ports $PORT_REDIRECT"` -eq 1 ];
if [ `rule_exists "PREROUTING -p tcp -m set --match-set ranges src -m tcp --dport $PORT_WEB -j REDIRECT --to-ports $PORT_REDIRECT"` -eq 1 ];
then
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --match-set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT"
run_and_print_result "$IPTABLES -t nat -D PREROUTING -m set --match-set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT"
else
echo "already deleted"
fi
echo -n "Deleting iptables rule for allowed..."
#If IP is allowed then it is not redirected
if [ `rule_exists "FORWARD -i $INPUT_INTERFACE -m set --match-set allowed src -j ACCEPT"` -eq 1 ];
if [ `rule_exists "FORWARD -m set --match-set allowed src -j ACCEPT"` -eq 1 ];
then
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -D FORWARD -m set --match-set allowed src -j ACCEPT"
run_and_print_result "$IPTABLES -D FORWARD -m set --match-set allowed src -j ACCEPT"
else
echo "already deleted"
fi
echo -n "Deleting iptables rule for allowed..."
#If IP is allowed then it is not redirected
if [ `rule_exists "FORWARD -m set --match-set allowed dst -j ACCEPT"` -eq 1 ];
then
run_and_print_result "$IPTABLES -D FORWARD -m set --match-set allowed dst -j ACCEPT"
else
echo "already deleted"
fi
echo -n "Deleting iptables rule for block others..."
#Else everything drop
if [ `rule_exists "FORWARD -i $INPUT_INTERFACE -m set --match-set ranges src -j DROP"` -eq 1 ];
if [ `rule_exists "FORWARD -m set --match-set ranges src -j DROP"` -eq 1 ];
then
run_and_print_result "$IPTABLES -i $INPUT_INTERFACE -D FORWARD -m set --match-set ranges src -j DROP"
run_and_print_result "$IPTABLES -D FORWARD -m set --match-set ranges src -j DROP"
else
echo "already deleted"
fi
......
usage ()
{
echo "Usage : `echo $0` ACTION [ LOG FILE ]"
echo "where ACTION := { start | stop | restart | sync | run | help }"
echo "where ACTION := { start | stop | restart | sync | run | version | help }"
}
# Prints version
version ()
{
echo $VERSION
}
# Prints help
help ()
{
......
echo " restart - deletes and recreates firewall rules and ipsets for redirection"
echo " sync - sync content of ipsets with FreenetIS"
echo " run - run complete redirection in endless loop"
echo " version - print version"
echo " help - prints help for redirection"
}
......
exit 0
;;
version)
version
exit 0
;;
help)
usage
help
......
esac
exit 0
exit 0
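Review bot: The FORWARD rules are now placed by absolute position (`-I FORWARD 1` for allowed src, `-I FORWARD 2` for allowed dst, `-I FORWARD 3` for the DROP on `ranges`), which only yields ACCEPT-before-DROP when all three are inserted in one run; if either ACCEPT rule reports "already added" at some other position, or other FORWARD rules exist, the DROP inserted at 3 can land above an ACCEPT and hosts in the `allowed` set are dropped. A dedicated user chain (created once, jumped to from FORWARD) would fix the relative order regardless of what else is in FORWARD; a smaller change is to insert the DROP rule before the two ACCEPT rules and use `-I FORWARD 1` for all three, so each ACCEPT always ends up above it. Separately, the self-cancel rule drops the `-d $IP_TARGET/32` match, so any source in `self_cancel` reaching port `$PORT_SELF_CANCEL` on any destination is added to `allowed`; if that widening is not intended, keep the `-d` match when `IP_TARGET` is non-empty. The enclosing function for the add rules starts outside the hunk.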
