Revize 890
Přidáno uživatelem Roman Ševčík před více než 13 roky(ů)
freenetis/branches/redirection/scripts/frnts_synchronization.sh | ||
---|---|---|
#! /bin/bash
|
||
##################################################################################
|
||
# #
|
||
# This script serves for redirection ip policy of IS FreeNetIS #
|
||
# #
|
||
# auhtor Sevcik Roman 2011 #
|
||
# email sevcik.roman@slfree.net #
|
||
# #
|
||
# name frnts_synchronization.sh #
|
||
# version 1.9 #
|
||
# #
|
||
##################################################################################
|
||
|
||
|
||
#Local variable contains path to iptables - mandatory
|
||
IPTABLES=/sbin/iptables
|
||
|
||
#Local variable contains ip address useful for self-canceling. More infos in doc
|
||
IP_TARGET=212.111.4.121
|
||
|
||
#Local variable contains port number to be redirect from - mandatory
|
||
PORT_WEB=80
|
||
|
||
#Local variable contains port number to be redirect to - mandatory
|
||
PORT_REDIRECT=36000
|
||
|
||
|
||
#URL of pages which we need to dowload from freenetis.
|
||
#SET_URL_RANGES - contains list of CIDR networks (e.g. 192.160.0/23) which we can regirect
|
||
#SET_URL_WHITELIST - contains list of "whitelisted" IP addresses of members will not be redirect. Never
|
||
#SET_URL_ALLOWED - contains list of IP allowed adresses will not be redirect
|
||
#SET_URL_SELF_CANCEL - contains list of IP adresses which can disable redirection itself
|
||
#SET_URL_SEEN - ulpoads list of IP adresses which have already disabled redirection itsef
|
||
|
||
#SET_URL_RANGES=http://<hostname>/cs/web_interface/redirected_ranges
|
||
#SET_URL_WHITELIST=http://<hostname>/cs/web_interface/whitelist
|
||
#SET_URL_ALLOWED=http://<hostname>/cs/web_interface/allowed_ip_addresses
|
||
#SET_URL_SELF_CANCEL=http://<hostname>/cs/web_interface/self_cancelable_ip_addresses
|
||
#SET_URL_SEEN=http://<hostname>/cs/web_interface/already_seen
|
||
|
||
SET_URL_RANGES=http://10.144.0.1:8080/ranges
|
||
SET_URL_WHITELIST=http://10.144.0.1:8080/whitelist
|
||
SET_URL_ALLOWED=http://10.144.0.1:8080/allowed
|
||
SET_URL_SELF_CANCEL=http://10.144.0.1:8080/self_cancel
|
||
SET_URL_SEEN=http://10.144.0.1:8080/seen.php
|
||
|
||
#Paths where temporary data will be saved.
|
||
PATH_RANGES=/tmp/ranges
|
||
PATH_WHITELIST=/tmp/whitelist
|
||
PATH_ALLOWED=/tmp/allowed
|
||
PATH_SELF_CANCEL=/tmp/self_cancel
|
||
|
||
#######################################################################################
|
||
|
||
# Function returns 1 if is ip valid
|
||
# @param ip adresa
|
||
# return 1 if is ip valid
|
||
valid_ip ()
|
||
{
|
||
local ip=$1
|
||
local stat=1
|
||
|
||
if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
|
||
OIFS=$IFS
|
||
IFS='.'
|
||
ip=($ip)
|
||
IFS=$OIFS
|
||
[[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
|
||
stat=$?
|
||
fi;
|
||
return $stat
|
||
}
|
||
|
||
|
||
start ()
|
||
{
|
||
echo "Adding sets.";
|
||
|
||
ipset -N whitelist iphash --hashsize 10000 --probes 4 --resize 50
|
||
ipset -N allowed iphash --hashsize 10000 --probes 8 --resize 50
|
||
ipset -N self_cancel iphash --hashsize 10000 --probes 8 --resize 50
|
||
ipset -N seen iphash --hashsize 10000 --probes 8 --resize 50
|
||
ipset -N ranges nethash --hashsize 1024 --probes 4 --resize 50
|
||
|
||
|
||
echo "Adding firewall rules.";
|
||
|
||
#Rule for allowing access. If come packet to $IP_TARGET then we add souce address do set allowed and to set seen
|
||
#Set seen is used for ip synchronization with FreeNetIS.
|
||
$IPTABLES -i eth1 -t nat -A PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set allowed src
|
||
$IPTABLES -i eth1 -t nat -A PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set seen src
|
||
|
||
#If is IP in set whitelist or allowed then it is not redirected
|
||
$IPTABLES -i eth1 -t nat -A PREROUTING -m set --set whitelist src -j ACCEPT
|
||
$IPTABLES -i eth1 -t nat -A PREROUTING -m set --set allowed src -j ACCEPT
|
||
|
||
#Redirect everything trafic what has destination port $PORT_WEB to $PORT_REDIRECT
|
||
$IPTABLES -i eth1 -t nat -A PREROUTING -m set --set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT
|
||
|
||
#If is IP in set whitelist or allowed then it is not redirected
|
||
$IPTABLES -i eth1 -I FORWARD 1 -m set --set whitelist src -j ACCEPT
|
||
$IPTABLES -i eth1 -I FORWARD 2 -m set --set allowed src -j ACCEPT
|
||
|
||
#Else everything drop
|
||
$IPTABLES -i eth1 -I FORWARD 3 -m set --set ranges src -j DROP
|
||
}
|
||
|
||
stop ()
|
||
{
|
||
|
||
echo "Deleting firewall rules.";
|
||
|
||
#Rule for allowing access. If come packet to $IP_TARGET then we add souce address do set allowed and to set seen
|
||
#Set seen is used for ip synchronization with FreeNetIS.
|
||
$IPTABLES -i eth1 -t nat -D PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set allowed src
|
||
$IPTABLES -i eth1 -t nat -D PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set seen src
|
||
|
||
#If is IP in set whitelist or allowed then it is not redirected
|
||
$IPTABLES -i eth1 -t nat -D PREROUTING -m set --set whitelist src -j ACCEPT
|
||
$IPTABLES -i eth1 -t nat -D PREROUTING -m set --set allowed src -j ACCEPT
|
||
|
||
#Redirect everything trafic what has destination port $PORT_WEB to $PORT_REDIRECT
|
||
$IPTABLES -i eth1 -t nat -D PREROUTING -m set --set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT
|
||
|
||
#If is IP in set whitelist or allowed then it is not redirected
|
||
$IPTABLES -i eth1 -D FORWARD -m set --set whitelist src -j ACCEPT
|
||
$IPTABLES -i eth1 -D FORWARD -m set --set allowed src -j ACCEPT
|
||
|
||
#Else everything drop
|
||
$IPTABLES -i eth1 -D FORWARD -m set --set ranges src -j DROP
|
||
|
||
echo "Deleting sets.";
|
||
|
||
ipset -X whitelist
|
||
ipset -X allowed
|
||
ipset -X self_cancel
|
||
ipset -X seen
|
||
ipset -X ranges
|
||
}
|
||
|
||
|
||
|
||
update ()
|
||
{
|
||
|
||
#Erase content of all sets
|
||
echo "Cleaning sets...";
|
||
ipset -F whitelist
|
||
ipset -F allowed
|
||
ipset -F self_cancel
|
||
ipset -F ranges
|
||
|
||
|
||
#Some stuff - do not delete!
|
||
#oldifs=$IFS
|
||
#export IFS=";" ; echo "pole je ${a[*]}"
|
||
#IFS=$oldifs
|
||
#echo "pole je ${a[*]}"
|
||
|
||
#Send data from seen set to server
|
||
for i in $(ipset -L seen);
|
||
do
|
||
if valid_ip $i; then
|
||
seen="$seen$i;";
|
||
fi
|
||
done
|
||
|
||
seen=${seen%;}
|
||
|
||
echo "Sending seen set data...";
|
||
wget -q -O /dev/null $SET_URL_SEEN --no-check-certificate --post-data "seen=$seen"
|
||
|
||
echo "Downloading data...";
|
||
wget -q -O $PATH_WHITELIST $SET_URL_WHITELIST --no-check-certificate
|
||
wget -q -O $PATH_ALLOWED $SET_URL_ALLOWED --no-check-certificate
|
||
wget -q -O $PATH_SELF_CANCEL $SET_URL_SELF_CANCEL --no-check-certificate
|
||
wget -q -O $PATH_RANGES $SET_URL_RANGES --no-check-certificate
|
||
|
||
|
||
#Filling sets
|
||
|
||
for i in $(cat $PATH_WHITELIST);
|
||
do
|
||
echo "$i - added to set whitelist"
|
||
ipset -A whitelist $i
|
||
done
|
||
|
||
for i in $(cat $PATH_ALLOWED);
|
||
do
|
||
echo "$i - added to set allowed"
|
||
ipset -A allowed $i
|
||
done
|
||
|
||
for i in $(cat $PATH_SELF_CANCEL);
|
||
do
|
||
echo "$i - added to set self_cancel"
|
||
ipset -A self_cancel $i
|
||
done
|
||
|
||
for i in $(cat $PATH_RANGES);
|
||
do
|
||
echo "$i - added to set ranges"
|
||
ipset -A ranges $i
|
||
done
|
||
|
||
#Erase content of seen set
|
||
echo "Cleaning seen set...";
|
||
ipset -F seen
|
||
|
||
#Cleaning up...
|
||
rm $PATH_RANGES
|
||
rm $PATH_WHITELIST
|
||
rm $PATH_ALLOWED
|
||
rm $PATH_SELF_CANCEL
|
||
}
|
||
|
||
|
||
# Function shows help
|
||
help ()
|
||
{
|
||
echo "usage : (start | update | stop | restart)"
|
||
echo "start - initialization of firewall rules"
|
||
echo "update - load ipset data from defined URLs"
|
||
echo "stop - clears firewall rules"
|
||
echo "restart - restarts firewall rules"
|
||
}
|
||
|
||
# Is parameter #1 zero length?
|
||
if [ -z "$1" ]; then
|
||
help
|
||
exit 1
|
||
fi;
|
||
|
||
case "$1" in
|
||
start)
|
||
|
||
start
|
||
exit 1
|
||
;;
|
||
|
||
restart)
|
||
|
||
stop
|
||
start
|
||
update
|
||
exit 1
|
||
;;
|
||
|
||
update)
|
||
|
||
update
|
||
exit 1
|
||
;;
|
||
|
||
*)
|
||
|
||
help
|
||
exit 1
|
||
;;
|
||
stop)
|
||
|
||
stop
|
||
exit 1
|
||
;;
|
||
|
||
esac
|
||
|
||
exit 0
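Review bot: In the dispatch `case` at the bottom of the file the `stop)` arm is placed after the catch-all `*)`, so `stop` can never match and running the script with `stop` only prints help while the iptables rules and ipset sets stay in place; move `stop)` above `*)`. Every arm also ends in `exit 1`, so the script reports failure even when start/update succeeded and the final `exit 0` is unreachable — use `exit 0` in the successful arms. Separately, `update` flushes whitelist/allowed/self_cancel/ranges before the downloads, and `wget -O` truncates the target file when the fetch fails, so a single failed fetch leaves the sets empty while the FORWARD DROP and REDIRECT rules remain active; download first, check each wget status, and only then flush and refill. The refill loops pass each token of `$(cat $PATH_…)` unquoted to `ipset -A` without the `valid_ip` check that the seen-set loop uses; reading with `while IFS= read -r` and validating entries (`valid_ip` for the IP sets, a CIDR-aware check for ranges) before `ipset -A` keeps malformed server output out of the firewall state.
```shell
# … unchanged: seen-set POST …

echo "Downloading data...";
wget -q -O "$PATH_WHITELIST" "$SET_URL_WHITELIST" --no-check-certificate || { echo "whitelist download failed, sets left untouched" >&2; return 1; }
wget -q -O "$PATH_ALLOWED" "$SET_URL_ALLOWED" --no-check-certificate || { echo "allowed download failed, sets left untouched" >&2; return 1; }
wget -q -O "$PATH_SELF_CANCEL" "$SET_URL_SELF_CANCEL" --no-check-certificate || { echo "self_cancel download failed, sets left untouched" >&2; return 1; }
wget -q -O "$PATH_RANGES" "$SET_URL_RANGES" --no-check-certificate || { echo "ranges download failed, sets left untouched" >&2; return 1; }

# Flush only after every download succeeded
echo "Cleaning sets...";
ipset -F whitelist
ipset -F allowed
ipset -F self_cancel
ipset -F ranges

# Validate each entry before it reaches the firewall state
while IFS= read -r i; do
  if valid_ip "$i"; then
    echo "$i - added to set whitelist"
    ipset -A whitelist "$i"
  fi
done < "$PATH_WHITELIST"
# … allowed and self_cancel loops: same shape as whitelist …
# … ranges loop: same shape, with a CIDR-aware check in place of valid_ip …

# … unchanged: flush of seen set and cleanup …
```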
|
Smazani nepotrebnych souboru