
Revize 890

Přidáno uživatelem Roman Ševčík před více než 13 roky(ů)

Smazani nepotrebnych souboru


freenetis/branches/redirection/scripts/frnts_synchronization.sh
#! /bin/bash
##################################################################################
#                                                                                #
#  This script serves for redirection ip policy of IS FreeNetIS                  #
#                                                                                #
#  author   Sevcik Roman 2011                                                    #
#  email    sevcik.roman@slfree.net                                              #
#                                                                                #
#  name     frnts_synchronization.sh                                             #
#  version  1.9                                                                  #
#                                                                                #
##################################################################################

# Path to the iptables binary - mandatory.
IPTABLES="/sbin/iptables"
# Address a member contacts to cancel the redirection for themselves
# (matched by the self_cancel rules in start). More in the documentation.
IP_TARGET="212.111.4.121"
# Port whose traffic is redirected - mandatory.
PORT_WEB="80"
# Port the traffic is redirected to - mandatory.
PORT_REDIRECT="36000"

# URLs of the pages fetched from / posted to FreeNetIS:
#   SET_URL_RANGES      - CIDR networks (e.g. 192.168.0.0/23) whose traffic may be redirected
#   SET_URL_WHITELIST   - IP addresses of members that are never redirected
#   SET_URL_ALLOWED     - IP addresses that are not redirected
#   SET_URL_SELF_CANCEL - IP addresses allowed to disable the redirection themselves
#   SET_URL_SEEN        - upload target for the IP addresses that already disabled it
# Production layout of the pages:
#   SET_URL_RANGES=http://<hostname>/cs/web_interface/redirected_ranges
#   SET_URL_WHITELIST=http://<hostname>/cs/web_interface/whitelist
#   SET_URL_ALLOWED=http://<hostname>/cs/web_interface/allowed_ip_addresses
#   SET_URL_SELF_CANCEL=http://<hostname>/cs/web_interface/self_cancelable_ip_addresses
#   SET_URL_SEEN=http://<hostname>/cs/web_interface/already_seen
# NOTE(review): these are plain-http endpoints and update() passes
# --no-check-certificate, so the lists that drive the firewall are fetched
# without transport authentication.
SET_URL_RANGES="http://10.144.0.1:8080/ranges"
SET_URL_WHITELIST="http://10.144.0.1:8080/whitelist"
SET_URL_ALLOWED="http://10.144.0.1:8080/allowed"
SET_URL_SELF_CANCEL="http://10.144.0.1:8080/self_cancel"
SET_URL_SEEN="http://10.144.0.1:8080/seen.php"

# Where the downloaded lists are stored temporarily. These are predictable
# names under /tmp; a script that runs as root should create its temporary
# files with mktemp rather than writing to fixed paths.
PATH_RANGES="/tmp/ranges"
PATH_WHITELIST="/tmp/whitelist"
PATH_ALLOWED="/tmp/allowed"
PATH_SELF_CANCEL="/tmp/self_cancel"
#######################################################################################
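#######################################
# Tests whether $1 is a dotted-quad IPv4 address: four groups of 1-3
# digits, each evaluating to 0-255. Groups are compared with bash
# arithmetic, exactly as before ("01" is accepted, "08" is not).
# Arguments: $1 - string to test
# Returns:   0 if $1 is a valid IPv4 address, 1 otherwise
#            (shell convention; the old header wrongly said "1 if valid")
#######################################
valid_ip ()
{
  local ip=$1
  local -a octets
  local octet
  # Shape check first; the regex alone would accept 999.999.999.999.
  [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || return 1
  # Split on dots with a per-command IFS so the caller's IFS is untouched
  # (the original left OIFS behind as a global variable).
  IFS=. read -r -a octets <<<"$ip"
  for octet in "${octets[@]}"; do
    (( octet <= 255 )) || return 1
  done
  return 0
}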
#######################################
# Creates the ipsets and installs the iptables rules on eth1.
# Globals (read): IPTABLES, IP_TARGET, PORT_WEB, PORT_REDIRECT
# Outputs:   progress messages on stdout
# Returns:   status of the last iptables call. Individual failures are not
#            checked, so running start twice appends the nat rules twice.
#######################################
start ()
{
  local iface="eth1"
  local -a nat=("$IPTABLES" -i "$iface" -t nat -A PREROUTING)
  local -a fwd=("$IPTABLES" -i "$iface" -I FORWARD)

  echo "Adding sets."
  ipset -N whitelist   iphash  --hashsize 10000 --probes 4 --resize 50
  ipset -N allowed     iphash  --hashsize 10000 --probes 8 --resize 50
  ipset -N self_cancel iphash  --hashsize 10000 --probes 8 --resize 50
  ipset -N seen        iphash  --hashsize 10000 --probes 8 --resize 50
  ipset -N ranges      nethash --hashsize 1024  --probes 4 --resize 50

  echo "Adding firewall rules."
  # A packet from a self_cancel source addressed to IP_TARGET records that
  # source in "allowed" (ends its redirection) and in "seen" (reported back
  # to FreeNetIS by update).
  "${nat[@]}" -m set --set self_cancel src -d "$IP_TARGET" -j SET --add-set allowed src
  "${nat[@]}" -m set --set self_cancel src -d "$IP_TARGET" -j SET --add-set seen src
  # Whitelisted and allowed sources are never redirected.
  "${nat[@]}" -m set --set whitelist src -j ACCEPT
  "${nat[@]}" -m set --set allowed src -j ACCEPT
  # Remaining sources inside "ranges": web traffic goes to the redirect port.
  "${nat[@]}" -m set --set ranges src -p tcp --dport "$PORT_WEB" -j REDIRECT --to-port "$PORT_REDIRECT"
  # Forwarding: whitelist/allowed pass, everything else from "ranges" is dropped.
  "${fwd[@]}" 1 -m set --set whitelist src -j ACCEPT
  "${fwd[@]}" 2 -m set --set allowed src -j ACCEPT
  "${fwd[@]}" 3 -m set --set ranges src -j DROP
}
#######################################
# Removes the iptables rules installed by start and destroys the ipsets.
# Globals (read): IPTABLES, IP_TARGET, PORT_WEB, PORT_REDIRECT
# Outputs:   progress messages on stdout
# Returns:   status of the last ipset -X call; earlier failures are not checked
#######################################
stop ()
{
  local iface="eth1"
  local -a nat=("$IPTABLES" -i "$iface" -t nat -D PREROUTING)
  local -a fwd=("$IPTABLES" -i "$iface" -D FORWARD)
  local s

  echo "Deleting firewall rules."
  # Same rule specifications as in start, deleted instead of appended.
  "${nat[@]}" -m set --set self_cancel src -d "$IP_TARGET" -j SET --add-set allowed src
  "${nat[@]}" -m set --set self_cancel src -d "$IP_TARGET" -j SET --add-set seen src
  "${nat[@]}" -m set --set whitelist src -j ACCEPT
  "${nat[@]}" -m set --set allowed src -j ACCEPT
  "${nat[@]}" -m set --set ranges src -p tcp --dport "$PORT_WEB" -j REDIRECT --to-port "$PORT_REDIRECT"
  "${fwd[@]}" -m set --set whitelist src -j ACCEPT
  "${fwd[@]}" -m set --set allowed src -j ACCEPT
  "${fwd[@]}" -m set --set ranges src -j DROP

  echo "Deleting sets."
  for s in whitelist allowed self_cancel seen ranges; do
    ipset -X "$s"
  done
}
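#######################################
# Synchronises the sets with FreeNetIS: uploads the addresses collected in
# the "seen" set, downloads the four lists and refills the sets from them.
# Unlike the previous version, every list is downloaded before any set is
# flushed: a failed download used to leave all sets empty, which redirected
# every member, including whitelisted ones.
# Globals (read): SET_URL_SEEN, SET_URL_WHITELIST, SET_URL_ALLOWED,
#                 SET_URL_SELF_CANCEL, SET_URL_RANGES, PATH_WHITELIST,
#                 PATH_ALLOWED, PATH_SELF_CANCEL, PATH_RANGES
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   0 on success; 1 when a temporary file could not be created or a
#            download failed - the sets are then left as they were
#######################################
update ()
{
  local i seen=""
  local -a names=(whitelist allowed self_cancel ranges)
  local -a urls=("$SET_URL_WHITELIST" "$SET_URL_ALLOWED" "$SET_URL_SELF_CANCEL" "$SET_URL_RANGES")
  local -a paths=("$PATH_WHITELIST" "$PATH_ALLOWED" "$PATH_SELF_CANCEL" "$PATH_RANGES")
  local -a files=()
  local n file

  # Collect the "seen" addresses as "a;b;c". `ipset -L` also prints header
  # lines; only tokens that are dotted quads pass valid_ip. "seen" is local
  # now, so repeated calls in one shell no longer accumulate old entries.
  for i in $(ipset -L seen); do
    if valid_ip "$i"; then
      seen="$seen$i;"
    fi
  done
  seen=${seen%;}

  echo "Sending seen set data..."
  # NOTE(review): plain http plus --no-check-certificate - neither this upload
  # nor the downloads below are transport-authenticated.
  if wget -q -O /dev/null "$SET_URL_SEEN" --no-check-certificate --post-data "seen=$seen"; then
    # Only forget the reported addresses once the server has accepted them;
    # otherwise they would be lost and re-redirected after the next refill.
    echo "Cleaning seen set..."
    ipset -F seen
  else
    echo "Upload of seen set failed; keeping it for the next run." >&2
  fi

  echo "Downloading data..."
  for n in 0 1 2 3; do
    if file=$(_update_fetch "${urls[n]}" "${paths[n]}"); then
      files+=("$file")
    else
      echo "Download of ${names[n]} failed; sets left unchanged." >&2
      (( ${#files[@]} )) && rm -f -- "${files[@]}"
      return 1
    fi
  done

  echo "Cleaning sets..."
  # Flush and refill each set in turn, keeping the window in which a set is
  # empty as short as possible.
  for n in 0 1 2 3; do
    _update_fill_set "${names[n]}" "${files[n]}"
  done

  rm -f -- "${files[@]}"
  return 0
}

#######################################
# Helper for update: downloads URL $1 into a fresh temporary file created
# from template $2 and prints the file name.
# mktemp creates the file atomically with mode 0600, so a symlink planted at
# the predictable /tmp name by another local user cannot hijack the write of
# this root-run script.
# Arguments: $1 - URL to fetch, $2 - path prefix for the temporary file
# Outputs:   the temporary file name on stdout (nothing on failure)
# Returns:   0 on success, 1 if mktemp or wget failed (file removed)
#######################################
_update_fetch ()
{
  local url=$1 template=$2 file
  file=$(mktemp -- "${template}.XXXXXX") || return 1
  if wget -q -O "$file" "$url" --no-check-certificate; then
    printf '%s\n' "$file"
    return 0
  fi
  rm -f -- "$file"
  return 1
}

#######################################
# Helper for update: flushes ipset $1 and adds every whitespace-separated
# entry found in file $2. Entries are passed to ipset as the server sent
# them (no validation), as before; splitting uses read -a, so no globbing.
# Arguments: $1 - set name, $2 - file with entries
# Outputs:   one "<entry> - added to set <name>" line per entry
#######################################
_update_fill_set ()
{
  local name=$1 file=$2 line entry
  local -a entries
  ipset -F "$name"
  while IFS= read -r line || [[ -n $line ]]; do
    read -r -a entries <<<"$line"
    for entry in "${entries[@]}"; do
      echo "$entry - added to set $name"
      ipset -A "$name" "$entry"
    done
  done < "$file"
}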
#######################################
# Prints the usage text to stdout.
# Outputs:   one usage line followed by one line per action
#######################################
help ()
{
  cat <<'EOF'
usage : (start | update | stop | restart)
start - initialization of firewall rules
update - load ipset data from defined URLs
stop - clears firewall rules
restart - restarts firewall rules
EOF
}
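# Dispatch on the first argument. Two fixes against the previous version:
# "stop" was listed after the "*)" default arm and therefore could never be
# reached (running "stop" printed the help), and every arm exited with
# status 1, so init scripts reported failure even when the action succeeded.
# Now a missing or unknown action prints the help and exits 1; a completed
# action exits 0.
if [ -z "$1" ]; then
  help
  exit 1
fi
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  update)
    update
    ;;
  restart)
    stop
    start
    update
    ;;
  *)
    help
    exit 1
    ;;
esac
exit 0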
