verzia 2.115, 2018/06/28 22:46:00 |
verzia 2.117, 2018/08/23 04:34:58 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.114 2018/06/28 16:50:18 nepto Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.116 2018/06/28 23:13:42 nepto Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
Riadok 43 DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:= |
|
Riadok 43 DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:= |
|
DIST_FIREWALL_CONFIG_DIR="${DIST_FIREWALL_CONFIG_DIR:=/etc/firewall/firewall.d}" |
DIST_FIREWALL_CONFIG_DIR="${DIST_FIREWALL_CONFIG_DIR:=/etc/firewall/firewall.d}" |
|
|
# quiet output? {{{ |
# quiet output? {{{ |
if [ "x$1" = "xblock" ] || [ "x$QUIET" = "xyes" ]; then |
if [ "x$QUIET" = "xyes" ]; then |
print_info() |
print_info() |
{ |
{ |
echo -n "" |
echo -n "" |
|
|
print_info " done." |
print_info " done." |
fi |
fi |
done |
done |
|
} # }}} |
|
|
|
do_ban_single_ip() |
|
{ # {{{ |
|
if [ -z "$1" ]; then |
|
print_info "do_ban_single_ip(): empty banned_ip"; |
|
return; |
|
fi |
|
for banned_ip in $*; do |
|
$IPTABLES -A INPUT -s $banned_ip -j DROP; |
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
# This does immediate connection termination, but it must be |
|
# inserted (not appended) into chain, otherwise connection |
|
# will still remain alive -- Nepto [2018-08-23] |
|
$IPTABLES -I FORWARD -s $banned_ip -j DROP; |
|
fi |
|
done |
} # }}} |
} # }}} |
|
|
bann_ip_adresses() |
bann_ip_adresses() |
Riadok 776 bann_ip_adresses() |
|
Riadok 794 bann_ip_adresses() |
|
if [ ! -z "$BANNED_IP" ]; then |
if [ ! -z "$BANNED_IP" ]; then |
print_info -en "Dropping ALL packets from IP:" |
print_info -en "Dropping ALL packets from IP:" |
for banned_ip in $BANNED_IP; do |
for banned_ip in $BANNED_IP; do |
print_info -en " $banned_ip" |
print_info -en " $banned_ip"; |
$IPTABLES -A INPUT -s $banned_ip -j DROP |
do_ban_single_ip "$banned_ip"; |
|
|
if [ "X$XEN_MODE" = "Xon" ]; then |
|
print_info -ne " XEN_MODE "; |
|
else |
|
$IPTABLES -A FORWARD -s $banned_ip -j DROP |
|
fi |
|
done |
done |
print_info " done." |
print_info " done." |
fi |
fi |
Riadok 1616 shaping_status() |
|
Riadok 1628 shaping_status() |
|
|
|
# }}} |
# }}} |
|
|
|
check_banned_ip() |
|
{ # {{{ |
|
output="`grep \"$1\" $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf`"; |
|
if [ "$?" -eq 0 -a -n "$output" ]; then |
|
return 0; |
|
fi |
|
return 1; |
|
} # }}} |
|
|
add_banned_ip() |
add_banned_ip() |
{ # {{{ |
{ # {{{ |
echo "# `date '+%F %T'`" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
echo "# `date '+%F %T'`" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
Riadok 1631 add_banned_ip() |
|
Riadok 1652 add_banned_ip() |
|
fi |
fi |
read_config_ips $TMPFILE >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
read_config_ips $TMPFILE >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
rm -f $TMPFILE |
rm -f $TMPFILE |
# start with new firewalling rules |
|
$0 start |
|
} # }}} |
} # }}} |
|
|
deploy_block() |
deploy_block() |
|
|
REAL_INTERFACES="`echo $x_REAL_INTERFACES | awk -v RS=' ' '{ print; }' | sort -u`" |
REAL_INTERFACES="`echo $x_REAL_INTERFACES | awk -v RS=' ' '{ print; }' | sort -u`" |
INTERFACES_ACCEPT_ALL="$IFACE_ACCEPT_ALL" |
INTERFACES_ACCEPT_ALL="$IFACE_ACCEPT_ALL" |
|
|
|
retcode=0; |
case "$1" in |
case "$1" in |
start) |
start) |
print_info -n "Starting $DESC: " |
print_info -n "Starting $DESC: " |
|
|
purge) |
purge) |
find $DEFAULT_CACHE_DIR -type f -ls -exec rm -f {} \; |
find $DEFAULT_CACHE_DIR -type f -ls -exec rm -f {} \; |
;; |
;; |
|
|
block) |
block) |
shift; |
shift; |
add_banned_ip $*; |
for banned_ip in $*; do |
# start the some script twice to refresh rules (new blocked IP's) |
check_banned_ip "$banned_ip"; |
QUIET=yes $0 start; |
if [ "$?" -eq 0 ]; then |
|
print_info "Already blocked IP address: $banned_ip"; |
|
retcode=1; |
|
else |
|
print_info "Blocking IP address: $banned_ip"; |
|
add_banned_ip "$banned_ip"; |
|
do_ban_single_ip "$banned_ip"; |
|
fi |
|
done |
;; |
;; |
update) |
update) |
update; |
update; |
|
|
;; |
;; |
esac |
esac |
|
|
exit 0 |
exit "$retcode"; |
|
|
# vim600: fdm=marker fdl=0 fdc=3 |
# vim600: fdm=marker fdl=0 fdc=3 |
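Review bot: check_banned_ip() uses the address as an unanchored regular expression, so `grep "$1"` reports 10.0.0.1 as already blocked when BANNED_IP.conf contains 10.0.0.10 or 110.0.0.1, and the unescaped dots match any character; because the new `block)` branch now decides from this check whether to add the address, it should match a whole fixed-string line: `output="$(grep -Fx -- "$1" "$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf")"`. The `[ "$?" -eq 0 -a -n "$output" ]` test can then become `if [ -n "$output" ]; then`, since a non-empty match already implies grep succeeded. In do_ban_single_ip() and bann_ip_adresses() the iptables calls pass `$banned_ip` unquoted and iterate over bare `$*`, so a malformed argument is word-split into extra iptables arguments; quote them as `"$IPTABLES" -A INPUT -s "$banned_ip" -j DROP` and loop over `"$@"`. Since add_banned_ip() now ends with `$0 start` and the block branch calls add_banned_ip followed by do_ban_single_ip for every address, each address appears to trigger a full restart and, if start already loads BANNED_IP.conf through bann_ip_adresses, the DROP rule is inserted twice — worth confirming against the start branch, whose body lies outside this diff, as do the remaining bodies of bann_ip_adresses and add_banned_ip.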
|
|