===================================================================
RCS file: /home/cvsd/home/cvs/scripts/shell/firewall/fw-universal.sh,v
retrieving revision 2.51
retrieving revision 2.52
diff -u -p -r2.51 -r2.52
--- scripts/shell/firewall/fw-universal.sh 2007/12/12 23:30:10 2.51
+++ scripts/shell/firewall/fw-universal.sh 2008/01/16 23:45:08 2.52
@@ -9,16 +9,19 @@
 # Licensed under terms of GNU General Public License.
 # All rights reserved.
 #
-# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.50 2007-08-29 14:43:55 rajo Exp $
+# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.51 2007-12-12 23:30:10 rajo Exp $
 #
 # Changelog:
 # 2003-10-24 - created
 #
+umask 077 # security
+
 DESC="firewall"
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREWALL_CONFIG:=/etc/default/firewall}"
+DEFAULT_FIREWALL_CONFIG_DIR="${DEFAULT_FIREWALL_CONFIG_DIR:=/etc/default/firewall.d}"
 DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:=/var/cache/firewall}"
 if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then
@@ -92,6 +95,11 @@ get_first_ip_addr()
 print_first `echo ${!varname} | sort -g`
 } # }}}
+read_config_ips()
+{ # {{{
+ PARSE_CONFIG=$1 perl -ne 'if (m/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/(\d+)$/g) { print; } elsif ($_ !~ m/^\s*#/ && $_ !~ m/^\s*$/ ) { print STDERR "ERROR: $ENV{PARSE_CONFIG}:$.: ignored string $_\n"; }' $1
+} # }}}
+
 # load necessary modules from $MODULES variable
 load_modules()
 { # {{{
@@ -111,7 +119,7 @@ load_cache()
 mkdir -p "$DEFAULT_CACHE_DIR";
 fi
- config=`cat $DEFAULT_FIREWALL_CONFIG $0`; # config file and firewalling script
+ config=`cat $DEFAULT_FIREWALL_CONFIG $0 $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf `; # config file and firewalling script
 md5key=`echo "config = '$config' parsed_interfaces ='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | $AWK '{ print $1; }'`;
 CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key"
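Review bot: `umask 077 # security` says what the line does but not why it sits at the top of the script; as the first statement it affects the mode of everything the script creates afterwards, and in this diff that is the cache directory created by load_cache and the BANNED_IP.conf file appended to by add_banned_ip. A comment naming the intent, e.g. `# security: files this script creates (cache, BANNED_IP.conf) must be owner-only`, tells the next maintainer not to move or drop it.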
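Review bot: The accept pattern in read_config_ips, `m/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/(\d+)$/`, only checks the shape of an entry, so a line such as `999.1.1.1/99` passes and is later handed to the firewall as a rule argument, where it fails at rule-load time instead of at the point where the operator can see the offending line and file. The anchored match is also what keeps arbitrary text (including whatever the `block` command reads from STDIN) out of the rule set, so it is worth making it strict: capture the four octets and the prefix length and print the line only when each octet is <= 255 and the prefix is <= 32, otherwise fall through to the existing ERROR branch. Separately, `$_` still carries its newline when interpolated into the ERROR message, so the trailing `\n` prints a blank line after every diagnostic; `chomp` first or drop the `\n`. The file argument `$1` is unquoted in both places; `"$1"` keeps a path containing whitespace intact.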
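Review bot: The widened `cat` in load_cache reads `$DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list` and `BANNED_IP.conf` unconditionally, while bann_ip_adresses treats BANNED_IP.conf as optional (`[ -f $cf ]`); on a host where either file is absent every `start` prints a cat error to stderr and the cache key is computed from whatever cat did manage to read. Guard the optional files the same way before handing them to cat, e.g. `extra=; for f in $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf; do [ -f "$f" ] && extra="$extra $f"; done` followed by `cat $DEFAULT_FIREWALL_CONFIG $0 $extra`. Folding BANNED_IP.conf into the checksum is presumably what lets the `$0 start` issued by the new `block` command see a fresh entry rather than a stale cache, so the trailing comment `# config file and firewalling script` should be extended to say that the ban and deploy lists are included on purpose. load_cache's body starts and ends outside the hunk.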
@@ -536,6 +544,10 @@ bann_ip_adresses()
 #IP address is: 146.48.97.11 146.48.97.13
 # User Agent: "UbiCrawler/v0.4beta (http://ubi.iit.cnr.it/projects/ubicrawler/)"
 #
+ cf="$DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf"
+ if [ -f $cf ]; then
+ BANNED_IP="$BANNED_IP `read_config_ips $cf`"
+ fi
 if [ ! -z "$BANNED_IP" ]; then
 echo -en "Dropping ALL packets from IP:"
 for banned_ip in $BANNED_IP; do
@@ -959,6 +971,52 @@ accept_loopback()
 } # }}}
+add_banned_ip()
+{ # {{{
+ echo "# `date '+%Y-%m-%d %X' ` - ${SSH_CLIENT:=local}" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf
+ TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1
+ trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
+ if [ -z "$*" ]; then
+ echo "Reading banned IP's from STDIN:"
+ cat >> $TMPFILE
+ else
+ for IP in $*; do
+ echo $i >> $TMPFILE;
+ done
+ fi
+ read_config_ips $TMPFILE >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf
+ rm -f $TMPFILE
+} # }}}
+
+deploy_block()
+{ # {{{
+ if [ -z "$*" ]; then
+ echo "Usage: $0 deploy-block IP1/netmask1 IP2/netmask2 ..."
+ exit 1;
+ fi
+ echo "Deploying to local rules ..."
+ add_banned_ip $*
+ # start the some script twice to refresh rules (new blocked IP's)
+ $0 start
+ TMPFILE=`mktemp -t fw-universal.sh-XXXXXX` || exit 1
+ trap 'rm -f $TMPFILE' 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
+ echo TMPFILE=$TMPFILE
+ for i in $*; do
+ echo $i >> $TMPFILE;
+ done
+ while read conn keyfile
+ do
+ case "$conn" in
+ ""|\#*)
+ continue
+ ;;
+ esac
+ echo "Deploying to $conn ...";
+ cat $TMPFILE | ssh -i $keyfile $conn $0 block
+ done < $DEFAULT_FIREWALL_CONFIG_DIR/deploy-servers.list
+ rm -f $TMPFILE
+} # }}}
+
 # Parse output from ifconfig: - tested on Linux and FreeBSD
 # http://platon.sk/cvs/cvs.php/scripts/shell/firewall/ifconfig-parse.sh
 parse_ifconfig()
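Review bot: `if [ -f $cf ]` leaves `$cf` unquoted, so a `DEFAULT_FIREWALL_CONFIG_DIR` containing whitespace turns the test into extra words and aborts the function; `if [ -f "$cf" ]; then` matches the quoting the file already uses for `"$DEFAULT_FIREWALL_CONFIG"`. Malformed entries in BANNED_IP.conf are only reported by read_config_ips on stderr and then skipped, so when `start` runs non-interactively (from an init script, say) a mistyped line leaves that address unblocked with nobody seeing the diagnostic; consider failing the start, or at least also sending the message through `logger`, so the gap is visible. bann_ip_adresses starts and ends outside the hunk.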
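Review bot: In add_banned_ip the loop `for IP in $*; do echo $i >> $TMPFILE; done` iterates over `IP` but writes `$i`, so addresses passed as arguments never reach the temp file or BANNED_IP.conf — only blank lines, or whatever `$i` happens to hold, do, and read_config_ips then reports them as ignored; this breaks `block IP...` and the local half of deploy_block, which calls `add_banned_ip $*` before its own `for i in $*` loop. Use the loop variable and quote it, `for ip in "$@"; do echo "$ip" >> "$TMPFILE"; done`, and pass `"$@"` rather than `$*` in deploy_block's `add_banned_ip` call. In `cat $TMPFILE | ssh -i $keyfile $conn $0 block`, `$0` is the local invocation path, so the remote command only resolves when the script is installed at the same absolute path on every deploy target and was started by absolute path locally; that requirement belongs in a comment above the loop, or `$0` should be resolved to an absolute path before use. Both `trap 'rm -f $TMPFILE' 1 2 ... 15` lines omit EXIT (0), so an `exit 1` elsewhere leaves the temp file behind, while signal 9 cannot be trapped at all; `trap 'rm -f "$TMPFILE"' 0 1 2 3 15` covers the cases that matter, and `echo TMPFILE=$TMPFILE` looks like leftover debugging output. The deploy loop should read with `while read -r conn keyfile` and quote `"$keyfile"` and `"$conn"` in the ssh command so a line of deploy-servers.list is not split further.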
@@ -1156,9 +1214,18 @@ case "$1" in
 purge)
 find $DEFAULT_CACHE_DIR -type f -ls -exec rm -f {} \;
 ;;
-
+ block)
+ shift;
+ add_banned_ip $*;
+ # start the some script twice to refresh rules (new blocked IP's)
+ $0 start;
+ ;;
+ deploy-block)
+ shift;
+ deploy_block $*;
+ ;;
 *)
- echo "Usage: $0 {start|stop|really-off|status|purge}" >&2
+ echo "Usage: $0 {start|stop|really-off|status|purge|block|deploy-block}" >&2
 exit 1
 ;;
 esac
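Review bot: The `block)` arm repeats the ban-then-restart sequence that deploy_block already performs (`add_banned_ip` followed by `$0 start`), comment included, so a later change to one is likely to drift from the other; either move the pair into a small helper both call, or have deploy_block run `$0 block "$@"` for the local host. `add_banned_ip $*;` and `deploy_block $*;` should pass `"$@"`, which keeps each argument as one word. The comment `# start the some script twice to refresh rules (new blocked IP's)` reads as a typo for "the same script"; `# re-exec ourselves with 'start' so the new BANNED_IP.conf entries are loaded into the rules` says what actually happens.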