Freenetis
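#! /bin/bash
### BEGIN INIT INFO
# Provides:          freenetis
# Required-Start:    $remote_fs
# Required-Stop:     $remote_fs
# Should-Start:      $network $syslog
# Should-Stop:       $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start and stop FreenetIS synchronization daemon
# Description:       FreenetIS synchronization script.
### END INIT INFO
##################################################################################
#                                                                                #
# This script serves for redirection ip policy of IS FreenetIS                   #
#                                                                                #
# author  Sevcik Roman 2011                                                      #
# email   sevcik.roman@slfree.net                                                #
#                                                                                #
# name    freenetis                                                              #
# version 1.9                                                                    #
#                                                                                #
##################################################################################
#
# No 'set -e' on purpose: stop() must attempt every rule and set deletion even
# when an earlier one fails, otherwise a partially torn-down policy is left
# behind. The steps whose failure matters are checked explicitly instead.

# Path to iptables - mandatory
IPTABLES=/sbin/iptables

# Config file; it must define INPUT_INTERFACE, IP_TARGET, PORT_WEB and
# PORT_REDIRECT (the names read by the rules below).
CONFIG=/etc/freenetis.cfg

# Pid file of the background synchronization process
PIDFILE=/var/run/freenetis_synchronization.pid

# Synchronization script that start() runs in the background
SYNC_SCRIPT=/usr/local/sbin/freenetis_synchronization.sh

# Load variables.
# NOTE(security): the config file is *sourced*, i.e. executed with this
# script's (root) privileges. It must be owned by root and not writable by
# anyone else, and should contain only variable assignments.
if [ -f "$CONFIG" ]; then
  . "$CONFIG"
else
  echo "No config file - giving up :-(" >&2
  # Kept at 0 as in the original: a missing config is treated as
  # "nothing to do" rather than as a failed init action.
  exit 0
fi

# Refuse to build rules from an incomplete config: an empty value would
# otherwise silently produce a malformed or overly broad iptables rule.
: "${INPUT_INTERFACE:?INPUT_INTERFACE must be set in $CONFIG}"
: "${IP_TARGET:?IP_TARGET must be set in $CONFIG}"
: "${PORT_WEB:?PORT_WEB must be set in $CONFIG}"
: "${PORT_REDIRECT:?PORT_REDIRECT must be set in $CONFIG}"

#######################################
# Check that a string is a dotted-quad IPv4 address with every octet <= 255.
# Arguments: $1 - string to check
# Returns:   0 if the address is valid, 1 otherwise
#            (the original header said "returns 1 if valid"; the code has
#            always returned 0 for a valid address)
#######################################
valid_ip() {
  local ip=$1
  local stat=1
  local -a octets
  local octet
  if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # Split on '.' without touching the global IFS
    IFS='.' read -r -a octets <<<"$ip"
    stat=0
    for octet in "${octets[@]}"; do
      # 10# forces decimal: "08"/"09" would otherwise be parsed as invalid octal
      (( 10#$octet <= 255 )) || stat=1
    done
  fi
  return $stat
}

#######################################
# Add or delete the redirection policy rules.
# The same rule list is used for both directions so that stop() always
# removes exactly what start() installed.
# Globals:   IPTABLES, INPUT_INTERFACE, IP_TARGET, PORT_WEB, PORT_REDIRECT
# Arguments: $1 - "add" or "del"
# Returns:   2 on a bad mode; otherwise the status of the last iptables call
#######################################
firewall_rules() {
  local mode=$1
  local nat_op fwd_op
  case "$mode" in
    add) nat_op=-A; fwd_op=-I ;;
    del) nat_op=-D; fwd_op=-D ;;
    *)
      printf 'firewall_rules: unknown mode %s\n' "$mode" >&2
      return 2
      ;;
  esac

  local -a nat=("$IPTABLES" -i "$INPUT_INTERFACE" -t nat "$nat_op" PREROUTING)
  # A packet from a source in set self_cancel addressed to $IP_TARGET adds
  # that source to sets allowed and seen. Set seen is used for ip
  # synchronization with FreenetIS.
  "${nat[@]}" -m set --set self_cancel src -d "$IP_TARGET" -j SET --add-set allowed src
  "${nat[@]}" -m set --set self_cancel src -d "$IP_TARGET" -j SET --add-set seen src
  # Sources in set whitelist or allowed are not redirected
  "${nat[@]}" -m set --set whitelist src -j ACCEPT
  "${nat[@]}" -m set --set allowed src -j ACCEPT
  # Redirect all traffic from set ranges with destination port $PORT_WEB
  # to $PORT_REDIRECT
  "${nat[@]}" -m set --set ranges src -p tcp --dport "$PORT_WEB" \
    -j REDIRECT --to-port "$PORT_REDIRECT"

  # FORWARD chain: on add, positions 1-3 place the rules ahead of any
  # existing ones; on delete iptables matches by rule spec, so no position.
  local -a fwd=("$IPTABLES" -i "$INPUT_INTERFACE" "$fwd_op" FORWARD)
  if [ "$mode" = add ]; then
    "${fwd[@]}" 1 -m set --set whitelist src -j ACCEPT
    "${fwd[@]}" 2 -m set --set allowed src -j ACCEPT
    # Everything else from set ranges is dropped
    "${fwd[@]}" 3 -m set --set ranges src -j DROP
  else
    "${fwd[@]}" -m set --set whitelist src -j ACCEPT
    "${fwd[@]}" -m set --set allowed src -j ACCEPT
    "${fwd[@]}" -m set --set ranges src -j DROP
  fi
}

#######################################
# Create the ipsets, install the redirection policy and start the
# synchronization process in the background.
# Globals:  IPTABLES, INPUT_INTERFACE, IP_TARGET, PORT_WEB, PORT_REDIRECT,
#           PIDFILE, SYNC_SCRIPT
# Returns:  0 on success, 1 if already started or the sync script is missing
#######################################
start() {
  if [ -f "$PIDFILE" ]; then
    echo "Already started"
    echo "(remove $PIDFILE if the process is no longer running)" >&2
    return 1
  fi
  # Checked before touching the firewall, so a missing script does not leave
  # the rules installed with nothing feeding the sets.
  if [ ! -x "$SYNC_SCRIPT" ]; then
    echo "Cannot execute $SYNC_SCRIPT" >&2
    return 1
  fi

  echo "Adding sets."
  ipset -N whitelist iphash --hashsize 10000 --probes 4 --resize 50
  ipset -N allowed iphash --hashsize 10000 --probes 8 --resize 50
  ipset -N self_cancel iphash --hashsize 10000 --probes 8 --resize 50
  ipset -N seen iphash --hashsize 10000 --probes 8 --resize 50
  ipset -N ranges nethash --hashsize 1024 --probes 4 --resize 50

  echo "Adding firewall rules."
  firewall_rules add

  # Run the update script in the background and record its pid from the
  # shell ($!) instead of parsing 'ps' output, which could pick up the grep
  # itself or an unrelated process.
  echo "Starting process."
  nohup "$SYNC_SCRIPT" >/dev/null 2>&1 &
  echo "$!" > "$PIDFILE" || echo "Cannot write $PIDFILE" >&2
  return 0
}

#######################################
# Stop the synchronization process, remove the firewall rules and destroy
# the ipsets. Every deletion is attempted even if an earlier one fails.
# Globals:  IPTABLES, INPUT_INTERFACE, IP_TARGET, PORT_WEB, PORT_REDIRECT,
#           PIDFILE
# Returns:  0 on success, 1 if already stopped
#######################################
stop() {
  if [ ! -f "$PIDFILE" ]; then
    echo "Already stopped."
    return 1
  fi

  echo "Killing process."
  local pid
  pid=$(cat -- "$PIDFILE")
  # Only a plain pid is ever passed to kill: a corrupted or tampered pid
  # file must not turn into arbitrary kill arguments.
  if [[ $pid =~ ^[0-9]+$ ]]; then
    kill -- "$pid" || echo "Process $pid not running, removing stale pid file." >&2
  else
    echo "Invalid content in $PIDFILE, not killing anything." >&2
  fi
  rm -f -- "$PIDFILE"

  echo "Deleting firewall rules."
  firewall_rules del

  echo "Deleting sets."
  ipset -X whitelist
  ipset -X allowed
  ipset -X self_cancel
  ipset -X seen
  ipset -X ranges
  return 0
}

# Function shows help
help() {
  echo "usage : (start | stop | restart)"
  echo "start - initialization of firewall rules"
  echo "stop - clears firewall rules"
  echo "restart - restarts firewall rules"
}

# Dispatch on the action and exit with the action's real status (the
# original exited 1 even on success, which misleads anything checking it).
action=${1:-}
if [ -z "$action" ]; then
  help
  exit 1
fi

case "$action" in
  start)
    start
    exit $?
    ;;
  restart)
    stop
    start
    exit $?
    ;;
  stop)
    stop
    exit $?
    ;;
  *)
    help
    exit 1
    ;;
esac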