(Založena nová stránka: #! /bin/bash ### BEGIN INIT INFO # Provides: freenetis # Required-Start: $remote_fs # Required-Stop: $remote_fs # Should-Start: $network $syslo...) |
Řádek 9: | Řádek 9: | ||
# Default-Start: 2 3 4 5 | # Default-Start: 2 3 4 5 | ||
# Default-Stop: 0 1 6 | # Default-Stop: 0 1 6 | ||
− | # Short-Description: Start and stop | + | # Short-Description: Start and stop FreenetIS synchronization daemon |
− | # Description: | + | # Description: FreenetIS synchronization script. |
### END INIT INFO | ### END INIT INFO | ||
################################################################################## | ################################################################################## | ||
# # | # # | ||
− | # This script serves for redirection ip policy of IS | + | # This script serves for redirection ip policy of IS FreenetIS # |
# # | # # | ||
# auhtor Sevcik Roman 2011 # | # auhtor Sevcik Roman 2011 # | ||
Řádek 82: | Řádek 82: | ||
#Rule for allowing access. If come packet to $IP_TARGET then we add souce address do set allowed and to set seen | #Rule for allowing access. If come packet to $IP_TARGET then we add souce address do set allowed and to set seen | ||
− | #Set seen is used for ip synchronization with | + | #Set seen is used for ip synchronization with FreenetIS. |
$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set allowed src | $IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set allowed src | ||
$IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set seen src | $IPTABLES -i $INPUT_INTERFACE -t nat -A PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set seen src | ||
Řádek 128: | Řádek 128: | ||
#Rule for allowing access. If come packet to $IP_TARGET then we add souce address do set allowed and to set seen | #Rule for allowing access. If come packet to $IP_TARGET then we add souce address do set allowed and to set seen | ||
− | #Set seen is used for ip synchronization with | + | #Set seen is used for ip synchronization with FreenetIS. |
$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set allowed src | $IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set allowed src | ||
$IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set seen src | $IPTABLES -i $INPUT_INTERFACE -t nat -D PREROUTING -m set --set self_cancel src -d $IP_TARGET -j SET --add-set seen src | ||
Řádek 160: | Řádek 160: | ||
help () | help () | ||
{ | { | ||
− | echo "usage : (start | + | echo "usage : (start | stop | restart)" |
echo "start - initialization of firewall rules" | echo "start - initialization of firewall rules" | ||
echo "stop - clears firewall rules" | echo "stop - clears firewall rules" |
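Review bot: The usage lines that `help` prints go to stdout, but the current revision's dispatcher (shown further down this page) calls `help` only when the argument is missing or unknown and then does `exit 1`, so this text belongs on stderr where error output is expected. The smallest change is to wrap the echo lines of the function in `{ ...; } >&2`, or to append `>&2` to each `echo "usage : (start | stop | restart)"`-style line. The restart line and the closing brace of help lie outside the hunk.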
Aktuální verze z 2. 8. 2012, 10:15
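#! /bin/bash
### BEGIN INIT INFO
# Provides:          freenetis
# Required-Start:    $remote_fs
# Required-Stop:     $remote_fs
# Should-Start:      $network $syslog
# Should-Stop:       $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start and stop FreenetIS synchronization daemon
# Description:       FreenetIS synchronization script.
### END INIT INFO
##################################################################################
#                                                                                #
# This script serves for redirection ip policy of IS FreenetIS                   #
#                                                                                #
# author Sevcik Roman 2011                                                       #
# email sevcik.roman@slfree.net                                                  #
#                                                                                #
# name freenetis                                                                 #
# version 1.9                                                                    #
#                                                                                #
##################################################################################
#
# "start" creates the ipset sets, installs the nat/PREROUTING redirect rules
# and the FORWARD accept/drop rules on $INPUT_INTERFACE and launches the
# synchronization daemon; "stop" reverses all of that.  Exit codes follow the
# LSB init-script convention (0 = success, non-zero = failure).

# Path to iptables - mandatory
IPTABLES=/sbin/iptables

# Config file.  NOTE: it is sourced as shell code, so everything written in it
# runs with this script's (root) privileges - keep it root-owned and not
# writable by anyone else.
CONFIG=/etc/freenetis.cfg

# Pid file of the synchronization daemon
PIDFILE=/var/run/freenetis_synchronization.pid

# Daemon launched by "start" (was hard-coded in the nohup line before)
SYNC_SCRIPT=/usr/local/sbin/freenetis_synchronization.sh

# Load variables from config file.  Expected there: INPUT_INTERFACE,
# IP_TARGET, PORT_WEB, PORT_REDIRECT (checked by check_config).
if [ -f "${CONFIG}" ]; then
  . "${CONFIG}"
else
  # Exit 6 = "program is not configured" (LSB).  The old "exit 0" made the
  # init system believe the service had started although nothing happened.
  echo "No config file - giving up :-(" >&2
  exit 6
fi

#######################################
# Test whether $1 is a dotted-quad IPv4 address.
# Arguments: $1 - ip address
# Returns:   0 if valid, 1 otherwise.  (The original header said "returns 1
#            if valid", which is the opposite of what the code does.)
#######################################
valid_ip () {
  local ip=$1
  local -a octet
  local stat=1

  if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # local IFS: the original overwrote the global IFS and restored it by hand
    local IFS='.'
    read -r -a octet <<< "$ip"
    [[ ${octet[0]} -le 255 && ${octet[1]} -le 255 && ${octet[2]} -le 255 && ${octet[3]} -le 255 ]]
    stat=$?
  fi
  return "$stat"
}

#######################################
# Validate the values read from $CONFIG before they are handed to iptables.
# Globals:   INPUT_INTERFACE, IP_TARGET, PORT_WEB, PORT_REDIRECT (read)
# Returns:   0 if all are present and well-formed, 1 otherwise
#######################################
check_config () {
  local name
  for name in INPUT_INTERFACE IP_TARGET PORT_WEB PORT_REDIRECT; do
    if [ -z "${!name}" ]; then
      echo "${name} is not set in ${CONFIG}" >&2
      return 1
    fi
  done
  # valid_ip existed in the original but was never called
  if ! valid_ip "${IP_TARGET}"; then
    echo "IP_TARGET '${IP_TARGET}' is not a valid IPv4 address" >&2
    return 1
  fi
  for name in PORT_WEB PORT_REDIRECT; do
    if ! [[ ${!name} =~ ^[0-9]+$ ]]; then
      echo "${name} '${!name}' is not a port number" >&2
      return 1
    fi
  done
  return 0
}

#######################################
# Print the pid stored in $PIDFILE if the file holds a plain number and that
# process is alive.
# Globals:   PIDFILE (read)
# Returns:   0 and prints the pid; 1 (prints nothing) when there is no usable
#            pid file or the process is gone.  Pid reuse after a crash of the
#            daemon is not detected - only the number is checked.
#######################################
running_pid () {
  local pid=
  [ -f "${PIDFILE}" ] || return 1
  # read fails on a missing trailing newline but still fills pid
  read -r pid < "${PIDFILE}" || true
  # Never let a garbled pid file turn into "kill <arbitrary text>"
  [[ $pid =~ ^[0-9]+$ ]] || return 1
  kill -0 "${pid}" 2>/dev/null || return 1
  echo "${pid}"
}

#######################################
# Create the ipset sets, install the firewall rules and launch the daemon.
# Globals:   IPTABLES, PIDFILE, SYNC_SCRIPT, INPUT_INTERFACE, IP_TARGET,
#            PORT_WEB, PORT_REDIRECT (read); writes $PIDFILE
# Returns:   0 on success (also when already running, as LSB requires),
#            1 on error
#######################################
start () {
  local pid
  if pid=$(running_pid); then
    echo "Already started"
    return 0
  fi
  # A pid file without a live process is stale - drop it instead of refusing
  # to start forever.
  rm -f -- "${PIDFILE}"

  check_config || return 1

  if [ ! -x "${SYNC_SCRIPT}" ]; then
    echo "${SYNC_SCRIPT} is missing or not executable" >&2
    return 1
  fi

  echo "Adding sets."
  # NOTE(review): this is the old "-N ... iphash" ipset syntax; kept as is.
  ipset -N whitelist iphash --hashsize 10000 --probes 4 --resize 50
  ipset -N allowed iphash --hashsize 10000 --probes 8 --resize 50
  ipset -N self_cancel iphash --hashsize 10000 --probes 8 --resize 50
  ipset -N seen iphash --hashsize 10000 --probes 8 --resize 50
  ipset -N ranges nethash --hashsize 1024 --probes 4 --resize 50

  echo "Adding firewall rules."
  # Allowing access: a packet whose source is in set self_cancel and whose
  # destination is $IP_TARGET adds its source address to the sets allowed
  # and seen.  Set seen is used for ip synchronization with FreenetIS.
  "$IPTABLES" -i "$INPUT_INTERFACE" -t nat -A PREROUTING -m set --set self_cancel src -d "$IP_TARGET" -j SET --add-set allowed src
  "$IPTABLES" -i "$INPUT_INTERFACE" -t nat -A PREROUTING -m set --set self_cancel src -d "$IP_TARGET" -j SET --add-set seen src
  # A source in set whitelist or allowed is not redirected
  "$IPTABLES" -i "$INPUT_INTERFACE" -t nat -A PREROUTING -m set --set whitelist src -j ACCEPT
  "$IPTABLES" -i "$INPUT_INTERFACE" -t nat -A PREROUTING -m set --set allowed src -j ACCEPT
  # Redirect all traffic from set ranges with destination port $PORT_WEB to $PORT_REDIRECT
  "$IPTABLES" -i "$INPUT_INTERFACE" -t nat -A PREROUTING -m set --set ranges src -p tcp --dport "$PORT_WEB" -j REDIRECT --to-port "$PORT_REDIRECT"
  # A source in set whitelist or allowed may be forwarded ...
  "$IPTABLES" -i "$INPUT_INTERFACE" -I FORWARD 1 -m set --set whitelist src -j ACCEPT
  "$IPTABLES" -i "$INPUT_INTERFACE" -I FORWARD 2 -m set --set allowed src -j ACCEPT
  # ... everything else from set ranges is dropped
  "$IPTABLES" -i "$INPUT_INTERFACE" -I FORWARD 3 -m set --set ranges src -j DROP

  # Run the update script in the background
  echo "Starting process."
  nohup "${SYNC_SCRIPT}" > /dev/null 2>&1 &
  # $! is the pid of the job just started.  The original grepped "ps -fe" for
  # the script name, which could match the grep itself and cut a column whose
  # position depends on the ps output width.
  pid=$!
  echo "${pid}" > "${PIDFILE}"
  return 0
}

#######################################
# Stop the daemon, remove the firewall rules and destroy the sets.
# Globals:   same as start; removes $PIDFILE
# Returns:   0 on success (also when already stopped), 1 on error
#######################################
stop () {
  local pid
  if [ ! -f "${PIDFILE}" ]; then
    echo "Already stopped."
    return 0
  fi

  if pid=$(running_pid); then
    # Kill by sigterm; the pid was checked to be a live number instead of
    # being piped unchecked from the file into "xargs kill" as before.
    echo "Killing process."
    kill -- "${pid}"
  else
    echo "Process is not running, removing stale pid file." >&2
  fi
  # Delete pid file
  rm -f -- "${PIDFILE}"

  check_config || return 1

  echo "Deleting firewall rules."
  # Same rules as in start, in the same order, deleted with -D
  "$IPTABLES" -i "$INPUT_INTERFACE" -t nat -D PREROUTING -m set --set self_cancel src -d "$IP_TARGET" -j SET --add-set allowed src
  "$IPTABLES" -i "$INPUT_INTERFACE" -t nat -D PREROUTING -m set --set self_cancel src -d "$IP_TARGET" -j SET --add-set seen src
  "$IPTABLES" -i "$INPUT_INTERFACE" -t nat -D PREROUTING -m set --set whitelist src -j ACCEPT
  "$IPTABLES" -i "$INPUT_INTERFACE" -t nat -D PREROUTING -m set --set allowed src -j ACCEPT
  "$IPTABLES" -i "$INPUT_INTERFACE" -t nat -D PREROUTING -m set --set ranges src -p tcp --dport "$PORT_WEB" -j REDIRECT --to-port "$PORT_REDIRECT"
  "$IPTABLES" -i "$INPUT_INTERFACE" -D FORWARD -m set --set whitelist src -j ACCEPT
  "$IPTABLES" -i "$INPUT_INTERFACE" -D FORWARD -m set --set allowed src -j ACCEPT
  "$IPTABLES" -i "$INPUT_INTERFACE" -D FORWARD -m set --set ranges src -j DROP

  echo "Deleting sets."
  ipset -X whitelist
  ipset -X allowed
  ipset -X self_cancel
  ipset -X seen
  ipset -X ranges
  return 0
}

#######################################
# Print usage.  Written to stderr because it is only shown on a usage error.
#######################################
help () {
  {
    echo "usage : (start | stop | restart)"
    echo "start - initialization of firewall rules"
    echo "stop - clears firewall rules"
    echo "restart - restarts firewall rules"
  } >&2
}

# Is parameter #1 zero length?
if [ -z "$1" ]; then
  help
  exit 1
fi

# Exit with the status of the action instead of the unconditional "exit 1"
# of the original, which reported every successful start/stop as a failure.
case "$1" in
  start)
    start
    exit $?
    ;;
  restart)
    stop
    start
    exit $?
    ;;
  stop)
    stop
    exit $?
    ;;
  *)
    help
    exit 1
    ;;
esac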