|
|
Řádek 1: |
Řádek 1: |
− | ##################################################################################
| + | Zastaralé. viz [[Přesměrování]] |
− | #! /bin/sh #
| |
− | # #
| |
− | # Skript pro presmerovani ip adres. Data jsou nacitana automaticky z freenetisu. #
| |
− | # #
| |
− | # autor Sevcik Roman 2009 #
| |
− | # email sevcik.roman@slfree.net #
| |
− | # #
| |
− | ##################################################################################
| |
− |
| |
− | IPTABLES=/usr/local/sbin/iptables
| |
− | IP_SELF=10.143.128.1
| |
− | IP_SELF1=10.143.129.0
| |
− | IP_TARGET=212.111.4.121
| |
− | PORT_WEB=80
| |
− | PORT_REDIRECT=36000
| |
− |
| |
− | SET_URL_RANGES=http://freenetis.slfree.net/cs/redirect/ipset/ranges
| |
− | SET_URL_PARTNERS=http://freenetis.slfree.net/cs/redirect/ipset/partners
| |
− | SET_URL_MEMBERS=http://freenetis.slfree.net/cs/redirect/ipset/members
| |
− |
| |
− | # Funkce testuje jestli je dana ip validne zapsana
| |
− | # @param ip adresa
| |
− | # return 1 pokud je ip validni
| |
− | function valid_ip()
| |
− | {
| |
− | local ip=$1
| |
− | local stat=1
| |
− |
| |
− | if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
| |
− | OIFS=$IFS
| |
− | IFS='.'
| |
− | ip=($ip)
| |
− | IFS=$OIFS
| |
− | [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
| |
− | stat=$?
| |
− | fi
| |
− | return $stat
| |
− | }
| |
− |
| |
− | # Funkce testuje jestli je dany subnet validne zapsany
| |
− | # @param subnet
| |
− | # return 1 pokud je subnet validni
| |
− | function valid_subnet()
| |
− | {
| |
− | local subnet=$1
| |
− | local stat=1
| |
− |
| |
− | if [[ $subnet =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/[0-9]{1,2}$ ]]; then
| |
− | OIFS=$IFS
| |
− | IFS='/'
| |
− | subnet=($subnet)
| |
− | IFS='.'
| |
− | ip=${subnet[0]}
| |
− | ip=($ip)
| |
− | mask=${subnet[1]}
| |
− | IFS=$OIFS
| |
− | [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
| |
− | [[ $mask -le 31 ]]
| |
− | stat=$?
| |
− | fi
| |
− | return $stat
| |
− | }
| |
− |
| |
− | function update()
| |
− | {
| |
− | #Vymazeme obsah vsech setu
| |
− | echo "Erasing content of sets.";
| |
− | ipset -F ranges
| |
− | ipset -F partners
| |
− | ipset -F members
| |
− |
| |
− | echo "Downloading data";
| |
− | wget -q -O /tmp/ranges $SET_URL_RANGES
| |
− | wget -q -O /tmp/partners $SET_URL_PARTNERS
| |
− | wget -q -O /tmp/members $SET_URL_MEMBERS
| |
− |
| |
− | BAKIFS=$IFS
| |
− | IFS=$(echo -en "\n\b")
| |
− | exec 3<&0
| |
− |
| |
− | #Plnime set partners
| |
− | echo "Filling set partnets.";
| |
− | exec 0</tmp/partners
| |
− | while read LINE
| |
− | do
| |
− | if valid_subnet $LINE; then echo "$LINE - added to set partners."; ipset -A partners $LINE; else echo "$LINE - not valid subnet."; fi
| |
− | done
| |
− |
| |
− | #Plnime set members
| |
− | echo "Filling set members.";
| |
− | exec 0</tmp/members
| |
− | while read LINE
| |
− | do
| |
− | if valid_ip $LINE; then echo "$LINE - added to set members."; ipset -A members $LINE; else echo "$LINE - not valid IP address."; fi
| |
− | done
| |
− |
| |
− | #Plnime set ranges - je nutne aby se plnil az na konci. Jinak by byly presmerovane ip v dobe kdy se set nenbers a partners teprve plni.
| |
− | echo "Filling set ranges.";
| |
− | exec 0</tmp/ranges
| |
− | while read LINE
| |
− | do
| |
− | if valid_subnet $LINE; then echo "$LINE - added to set ranges."; ipset -A ranges $LINE; else echo "$LINE - not valid subnet."; fi
| |
− | done
| |
− |
| |
− | exec 0<&3
| |
− | IFS=$BAKIFS
| |
− |
| |
− | #Cleaning up
| |
− | rm /tmp/ranges
| |
− | rm /tmp/partners
| |
− | rm /tmp/members
| |
− | }
| |
− |
| |
− | case "$1" in
| |
− | start)
| |
− | echo "Adding sets.";
| |
− | ipset -N ranges nethash --hashsize 1024 --probes 4 --resize 50
| |
− | ipset -N partners nethash --hashsize 1024 --probes 4 --resize 50
| |
− | ipset -N members iphash --hashsize 10000 --probes 8 --resize 50
| |
− |
| |
− | echo "Adding firewall rules.";
| |
− | #Pravidlo pro pridani ip do setu members. Pokud projde firewallem packet na danou cilovou ip prida se zdrojova ip do setu members.
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set ranges src -d $IP_TARGET -j SET --add-set members src
| |
− |
| |
− | #Pokud uz je ip v setu members nebo partners neaplikuje se presmerovani.
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set partners src -j ACCEPT
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set members src -j ACCEPT
| |
− |
| |
− | #Povoleni portu 36000 pro potreby presmerovani. Na tomto portu nasloucha webserver a provede presmerovani na zvolenou url.
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set ranges src -p tcp --dport $PORT_REDIRECT -j ACCEPT
| |
− |
| |
− | #Presmerovani vseho co miri do internetu a ma cilovy port 80 na port 36000.
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT
| |
− |
| |
− | #Vyjimky ip adres a portu ktere budou fungovat i po presmerovani.
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set ranges src -p icmp -d $IP_SELF -j ACCEPT
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set ranges src -p udp -d $IP_SELF --dport 53 -j ACCEPT
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set ranges src -p tcp -d $IP_SELF --dport 22 -j ACCEPT
| |
− |
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set ranges src -p icmp -d $IP_SELF1 -j ACCEPT
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set ranges src -p udp -d $IP_SELF1 --dport 53 -j ACCEPT
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set ranges src -p tcp -d $IP_SELF1 --dport 22 -j ACCEPT
| |
− |
| |
− | #Vyjimka pro kecalka pro podporu
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set ranges src -p tcp -d 67.23.29.84 --dport 80 -j ACCEPT
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set ranges src -p tcp -d 67.23.27.61 --dport 80 -j ACCEPT
| |
− |
| |
− | #Jinak vse ostatni zahod.
| |
− | $IPTABLES -t nat -A PREROUTING -m set --set ranges src -j DROP
| |
− |
| |
− | exit 1
| |
− | ;;
| |
− |
| |
− | restart)
| |
− | $0 stop
| |
− | $0 start
| |
− | exit 1
| |
− | ;;
| |
− |
| |
− | update)
| |
− | update
| |
− | exit 1
| |
− | ;;
| |
− |
| |
− | stop)
| |
− |
| |
− | echo "Deleting firewall rules.";
| |
− | #Pravidlo pro pridani ip do setu members. Pokud projde firewallem packet na danou cilovou ip prida se zdrojova ip do setu members.
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set ranges src -d $IP_TARGET -j SET --add-set members src
| |
− |
| |
− | #Pokud uz je ip v setu members nebo partners neaplikuje se presmerovani.
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set partners src -j ACCEPT
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set members src -j ACCEPT
| |
− |
| |
− | #Povoleni portu 36000 pro potreby presmerovani. Na tomto portu nasloucha webserver a provede presmerovani na zvolenou url.
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set ranges src -p tcp --dport $PORT_REDIRECT -j ACCEPT
| |
− |
| |
− | #Presmerovani vseho co miri do internetu a ma cilovy port 80 na port 36000.
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set ranges src -p tcp --dport $PORT_WEB -j REDIRECT --to-port $PORT_REDIRECT
| |
− |
| |
− | #Vyjimky ip adres a portu ktere budou fungovat i po presmerovani.
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set ranges src -p icmp -d $IP_SELF -j ACCEPT
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set ranges src -p udp -d $IP_SELF --dport 53 -j ACCEPT
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set ranges src -p tcp -d $IP_SELF --dport 22 -j ACCEPT
| |
− |
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set ranges src -p icmp -d $IP_SELF1 -j ACCEPT
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set ranges src -p udp -d $IP_SELF1 --dport 53 -j ACCEPT
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set ranges src -p tcp -d $IP_SELF1 --dport 22 -j ACCEPT
| |
− |
| |
− | #Vyjimka pro kecalka pro podporu
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set ranges src -p tcp -d 67.23.29.84 --dport 80 -j ACCEPT
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set ranges src -p tcp -d 67.23.27.61 --dport 80 -j ACCEPT
| |
− |
| |
− | #Jinak vse ostatni zahod.
| |
− | $IPTABLES -t nat -D PREROUTING -m set --set ranges src -j DROP
| |
− |
| |
− | echo "Deleting sets.";
| |
− | ipset -X ranges
| |
− | ipset -X partners
| |
− | ipset -X members
| |
− |
| |
− | exit 1
| |
− | ;;
| |
− | esac
| |
− |
| |
− | exit 0
| |