Script freenetis ipset

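   #!/bin/bash
   ##################################################################################
   #                                                                                #
   # Redirect script for clients that are not (yet) members. Source addresses in   #
   # the "ranges" sets have their web traffic redirected to a local page and all   #
   # other traffic dropped, unless they appear in the "members" or "partners"      #
   # sets. Set contents are fetched automatically from freenetis.                  #
   #                                                                                #
   # author Sevcik Roman 2009                                                       #
   # email sevcik.roman@slfree.net                                                  #
   #                                                                                #
   ##################################################################################
   # NOTE(review): the shebang used to sit on the second line, inside the comment
   # box, so the kernel never saw it. The script relies on bash features (the
   # "function" keyword, [[ ]], =~, arrays), so it must run under bash, not /bin/sh.

   # Full path to the iptables binary this box uses (ipset 4 era syntax: --set).
   readonly IPTABLES=/usr/local/sbin/iptables
   # Router addresses that stay reachable (ICMP, DNS, SSH) even while redirected.
   readonly IP_SELF=10.143.128.1
   # NOTE(review): this ends in .0 and is used with "-d" as a single host address.
   # If it is meant to cover the whole 10.143.129.0/24 network it needs the /24
   # suffix in the rules; as written only that one address is matched.
   readonly IP_SELF1=10.143.129.0
   # Destination whose visitors are auto-enrolled into the "members" set.
   readonly IP_TARGET=212.111.4.121
   readonly PORT_WEB=80
   # Local web server port that serves the redirect page.
   readonly PORT_REDIRECT=36000

   # Lists published by freenetis: one network (a.b.c.d/n) or address per line.
   # NOTE(review): these are plain http:// URLs. Anyone able to tamper with this
   # traffic can add addresses to "partners" (a full bypass) or empty "ranges";
   # prefer https:// if the freenetis server offers it and keep the fetch on a
   # trusted path.
   readonly SET_URL_RANGES=http://freenetis.slfree.net/cs/redirect/ipset/ranges
   readonly SET_URL_PARTNERS=http://freenetis.slfree.net/cs/redirect/ipset/partners
   readonly SET_URL_MEMBERS=http://freenetis.slfree.net/cs/redirect/ipset/members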
   
   # Check that an IPv4 address is well formed: exactly four dot-separated
   # decimal groups, each no larger than 255. Nothing else (no whitespace,
   # no CR, no trailing text) is accepted, so a line that passes is safe to
   # hand to ipset as a single argument.
   # @param $1 address to test
   # @return 0 (success) when the address is valid, non-zero otherwise
   function valid_ip()
   {
       local candidate=$1
       local group='([0-9]{1,3})'
       local ipv4_re="^${group}\.${group}\.${group}\.${group}$"

       # Shape first: digits and dots only, anchored at both ends.
       [[ $candidate =~ $ipv4_re ]] || return 1

       # Then the numeric bound on every captured group; the status of this
       # test is the function's result.
       [[ ${BASH_REMATCH[1]} -le 255 && ${BASH_REMATCH[2]} -le 255 \
          && ${BASH_REMATCH[3]} -le 255 && ${BASH_REMATCH[4]} -le 255 ]]
   }
   
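   # Check that an IPv4 network is well formed: a valid dotted-quad address, a
   # slash and a prefix length of at most 31 (the bound the original code tried
   # to apply; ipset 4 nethash sets presumably do not take /32 entries, so single
   # hosts should go into the iphash "members" set instead - verify if needed).
   # A line that passes contains only digits, dots and one slash, so it is safe
   # to hand to ipset as a single argument.
   # @param $1 network in a.b.c.d/n notation
   # @return 0 (success) when the network is valid, non-zero otherwise
   function valid_subnet()
   {
       local candidate=$1
       local group='([0-9]{1,3})'
       local net_re="^${group}\.${group}\.${group}\.${group}/([0-9]{1,2})$"

       # Shape first: digits, dots and one slash, anchored at both ends.
       [[ $candidate =~ $net_re ]] || return 1

       # Bug fix: the original wrote the prefix check as a bare "$mask -le 31",
       # which executed the prefix length as a command ("24 -le 31": command not
       # found), so every network was rejected and "ranges"/"partners" stayed
       # empty. The bound is now part of the same conditional as the octet checks.
       [[ ${BASH_REMATCH[1]} -le 255 && ${BASH_REMATCH[2]} -le 255 \
          && ${BASH_REMATCH[3]} -le 255 && ${BASH_REMATCH[4]} -le 255 \
          && ${BASH_REMATCH[5]} -le 31 ]]
   }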
   
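   # Add every valid network line of file $2 to the nethash set $1.
   # Lines that fail valid_subnet are logged and skipped, never passed to ipset.
   # @param $1 set name
   # @param $2 file with one a.b.c.d/n network per line
   load_net_set()
   {
       local setname=$1 file=$2 line
       echo "Filling set $setname."
       # "|| [[ -n $line ]]" also takes a last line without a trailing newline;
       # a trailing CR (CRLF lists) is stripped before validation.
       while IFS= read -r line || [[ -n $line ]]; do
           line=${line%$'\r'}
           if valid_subnet "$line"; then
               printf '%s - added to set %s.\n' "$line" "$setname"
               ipset -A "$setname" "$line"
           else
               printf '%s -  not valid subnet.\n' "$line"
           fi
       done < "$file"
   }

   # Add every valid address line of file $2 to the iphash set $1.
   # Lines that fail valid_ip are logged and skipped, never passed to ipset.
   # @param $1 set name
   # @param $2 file with one a.b.c.d address per line
   load_ip_set()
   {
       local setname=$1 file=$2 line
       echo "Filling set $setname."
       while IFS= read -r line || [[ -n $line ]]; do
           line=${line%$'\r'}
           if valid_ip "$line"; then
               printf '%s - added to set %s.\n' "$line" "$setname"
               ipset -A "$setname" "$line"
           else
               printf '%s -  not valid IP address.\n' "$line"
           fi
       done < "$file"
   }

   # Rebuild the three ipsets from the lists published by freenetis.
   # Globals: SET_URL_RANGES, SET_URL_PARTNERS, SET_URL_MEMBERS (read)
   # Returns: 0 when all three lists were fetched and loaded; 1 when the temp
   #          directory or a download failed, in which case the existing set
   #          contents are left untouched.
   #
   # Changes from the original, all security-motivated:
   #  - Downloads happen BEFORE the sets are flushed. The original flushed first,
   #    so any outage of freenetis (or a failed wget) silently emptied "ranges"
   #    and un-redirected every client until the next successful run.
   #  - Lists are written into a private mktemp directory instead of the fixed
   #    names /tmp/ranges, /tmp/partners, /tmp/members, which any local user
   #    could pre-create (symlink, overwritten as root by wget -O) or swap
   #    between download and load to inject addresses into the "partners"
   #    bypass set.
   #  - Each line is validated before it reaches ipset and is passed quoted as
   #    one argument. The lists still arrive over plain HTTP (see SET_URL_*),
   #    so their integrity depends on the network path to freenetis.
   function update()
   {
       local tmpdir
       tmpdir=$(mktemp -d) || { echo "update: cannot create temp directory" >&2; return 1; }

       echo "Downloading data"
       # -T bounds each fetch so a hung freenetis cannot block the job forever.
       if ! wget -q -T 30 -O "$tmpdir/ranges" "$SET_URL_RANGES" \
          || ! wget -q -T 30 -O "$tmpdir/partners" "$SET_URL_PARTNERS" \
          || ! wget -q -T 30 -O "$tmpdir/members" "$SET_URL_MEMBERS"; then
           echo "update: download from freenetis failed; sets left unchanged" >&2
           rm -rf -- "$tmpdir"
           return 1
       fi

       # Only now is it safe to drop the old contents.
       echo "Erasing content of sets."
       ipset -F ranges
       ipset -F partners
       ipset -F members

       # The exception sets are loaded first; "ranges" must be filled last,
       # otherwise clients would be redirected while members/partners are still
       # being loaded.
       load_net_set partners "$tmpdir/partners"
       load_ip_set members "$tmpdir/members"
       load_net_set ranges "$tmpdir/ranges"

       rm -rf -- "$tmpdir"
       return 0
   }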
   
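   # Apply (-A) or remove (-D) the nat/PREROUTING rules that implement the
   # redirect. One list serves both directions so that "stop" deletes exactly
   # the rules "start" added (the original duplicated the list by hand).
   # Globals: IPTABLES, IP_TARGET, IP_SELF, IP_SELF1, PORT_WEB, PORT_REDIRECT (read)
   # @param $1 iptables chain action: -A to append, -D to delete
   firewall_rules()
   {
       local action=$1
       local nat=("$IPTABLES" -t nat "$action" PREROUTING -m set)

       # Learning rule: a source from "ranges" that sends a packet to IP_TARGET is
       # added to "members" and escapes the redirect from then on.
       # NOTE(review): this matches every protocol and port, so one packet of any
       # kind to IP_TARGET is enough to enrol an address. If only the web portal
       # should enrol clients, add "-p tcp --dport 80" to this rule.
       "${nat[@]}" --set ranges src -d "$IP_TARGET" -j SET --add-set members src

       # Sources already in partners or members are never redirected.
       "${nat[@]}" --set partners src -j ACCEPT
       "${nat[@]}" --set members src -j ACCEPT

       # The local redirect port itself must stay reachable (it serves the page).
       "${nat[@]}" --set ranges src -p tcp --dport "$PORT_REDIRECT" -j ACCEPT

       # All outbound web traffic from "ranges" goes to the redirect port.
       "${nat[@]}" --set ranges src -p tcp --dport "$PORT_WEB" -j REDIRECT --to-port "$PORT_REDIRECT"

       # Services that keep working while redirected: ping, DNS and SSH to this box.
       local self
       for self in "$IP_SELF" "$IP_SELF1"; do
           "${nat[@]}" --set ranges src -p icmp -d "$self" -j ACCEPT
           "${nat[@]}" --set ranges src -p udp -d "$self" --dport 53 -j ACCEPT
           "${nat[@]}" --set ranges src -p tcp -d "$self" --dport 22 -j ACCEPT
       done

       # Support chat ("kecalek") hosts stay reachable on port 80.
       local chat_host
       for chat_host in 67.23.29.84 67.23.27.61; do
           "${nat[@]}" --set ranges src -p tcp -d "$chat_host" --dport 80 -j ACCEPT
       done

       # Everything else from "ranges" is dropped.
       "${nat[@]}" --set ranges src -j DROP
   }

   # Entry point: start | stop | restart | update.
   # Exit status now reflects the outcome; the original exited 1 after every
   # action, so init scripts and cron treated each successful run as a failure.
   case "$1" in
   start)
       echo "Adding sets."
       # NOTE(review): running "start" twice appends the whole rule list again
       # (iptables -A is unconditional; ipset -N presumably fails on an existing
       # set but the rules are still added). Run "stop" first, or use "restart".
       ipset -N ranges nethash --hashsize 1024 --probes 4 --resize 50
       ipset -N partners nethash --hashsize 1024 --probes 4 --resize 50
       ipset -N members iphash --hashsize 10000 --probes 8 --resize 50

       echo "Adding firewall rules."
       firewall_rules -A
       exit 0
       ;;

   stop)
       echo "Deleting firewall rules."
       firewall_rules -D

       echo "Deleting sets."
       ipset -X ranges
       ipset -X partners
       ipset -X members
       exit 0
       ;;

   restart)
       "$0" stop
       "$0" start
       exit 0
       ;;

   update)
       # Propagate update's status so a failed fetch is visible to the caller.
       update
       exit $?
       ;;

   *)
       echo "Usage: $0 {start|stop|restart|update}" >&2
       exit 2
       ;;
   esac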