init III
This commit is contained in:
208
Linux Perl iptables init/ipta.pl
Normal file
208
Linux Perl iptables init/ipta.pl
Normal file
@@ -0,0 +1,208 @@
|
||||
#!/usr/bin/perl -w
|
||||
use strict;
|
||||
|
||||
my $RULESDIR = "rules";
|
||||
my $STATUSFILE = "$RULESDIR/status";
|
||||
|
||||
unless (-f $STATUSFILE) {
|
||||
print ">> NO STATUS FILE!\nI will reset Firewall to defaults and write a new minimal status file. After that I'll proceed as normal.\n";
|
||||
open FILE, ">$STATUSFILE";
|
||||
printf FILE "RUNNING 0";
|
||||
close FILE;
|
||||
stop();
|
||||
print "Reset done successfully. Proceeding...\n";
|
||||
}
|
||||
|
||||
my @GLOBAL_CHAINS = qw/INPUT OUTPUT/;
|
||||
|
||||
my @FILES;
|
||||
my @files = glob("$RULESDIR/*");
|
||||
foreach my $global (@GLOBAL_CHAINS) {
|
||||
foreach my $file (@files) {
|
||||
if ($file =~ /^.*\/$global[0-9_]*_[ a-zA-Z0-9_-]*$/) {
|
||||
push (@FILES, $file);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
my $ACTION = $ARGV[0];
|
||||
unless ($ARGV[0]) { wrong_syntax(); }
|
||||
if ($ACTION =~ /^start$/) { if (running() == 0) { start(); } else { print ">> FIREWALL ALREADY STARTED!\n"; } exit 0; }
|
||||
elsif ($ACTION =~ /^stop$/) { if (running()) { stop(); } else { print ">> FIREWALL ALREADY STOPPED!\n"; } exit 0; }
|
||||
elsif ($ACTION =~ /^reload$/) { if (running()) { stop(); start(); } else { start(); } exit 0; }
|
||||
elsif ($ACTION =~ /^restart$/) { if (running()) { stop(); start(); } else { start(); } exit 0; }
|
||||
elsif ($ACTION =~ /^status$/) { if (running()) { print ">> FIREWALL RUNNING!\n"; } else { print ">> FIREWALL NOT RUNNING!\n"; } exit 0; }
|
||||
elsif ($ACTION =~ /^detail$/) { my @d=`iptables -nvL`; print @d; exit 0; }
|
||||
else { wrong_syntax(); exit 0; }
|
||||
|
||||
sub running {
|
||||
if(read_status_file("RUNNING")) {
|
||||
return 1;
|
||||
} else {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
sub read_status_file {
|
||||
my $para = $_[0];
|
||||
open FILE, "<$STATUSFILE";
|
||||
my @lines = <FILE>;
|
||||
close FILE;
|
||||
my $value="";
|
||||
foreach my $line (@lines) {
|
||||
$line = format_lines($line);
|
||||
next if($line =~ /^#/);
|
||||
if ($line =~ /^$para/) {
|
||||
(undef, $value) = split / /, $line;
|
||||
}
|
||||
}
|
||||
return $value;
|
||||
}
|
||||
|
||||
sub write_status_file {
|
||||
my ($para, $value) = @_;
|
||||
my $file = "$STATUSFILE";
|
||||
my $written = 0;
|
||||
|
||||
open FILE, "<$STATUSFILE";
|
||||
my @lines = <FILE>;
|
||||
close FILE;
|
||||
|
||||
open FILE, ">$file";
|
||||
foreach my $line (@lines) {
|
||||
$line = format_lines($line);
|
||||
my ($old_para, $old_value) = split / /, $line;
|
||||
if ($old_para eq $para) {
|
||||
printf FILE "$para $value\n";
|
||||
$written = 1;
|
||||
} else {
|
||||
printf FILE "$line\n";
|
||||
}
|
||||
}
|
||||
printf FILE "$para $value\n" unless ($written);
|
||||
close FILE;
|
||||
}
|
||||
|
||||
|
||||
sub start {
|
||||
print ">> STARTING FIREWALL!\n";
|
||||
# policy INPUT und OUTPUT auf DROP
|
||||
my $iptables;
|
||||
foreach my $chain (@GLOBAL_CHAINS) {
|
||||
$iptables = "iptables -P $chain DROP";
|
||||
#print "$iptables\n";
|
||||
`$iptables`;
|
||||
}
|
||||
# Dateien parsen
|
||||
foreach my $file (@FILES) {
|
||||
# Regeln erstellen
|
||||
process_chainfile ($file);
|
||||
}
|
||||
write_status_file("RUNNING", "1");
|
||||
}
|
||||
|
||||
|
||||
sub stop {
|
||||
print ">> STOPPING FIREWALL!\n";
|
||||
my $iptables = "iptables -F";
|
||||
`$iptables`;
|
||||
$iptables = "iptables -X";
|
||||
`$iptables`;
|
||||
foreach my $chain (@GLOBAL_CHAINS) {
|
||||
$iptables = "iptables -P $chain ACCEPT";
|
||||
`$iptables`;
|
||||
}
|
||||
write_status_file("RUNNING", "0");
|
||||
}
|
||||
|
||||
|
||||
sub wrong_syntax {
|
||||
print "Syntax:\n $0 [start|stop|restart|reload|detail]\n";
|
||||
exit 1;
|
||||
}
|
||||
|
||||
|
||||
sub process_chainfile {
|
||||
my $file = $_[0];
|
||||
my ($chain, $nr, $comment) = split /_/, $file;
|
||||
my @tmp = split /\//, $chain;
|
||||
$chain = $tmp[-1];
|
||||
open FILE, "<$file";
|
||||
my @lines = <FILE>;
|
||||
close FILE;
|
||||
create_chain("$chain-$nr", $chain, "$comment");
|
||||
foreach my $line (@lines) {
|
||||
$line = format_lines($line);
|
||||
next if($line =~ /^#/);
|
||||
next if($line =~ /^$/); # action prot sip sport dip dport comment
|
||||
# deny tcp www.agadmin.de 123 localhost 456 #testregel 1
|
||||
my ($action, $proto, $s_ip, $s_port, $d_ip, $d_port, undef, $comment) = $line =~ /([a-z0-9]*) ([!a-z0-9]*) ([!a-z0-9\/.]*) ([a-z0-9]*) ([!a-z0-9\/\.]*) ([a-z0-9]*)( (#.*))/i;
|
||||
#print "$action, $proto, $s_ip, $s_port, $d_ip, $d_port, $comment\n";
|
||||
$comment =~ s/#//;
|
||||
create_rule("$chain-$nr", $s_ip, $s_port, $d_ip, $d_port, $proto, $action, "$comment");
|
||||
}
|
||||
}
|
||||
|
||||
sub create_chain {
|
||||
my ($chain, $parent_chain, $comment) = @_;
|
||||
my $iptables = "iptables -N $chain ";
|
||||
`$iptables`;
|
||||
$iptables = "iptables -A $parent_chain -j $chain -m comment --comment \"$comment\"";
|
||||
`$iptables`;
|
||||
}
|
||||
|
||||
sub create_rule {
|
||||
my ($chain, $source_ip, $source_port, $dest_ip, $dest_port, $proto, $action, $comment) = @_;
|
||||
my $iptables;
|
||||
$source_port = 0 if($source_port =~ /any/i);
|
||||
$dest_port = 0 if($dest_port =~ /any/i);
|
||||
$source_ip = "0.0.0.0/0" if($source_ip =~ /any/i);
|
||||
$dest_ip = "0.0.0.0/0" if($dest_ip =~ /any/i);
|
||||
$action = "ACCEPT" if($action =~ /permit/i);
|
||||
$action = "DROP" if($action =~ /deny/i);
|
||||
|
||||
$iptables = "iptables -A $chain ";
|
||||
my $neg;
|
||||
if ($proto) {
|
||||
if ($proto =~ /^!/) {
|
||||
$iptables .= "! ";
|
||||
}
|
||||
$proto =~ s/!//;
|
||||
$iptables .= "-p $proto ";
|
||||
}
|
||||
|
||||
if ($source_ip) {
|
||||
if ($source_ip =~ /^!/) {
|
||||
$iptables .= "! ";
|
||||
}
|
||||
$source_ip =~ s/!//;
|
||||
$iptables .= "-s $source_ip ";
|
||||
}
|
||||
|
||||
$iptables .= "--sport $source_port " if ($source_port);
|
||||
|
||||
if ($dest_ip) {
|
||||
if ($dest_ip =~ /^!/) {
|
||||
$iptables .= "! ";
|
||||
}
|
||||
$dest_ip =~ s/!//;
|
||||
$iptables .= "-d $dest_ip ";
|
||||
}
|
||||
|
||||
$iptables .= "--dport $dest_port " if ($dest_port);
|
||||
$iptables .= "-j $action ";
|
||||
$iptables .= "-m comment --comment \"$comment\"";
|
||||
print "$iptables\n";
|
||||
`$iptables`;
|
||||
}
|
||||
|
||||
|
||||
sub format_lines {
|
||||
my $line = $_[0];
|
||||
chomp $line;
|
||||
$line =~ s/^\s+|\s+$//g ;
|
||||
$line =~ s/(\s)+/ /g;
|
||||
#$line =~ tr/[a-z]/[A-Z]/;
|
||||
return $line;
|
||||
}
|
||||
10
Linux Perl iptables init/rules/INPUT_010_Admin
Normal file
10
Linux Perl iptables init/rules/INPUT_010_Admin
Normal file
@@ -0,0 +1,10 @@
|
||||
#
|
||||
# permit|deny [!]ip|tcp|udp|icmp [!]any|ip|hostname any|1-65535 [!]any|ip|hostname any|1-65535 [#comment]
|
||||
#
|
||||
permit tcp any any any any #allow tcp
|
||||
permit udp any any any any #allow udp
|
||||
permit ip any any any any #allow ip
|
||||
permit icmp any any any any #allow icmp
|
||||
permit !icmp !1.1.2.2 any !2.2.3.3 any #allow icmp
|
||||
|
||||
deny tcp !www.agadmin.de 123 localhost 456 #testregel 1
|
||||
2
Linux Perl iptables init/rules/OUTPUT_010_Default
Normal file
2
Linux Perl iptables init/rules/OUTPUT_010_Default
Normal file
@@ -0,0 +1,2 @@
|
||||
#action proto s_ip s_port d_ip d_port comment
|
||||
permit ip any any any any #allow all
|
||||
1
Linux Perl iptables init/rules/status
Normal file
1
Linux Perl iptables init/rules/status
Normal file
@@ -0,0 +1 @@
|
||||
RUNNING 0
|
||||
Reference in New Issue
Block a user