    1 # ------------------------------------------------------------------------------
    2 #        -= Arno's Iptables Firewall(AIF) - MAC Address Filter plugin =-
    3 #
    4 PLUGIN_NAME="MAC Address Filter plugin"
    5 PLUGIN_VERSION="1.1b"
    6 PLUGIN_CONF_FILE="mac-address-filter.conf"
    7 #
    8 # Last changed          : July 21, 2015
    9 # Requirements          : ipt_mac module
# Comments              : This plugin allows you to select the MAC addresses
#                         that are allowed access for the specified interfaces
#                         (eg. INT_IF). Note that a MAC address is not a
#                         credential: any host on the same L2 segment can spoof
#                         it, so treat this as a convenience allowlist rather
#                         than as authentication. Broadcast destinations are
#                         exempted from the check (see plugin_start).
   13 #
   14 # Author                : (C) Copyright 2010-2015 by Arno van Amersfoort
   15 # Homepage              : https://rocky.eld.leidenuniv.nl/
   16 # Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
   17 #                         (note: you must remove all spaces and substitute the @ and the .
   18 #                         at the proper locations!)
   19 # ------------------------------------------------------------------------------
   20 # This program is free software; you can redistribute it and/or
   21 # modify it under the terms of the GNU General Public License
   22 # version 2 as published by the Free Software Foundation.
   23 #
   24 # This program is distributed in the hope that it will be useful,
   25 # but WITHOUT ANY WARRANTY; without even the implied warranty of
   26 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   27 # GNU General Public License for more details.
   28 #
   29 # You should have received a copy of the GNU General Public License
   30 # along with this program; if not, write to the Free Software
   31 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
   32 # ------------------------------------------------------------------------------
   33 
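# Plugin start function
#
# Builds the MAC_FILTER chain from $MAC_ADDRESS_FILE and hooks it, via
# MAC_FILTER_HOOK, into INPUT and FORWARD for every interface listed in
# $MAC_ADDRESS_IF.  A packet arriving on one of those interfaces passes
# (RETURN) when it is addressed to a broadcast / all-hosts multicast
# destination, or when its source MAC (optionally bound to a source IP) is
# listed; everything else is handed to POST_INPUT_DROP_CHAIN.
#
# Allowlist file format: one entry per line, "<mac> [<source ip or net>]",
# '#' starts a comment.  Without a second field the MAC is accepted from any
# source address (0/0).
#
# Security notes:
#  - A MAC address is not a credential; anyone on the same L2 segment can
#    spoof it.  Treat this as a convenience allowlist, not authentication.
#  - --mac-source inspects the L2 header of the received frame, so traffic
#    that reaches us through another router carries that router's MAC, not
#    the originating host's.  Only list directly attached interfaces.
#  - Broadcast destinations are exempted *before* the MAC check (DHCP
#    discovery etc. depend on it), so those addresses are reachable from any
#    MAC.
#  - Malformed entries are skipped with a warning and never reach iptables;
#    this also stops a stray "-x" in the file from being parsed as an option.
#
# Globals read : MAC_ADDRESS_IF, MAC_ADDRESS_FILE, MAC_ADDRESS_LOG,
#                IPV6_SUPPORT, INT_NET_BCAST_ADDRESS, INTERNAL_NET, LOGLEVEL,
#                INDENT
# Globals set  : MCOUNT (rules loaded), MFAIL (entries skipped or rejected)
# Returns      : 0; load problems are reported on stderr and in the summary
plugin_start()
{
  # The mac match module is xt_mac on current kernels, ipt_mac on old ones
  modprobe_multi xt_mac ipt_mac

  # (Re)create our chains, empty
  iptables -N MAC_FILTER_HOOK 2>/dev/null
  iptables -F MAC_FILTER_HOOK
  iptables -N MAC_FILTER 2>/dev/null
  iptables -F MAC_FILTER

  echo " Using interface(s): $MAC_ADDRESS_IF"

  # Here we filter the internal hosts using their MAC address (if used)
  #####################################################################

  # Data goes through %s: a '%' in the path must not act as a printf directive
  printf "%s(Re)loading allowed internal MAC addresses from %s: " "$INDENT" "$MAC_ADDRESS_FILE"

  # Remember the caller's IFS; it is changed below and put back before returning
  OLD_IFS="$IFS"

  # Allow IPv4 broadcasts and IPv6 "link-scope all-hosts multicast"
  ip4tables -A MAC_FILTER -d 255.255.255.255 -j RETURN
  if [ "$IPV6_SUPPORT" = "1" ]; then
    ip6tables -A MAC_FILTER -d ff02::1 -j RETURN
  fi

  # Directed (subnet) broadcasts.  Preferred source is the explicit
  # INT_NET_BCAST_ADDRESS list; otherwise /24, /16 and /8 broadcast addresses
  # are derived from the leading octets of every IPv4 INTERNAL_NET entry.
  # That fallback ignores the real prefix length, so networks that are not
  # octet aligned should set INT_NET_BCAST_ADDRESS explicitly.
  IFS=' ,'
  if [ -n "$INT_NET_BCAST_ADDRESS" ]; then
    for address in $INT_NET_BCAST_ADDRESS; do
      iptables -A MAC_FILTER -d "$address" -j RETURN
    done
  else
    for net in $INTERNAL_NET; do
      get_numeric_ip_version "$net"
      case $? in
      4)
        # /24 ("class C") directed broadcast
        ip4tables -A MAC_FILTER -d "$(echo "$net" |awk -F. '{ print $1"."$2"."$3".255" }')" -j RETURN

        # /16 ("class B") directed broadcast
        ip4tables -A MAC_FILTER -d "$(echo "$net" |awk -F. '{ print $1"."$2".255.255" }')" -j RETURN

        # /8 ("class A") directed broadcast
        ip4tables -A MAC_FILTER -d "$(echo "$net" |awk -F. '{ print $1".255.255.255" }')" -j RETURN
        ;;
      esac
    done
  fi

  # Load the allowlist.  Reading line by line in this shell (no pipe) keeps
  # the counters; "|| [ -n ... ]" still handles a last line without newline.
  MCOUNT=0
  MFAIL=0
  while IFS= read -r LINE || [ -n "$LINE" ]; do
    # Strip comments; awk field splitting takes care of surrounding whitespace
    LINE="${LINE%%#*}"
    src_mac="$(printf '%s\n' "$LINE" |awk '{ print $1 }')"
    src_ip="$(printf '%s\n' "$LINE" |awk '{ print $2 }')"

    # Blank or comment-only line
    if [ -z "$src_mac" ]; then
      continue
    fi

    # Only a well-formed xx:xx:xx:xx:xx:xx string is handed to --mac-source
    if ! printf '%s\n' "$src_mac" |grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
      printf "\033[40m\033[1;31m%sWARNING: Ignoring malformed MAC address \"%s\" in %s\033[0m\n" "$INDENT" "$src_mac" "$MAC_ADDRESS_FILE" >&2
      MFAIL=$((MFAIL + 1))
      continue
    fi

    # No source address given: accept this MAC from anywhere
    if [ -z "$src_ip" ]; then
      src_ip="0/0"
    fi

    # An address never starts with '-'; refuse anything iptables would read as an option
    case "$src_ip" in
      -*)
        printf "\033[40m\033[1;31m%sWARNING: Ignoring invalid source address \"%s\" for MAC %s in %s\033[0m\n" "$INDENT" "$src_ip" "$src_mac" "$MAC_ADDRESS_FILE" >&2
        MFAIL=$((MFAIL + 1))
        continue
        ;;
    esac

    # Count only rules iptables actually accepted, so "N loaded" is truthful
    if iptables -A MAC_FILTER -m mac --mac-source "$src_mac" -s "$src_ip" -j RETURN; then
      MCOUNT=$((MCOUNT + 1))
    else
      MFAIL=$((MFAIL + 1))
    fi
  done < "$MAC_ADDRESS_FILE"

  # Optional, rate-limited logging of what is about to be dropped
  if [ "$MAC_ADDRESS_LOG" = "1" ]; then
    iptables -A MAC_FILTER \
      -m limit --limit 3/m --limit-burst 5 -j LOG --log-level "$LOGLEVEL" --log-prefix "AIF:MAC address dropped: "
  fi

  # Anyone else is dropped
  iptables -A MAC_FILTER -j POST_INPUT_DROP_CHAIN

  # Only traffic entering on the configured interface(s) is subjected to the filter
  IFS=' ,'
  for interface in $MAC_ADDRESS_IF; do
    iptables -A MAC_FILTER_HOOK -i "$interface" -j MAC_FILTER
  done

  # Hook into INPUT and FORWARD.  Note this *appends*: where the hook lands
  # relative to the rest of the rule set depends on when the loader runs this
  # plugin -- confirm it sits before any broad ACCEPT for these interfaces.
  iptables -A INPUT -j MAC_FILTER_HOOK
  iptables -A FORWARD -j MAC_FILTER_HOOK

  IFS="$OLD_IFS"

  if [ "$MFAIL" -gt 0 ]; then
    echo "$MCOUNT loaded, $MFAIL skipped"
  else
    echo "$MCOUNT loaded"
  fi

  return 0
}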
  126 
  127 
# Plugin stop function
#
# Tears down everything plugin_start created, in dependency order: first the
# jumps from INPUT/FORWARD into MAC_FILTER_HOOK, then the hook chain, then
# MAC_FILTER itself (a chain can only be deleted once nothing references it).
# Errors for rules/chains that do not exist are silenced so stop is safe to
# run repeatedly.  Always returns 0.
plugin_stop()
{
  for hook_point in INPUT FORWARD; do
    iptables -D "$hook_point" -j MAC_FILTER_HOOK 2>/dev/null
  done

  for own_chain in MAC_FILTER_HOOK MAC_FILTER; do
    iptables -F "$own_chain"
    iptables -X "$own_chain" 2>/dev/null
  done

  return 0
}
  142 
  143 
# Plugin status function
#
# Currently a no-op: the chain listing below was left disabled by the author,
# so this only reports success to the loader and prints nothing.
plugin_status()
{
  # Re-enable to dump the MAC_FILTER chain with counters on "status":
  #   iptables -xnvL MAC_FILTER |sed -e "s/^/$INDENT/"
  return 0
}
  150 
  151 
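# Check sanity of eg. environment
#
# Verifies the two settings the plugin cannot run without: the allowlist
# ($MAC_ADDRESS_FILE) must be a readable regular file, and at least one
# interface must be named in $MAC_ADDRESS_IF.
# Returns 0 when both hold, 1 otherwise (with a coloured message on stderr).
plugin_sanity_check()
{
  # -r as well as -f: the message promises readability, and an unreadable
  # allowlist would otherwise only surface as "0 loaded" at start time.
  if [ ! -f "$MAC_ADDRESS_FILE" ] || [ ! -r "$MAC_ADDRESS_FILE" ]; then
    # Path goes through %s so a '%' in it cannot be taken as a printf directive
    printf "\033[40m\033[1;31m%sNOTE: Cannot read the allowed internal MAC address file \"%s\".\033[0m\n" "$INDENT" "$MAC_ADDRESS_FILE" >&2
    return 1
  fi

  if [ -z "$MAC_ADDRESS_IF" ]; then
    printf "\033[40m\033[1;31m%sERROR: The plugin config file is not properly set!\033[0m\n" "$INDENT" >&2
    return 1
  fi

  return 0
}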
  167 
  168 
  169 ############
  170 # Mainline #
  171 ############
  172 
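# Check where to find the config file.
# PLUGIN_CONF_PATH is supplied by the loader that sources this plugin; with it
# unset there is nothing to source and the plugin is skipped below.
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Preinit to success:
PLUGIN_RET_VAL=0

# Check if the config file exists
if [ ! -f "$CONF_FILE" ]; then
  # Data via %s so a '%' in a path or name cannot act as a printf directive
  printf "NOTE: Config file \"%s\" not found!\n        Plugin \"%s v%s\" ignored!\n" "$CONF_FILE" "$PLUGIN_NAME" "$PLUGIN_VERSION" >&2
else
  # Source the plugin config file.
  # NOTE(security): this executes the config file as shell code with the
  # firewall's privileges (root), so it must not be writable by anyone else.
  . "$CONF_FILE"

  # Run when enabled.  "stop" and "status" are also honoured when
  # PLUGIN_LOAD_FILE is set, presumably so a previously started plugin can be
  # torn down even after ENABLED has been switched off.  Written as separate
  # tests rather than the ambiguous "[ ... -a ... ]" form.
  if [ "$ENABLED" = "1" ] ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "stop" ]; } ||
     { [ -n "$PLUGIN_LOAD_FILE" ] && [ "$PLUGIN_CMD" = "status" ]; }; then
    # Show who we are:
    echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"

    # Increment indention (not restored here; presumably the loader resets it per plugin)
    INDENT="$INDENT "

    # Only proceed if environment ok
    if ! plugin_sanity_check; then
      PLUGIN_RET_VAL=1
    else
      case $PLUGIN_CMD in
        start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
        stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
        status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
        *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m%sERROR: Invalid plugin option \"%s\"!\033[0m\n" "$INDENT" "$PLUGIN_CMD" >&2 ;;
      esac
    fi
  fi
fi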
  204         stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
  205         status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
  206         *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
  207       esac
  208     fi
  209   fi
  210 fi