"Fossies" - the Fresh Open Source Software Archive

Member "aif-2.1.1/share/arno-iptables-firewall/plugins/50dsl-ppp-modem.plugin" (16 Sep 2020, 7887 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:

As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "50dsl-ppp-modem.plugin": 2.1.0_vs_2.1.1.

    1 # ------------------------------------------------------------------------------
    2 #         -= Arno's Iptables Firewall(AIF) - (A)DSL PPP Modem plugin =-
    3 #
    4 PLUGIN_NAME="(A)DSL PPP Modem plugin"
    5 PLUGIN_VERSION="1.0g"
    6 PLUGIN_CONF_FILE="dsl-ppp-modem.conf"
    7 #
    8 # Last changed          : October 20, 2011
    9 # Requirements          : aif 1.9.2i+ & kernel 2.6 & iptable_nat & ip_nat & ipt_MASQUERADE
   10 # Comments              : This implements support for (A)DSL PPP modems
   11 #
   12 # Author                : (C) Copyright 2008-2011 by Arno van Amersfoort
   13 # Homepage              : https://rocky.eld.leidenuniv.nl/
   14 # Email                 : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
   15 #                         (note: you must remove all spaces and substitute the @ and the .
   16 #                         at the proper locations!)
   17 # ------------------------------------------------------------------------------
   18 # This program is free software; you can redistribute it and/or
   19 # modify it under the terms of the GNU General Public License
   20 # version 2 as published by the Free Software Foundation.
   21 #
   22 # This program is distributed in the hope that it will be useful,
   23 # but WITHOUT ANY WARRANTY; without even the implied warranty of
   24 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   25 # GNU General Public License for more details.
   26 #
   27 # You should have received a copy of the GNU General Public License
   28 # along with this program; if not, write to the Free Software
   29 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
   30 # ------------------------------------------------------------------------------
   31 
   32 # Plugin start function
   33 plugin_start()
   34 {
   35   echo "${INDENT}Applying rules for (A)DSL modem on interface: $MODEM_IF"
   36 
   37   if [ -n "$MODEM_IF_IP" ]; then
   38     echo "${INDENT}Setting up (antispoof) MODEM net: $MODEM_IF_IP/24"
   39 
   40     # Anti spoof protection for the modem net
   41     #########################################
   42     ip4tables -A SPOOF_CHK ! -i $MODEM_IF -s "$MODEM_IF_IP/24" \
   43         -m limit --limit 3/m -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Spoofed (MODEM) packet: "
   44     ip4tables -A SPOOF_CHK ! -i $MODEM_IF -s "$MODEM_IF_IP/24" -j DROP
   45   fi
   46 
   47   # Create & flush our modem chain
   48   ip4tables -N MODEM_CHAIN 2>/dev/null
   49   ip4tables -F MODEM_CHAIN
   50   ip4tables -N MODEM_CHAIN_HOOK 2>/dev/null
   51   ip4tables -F MODEM_CHAIN_HOOK
   52 
   53 
   54   # This is only used if you have a (A)DSL modem using ppp (connected to an
   55   # ethernet interface)
   56   #########################################################################
   57   if [ -n "$MODEM_IF_IP" ]; then
   58     if [ -n "$MODEM_IP" ]; then
   59       echo "${INDENT}Using MODEM IP $MODEM_IP"
   60 
   61       # Only allow traffic from the MODEM (check IP) to this machine
   62       ##############################################################
   63       ip4tables -A MODEM_CHAIN -s $MODEM_IP -d $MODEM_IF_IP -j ACCEPT
   64     else
   65       # Only allow traffic from the MODEM (no IP, so no checking) to this machine
   66       ###########################################################################
   67       ip4tables -A MODEM_CHAIN -d $MODEM_IF_IP -j ACCEPT
   68     fi
   69   elif [ -n "$MODEM_IP" ]; then
   70     echo "${INDENT}Using MODEM IP $MODEM_IP"
   71 
   72     # Only allow traffic from the MODEM (check IP) to this machine
   73     ##############################################################
   74     ip4tables -A MODEM_CHAIN -s $MODEM_IP -j ACCEPT
   75   else
   76     # Only allow traffic from the MODEM (no IP, so no checking) to this machine
   77     ###########################################################################
   78     ip4tables -A MODEM_CHAIN -j ACCEPT
   79   fi
   80 
   81   # Allow DHCP packets
   82   ip4tables -A MODEM_CHAIN -s 0.0.0.0 -d 255.255.255.255 -p udp --sport 68 --dport 67 -j ACCEPT
   83   
   84   # Everything else is logged & dropped
   85   ip4tables -A MODEM_CHAIN \
   86     -m limit --limit 1/s -j LOG --log-level $LOGLEVEL --log-prefix "AIF:Dropped MODEM packet: "
   87   ip4tables -A MODEM_CHAIN -j DROP
   88   
   89   IFS=' ,'
   90   for interface in $MODEM_IF; do
   91     ip4tables -A MODEM_CHAIN_HOOK -i $interface -j MODEM_CHAIN
   92   done
   93 
   94   # Add our MODEM chain hook
   95   ip4tables -A INPUT -j MODEM_CHAIN_HOOK
   96 
   97   # Manage your modemsettings from computers on your LAN. For example with your browser via http://{MODEM_IP}
   98   ###########################################################################################################
   99   if [ -n "$MODEM_IP" -a -n "$MODEM_INTERNAL_NET" ]; then
  100     echo "${INDENT}Enabling (ADSL) modem (@$MODEM_IP) management for hosts(s): $MODEM_INTERNAL_NET"
  101     IFS=' ,'
  102     for net in `ip_range "$MODEM_INTERNAL_NET"`; do
  103       ip4tables -A FORWARD -o $MODEM_IF -s $net -j ACCEPT
  104       ip4tables -t nat -A POSTROUTING -o $MODEM_IF -s $net -d $MODEM_IP -j MASQUERADE
  105     done
  106   fi
  107 
  108   return 0
  109 }
  110 
  111 
  112 # Plugin stop function
  113 plugin_stop()
  114 {
  115   ip4tables -D INPUT -j MODEM_CHAIN_HOOK 2>/dev/null
  116   
  117   ip4tables -F MODEM_CHAIN_HOOK
  118   ip4tables -X MODEM_CHAIN_HOOK 2>/dev/null
  119 
  120   ip4tables -F MODEM_CHAIN
  121   ip4tables -X MODEM_CHAIN 2>/dev/null
  122   
  123   return 0
  124 }
  125 
  126 
  127 # Plugin status function
  128 plugin_status()
  129 {
  130   return 0
  131 }
  132 
  133 
  134 # Check sanity of eg. environment
  135 plugin_sanity_check()
  136 {
  137   if [ -z "$MODEM_IF" ]; then
  138     printf "\033[40m\033[1;31m${INDENT}ERROR: The plugin config file is not properly set!\033[0m\n" >&2
  139     return 1
  140   fi
  141 
  142   # Check whether MODEM_IF exists
  143   ###############################
  144   if ! check_interface $MODEM_IF; then
  145     printf "\033[40m\033[1;31m${INDENT}NOTE: Modem interface \"$MODEM_IF\" does NOT exist (yet?)\033[0m\n" >&2
  146   fi
  147 
  148   # Make sure EXT_IF != MODEM_IF
  149   ##############################
  150   IFS=' ,'
  151   for eif in $EXT_IF; do
  152     if [ "$eif" = "$MODEM_IF" ]; then
  153       printf "\033[40m\033[1;31m${INDENT}ERROR: One or more interfaces specified in EXT_IF is the same as the\033[0m\n" >&2
  154       printf "\033[40m\033[1;31m${INDENT}       MODEM_IF! Please, check the configuration file.\033[0m\n" >&2
  155       return 1
  156     fi
  157   done
  158 
  159   # Make sure INT_IF != MODEM_IF
  160   ##############################
  161   IFS=' ,'
  162   for iif in $INT_IF; do
  163     if [ "$iif" = "$MODEM_IF" ]; then
  164       printf "\033[40m\033[1;31m${INDENT}ERROR: One or more interfaces specified in INT_IF is the same as the one in\033[0m\n" >&2
  165       printf "\033[40m\033[1;31m${INDENT}       MODEM_IF! Please, check the configuration file.\033[0m\n" >&2
  166       return 1
  167     fi
  168   done
  169 
  170   # Make sure MODEM_IF != lo / 127.0.0.1
  171   ######################################
  172   if [ "$MODEM_IF" = "lo" -o "$MODEM_IF" = "127.0.0.1" ]; then
  173     printf "\033[40m\033[1;31m${INDENT}ERROR: The interface specified in MODEM_IF has the address or name of the local\033[0m\n" >&2
  174     printf "\033[40m\033[1;31m${INDENT}       loopback device! Please, check the configuration file.\033[0m\n" >&2
  175     return 1
  176   fi
  177 
  178   return 0
  179 }
  180 
  181 
  182 ############
  183 # Mainline #
  184 ############
  185 
  186 # Check where to find the config file
  187 CONF_FILE=""
  188 if [ -n "$PLUGIN_CONF_PATH" ]; then
  189   CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
  190 fi
  191 
  192 # Preinit to success:
  193 PLUGIN_RET_VAL=0
  194 
  195 # Check if the config file exists
  196 if [ ! -f "$CONF_FILE" ]; then
  197   printf "NOTE: Config file \"$CONF_FILE\" not found!\n        Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
  198 else
  199   # Source the plugin config file
  200   . "$CONF_FILE"
  201 
  202   if [ "$ENABLED" = "1" ] ||
  203      [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
  204      [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
  205     # Show who we are:
  206     echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"
  207 
  208     # Increment indention
  209     INDENT="$INDENT "
  210 
  211     # Only proceed if environment ok
  212     if ! plugin_sanity_check; then
  213       PLUGIN_RET_VAL=1
  214     else
  215       case $PLUGIN_CMD in
  216         start|'') plugin_start; PLUGIN_RET_VAL=$? ;;
  217         stop    ) plugin_stop; PLUGIN_RET_VAL=$? ;;
  218         status  ) plugin_status; PLUGIN_RET_VAL=$? ;;
  219         *       ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;;
  220       esac
  221     fi
  222   fi
  223 fi