    1 # The plugin configuration file
    2 ###############################
    3 PLUGIN_CONF_FILE="parasitic-net.conf"
    4 
    5 # Preinit return value for success
    6 PLUGIN_RET_VAL=0
    7 
# Verify that the environment this plugin needs is in place.
# Currently the only requirement is that the PARASITIC_NET_ACL chain exists
# (presumably created by the firewall core before plugins run -- confirm
# against the caller; it is not created in this file).
# Returns 0 when the chain is present, 1 (with a message on stderr) otherwise.
parasitic_net_helper_sanity_check()
{
  # Listing the chain is the cheapest existence test; output is discarded
  if ip4tables -nL PARASITIC_NET_ACL >/dev/null 2>&1; then
    return 0
  fi

  echo "** ERROR: PARASITIC_NET_ACL does not exist! **" >&2
  return 1
}
   19 
   20 
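# Build the PARASITIC_NET_ACL chain from the plugin configuration.
#
# Globals read:  PARASITIC_NET_HOST_DENY_TCP/UDP/ICMP/IP,
#                PARASITIC_NET_HOST_OPEN_TCP/UDP/ICMP/IP,
#                PARASITIC_NET_DENY_POLICY, PARASITIC_NET_DENY_LOG, LOGLEVEL, INDENT
# Helpers used:  ip4tables, parse_rule, ip_range, get_dynamic_host_cached
#                (AIF environment functions, not defined in this file; from their
#                use here parse_rule is expected to set $shosts/$dhosts/$ports/
#                $protos and get_dynamic_host_cached to set $host_ip -- confirm
#                against the core library)
# Returns:       0 when every configured rule was installed, 1 when at least one
#                rule was skipped because a destination host did not resolve.
#
# Chain layout (order matters, first match wins):
#   1. explicit DENY rules  (PARASITIC_NET_HOST_DENY_*)
#   2. explicit OPEN rules  (PARASITIC_NET_HOST_OPEN_*)
#   3. per-protocol default (a protocol with no OPEN rules is wide open)
#   4. catch-all deny
#
# Fixes relative to the previous version:
#   - the flush now goes through the ip4tables wrapper like every other rule
#     (it called the bare iptables binary)
#   - the OPEN_IP rules now carry "-s $shost_ip"; previously the source host
#     was looped over but never put in the rule, so any source could reach
#     the destination on that protocol (and one duplicate rule was added per
#     source host)
#   - OPEN_ICMP and OPEN_IP source hosts go through ip_range like all other
#     rules, so ranges are expanded consistently
parasitic_net_helper_do_work()
{
  local RETVAL=0

  # Start from an empty chain so a re-run never stacks duplicate rules
  ip4tables -F PARASITIC_NET_ACL

  # --- 1. explicit deny rules --------------------------------------------
  unset IFS
  for rule in $PARASITIC_NET_HOST_DENY_TCP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_DENY_TCP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo "${INDENT}Denying access from $shosts to $dhosts for TCP port(s): $ports"

      # Hosts, ports and resolved IPs are split on blanks and commas below
      IFS=' ,'
      for dhost in $(ip_range "$dhosts"); do
        if ! get_dynamic_host_cached "$dhost" || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping TCP deny rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in $(ip_range "$shosts"); do
            for port in $ports; do
              if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
                ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p tcp --dport $port -m limit --limit 1/m -j LOG \
                  --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
              fi

              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p tcp --dport $port -j $PARASITIC_NET_DENY_POLICY
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $PARASITIC_NET_HOST_DENY_UDP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_DENY_UDP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then
      echo "${INDENT}Denying access from $shosts to $dhosts for UDP port(s): $ports"

      IFS=' ,'
      for dhost in $(ip_range "$dhosts"); do
        if ! get_dynamic_host_cached "$dhost" || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping UDP deny rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in $(ip_range "$shosts"); do
            for port in $ports; do
              if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
                ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p udp --dport $port -m limit --limit 1/m -j LOG \
                  --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
              fi

              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p udp --dport $port -j $PARASITIC_NET_DENY_POLICY
            done
          done
        done
      done
    fi
  done

  # ICMP rules only ever match echo-request; other ICMP types are handled by
  # the catch-all at the end of the chain
  unset IFS
  for rule in $PARASITIC_NET_HOST_DENY_ICMP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_DENY_ICMP "shosts:ANYHOST-dhosts"; then
      echo "${INDENT}Denying access from $shosts to $dhosts for ICMP requests"

      IFS=' ,'
      for dhost in $(ip_range "$dhosts"); do
        if ! get_dynamic_host_cached "$dhost" || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping ICMP deny rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in $(ip_range "$shosts"); do
            if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p icmp --icmp-type echo-request -m limit --limit 1/m -j LOG \
                --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
            fi

            ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p icmp --icmp-type echo-request -j $PARASITIC_NET_DENY_POLICY
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $PARASITIC_NET_HOST_DENY_IP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_DENY_IP "shosts:ANYHOST-dhosts-protos"; then
      echo "${INDENT}Denying access from $shosts to $dhosts for IP protocol(s): $protos"

      IFS=' ,'
      for dhost in $(ip_range "$dhosts"); do
        if ! get_dynamic_host_cached "$dhost" || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping IP deny rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in $(ip_range "$shosts"); do
            for proto in $protos; do
              if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
                ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p $proto -m limit --limit 1/m -j LOG \
                  --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
              fi

              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p $proto -j $PARASITIC_NET_DENY_POLICY
            done
          done
        done
      done
    fi
  done

  # --- 2. explicit open rules --------------------------------------------
  unset IFS
  for rule in $PARASITIC_NET_HOST_OPEN_TCP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_TCP "shosts:ANYHOST-dhosts-ports"; then
      echo "${INDENT}Allowing access from $shosts to $dhosts for TCP port(s): $ports"

      IFS=' ,'
      for dhost in $(ip_range "$dhosts"); do
        if ! get_dynamic_host_cached "$dhost" || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping TCP allow rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in $(ip_range "$shosts"); do
            for port in $ports; do
              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p tcp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $PARASITIC_NET_HOST_OPEN_UDP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_UDP "shosts:ANYHOST-dhosts-ports"; then
      echo "${INDENT}Allowing access from $shosts to $dhosts for UDP port(s): $ports"

      IFS=' ,'
      for dhost in $(ip_range "$dhosts"); do
        if ! get_dynamic_host_cached "$dhost" || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping UDP allow rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in $(ip_range "$shosts"); do
            for port in $ports; do
              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p udp --dport $port -j ACCEPT
            done
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $PARASITIC_NET_HOST_OPEN_ICMP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_ICMP "shosts:ANYHOST-dhosts"; then
      echo "${INDENT}Allowing access from $shosts to $dhosts for ICMP requests"

      IFS=' ,'
      for dhost in $(ip_range "$dhosts"); do
        if ! get_dynamic_host_cached "$dhost" || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping ICMP allow rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          # Expand source ranges the same way the deny rules do
          for shost_ip in $(ip_range "$shosts"); do
            ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p icmp --icmp-type echo-request -j ACCEPT
          done
        done
      done
    fi
  done

  unset IFS
  for rule in $PARASITIC_NET_HOST_OPEN_IP; do
    if parse_rule "$rule" PARASITIC_NET_HOST_OPEN_IP "shosts:ANYHOST-dhosts-protos"; then
      echo "${INDENT}Allowing access from $shosts to $dhosts for IP protocol(s): $protos"

      IFS=' ,'
      for dhost in $(ip_range "$dhosts"); do
        if ! get_dynamic_host_cached "$dhost" || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping IP allow rule(s) for unresolvable host \"$dhost\"! **" >&2
          RETVAL=1
          continue
        fi

        for dhost_ip in $host_ip; do
          for shost_ip in $(ip_range "$shosts"); do
            for proto in $protos; do
              # The source restriction must be part of the rule, otherwise the
              # allow applies to every host, not just the configured $shosts
              ip4tables -A PARASITIC_NET_ACL -s $shost_ip -d $dhost_ip -p $proto -j ACCEPT
            done
          done
        done
      done
    fi
  done

  # --- 3. per-protocol default -------------------------------------------
  # A protocol with no OPEN rules configured is accepted outright; as soon as
  # any OPEN rule exists for it, everything not matched above is denied.
  # NOTE(review): logging here is enabled for any value other than "0" while
  # the per-rule denies above log only for "1", so with the variable unset
  # only these default denies are logged. Kept as-is; confirm the intended
  # default against the config file.
  if [ -z "$PARASITIC_NET_HOST_OPEN_TCP" ]; then
    ip4tables -A PARASITIC_NET_ACL -p tcp -j ACCEPT
  else
    if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
      ip4tables -A PARASITIC_NET_ACL -p tcp -m limit --limit 12/m -j LOG \
        --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
    fi

    ip4tables -A PARASITIC_NET_ACL -p tcp -j $PARASITIC_NET_DENY_POLICY
  fi

  if [ -z "$PARASITIC_NET_HOST_OPEN_UDP" ]; then
    ip4tables -A PARASITIC_NET_ACL -p udp -j ACCEPT
  else
    if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
      ip4tables -A PARASITIC_NET_ACL -p udp -m limit --limit 12/m -j LOG \
        --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
    fi

    ip4tables -A PARASITIC_NET_ACL -p udp -j $PARASITIC_NET_DENY_POLICY
  fi

  if [ -z "$PARASITIC_NET_HOST_OPEN_ICMP" ]; then
    ip4tables -A PARASITIC_NET_ACL -p icmp --icmp-type echo-request -j ACCEPT
  else
    if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
      ip4tables -A PARASITIC_NET_ACL -p icmp --icmp-type echo-request -m limit --limit 12/m -j LOG \
        --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
    fi

    ip4tables -A PARASITIC_NET_ACL -p icmp --icmp-type echo-request -j $PARASITIC_NET_DENY_POLICY
  fi

  # --- 4. catch-all deny -------------------------------------------------
  # Anything left over -- "other" IP protocols and ICMP types other than
  # echo-request -- is denied; such traffic has to be opened explicitly
  if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
    ip4tables -A PARASITIC_NET_ACL -m limit --limit 12/m -j LOG \
      --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
  fi
  ip4tables -A PARASITIC_NET_ACL -j $PARASITIC_NET_DENY_POLICY

  return $RETVAL
}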
  280 
  281 
  282 ############
  283 # Mainline #
  284 ############
  285 
# Locate the plugin's config file. PLUGIN_CONF_PATH is handed in by the
# firewall core; without it there is nothing to load and CONF_FILE stays empty.
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

if [ -f "$CONF_FILE" ]; then
  # The config is executed as shell code, so it carries the same trust level
  # as this plugin: it should be owned by root and not writable by anyone else
  . "$CONF_FILE"

  # The rule builder only runs once the environment check passed; a failure
  # of either marks the plugin as failed for the caller
  if ! parasitic_net_helper_sanity_check || ! parasitic_net_helper_do_work; then
    PLUGIN_RET_VAL=1
  fi
else
  echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
  PLUGIN_RET_VAL=1
fi