"Fossies" - the Fresh Open Source Software Archive 
Member "aif-2.1.1/share/arno-iptables-firewall/plugins/parasitic-net-helper" (16 Sep 2020, 10266 Bytes) of package /linux/privat/aif-2.1.1.tar.gz:
As a special service "Fossies" has tried to format the requested text file into HTML format (style:
standard) with prefixed line numbers.
Alternatively you can here
view or
download the uninterpreted source code file.
See also the latest
Fossies "Diffs" side-by-side code changes report for "parasitic-net-helper":
2.1.0_vs_2.1.1.
# The plugin configuration file
###############################
# Looked up relative to $PLUGIN_CONF_PATH by the mainline at the end of this file.
PLUGIN_CONF_FILE='parasitic-net.conf'

# Preinit return value for success. The mainline sets it to 1 on any failure
# (missing config file, missing chain, or a rule skipped for an unresolvable host).
PLUGIN_RET_VAL=0
7
# Check sanity of environment: the PARASITIC_NET_ACL chain must already exist
# in the IPv4 tables (presumably created by the parasitic-net plugin proper;
# this helper only fills it).
# Returns 0 when the chain is present, 1 (with an error on stderr) otherwise.
parasitic_net_helper_sanity_check()
{
  # Listing the chain is the cheapest existence test; output is irrelevant
  ip4tables -nL PARASITIC_NET_ACL >/dev/null 2>&1 && return 0

  echo "** ERROR: PARASITIC_NET_ACL does not exist! **" >&2
  return 1
}
19
20
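# Append one rule (plus its LOG rule for denies) to PARASITIC_NET_ACL.
#   $1   - "deny" or "allow"
#   $2   - source address (already expanded by ip_range)
#   $3   - destination address (already resolved to an IP)
#   $4.. - protocol/port match arguments, e.g. -p tcp --dport 22
# Globals read: PARASITIC_NET_DENY_LOG, PARASITIC_NET_DENY_POLICY, LOGLEVEL
parasitic_net_helper_append_rule()
{
  local action="$1" src="$2" dst="$3"
  shift 3

  if [ "$action" = "deny" ]; then
    # Per-rule denies are only logged when explicitly enabled ("1"); the
    # per-protocol fallback rules below log unless explicitly disabled ("0").
    if [ "$PARASITIC_NET_DENY_LOG" = "1" ]; then
      ip4tables -A PARASITIC_NET_ACL -s "$src" -d "$dst" "$@" -m limit --limit 1/m -j LOG \
        --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
    fi

    # $PARASITIC_NET_DENY_POLICY is left unquoted, as in the original code, so a
    # multi-word target would keep working. NOTE(review): confirm it is always a
    # single word (DROP/REJECT); if so it can safely be quoted.
    ip4tables -A PARASITIC_NET_ACL -s "$src" -d "$dst" "$@" -j $PARASITIC_NET_DENY_POLICY
  else
    ip4tables -A PARASITIC_NET_ACL -s "$src" -d "$dst" "$@" -j ACCEPT
  fi
}

# Add the rules of one PARASITIC_NET_HOST_* list to PARASITIC_NET_ACL.
#   $1 - "deny" or "allow"
#   $2 - "tcp", "udp", "icmp" or "ip"
#   $3 - name of the rule-list variable (handed to parse_rule for its messages)
#   $4 - the rule list itself (the value of the variable named by $3)
# Globals set by the helpers it calls: shosts, dhosts, ports, protos (parse_rule)
# and host_ip (get_dynamic_host_cached). Like the original code it leaves IFS
# set to ' ,' once a rule has been processed.
# Returns 1 when a destination host could not be resolved (that host's rules
# are skipped with a warning on stderr), 0 otherwise.
parasitic_net_helper_add_rules()
{
  local action="$1" proto="$2" rule_var="$3" rules="$4"
  local spec label verb items desc rule dhost dhost_ip shost_ip item
  local retval=0

  # Deny rules for TCP/UDP default to all ports; allow rules must name them
  case "$action-$proto" in
    deny-tcp)   label="TCP";  verb="Denying";  spec="shosts:ANYHOST-dhosts-ports:ANYPORT" ;;
    deny-udp)   label="UDP";  verb="Denying";  spec="shosts:ANYHOST-dhosts-ports:ANYPORT" ;;
    deny-icmp)  label="ICMP"; verb="Denying";  spec="shosts:ANYHOST-dhosts" ;;
    deny-ip)    label="IP";   verb="Denying";  spec="shosts:ANYHOST-dhosts-protos" ;;
    allow-tcp)  label="TCP";  verb="Allowing"; spec="shosts:ANYHOST-dhosts-ports" ;;
    allow-udp)  label="UDP";  verb="Allowing"; spec="shosts:ANYHOST-dhosts-ports" ;;
    allow-icmp) label="ICMP"; verb="Allowing"; spec="shosts:ANYHOST-dhosts" ;;
    allow-ip)   label="IP";   verb="Allowing"; spec="shosts:ANYHOST-dhosts-protos" ;;
    *)
      echo "** ERROR: Unknown rule type \"$action-$proto\"! **" >&2
      return 1
      ;;
  esac

  # Rules in the list are separated by whitespace (default IFS)
  unset IFS
  for rule in $rules; do
    if parse_rule "$rule" "$rule_var" "$spec"; then
      # What gets iterated per resolved host pair: ports, protocol numbers,
      # or just the one ICMP type this ACL handles
      case "$proto" in
        tcp|udp) desc="$label port(s): $ports";   items="$ports" ;;
        icmp)    desc="ICMP requests";            items="echo-request" ;;
        ip)      desc="IP protocol(s): $protos";  items="$protos" ;;
      esac
      echo "${INDENT}$verb access from $shosts to $dhosts for $desc"

      # Host and port lists may be comma or space separated
      IFS=' ,'
      for dhost in $(ip_range "$dhosts"); do
        if ! get_dynamic_host_cached "$dhost" || [ -z "$host_ip" ]; then
          echo "** WARNING: Skipping $label $action rule(s) for unresolvable host \"$dhost\"! **" >&2
          retval=1
          continue
        fi

        for dhost_ip in $host_ip; do
          # Sources go through ip_range for every rule type, so a range in
          # shosts is expanded consistently (the original ICMP/IP allow loops
          # passed $shosts through raw).
          for shost_ip in $(ip_range "$shosts"); do
            for item in $items; do
              case "$proto" in
                icmp) parasitic_net_helper_append_rule "$action" "$shost_ip" "$dhost_ip" -p icmp --icmp-type "$item" ;;
                ip)   parasitic_net_helper_append_rule "$action" "$shost_ip" "$dhost_ip" -p "$item" ;;
                *)    parasitic_net_helper_append_rule "$action" "$shost_ip" "$dhost_ip" -p "$proto" --dport "$item" ;;
              esac
            done
          done
        done
      done
    fi
  done

  return $retval
}

# Append the per-protocol fallback rule.
#   $1   - the protocol's PARASITIC_NET_HOST_OPEN_* list
#   $2.. - protocol match arguments
# A protocol with no explicit allow rules is accepted wholesale; as soon as one
# allow rule exists, everything else for that protocol is logged (unless
# PARASITIC_NET_DENY_LOG=0) and sent to PARASITIC_NET_DENY_POLICY.
parasitic_net_helper_default_rule()
{
  local open_rules="$1"
  shift

  if [ -z "$open_rules" ]; then
    ip4tables -A PARASITIC_NET_ACL "$@" -j ACCEPT
    return 0
  fi

  if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
    ip4tables -A PARASITIC_NET_ACL "$@" -m limit --limit 12/m -j LOG \
      --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
  fi
  ip4tables -A PARASITIC_NET_ACL "$@" -j $PARASITIC_NET_DENY_POLICY
}

# (Re)build the PARASITIC_NET_ACL chain from the PARASITIC_NET_HOST_* lists.
# Order matters: explicit deny rules are appended first so they match before
# the allow rules, then one fallback per protocol, then a catch-all deny.
# Globals read: PARASITIC_NET_HOST_DENY_{TCP,UDP,ICMP,IP},
#   PARASITIC_NET_HOST_OPEN_{TCP,UDP,ICMP,IP}, PARASITIC_NET_DENY_LOG,
#   PARASITIC_NET_DENY_POLICY, LOGLEVEL, INDENT
# Returns 1 if any rule was skipped because its destination host could not be
# resolved (the remaining rules are still installed), 0 otherwise.
#
# Fixes against the previous version:
#  - PARASITIC_NET_HOST_OPEN_IP rules were installed without "-s <shost>", so
#    the configured source restriction was silently dropped and the protocol
#    was opened from anywhere. The source is now applied to every rule type.
#  - the chain is flushed with ip4tables like every other operation on it; the
#    plain "iptables" call was the only odd one out (if iptables is the
#    firewall's dual-stack wrapper it would also have touched a non-existent
#    IPv6 chain -- TODO confirm).
parasitic_net_helper_do_work()
{
  local RETVAL=0

  # Start from an empty chain (its existence was verified by the sanity check)
  ip4tables -F PARASITIC_NET_ACL

  parasitic_net_helper_add_rules deny tcp  PARASITIC_NET_HOST_DENY_TCP  "$PARASITIC_NET_HOST_DENY_TCP"  || RETVAL=1
  parasitic_net_helper_add_rules deny udp  PARASITIC_NET_HOST_DENY_UDP  "$PARASITIC_NET_HOST_DENY_UDP"  || RETVAL=1
  parasitic_net_helper_add_rules deny icmp PARASITIC_NET_HOST_DENY_ICMP "$PARASITIC_NET_HOST_DENY_ICMP" || RETVAL=1
  parasitic_net_helper_add_rules deny ip   PARASITIC_NET_HOST_DENY_IP   "$PARASITIC_NET_HOST_DENY_IP"   || RETVAL=1

  parasitic_net_helper_add_rules allow tcp  PARASITIC_NET_HOST_OPEN_TCP  "$PARASITIC_NET_HOST_OPEN_TCP"  || RETVAL=1
  parasitic_net_helper_add_rules allow udp  PARASITIC_NET_HOST_OPEN_UDP  "$PARASITIC_NET_HOST_OPEN_UDP"  || RETVAL=1
  parasitic_net_helper_add_rules allow icmp PARASITIC_NET_HOST_OPEN_ICMP "$PARASITIC_NET_HOST_OPEN_ICMP" || RETVAL=1
  parasitic_net_helper_add_rules allow ip   PARASITIC_NET_HOST_OPEN_IP   "$PARASITIC_NET_HOST_OPEN_IP"   || RETVAL=1

  # Set default policy per protocol. NOTE: defining a single OPEN rule for a
  # protocol flips that protocol from open-by-default to closed-by-default.
  parasitic_net_helper_default_rule "$PARASITIC_NET_HOST_OPEN_TCP"  -p tcp
  parasitic_net_helper_default_rule "$PARASITIC_NET_HOST_OPEN_UDP"  -p udp
  parasitic_net_helper_default_rule "$PARASITIC_NET_HOST_OPEN_ICMP" -p icmp --icmp-type echo-request

  # Drop the rest ("Other" IP protocols always need to be specified explicitly)
  if [ "$PARASITIC_NET_DENY_LOG" != "0" ]; then
    ip4tables -A PARASITIC_NET_ACL -m limit --limit 12/m -j LOG \
      --log-level $LOGLEVEL --log-prefix "AIF:Parasitic-net denied: "
  fi
  ip4tables -A PARASITIC_NET_ACL -j $PARASITIC_NET_DENY_POLICY

  return $RETVAL
}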
280
281
282 ############
283 # Mainline #
284 ############
285
# Locate the plugin config file: the firewall hands us its plugin config
# directory in PLUGIN_CONF_PATH; without it no file can be found at all.
CONF_FILE=""
[ -n "$PLUGIN_CONF_PATH" ] && CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"

if [ -f "$CONF_FILE" ]; then
  # Source the plugin config file. NOTE: it is executed as shell code, so it
  # must only be writable by the administrator running the firewall.
  . "$CONF_FILE"

  # Only build the chain when the environment checks out; either step failing
  # marks the plugin as failed
  if ! parasitic_net_helper_sanity_check || ! parasitic_net_helper_do_work; then
    PLUGIN_RET_VAL=1
  fi
else
  echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
  PLUGIN_RET_VAL=1
fi