95 lines
2.7 KiB
PHP
95 lines
2.7 KiB
PHP
# this skript is GPL software (http://www.fsf.org/licensing/licenses/gpl.html)
|
|
# suggestions and questions to: devel@sumpfralle.de
|
|
# homepage: https://systemausfall.org/toolforge/web-splash
|
|
#
|
|
# this file will be sourced by web-splash.sh
|
|
#
|
|
|
|
remove_old()
|
|
{
|
|
# remove the rules from PREROUTING
|
|
$IPT -t nat -F $CHAIN_FORWARD_CHECK 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
|
|
$IPT -t nat -F $CHAIN_REDIRECT 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
|
|
$IPT -t nat -F $CHAIN_SERVICES 2>/dev/null && $IPT -t nat -D PREROUTING -i $IF_SRC -j $CHAIN_SERVICES
|
|
|
|
# empty and remove chains if they exist
|
|
for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES
|
|
do $IPT -t nat -F $a 2>/dev/null && $IPT -t nat -X $a
|
|
true
|
|
done
|
|
}
|
|
|
|
|
|
init_chains()
|
|
{
|
|
# create chains
|
|
for a in $CHAIN_FORWARD_ACTION $CHAIN_FORWARD_CHECK $CHAIN_REDIRECT $CHAIN_SERVICES
|
|
do $IPT -t nat -N $a
|
|
done
|
|
|
|
# all packets from the specified interface go to the general chain
|
|
$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_SERVICES
|
|
$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_FORWARD_CHECK
|
|
$IPT -t nat -A PREROUTING -i $IF_SRC -j $CHAIN_REDIRECT
|
|
|
|
# rules for CHAIN_REDIRECT
|
|
$IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j DNAT --to-destination $INTERN_IP
|
|
$IPT -t nat -A $CHAIN_REDIRECT -p tcp --dport 80 -j ACCEPT
|
|
$IPT -t nat -A $CHAIN_REDIRECT -j $REJECT_ACTION
|
|
|
|
# all registered senders are simply accepted
|
|
$IPT -t nat -A $CHAIN_FORWARD_ACTION -j ACCEPT
|
|
|
|
# allowed packets (services like dns, dhcp and ssh (to the router only))
|
|
$IPT -t nat -A $CHAIN_SERVICES -p udp --dport 53 -j ACCEPT
|
|
$IPT -t nat -A $CHAIN_SERVICES -p udp --dport 67 -j ACCEPT
|
|
$IPT -t nat -A $CHAIN_SERVICES -p tcp --dport 67 -j ACCEPT
|
|
$IPT -t nat -A $CHAIN_SERVICES -p tcp -d $INTERN_IP --dport 22 -j ACCEPT
|
|
|
|
# user defined "privileged" source IPs
|
|
for a in $ALLOW_IP_LIST
|
|
do $IPT -t nat -A $CHAIN_SERVICES -s $a -j ACCEPT
|
|
done
|
|
|
|
# user defined forbidden source IPs
|
|
for a in $DENY_IP_LIST
|
|
do $IPT -t nat -I $CHAIN_SERVICES -s $a -j $REJECT_ACTION
|
|
done
|
|
}
|
|
|
|
|
|
get_IPs()
|
|
# prints out all active forwards line by line
|
|
# every line consists of: "Number of Packets" and "IP"
|
|
{
|
|
iptables -t nat -L "$CHAIN_FORWARD_CHECK" -vnx | sed "1,2d; s/ */ /g" | cut -d " " -f 2,9
|
|
# get all active forward chains
|
|
# remove the first two lines
|
|
# remove multiple spaces
|
|
# take only the number of packets and the IP
|
|
}
|
|
|
|
|
|
register_IP()
|
|
# add a new allowed IP
|
|
{
|
|
eval `echo "$RULE_ADD" | sed "s/_IP_/$1/g"`
|
|
}
|
|
|
|
|
|
unregister_IP()
|
|
# remove the specified IP
|
|
{
|
|
eval `echo "$RULE_DEL" | sed "s/_IP_/$1/g"`
|
|
}
|
|
|
|
|
|
refresh_IP_list()
|
|
{
|
|
local NUM
|
|
local IP
|
|
get_IPs | while read NUM IP
|
|
do [ "$NUM" = "0" ] && unregister_IP "$IP"
|
|
done
|
|
}
|
|
|