96 lines
2.7 KiB
Bash
96 lines
2.7 KiB
Bash
#!/bin/sh /etc/rc.common
|
|
|
|
START=82
|
|
ME="freifunk-p2pblock"
|
|
LOCK='/var/run/p2pblock.lock'
|
|
|
|
# helper-scripts
|
|
ipt_add() {
|
|
logger -t "$ME" "set 'iptables -I $1'"
|
|
iptables -I $1
|
|
echo "iptables -D $1" >> $LOCK
|
|
}
|
|
|
|
start() {
|
|
/etc/init.d/freifunk-p2pblock enabled || return
|
|
|
|
if [ ! -s "$LOCK" ]; then
|
|
logger -s -t "$ME" 'starting p2pblock...'
|
|
|
|
config_load network
|
|
config_get wan wan ifname
|
|
|
|
if [ -n "$wan" ]; then
|
|
config_load freifunk_p2pblock
|
|
config_get layer7 p2pblock layer7
|
|
config_get ipp2p p2pblock ipp2p
|
|
config_get portrange p2pblock portrange
|
|
config_get blocktime p2pblock blocktime
|
|
config_get whitelist p2pblock whitelist
|
|
|
|
# load modules
|
|
insmod ipt_ipp2p 2>&-
|
|
insmod ipt_layer7 2>&-
|
|
insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&-
|
|
|
|
# create new p2p-chain
|
|
iptables -N p2pblock
|
|
# pipe all incoming FORWARD with source-/destination-port 1024-65535 throu p2p-chain
|
|
ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock"
|
|
ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock"
|
|
|
|
# if p2p-traffic blocked 3 packages to a destination ip then block all traffic within the next 180 sec (port 1024-65535)
|
|
ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP"
|
|
ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:"
|
|
|
|
# create layer7-rules
|
|
for proto in $layer7; do
|
|
ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK"
|
|
ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
|
|
done
|
|
|
|
# create ipp2p-rules
|
|
for proto in $ipp2p; do
|
|
ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK"
|
|
ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
|
|
done
|
|
|
|
# insert whitelisted ips
|
|
for ip in $whitelist; do
|
|
ipt_add "p2pblock -d $ip -j RETURN"
|
|
done
|
|
|
|
logger -s -t "$ME" 'Done.'; return 0
|
|
else
|
|
logger -s -t "$ME" 'No wan interface present.'; return 0
|
|
fi
|
|
else
|
|
logger -s -t "$ME" 'WARNING! already running - Aborting!'; return 2
|
|
fi
|
|
}
|
|
|
|
stop() {
|
|
if [ -s "$LOCK" ]; then
|
|
logger -s -t "$ME" 'stopping p2pblock...'
|
|
|
|
# unset all rules in $LOCK-file
|
|
cat $LOCK | sed -ne '1!G;h;$p' | while read line; do
|
|
logger -t "$ME" "unset $line"
|
|
while eval $line 2>&-; do :; done
|
|
done; : > "$LOCK"
|
|
|
|
# flush and delete the p2p-chain
|
|
iptables -F p2pblock
|
|
iptables -X p2pblock
|
|
logger -s -t "$ME" 'Done.'; return 0
|
|
|
|
else
|
|
logger -s -t "$ME" 'WARNING! not running - Aborting!'; return 2
|
|
|
|
fi
|
|
}
|
|
|
|
restart() {
|
|
stop; sleep 1; start
|
|
}
|