wok-6.x view knock/stuff/usr/sbin/knockd-helper @ rev 18408
open-vm-tools: add wget and cacerts as deps
author | Nathan Neulinger <nneul@neulinger.org> |
date | Sat Sep 19 14:21:42 2015 +0000 (2015-09-19) |
parents | 8e4da8903b1c |
children |
#!/bin/sh
# knockd-helper - open and close per-client iptables access on behalf of
# knockd (invoked from knockd.conf, e.g. "knockd-helper on %IP% tcp 22").
# State lives in /var/lib/knockd/<ip>, one "IP PROT PORT MSG" line per
# opened port; "check" (run from cron) and "purge" close entries again.

PERIOD=5 # minutes between cron "check" runs; "check" expires after 2*PERIOD

# Positional arguments for the on/off actions ($1 is the action itself).
IP=$2
PROT=$3
PORT=$4

# State directory.  A failed mkdir is deliberately not fatal here; the
# "on" action surfaces it as a redirection error when it writes the file.
if [ ! -d /var/lib/knockd ]; then
  mkdir -p /var/lib/knockd
fi
11 disable()
12 {
13 while read IP PROT PORT MSG; do
14 iptables -t nat -D PREROUTING -s $IP -p $PROT --dport $PORT -j RETURN
15 iptables -D INPUT -s $IP -p $PROT --dport $PORT -j ACCEPT
16 logger "Disable $PROT:$PORT for $IP $MSG"
17 done < $1
18 rm -rf $1
19 }
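# Argument checks.  IP comes from knockd's %IP% (the client's source
# address); PROT and PORT come from the command line in knockd.conf.

# valid_ip ADDR: succeed when ADDR is a dotted-quad IPv4 address.
# ADDR names the state file /var/lib/knockd/ADDR, so a component such
# as ".." would make "off" read and delete an unrelated file; and
# check/purge only expire files matching "*.*.*.*", so any other
# spelling would get an iptables rule that is never closed again.
# Runs in a subshell so the IFS change and "set --" stay local.
valid_ip() (
  case "$1" in
    "" | *[!0-9.]* | .* | *. | *..*) return 1 ;;
  esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  for octet; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
)

# valid_port PORT: succeed when PORT is a plain decimal number.  "check"
# interpolates PORT into a grep pattern, so it must stay digits only.
valid_port() {
  case "$1" in
    "" | *[!0-9]*) return 1 ;;
  esac
  [ "$1" -le 65535 ]
}

# usage_error MSG: report a bad invocation on stderr and stop.
usage_error() {
  printf '%s: %s\n' "$(basename "$0")" "$1" >&2
  exit 1
}

case "$1" in
  on)
    # on IP PROT PORT [MSG...]: open PROT:PORT for IP and record it.
    valid_ip "$IP" || usage_error "on: bad ip address '$IP'"
    [ -n "$PROT" ] || usage_error "on: missing protocol"
    valid_port "$PORT" || usage_error "on: bad port '$PORT'"
    shift
    # Record first, then open: a recorded-but-closed port is harmless,
    # an open-but-unrecorded one would never be expired by "check".
    printf '%s\n' "$*" >> "/var/lib/knockd/$IP"
    # RETURN stops nat PREROUTING processing for this flow (later rules
    # in that chain are skipped); ACCEPT in INPUT admits it.  "disable"
    # deletes exactly this pair again.
    iptables -t nat -I PREROUTING -s "$IP" -p "$PROT" --dport "$PORT" -j RETURN
    iptables -I INPUT -s "$IP" -p "$PROT" --dport "$PORT" -j ACCEPT
    shift 3
    logger "Enable $PROT:$PORT for $IP $*"
    ;;
  off)
    # off IP: close everything recorded for IP, if anything is.
    valid_ip "$IP" || usage_error "off: bad ip address '$IP'"
    [ -f "/var/lib/knockd/$IP" ] && disable "/var/lib/knockd/$IP"
    ;;
  check)
    # A client stays open while it still has a socket to an opened port
    # (the state file's mtime is refreshed); otherwise it is closed once
    # the file is older than TIMEOUT seconds, i.e. 2*PERIOD minutes.
    TIMEOUT=$(( PERIOD * 120 ))
    # One netstat snapshot per run is enough for a job that runs every
    # PERIOD minutes; it also keeps the loop from forking per state line.
    conns=$(netstat -nut)
    for i in /var/lib/knockd/*.*.*.*; do
      [ -f "$i" ] || continue
      while read -r ip prot port msg; do
        # Escape the dots so "1.2.3.4" cannot match "1.2.334", and require
        # at least one space before the peer so it matches a whole column.
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
        if printf '%s\n' "$conns" | grep -q -e "^$prot .*:$port  *$ip_re:[0-9]* "; then
          touch "$i"
          break
        fi
      done < "$i"
      now=$(date "+%s")
      mtime=$(date -r "$i" "+%s")
      if [ "$now" -gt $(( mtime + TIMEOUT )) ]; then
        disable "$i"
      fi
    done
    ;;
  purge)
    # purge: close every recorded access, regardless of age.
    for i in /var/lib/knockd/*.*.*.*; do
      [ -f "$i" ] && disable "$i"
    done
    ;;
  cron)
    # Install a crontab entry running "check" every PERIOD minutes, once.
    # The entry embeds $0 verbatim, so it must be an absolute path or
    # cron would record a command it cannot find.
    case "$0" in
      /*) ;;
      *) usage_error "cron: run with an absolute path, e.g. /usr/sbin/$(basename "$0")" ;;
    esac
    # -F: match $0 literally, not as a regular expression.
    if ! crontab -l 2> /dev/null | grep -qF -e "$0"; then
      crontab - <<EOT
$(crontab -l 2> /dev/null)

# Close old connections opened by knockd
*/$PERIOD * * * * $0 check > /dev/null 2>&1
EOT
      /etc/init.d/crond stop
      /etc/init.d/crond start
    fi
    ;;
  *)
    PROG=$(basename "$0")
    cat <<EOT
Usage: $PROG [on|off|check|purge|cron] [args...]

$PROG on ip_address protocol port enable access
$PROG off ip_address disable access
$PROG check verify timeouts
$PROG purge disable all accesses
$PROG cron install auto disable access

Example for /etc/knockd.conf file :

[options]
PidFile = /var/run/knockd.pid
logfile = /var/log/knockd.log

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /usr/sbin/knockd-helper on %IP% tcp 22
tcpflags = syn
EOT
    exit 1
    ;;
esac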