wok-next annotate knock/stuff/usr/sbin/knockd-helper @ rev 4736
knock: add knockd-helper
| author | Pascal Bellard <pascal.bellard@slitaz.org> |
|---|---|
| date | Thu Jan 07 12:10:30 2010 +0100 (2010-01-07) |
| parents | |
| children | 8e4da8903b1c |
| rev | line source |
|---|---|
| pascal@4736 | 1 #!/bin/sh |
| pascal@4736 | 2 |
| pascal@4736 | 3 IP=$2 |
| pascal@4736 | 4 PROT=$3 |
| pascal@4736 | 5 PORT=$4 |
| pascal@4736 | 6 |
| pascal@4736 | 7 [ -d /var/lib/knockd ] || mkdir -p /var/lib/knockd |
| pascal@4736 | 8 |
| pascal@4736 | 9 disable() |
| pascal@4736 | 10 { |
| pascal@4736 | 11 while read IP PROT PORT MSG; do |
| pascal@4736 | 12 iptables -t nat -D PREROUTING -s $IP -p $PROT --dport $PORT -j RETURN |
| pascal@4736 | 13 iptables -D INPUT -s $IP -p $PROT --dport $PORT -j ACCEPT |
| pascal@4736 | 14 logger "Disable $PROT:$PORT for $IP $MSG" |
| pascal@4736 | 15 done < $1 |
| pascal@4736 | 16 rm -rf $1 |
| pascal@4736 | 17 } |
| pascal@4736 | 18 |
| pascal@4736 | 19 case "$1" in |
| pascal@4736 | 20 on) |
| pascal@4736 | 21 shift |
| pascal@4736 | 22 echo "$@" >> /var/lib/knockd/$IP |
| pascal@4736 | 23 iptables -t nat -I PREROUTING -s $IP -p $PROT --dport $PORT -j RETURN |
| pascal@4736 | 24 iptables -I INPUT -s $IP -p $PROT --dport $PORT -j ACCEPT |
| pascal@4736 | 25 shift 3 |
| pascal@4736 | 26 logger "Ensable $PROT:$PORT for $IP $@" |
| pascal@4736 | 27 ;; |
| pascal@4736 | 28 off) |
| pascal@4736 | 29 [ -f /var/lib/knockd/$IP ] && disable /var/lib/knockd/$IP |
| pascal@4736 | 30 ;; |
| pascal@4736 | 31 check) |
| pascal@4736 | 32 TIMEOUT=$(( 6 * 60 )) |
| pascal@4736 | 33 for i in /var/lib/knockd/*.*.*.*; do |
| pascal@4736 | 34 [ -f "$i" ] || continue |
| pascal@4736 | 35 while read ip prot port msg; do |
| pascal@4736 | 36 if grep -qe "^$prot.* src=$ip .* dport=$port" /proc/net/ip_conntrack ; then |
| pascal@4736 | 37 touch $i |
| pascal@4736 | 38 break |
| pascal@4736 | 39 fi |
| pascal@4736 | 40 done < $i |
| pascal@4736 | 41 [ $(date "+%s") -gt $(( $(date -r $i "+%s") + $TIMEOUT )) ] && |
| pascal@4736 | 42 disable $i |
| pascal@4736 | 43 done |
| pascal@4736 | 44 ;; |
| pascal@4736 | 45 purge) |
| pascal@4736 | 46 for i in /var/lib/knockd/*.*.*.*; do |
| pascal@4736 | 47 [ -f "$i" ] && disable $i |
| pascal@4736 | 48 done |
| pascal@4736 | 49 ;; |
| pascal@4736 | 50 cron) |
| pascal@4736 | 51 crontab -l 2> /dev/null | grep -q $0 || { |
| pascal@4736 | 52 crontab - <<EOT |
| pascal@4736 | 53 $(crontab -l) |
| pascal@4736 | 54 |
| pascal@4736 | 55 # Close old connections opened by knockd |
| pascal@4736 | 56 */5 * * * * $0 check > /dev/null 2>&1 |
| pascal@4736 | 57 EOT |
| pascal@4736 | 58 /etc/init.d/crond stop |
| pascal@4736 | 59 /etc/init.d/crond start |
| pascal@4736 | 60 } |
| pascal@4736 | 61 ;; |
| pascal@4736 | 62 esac |