wok-next annotate knock/stuff/usr/sbin/knockd-helper @ rev 13597
author | Pascal Bellard <pascal.bellard@slitaz.org> |
---|---|
date | Fri Nov 09 13:13:08 2012 +0100 (2012-11-09) |
parents | 23fde46c8679 |
children | 216fe5c85b71 |
#!/bin/sh
# knockd-helper: opens and closes per-client firewall holes on behalf of knockd.
# Invoked as "knockd-helper ACTION [IP PROTOCOL PORT [MESSAGE...]]"; the three
# optional arguments are only consulted by the "on" and "off" actions below.

IP=$2
PROT=$3
PORT=$4

# Per-client state directory: one file per address, /var/lib/knockd/<ip>.
mkdir -p /var/lib/knockd

pascal@4736 | 9 disable() |
pascal@4736 | 10 { |
pascal@4736 | 11 while read IP PROT PORT MSG; do |
pascal@4736 | 12 iptables -t nat -D PREROUTING -s $IP -p $PROT --dport $PORT -j RETURN |
pascal@4736 | 13 iptables -D INPUT -s $IP -p $PROT --dport $PORT -j ACCEPT |
pascal@4736 | 14 logger "Disable $PROT:$PORT for $IP $MSG" |
pascal@4736 | 15 done < $1 |
pascal@4736 | 16 rm -rf $1 |
pascal@4736 | 17 } |
pascal@4736 | 18 |
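#######################################
# Check that an address is safe to use as a file name under /var/lib/knockd.
# knockd's %IP% is a plain address, so this only trips on a hand-crafted
# call; without it "on"/"off" would append to, read or delete a file
# outside the state directory.
# Arguments: $1 - address
# Returns:   0 if usable, 1 if empty or containing "/" or ".."
#######################################
ip_name_ok()
{
	case "$1" in
	''|*/*|*..*) return 1 ;;
	esac
	return 0
}

# Dispatch on the action. Every expansion is quoted: IP, protocol and port
# arrive on the command line and are used both as iptables arguments and as
# part of a path below /var/lib/knockd.
case "$1" in
on)
	shift
	# Expect "ip proto port [message...]"; anything less cannot build a rule.
	if [ $# -lt 3 ] || ! ip_name_ok "$IP"; then
		echo "Usage: $0 on ip_address protocol port [message...]" >&2
		exit 1
	fi
	# Record exactly what was opened so disable() can undo it later.
	# printf instead of echo: a message starting with "-n"/"-e" is data.
	printf '%s\n' "$*" >> "/var/lib/knockd/$IP"
	# NOTE(review): the nat RETURN presumably keeps a later PREROUTING
	# redirect from catching this client — confirm against the firewall rules.
	iptables -t nat -I PREROUTING -s "$IP" -p "$PROT" --dport "$PORT" -j RETURN
	iptables -I INPUT -s "$IP" -p "$PROT" --dport "$PORT" -j ACCEPT
	shift 3
	logger "Enable $PROT:$PORT for $IP $*"
	;;
off)
	if ip_name_ok "$IP" && [ -f "/var/lib/knockd/$IP" ]; then
		disable "/var/lib/knockd/$IP"
	fi
	;;
check)
	# A client is dropped once its state file has gone unrefreshed for this
	# long; the file is touched below whenever the connection tracker still
	# shows a matching flow. "cron" runs this every 5 minutes, so a client
	# with no visible connection survives at most about one extra cycle.
	TIMEOUT=$(( 6 * 60 ))
	now=$(date "+%s")
	# Only dotted names are visited: a state file with fewer than three dots
	# in its name (an IPv6 client, for instance) is never expired here.
	for i in /var/lib/knockd/*.*.*.*; do
		[ -f "$i" ] || continue	# unmatched glob stays literal
		while read -r ip prot port msg; do
			# $ip is interpolated as a regex, so its dots are wildcards —
			# harmless for dotted decimal but not a literal match.
			# NOTE(review): /proc/net/ip_conntrack is the legacy interface;
			# newer kernels expose /proc/net/nf_conntrack with a different
			# line format — confirm on the target kernel. If the file is
			# absent, grep never matches and every client times out
			# regardless of activity.
			if grep -q -e "^$prot.* src=$ip .* dport=$port" /proc/net/ip_conntrack; then
				touch "$i"
				break
			fi
		done < "$i"
		if [ "$now" -gt $(( $(date -r "$i" "+%s") + $TIMEOUT )) ]; then
			disable "$i"
		fi
	done
	;;
purge)
	for i in /var/lib/knockd/*.*.*.*; do
		[ -f "$i" ] && disable "$i"
	done
	;;
cron)
	# Install the periodic "check" once; the crontab is searched for this
	# script's path (as a fixed string) so re-running "cron" is idempotent.
	if ! crontab -l 2> /dev/null | grep -qF -- "$0"; then
		crontab - <<EOT
$(crontab -l 2> /dev/null)

# Close old connections opened by knockd
*/5 * * * * $0 check > /dev/null 2>&1
EOT
		/etc/init.d/crond stop
		/etc/init.d/crond start
	fi
	;;
*)
	PROG=$(basename "$0")
	cat <<EOT
Usage: $PROG [on|off|check|purge|cron] [args...]

$PROG on ip_address protocol port enable access
$PROG off ip_address disable access
$PROG check verify timeouts
$PROG purge disable all accesses
$PROG cron install auto disable access

Example for /etc/knockd.conf file :

[options]
PidFile = /var/run/knockd.pid
logfile = /var/log/knockd.log

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /usr/sbin/knockd-helper on %IP% tcp 22
tcpflags = syn
EOT
	exit 1
	;;
esac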