wok-next annotate knock/stuff/usr/sbin/knockd-helper @ rev 13597

Up get-flash-plugin (1.4)
author Pascal Bellard <pascal.bellard@slitaz.org>
date Fri Nov 09 13:13:08 2012 +0100 (2012-11-09)
parents 23fde46c8679
children 216fe5c85b71
rev   line source
pascal@4736 1 #!/bin/sh
pascal@4736 2
pascal@4736 3 IP=$2
pascal@4736 4 PROT=$3
pascal@4736 5 PORT=$4
pascal@4736 6
pascal@4736 7 [ -d /var/lib/knockd ] || mkdir -p /var/lib/knockd
pascal@4736 8
pascal@4736 9 disable()
pascal@4736 10 {
pascal@4736 11 while read IP PROT PORT MSG; do
pascal@4736 12 iptables -t nat -D PREROUTING -s $IP -p $PROT --dport $PORT -j RETURN
pascal@4736 13 iptables -D INPUT -s $IP -p $PROT --dport $PORT -j ACCEPT
pascal@4736 14 logger "Disable $PROT:$PORT for $IP $MSG"
pascal@4736 15 done < $1
pascal@4736 16 rm -rf $1
pascal@4736 17 }
pascal@4736 18
pascal@4736 19 case "$1" in
pascal@4736 20 on)
pascal@4736 21 shift
pascal@4736 22 echo "$@" >> /var/lib/knockd/$IP
pascal@4736 23 iptables -t nat -I PREROUTING -s $IP -p $PROT --dport $PORT -j RETURN
pascal@4736 24 iptables -I INPUT -s $IP -p $PROT --dport $PORT -j ACCEPT
pascal@4736 25 shift 3
pascal@4737 26 logger "Enable $PROT:$PORT for $IP $@"
pascal@4736 27 ;;
pascal@4736 28 off)
pascal@4736 29 [ -f /var/lib/knockd/$IP ] && disable /var/lib/knockd/$IP
pascal@4736 30 ;;
pascal@4736 31 check)
pascal@4736 32 TIMEOUT=$(( 6 * 60 ))
pascal@4736 33 for i in /var/lib/knockd/*.*.*.*; do
pascal@4736 34 [ -f "$i" ] || continue
pascal@4736 35 while read ip prot port msg; do
pascal@4736 36 if grep -qe "^$prot.* src=$ip .* dport=$port" /proc/net/ip_conntrack ; then
pascal@4736 37 touch $i
pascal@4736 38 break
pascal@4736 39 fi
pascal@4736 40 done < $i
pascal@4736 41 [ $(date "+%s") -gt $(( $(date -r $i "+%s") + $TIMEOUT )) ] &&
pascal@4736 42 disable $i
pascal@4736 43 done
pascal@4736 44 ;;
pascal@4736 45 purge)
pascal@4736 46 for i in /var/lib/knockd/*.*.*.*; do
pascal@4736 47 [ -f "$i" ] && disable $i
pascal@4736 48 done
pascal@4736 49 ;;
pascal@4736 50 cron)
pascal@4736 51 crontab -l 2> /dev/null | grep -q $0 || {
pascal@4736 52 crontab - <<EOT
pascal@4736 53 $(crontab -l)
pascal@4736 54
pascal@4736 55 # Close old connections opened by knockd
pascal@4736 56 */5 * * * * $0 check > /dev/null 2>&1
pascal@4736 57 EOT
pascal@4736 58 /etc/init.d/crond stop
pascal@4736 59 /etc/init.d/crond start
pascal@4736 60 }
pascal@4736 61 ;;
pascal@4737 62 *)
pascal@4737 63 PROG=$(basename $0)
pascal@4737 64 cat <<EOT
pascal@4737 65 Usage: $PROG [on|off|check|purge|cron] [args...]
pascal@4737 66
pascal@4737 67 $PROG on ip_address protocol port enable access
pascal@4737 68 $PROG off ip_address disable access
pascal@4737 69 $PROG check verify timeouts
pascal@4737 70 $PROG purge disable all accesses
pascal@4737 71 $PROG cron install auto disable access
pascal@4737 72
pascal@4737 73 Example for /etc/knockd.conf file :
pascal@4737 74
pascal@4737 75 [options]
pascal@4737 76 PidFile = /var/run/knockd.pid
pascal@4737 77 logfile = /var/log/knockd.log
pascal@4737 78
pascal@4737 79 [openSSH]
pascal@4737 80 sequence = 7000,8000,9000
pascal@4737 81 seq_timeout = 5
pascal@4737 82 command = /usr/sbin/knockd-helper on %IP% tcp 22
pascal@4737 83 tcpflags = syn
pascal@4737 84 EOT
pascal@4737 85 exit 1
pascal@4737 86 ;;
pascal@4736 87 esac