wok-next view knock/stuff/usr/sbin/knockd-helper @ rev 4737
knock/knockd-helper: add help
author | Pascal Bellard <pascal.bellard@slitaz.org> |
---|---|
date | Thu Jan 07 12:40:20 2010 +0100 (2010-01-07) |
parents | 23fde46c8679 |
children | 216fe5c85b71 |
line source
1 #!/bin/sh
3 IP=$2
4 PROT=$3
5 PORT=$4
7 [ -d /var/lib/knockd ] || mkdir -p /var/lib/knockd
9 disable()
10 {
11 while read IP PROT PORT MSG; do
12 iptables -t nat -D PREROUTING -s $IP -p $PROT --dport $PORT -j RETURN
13 iptables -D INPUT -s $IP -p $PROT --dport $PORT -j ACCEPT
14 logger "Disable $PROT:$PORT for $IP $MSG"
15 done < $1
16 rm -rf $1
17 }
19 case "$1" in
20 on)
21 shift
22 echo "$@" >> /var/lib/knockd/$IP
23 iptables -t nat -I PREROUTING -s $IP -p $PROT --dport $PORT -j RETURN
24 iptables -I INPUT -s $IP -p $PROT --dport $PORT -j ACCEPT
25 shift 3
26 logger "Enable $PROT:$PORT for $IP $@"
27 ;;
28 off)
29 [ -f /var/lib/knockd/$IP ] && disable /var/lib/knockd/$IP
30 ;;
31 check)
32 TIMEOUT=$(( 6 * 60 ))
33 for i in /var/lib/knockd/*.*.*.*; do
34 [ -f "$i" ] || continue
35 while read ip prot port msg; do
36 if grep -qe "^$prot.* src=$ip .* dport=$port" /proc/net/ip_conntrack ; then
37 touch $i
38 break
39 fi
40 done < $i
41 [ $(date "+%s") -gt $(( $(date -r $i "+%s") + $TIMEOUT )) ] &&
42 disable $i
43 done
44 ;;
45 purge)
46 for i in /var/lib/knockd/*.*.*.*; do
47 [ -f "$i" ] && disable $i
48 done
49 ;;
50 cron)
51 crontab -l 2> /dev/null | grep -q $0 || {
52 crontab - <<EOT
53 $(crontab -l)
55 # Close old connections opened by knockd
56 */5 * * * * $0 check > /dev/null 2>&1
57 EOT
58 /etc/init.d/crond stop
59 /etc/init.d/crond start
60 }
61 ;;
62 *)
63 PROG=$(basename $0)
64 cat <<EOT
65 Usage: $PROG [on|off|check|purge|cron] [args...]
67 $PROG on ip_address protocol port enable access
68 $PROG off ip_address disable access
69 $PROG check verify timeouts
70 $PROG purge disable all accesses
71 $PROG cron install auto disable access
73 Example for /etc/knockd.conf file :
75 [options]
76 PidFile = /var/run/knockd.pid
77 logfile = /var/log/knockd.log
79 [openSSH]
80 sequence = 7000,8000,9000
81 seq_timeout = 5
82 command = /usr/sbin/knockd-helper on %IP% tcp 22
83 tcpflags = syn
84 EOT
85 exit 1
86 ;;
87 esac