wok annotate knock/stuff/usr/sbin/knockd-helper @ rev 18897
syslinux/isohybrid.exe add -r support
author | Pascal Bellard <pascal.bellard@slitaz.org> |
date | Sun Feb 14 22:06:06 2016 +0100 (2016-02-14) |
parents | 8e4da8903b1c |
children |
#!/bin/sh
#
# knockd-helper: open and close per-client firewall holes on behalf of knockd.
#
# knockd runs "knockd-helper on %IP% proto port [message...]" when a knock
# sequence succeeds.  The grant is recorded as one line in
# /var/lib/knockd/<ip> and two iptables rules are inserted for it.  "check"
# (installed in root's crontab by "cron") keeps a grant alive while the
# client still has an established connection and closes it once it has been
# idle for twice PERIOD; "off" and "purge" close grants on demand.  The
# usage text at the bottom of the script documents every sub-command.
#
# Must run as root (iptables, crontab, crond restart).

PERIOD=5	# minutes between cron "check" runs; a grant idles out after 2*PERIOD

# Positional arguments of the "on"/"off" forms: $1 is the sub-command,
# then ip address, protocol (tcp|udp) and port.  For "off" only the
# address is meaningful; for check/purge/cron all three are empty.  The
# sub-command branches below pass these straight to iptables and use
# $IP as a file name under /var/lib/knockd.
IP="$2"
PROT="$3"
PORT="$4"

# State directory: one file per client address, one granted
# "ip proto port [message...]" line per successful knock.
if [ ! -d /var/lib/knockd ]; then
	mkdir -p /var/lib/knockd
fi
pascal@4736 | 10 |
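# disable FILE
#
# Undo every grant recorded in FILE (one "ip proto port [message...]" line
# per knock, as written by the "on" sub-command): delete the two iptables
# rules that were inserted for each line, log the closure, then remove
# FILE.  The status of the individual "iptables -D" calls is not checked,
# so a rule that is already gone (e.g. after a firewall reload) does not
# stop the remaining lines from being processed; the file is removed
# regardless.
#
# Arguments: $1 - path of the per-client grant file under /var/lib/knockd
# Returns:   status of the final rm
disable()
{
	# -r: a backslash in the free-form message must not be interpreted
	# by read, or the logged text would differ from what "on" recorded.
	while read -r d_ip d_prot d_port d_msg; do
		iptables -t nat -D PREROUTING -s "$d_ip" -p "$d_prot" --dport "$d_port" -j RETURN
		iptables -D INPUT -s "$d_ip" -p "$d_prot" --dport "$d_port" -j ACCEPT
		logger "Disable $d_prot:$d_port for $d_ip $d_msg"
	done < "$1"
	# A grant file is always a regular file, so no -r; "--" keeps an odd
	# name from being parsed as an option.
	rm -f -- "$1"
}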
pascal@4736 | 20 |
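# Argument validators for the "on" and "off" sub-commands.  Their values
# come from knockd's %IP% substitution or from whoever runs this script by
# hand; the address becomes a file name under /var/lib/knockd (read,
# appended to and removed with rm) and all three become iptables arguments,
# so anything that is not a plain dotted quad, tcp/udp and a numeric port is
# refused before it reaches the file system or iptables.

# valid_ip ADDR
# Return 0 when ADDR is a dotted-quad IPv4 address: digits and dots only,
# exactly four non-empty components.  Octet ranges are not checked (left to
# iptables).  This is also the only shape the "check"/"purge" glob
# /var/lib/knockd/*.*.*.* will ever reap.
valid_ip()
{
	case "$1" in
	""|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
	*.*.*.*) return 0 ;;
	esac
	return 1
}

# valid_proto_port PROTO PORT
# Return 0 when PROTO is tcp or udp and PORT is an integer in 1..65535.
valid_proto_port()
{
	case "$1" in
	tcp|udp) ;;
	*) return 1 ;;
	esac
	case "$2" in
	""|*[!0-9]*) return 1 ;;
	esac
	[ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

case "$1" in
on)
	# knockd: "knockd-helper on %IP% proto port [message...]"
	# ($IP/$PROT/$PORT were taken from $2..$4 before this shift).
	shift
	if ! valid_ip "$IP" || ! valid_proto_port "$PROT" "$PORT"; then
		echo "$0: refusing 'on $*': need ip_address tcp|udp port" >&2
		exit 1
	fi
	# Record the grant before touching the firewall so that check/off/
	# purge can always undo whatever rules end up inserted.  Then punch
	# the hole: bypass NAT redirection for this client and accept the
	# port in INPUT.  Rules are inserted at the top (-I) so they win over
	# the existing policy.
	printf '%s\n' "$*" >> "/var/lib/knockd/$IP"
	iptables -t nat -I PREROUTING -s "$IP" -p "$PROT" --dport "$PORT" -j RETURN
	iptables -I INPUT -s "$IP" -p "$PROT" --dport "$PORT" -j ACCEPT
	shift 3
	logger "Enable $PROT:$PORT for $IP $*"
	;;
off)
	# Close every grant recorded for one client address.  Validating the
	# address matters here too: the file name is built from it and
	# disable() ends by removing that file.
	if ! valid_ip "$IP"; then
		echo "$0: bad ip address '$IP'" >&2
		exit 1
	fi
	[ -f "/var/lib/knockd/$IP" ] && disable "/var/lib/knockd/$IP"
	;;
check)
	# Run from cron every PERIOD minutes.  A grant whose client still has
	# an established connection to the opened port is kept alive by
	# touching its file; a grant whose file has not been touched for
	# 2*PERIOD minutes is closed.
	TIMEOUT=$(( PERIOD * 120 ))	# seconds: two cron periods
	now=$(date "+%s")
	for i in /var/lib/knockd/*.*.*.*; do
		[ -f "$i" ] || continue
		while read -r ip prot port msg; do
			# netstat -nut prints tcp/udp sockets numerically as
			# "proto ... local:port remote:port ...".  Quote the dots
			# of the address so they match literally.
			ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
			# NOTE(review): for udp netstat normally shows no peer
			# address, so udp grants are presumably never refreshed
			# and simply expire after TIMEOUT -- confirm.
			if netstat -nut | grep -qe "^$prot .*:$port *$ip_re:[0-9]* "; then
				touch "$i"
				break
			fi
		done < "$i"
		# "date -r FILE" (mtime as epoch seconds) is GNU/busybox syntax.
		[ "$now" -gt $(( $(date -r "$i" "+%s") + TIMEOUT )) ] &&
		disable "$i"
	done
	;;
purge)
	# Close every recorded grant.
	for i in /var/lib/knockd/*.*.*.*; do
		[ -f "$i" ] && disable "$i"
	done
	;;
cron)
	# Install "$0 check" in root's crontab once, then restart crond so
	# the new table is picked up.  The presence test is a fixed-string
	# match: $0 is a path and must not be read as a regular expression.
	# The inner "crontab -l" is silenced too, so a missing crontab does
	# not print an error while the new one is being composed.
	crontab -l 2> /dev/null | grep -qF -- "$0" || {
		crontab - <<EOT
$(crontab -l 2> /dev/null)

# Close old connections opened by knockd
*/$PERIOD * * * * $0 check > /dev/null 2>&1
EOT
		/etc/init.d/crond stop
		/etc/init.d/crond start
	}
	;;
*)
	PROG=${0##*/}
	cat <<EOT
Usage: $PROG [on|off|check|purge|cron] [args...]

$PROG on ip_address protocol port	enable access
$PROG off ip_address			disable access
$PROG check				verify timeouts
$PROG purge				disable all accesses
$PROG cron				install auto disable access

Example for /etc/knockd.conf file :

[options]
	PidFile = /var/run/knockd.pid
	logfile = /var/log/knockd.log

[openSSH]
	sequence = 7000,8000,9000
	seq_timeout = 5
	command = /usr/sbin/knockd-helper on %IP% tcp 22
	tcpflags = syn
EOT
	exit 1
	;;
esac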