
#!/bin/sh
#
# Usage: createipfchains.sh
#
# Script to enforce iptables rules.
# It follows these steps:
# 1. First get the Active/Standby CP status

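# Print a diagnostic line on stderr, but only when debugging is switched on.
# Globals read: debug_on - "1" enables output; it is not set in this file and
#               is expected to come from the invoking environment.
# Arguments:    the message words
# Outputs:      the message on stderr when enabled, nothing otherwise
echo_debug()
{
    if [ "$debug_on" = "1" ]; then
        # "$@" hands the caller's words through unchanged; the unquoted $*
        # used before re-split them on IFS and glob-expanded any '*'.
        echo "$@" 1>&2
    fi
}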
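# Populate the "common" chains that catch traffic no policy rule matched:
# everything to an unprivileged port (1024 and up) is ACCEPTed, for TCP and
# UDP alike. These chains are the fall-through target that
# iptab_create_generic_rules wires in, so a service on a port >= 1024 stays
# reachable unless a policy line for that port is emitted ahead of the jump.
# Nothing is executed here; the commands are appended as text to $RULE_FILE.
# Globals read: IPTABLES, R_TCPCOMMON, R_UDPCOMMON, PROTO_TCP, PROTO_UDP,
#               RULE_FILE - none is set in this file; they must be provided
#               by the invoking environment.
iptab_create_default_rules()
{
    # ordering of rules is important, do not change arbitrarily

    ## TCP common rules
    echo "$IPTABLES -A $R_TCPCOMMON -p $PROTO_TCP -m $PROTO_TCP --dport 1024: -j ACCEPT" >> "$RULE_FILE"
    #echo "$IPTABLES -A $R_TCPCOMMON -p $PROTO_TCP -m $PROTO_TCP --dport 49152: -j ACCEPT" >> "$RULE_FILE"

    # UDP common rules
    # Never delete the ntp rule
    echo "$IPTABLES -A $R_UDPCOMMON -p $PROTO_UDP -m $PROTO_UDP --dport 1024: -j ACCEPT" >> "$RULE_FILE"
    #echo "$IPTABLES -A $R_UDPCOMMON -p $PROTO_UDP -m $PROTO_UDP --dport 49152: -j ACCEPT" >> "$RULE_FILE"
}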
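# Append the fall-through jumps: anything left in the TCP / UDP protocol
# chains after the per-port policy rules is sent to the matching common
# chain built by iptab_create_default_rules. Must be emitted after the policy
# rules, otherwise the jump would shadow them.
# Globals read: IPTABLES, R_TCP, R_UDP, R_TCPCOMMON, R_UDPCOMMON, RULE_FILE
#               (all provided by the invoking environment).
iptab_create_generic_rules()
{
    # Create tcp/udp rules for ports other than specified in policies
    echo "$IPTABLES -A $R_TCP -p tcp -j $R_TCPCOMMON" >> "$RULE_FILE"
    echo "$IPTABLES -A $R_UDP -p udp -j $R_UDPCOMMON" >> "$RULE_FILE"
}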
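# Turn one policy file into iptables commands appended to $RULE_FILE.
# Each policy line is "<proto> <port> [<source-ip>] <DROP|ACCEPT>" with the
# fields separated by single spaces. For every line this emits
#   1. a jump from the protocol chain into the per-service chain chosen by
#      the port (SSH, TELNET, API chains; everything else goes to the common
#      chain of its protocol), and
#   2. inside that chain the DROP or ACCEPT rule, restricted to the source
#      address when one is given. A DROP in a v4 policy is preceded by a
#      rate-limited ULOG rule so that violations are logged.
# The fields are copied verbatim into the generated commands, so the policy
# file is trusted input: it must stay writable by root only.
# Arguments:       $1 - path of the policy file
# Globals read:    IPTABLES, RULE_FILE, POLICY_TYPE, NLGROUP and the R_*
#                  chain names (all set outside this function)
# Globals written: POLICYFILE, LIMIT_RATE, BURST_RATE, PROTO, PORT, RULE,
#                  PROTOCHAIN, VIOLATED_APP, IPADDR, SRC_OPT, rem_line, line
# Exits the script with status 1 when the policy file does not exist.
iptab_create_policy_rules()
{
    echo_debug
    echo_debug "debug: entering iptab_create_policy_rules"
    echo_debug

    POLICYFILE=$1
    echo_debug "debug: policyfile=$POLICYFILE"
    LIMIT_RATE=20/minute
    BURST_RATE=20

    # check if text policy file exists. If not, say so and exit.
    if [ ! -f "$POLICYFILE" ]; then
        echo "createipfchains: policy file not found: $POLICYFILE" 1>&2
        exit 1
    fi

    OLD_IFS=$IFS

    # Read the file a line at a time: IFS= keeps leading/trailing blanks,
    # -r keeps backslashes, and the || clause still processes a final line
    # that has no trailing newline.
    while IFS= read -r line || [ -n "$line" ]
    do
        # blank lines carry no rule
        [ -n "$line" ] || continue

        # get protocol (first space-separated field)
        PROTO=${line%% *}
        echo_debug "debug proto: $PROTO"
        rem_line=${line#"$PROTO" }
        echo_debug "debug: rem_line=$rem_line"

        # get port number (second field)
        PORT=${rem_line%% *}
        echo_debug "debug port: $PORT"

        rem_line=${rem_line#"$PORT" }

        echo_debug "debug: rem_line=$rem_line"

        # pick the per-service chain and the name used in the log prefix
        case "$PORT" in
            22)
                RULE=$R_SSH
                PROTOCHAIN=$R_TCP
                VIOLATED_APP="SSH"
                ;;

            23)
                RULE=$R_TELNET
                PROTOCHAIN=$R_TCP
                VIOLATED_APP="TELNET"
                ;;

            111)
                if [ "$PROTO" = "tcp" ]; then
                    RULE=$R_APIRPCTCP
                    PROTOCHAIN=$R_TCP
                else
                    RULE=$R_APIRPCUDP
                    PROTOCHAIN=$R_UDP
                fi
                VIOLATED_APP="API"
                ;;
            897 | 898)
                RULE=$R_APIPMAP
                PROTOCHAIN=$R_TCP
                VIOLATED_APP="API"
                ;;

    # add ports for API in future if new API comes up

            *)
                if [ "$PROTO" = "tcp" ]; then
                    RULE=$R_TCPCOMMON
                    PROTOCHAIN=$R_TCP
                    VIOLATED_APP="TCP"
                else
                    RULE=$R_UDPCOMMON
                    PROTOCHAIN=$R_UDP
                    VIOLATED_APP="UDP"
                fi
                ;;
        esac # end of case

        # jump from the protocol chain into the per-service chain for this port
        echo "$IPTABLES -A $PROTOCHAIN -p $PROTO -m $PROTO --dport $PORT -j $RULE" >> "$RULE_FILE"

        # the rest of the line is space separated: an optional source
        # address followed by the verdict
        IFS=' '

        IPADDR=""
        for ARG in $rem_line
        do
            case "$ARG" in
                DROP | ACCEPT)
                    SRC_OPT=""
                    if [ -n "$IPADDR" ]; then
                        SRC_OPT=" -s $IPADDR"
                    fi
                    # a v4 DROP is logged (rate limited) before being dropped;
                    # the \" keep the prefix one argument when the rule file is
                    # later run through a shell
                    if [ "$ARG" = "DROP" ] && [ "$POLICY_TYPE" = "v4" ]; then
                        echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT$SRC_OPT -m limit --limit $LIMIT_RATE --limit-burst $BURST_RATE -j ULOG --ulog-prefix \"$VIOLATED_APP violation-port $PORT\" --ulog-cprange 20 --ulog-nlgroup $NLGROUP" >> "$RULE_FILE"
                    fi
                    echo "$IPTABLES -A $RULE -p $PROTO -m $PROTO --dport $PORT$SRC_OPT -j $ARG" >> "$RULE_FILE"
                    # the verdict ends the line; anything after it is ignored
                    break
                    ;;
                *)
                    # not a verdict, so treat it as the source address
                    # (the last one seen before the verdict wins)
                    IPADDR=$ARG
                    ;;
            esac
        done #inner for loop
        IFS=$OLD_IFS
    done < "$POLICYFILE"   # for

    IFS=$OLD_IFS

    echo_debug
    echo_debug "debug: exiting iptab_create_policy_rules"
    echo_debug
} # iptab_create_policy_rules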

#////////////////////////////////////////
########################################
# This is the start of this script
########################################
#////////////////////////////////////////


  177. export POLICY_TYPE=$1;
  178.  
  179. export NLGROUP=1
  180.  
  181.  
  182. POLICYFILE="/etc/fabos/ipfpolicy."$POLICY_TYPE"."$CPSTATE".txt"
  183.  
  184. echo_debug "debug createrules time"
  185.  
  186. iptab_create_default_rules ;
  187.  
  188. iptab_create_policy_rules $POLICYFILE ;
  189.  
  190. iptab_create_generic_rules ;
  191.  
  192. exit 0