diff options
| author | Jo-Philipp Wich <jow@openwrt.org> | 2009-06-07 11:48:37 +0000 |
|---|---|---|
| committer | Jo-Philipp Wich <jow@openwrt.org> | 2009-06-07 11:48:37 +0000 |
| commit | 5ae86ebc3f8ee13ef7c267e2de16fbe6664f8cf0 (patch) | |
| tree | 84cf9ecee070c2b19a14e65a1c47245aa064a70f /contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init | |
| parent | dc850f5f96b8d09d3be3687e2b4cb2f75f1d7d8d (diff) | |
contrib/package: add freifunk-p2pblock firewall addon
Diffstat (limited to 'contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init')
| -rw-r--r-- | contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init | 89 |
1 files changed, 89 insertions, 0 deletions
diff --git a/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init b/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init new file mode 100644 index 000000000..95193aa62 --- /dev/null +++ b/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init @@ -0,0 +1,89 @@ +#!/bin/sh /etc/rc.common + +START=82 +ME="freifunk-p2pblock" +LOCK='/var/run/p2pblock.lock' + +# helper-scripts +ipt_add() { + logger -t "$ME" "set 'iptables -I $1'" + iptables -I $1 + echo "iptables -D $1" >> $LOCK +} + +start() { + if [ ! -s "$LOCK" ]; then + logger -s -t "$ME" 'starting p2pblock...' + + config_load network + config_get wan wan ifname + config_load freifunk-p2pblock + config_get layer7 p2pblock layer7 + config_get ipp2p p2pblock ipp2p + config_get portrange p2pblock portrange + config_get blocktime p2pblock blocktime + + # load modules + insmod ipt_ipp2p 2>&- + insmod ipt_layer7 2>&- + insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&- + + # create new p2p-chain + iptables -N p2pblock + # pipe all incomming FORWARD with source-/destination-port 1024-65535 throu p2p-chain + ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock" + ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock" + + # if p2p-traffic blocked 3 packages to a destination ip then block all traffic within the next 180 sec (port 1024-65535) + ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP" + ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:" + + # create layer7-rules + for proto in $layer7; do + ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK" + ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:" + done + + # create ipp2p-rules + for proto in $ipp2p; do + ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK" + ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:" + done + + # insert whitelisted ips + for ip in $WHITELIST; do + ipt_add "p2pblock -d $ip -j RETURN" + done + + logger -s -t "$ME" 'Done.'; return 0 + + else + logger -s -t "$ME" 'WARNING! already running - Aborting!'; return 2 + + fi +} + +stop() { + if [ -s "$LOCK" ]; then + logger -s -t "$ME" 'stopping p2pblock...' + + # unset all rules in $LOCK-file + cat $LOCK | sed -ne '1!G;h;$p' | while read line; do + logger -t "$ME" "unset $line" + while eval $line 2>&-; do :; done + done; : > "$LOCK" + + # flush and delete the p2p-chain + iptables -F p2pblock + iptables -X p2pblock + logger -s -t "$ME" 'Done.'; return 0 + + else + logger -s -t "$ME" 'WARNING! not running - Aborting!'; return 2 + + fi +} + +restart() { + stop; sleep 1; start +} |