diff options
-rw-r--r-- | contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init | 83 |
1 files changed, 43 insertions, 40 deletions
diff --git a/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init b/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init index 5c89fce26..b615962b0 100644 --- a/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init +++ b/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init @@ -19,49 +19,52 @@ start() { config_load network config_get wan wan ifname - config_load freifunk_p2pblock - config_get layer7 p2pblock layer7 - config_get ipp2p p2pblock ipp2p - config_get portrange p2pblock portrange - config_get blocktime p2pblock blocktime - - # load modules - insmod ipt_ipp2p 2>&- - insmod ipt_layer7 2>&- - insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&- - - # create new p2p-chain - iptables -N p2pblock - # pipe all incomming FORWARD with source-/destination-port 1024-65535 throu p2p-chain - ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock" - ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock" - - # if p2p-traffic blocked 3 packages to a destination ip then block all traffic within the next 180 sec (port 1024-65535) - ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP" - ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:" - - # create layer7-rules - for proto in $layer7; do - ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK" - ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:" - done - - # create ipp2p-rules - for proto in $ipp2p; do - ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK" - ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:" - done - - # insert whitelisted ips - for ip in $WHITELIST; do - ipt_add "p2pblock -d $ip -j RETURN" - done - - logger -s -t "$ME" 'Done.'; return 0 + if [ -n "$wan" ]; then + config_load freifunk_p2pblock + config_get layer7 p2pblock layer7 + config_get ipp2p p2pblock ipp2p + config_get portrange p2pblock portrange + config_get blocktime p2pblock blocktime + + # load modules + insmod ipt_ipp2p 2>&- + insmod ipt_layer7 2>&- + insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&- + + # create new p2p-chain + iptables -N p2pblock + # pipe all incomming FORWARD with source-/destination-port 1024-65535 throu p2p-chain + ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock" + ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock" + + # if p2p-traffic blocked 3 packages to a destination ip then block all traffic within the next 180 sec (port 1024-65535) + ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP" + ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:" + + # create layer7-rules + for proto in $layer7; do + ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK" + ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:" + done + + # create ipp2p-rules + for proto in $ipp2p; do + ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK" + ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:" + done + + # insert whitelisted ips + for ip in $WHITELIST; do + ipt_add "p2pblock -d $ip -j RETURN" + done + + logger -s -t "$ME" 'Done.'; return 0 + else + logger -s -t "$ME" 'No wan interface present.'; return 0 + fi else logger -s -t "$ME" 'WARNING! already running - Aborting!'; return 2 - fi } |