contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95

#!/bin/sh /etc/rc.common

START=82
ME="freifunk-p2pblock"
LOCK='/var/run/p2pblock.lock'

# helper-scripts
ipt_add() {
	logger -t "$ME" "set 'iptables -I $1'"
	iptables -I $1
	echo "iptables -D $1" >> $LOCK
}

start() {
	/etc/init.d/freifunk-p2pblock enabled || return

	if [ ! -s "$LOCK" ]; then
		logger -s -t "$ME" 'starting p2pblock...'

		config_load network
		config_get wan wan ifname

		if [ -n "$wan" ]; then
			config_load freifunk_p2pblock
			config_get layer7 p2pblock layer7
			config_get ipp2p p2pblock ipp2p
			config_get portrange p2pblock portrange
			config_get blocktime p2pblock blocktime
			config_get whitelist p2pblock whitelist

			# load modules
			insmod ipt_ipp2p 2>&-
			insmod ipt_layer7 2>&-
			insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&-

			# create new p2p-chain
			iptables -N p2pblock
			# pipe all incoming FORWARD with source-/destination-port 1024-65535 throu p2p-chain
			ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock"
			ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock"

			# if p2p-traffic blocked 3 packages to a destination ip then block all traffic within the next 180 sec (port 1024-65535)
			ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP"
			ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:"

			# create layer7-rules
			for proto in $layer7; do
				ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK"
				ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
			done

			# create ipp2p-rules
			for proto in $ipp2p; do
				ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK"
				ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
			done

			# insert whitelisted ips
			for ip in $whitelist; do
				ipt_add "p2pblock -d $ip -j RETURN"
			done

			logger -s -t "$ME" 'Done.'; return 0
		else
			logger -s -t "$ME" 'No wan interface present.'; return 0
		fi
	else
		logger -s -t "$ME" 'WARNING! already running - Aborting!'; return 2
	fi
}

stop() {
	if [ -s "$LOCK" ]; then
		logger -s -t "$ME" 'stopping p2pblock...'

		# unset all rules in $LOCK-file
		cat $LOCK | sed -ne '1!G;h;$p' | while read line; do
			logger -t "$ME" "unset $line"
			while eval $line 2>&-; do :; done
		done; : > "$LOCK"

		# flush and delete the p2p-chain
		iptables -F p2pblock
		iptables -X p2pblock
		logger -s -t "$ME" 'Done.'; return 0

	else
		logger -s -t "$ME" 'WARNING! not running - Aborting!'; return 2

	fi
}

restart() {
	stop; sleep 1; start
}