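#!/bin/bash
# Next-generation firewall for Czela Debian 3.0
# Author: Mirek Slugen
# Co-authors: Michal Perlik, Michal Vondracek, Jan Chmelensky
# Created: 06.11.2006
# Last changed: 17.09.2007
# This script may be freely distributed and modified.
#
# NOTE(review): the functions below use bash-only features (${!var}
# indirect expansion), so the interpreter is bash rather than /bin/sh,
# which on current systems may be dash and would reject that syntax.
# $IPTABLES and the DEV<n>_IFACE / DEV<n>_NO_P2P variables are not set
# here; presumably this file is sourced by the main firewall script that
# provides them — verify against the caller.

# Layer-7 protocol names (iptables layer7 match, --l7proto) that are rejected
P2P_PROTOCOLS="bittorrent directconnect edonkey http-itunes soulseek"
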
# Implementation of P2P packet blocking
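#######################################
# Reject P2P traffic on every interface flagged for it.
# Existing layer7 REJECT rules are flushed first (p2p_stop); then, for each
# DEV<n>_IFACE whose DEV<n>_NO_P2P is "yes", one REJECT rule per protocol is
# inserted at the head of FORWARD in both directions (-i and -o).
# Globals:   IPTABLES, P2P_PROTOCOLS, DEV<n>_IFACE, DEV<n>_NO_P2P (read)
#            P2P_MAX_DEVS - number of DEV<n> slots to scan (default 15)
# Outputs:   one progress line on stdout naming the affected interfaces
# Returns:   status of the last command run
#######################################
p2p_start() {
  local max_devs=${P2P_MAX_DEVS:-15}
  local i=0 iface_var iface flag_var flag proto

  p2p_stop
  printf '%s' "Rejecting P2P packets on:"
  while [ "$i" -lt "$max_devs" ]; do
    # Indirect expansion (bash): DEV0_IFACE, DEV0_NO_P2P, DEV1_IFACE, ...
    iface_var="DEV${i}_IFACE"
    iface=${!iface_var}
    flag_var="DEV${i}_NO_P2P"
    flag=${!flag_var}
    if [ "$flag" = "yes" ] && [ -n "$iface" ]; then
      printf ' %s' "$iface"
      # -I without a position puts these rules first, ahead of any ACCEPT
      # rule already in FORWARD. p2p_allow_ip also inserts at the head, so
      # per-host exceptions must be added after this function runs.
      # $IPTABLES is deliberately unquoted so it may carry extra flags.
      # shellcheck disable=SC2086
      for proto in $P2P_PROTOCOLS; do
        $IPTABLES -I FORWARD -i "$iface" -m layer7 --l7proto "$proto" -j REJECT
        $IPTABLES -I FORWARD -o "$iface" -m layer7 --l7proto "$proto" -j REJECT
      done
    fi
    i=$((i + 1))
  done
  printf '.\n'
}
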
#######################################
# Remove every layer7 REJECT rule from the FORWARD chain.
# Rules are selected textually, by the words REJECT and LAYER7 in the
# listing, so any layer7 reject rule in FORWARD is removed regardless of
# who added it; layer7 ACCEPT rules (p2p_allow_ip) are left in place.
# Globals:   IPTABLES (read)
# Returns:   status of the last iptables -D call (0 when nothing matched)
#######################################
p2p_stop() {
  local rule_no
  # Delete from the highest rule number down so the remaining numbers
  # stay valid while deleting. $IPTABLES is deliberately unquoted so it
  # may carry extra flags.
  # shellcheck disable=SC2086
  for rule_no in $($IPTABLES -L FORWARD -n -v --line-numbers \
      | awk '/REJECT/ && /LAYER7/ { print $1 }' | sort -rn); do
    $IPTABLES -D FORWARD "$rule_no"
  done
}

#######################################
# Lift the P2P ban everywhere.
# "Allow all" is simply "no layer7 REJECT rules left", so this delegates
# to p2p_stop.
# Returns:   status of p2p_stop
#######################################
p2p_allow_all() {
  p2p_stop
  return $?
}

#######################################
# Reject the P2P protocols on all forwarded traffic, regardless of interface.
# Nothing is removed first, so calling this twice stacks duplicate rules;
# p2p_stop / p2p_allow_all clear them.
# Globals:   IPTABLES, P2P_PROTOCOLS (read)
# Returns:   status of the last iptables call
#######################################
p2p_deny_all() {
  local proto
  # $IPTABLES is deliberately unquoted so it may carry extra flags.
  # shellcheck disable=SC2086
  for proto in $P2P_PROTOCOLS; do
    $IPTABLES -I FORWARD -m layer7 --l7proto "$proto" -j REJECT
  done
}

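#######################################
# Exempt one host from the P2P reject rules.
# Any existing layer7 rule mentioning the host is removed, then an ACCEPT
# rule per protocol is inserted at the head of FORWARD for traffic to and
# from the host.
# Arguments: $1 - host address as iptables -n prints it (numeric, e.g.
#            10.0.0.1); an empty argument is a no-op
# Globals:   IPTABLES, P2P_PROTOCOLS (read)
# Returns:   0 when $1 is empty, otherwise status of the last iptables call
#######################################
p2p_allow_ip() {
  local host=$1 rule_no proto
  [ -z "$host" ] && return 0

  # Match the address as a fixed string and a whole word: an unanchored
  # regex match on 10.0.0.1 would also select (and delete) the rules for
  # 10.0.0.10 or 110.0.0.1. Delete from the highest rule number down so
  # numbering stays valid. $IPTABLES is deliberately unquoted so it may
  # carry extra flags.
  # shellcheck disable=SC2086
  for rule_no in $($IPTABLES -L FORWARD -n -v --line-numbers \
      | grep -Fw -- "$host" | grep LAYER7 | awk '{ print $1 }' | sort -rn); do
    $IPTABLES -D FORWARD "$rule_no"
  done
  # shellcheck disable=SC2086
  for proto in $P2P_PROTOCOLS; do
    $IPTABLES -I FORWARD -d "$host" -m layer7 --l7proto "$proto" -j ACCEPT
    $IPTABLES -I FORWARD -s "$host" -m layer7 --l7proto "$proto" -j ACCEPT
  done
}
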
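#######################################
# Reject the P2P protocols for one host only.
# Any existing layer7 rule mentioning the host is removed, then a REJECT
# rule per protocol is inserted at the head of FORWARD for traffic to and
# from the host.
# Arguments: $1 - host address as iptables -n prints it (numeric, e.g.
#            10.0.0.1); an empty argument is a no-op
# Globals:   IPTABLES, P2P_PROTOCOLS (read)
# Returns:   0 when $1 is empty, otherwise status of the last iptables call
#######################################
p2p_deny_ip() {
  local host=$1 rule_no proto
  [ -z "$host" ] && return 0

  # Match the address as a fixed string and a whole word: an unanchored
  # regex match on 10.0.0.1 would also select (and delete) the rules for
  # 10.0.0.10 or 110.0.0.1. Delete from the highest rule number down so
  # numbering stays valid. $IPTABLES is deliberately unquoted so it may
  # carry extra flags.
  # shellcheck disable=SC2086
  for rule_no in $($IPTABLES -L FORWARD -n -v --line-numbers \
      | grep -Fw -- "$host" | grep LAYER7 | awk '{ print $1 }' | sort -rn); do
    $IPTABLES -D FORWARD "$rule_no"
  done
  # shellcheck disable=SC2086
  for proto in $P2P_PROTOCOLS; do
    $IPTABLES -I FORWARD -d "$host" -m layer7 --l7proto "$proto" -j REJECT
    $IPTABLES -I FORWARD -s "$host" -m layer7 --l7proto "$proto" -j REJECT
  done
}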