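#!/usr/bin/env perl
#
# HotSaNIC iptables accounting setup.
#
# (Re)creates the acct_* chains, adds one counting rule per configured host
# and links the chains into INPUT/OUTPUT/FORWARD for every configured
# interface.  Every iptables call goes through run_iptables(), which uses the
# list form of system() so that values read from the module settings file are
# passed to iptables verbatim and never interpreted by a shell.
#
use strict;
use warnings;
use diagnostics;
use File::Spec;

use lib "../../lib";
use HotSaNICparser;

# read global settings
#
my $MODNAME = HotSaNICparser::get_module_name();

# read module-specific settings
#
my $IPTABLES;          # iptables command as written in the settings file
my $INTIF = '';        # comma-separated list of internal interfaces
my $EXTIF = '';        # comma-separated list of external interfaces
my @LOCALDEST;         # hosts/networks to account on the internal side
my @WORLDDEST;         # hosts/networks to account on the external side

for my $line (HotSaNICparser::read_settings(".")) {
    my ($var, $value) = HotSaNICparser::parse_line($line);
    next unless defined $var;
    if    ($var eq "INTIF")    { $INTIF    = $value; }
    elsif ($var eq "IPTABLES") { $IPTABLES = $value; }
    elsif ($var eq "EXTIF")    { $EXTIF    = $value; }
    elsif ($var eq "DEVEXT" or $var eq "DEVINT") {
        # DEV* lines are "device,maxin,maxout,description"; only the device
        # is used by this script.
        my ($dev) = split /,/, $value;
        push @{ $var eq "DEVEXT" ? \@WORLDDEST : \@LOCALDEST }, $dev;
    }
}

# The settings value may carry options after the binary ("/sbin/iptables -w"),
# so it is split on whitespace once here and spliced into the argument list
# of every call instead of being interpolated into a shell command line.
my @IPTABLES_CMD = defined $IPTABLES ? split(' ', $IPTABLES) : ();
if (!@IPTABLES_CMD) { die time, " ", $MODNAME, ": IPTABLES not configured in module settings...\n"; }

print "\nclearing old and setting up new accounting chains\n";
#removing links in main chains
# On the first run there is nothing to unlink, so these -D calls are expected
# to fail and their status is deliberately ignored (quiet => 1).
run_iptables(1, qw(-D INPUT -j acct_input));
run_iptables(1, qw(-D OUTPUT -j acct_output));
run_iptables(1, qw(-D FORWARD -j acct_forward));

#recreating main accounting tables
for my $chain (qw(input output forward)) {
    recreate_chain("acct_$chain");
}

#recreating particular accounting tables
for my $prt (qw(tcp udp other)) {
    recreate_chain("acct_ext_$prt");
    recreate_chain("acct_int_$prt");
}

#linking back accounting to main chains
run_iptables(0, qw(-I INPUT -j acct_input));
run_iptables(0, qw(-I OUTPUT -j acct_output));
run_iptables(0, qw(-I FORWARD -j acct_forward));

#
# set up Accounting for unique IPs in subnet...
#

print "\naccounting for local targets\n";
account_hosts("int", @LOCALDEST);

#
# set up accounting for dedicated networks to local subnet
#

print "\naccounting for externel targets\n";
account_hosts("ext", @WORLDDEST);

print "\nlinking accounting chains to INPUT/OUTPUT chain\n";
link_interfaces("ext", $EXTIF);
link_interfaces("int", $INTIF);
print "\n\nAll done! - accounting should be running now!\n";

# Flush, delete and create one user chain.  The -F/-X steps fail harmlessly
# when the chain does not exist yet, so only the -N result is reported.
sub recreate_chain {
    my ($chain) = @_;
    run_iptables(1, '-F', $chain);
    run_iptables(1, '-X', $chain);
    run_iptables(0, '-N', $chain);
    return;
}

# Add a -s and a -d counting rule for every host to the tcp, udp and "other"
# chains of one side ("int" or "ext"), then make the "other" chain RETURN
# early for tcp and udp so those protocols are only counted once.
sub account_hosts {
    my ($side, @hosts) = @_;
    for my $host (@hosts) {
        print " ", $host, "\n";
        next unless usable_value("host", $host);
        for my $prt (qw(tcp udp other)) {
            run_iptables(0, '-A', "acct_${side}_$prt", '-s', $host);
            run_iptables(0, '-A', "acct_${side}_$prt", '-d', $host);
        }
    }
    #this will kick out all tcp and udp from other accounting chain
    run_iptables(0, '-I', "acct_${side}_other", qw(-p tcp -j RETURN));
    run_iptables(0, '-I', "acct_${side}_other", qw(-p udp -j RETURN));
    return;
}

# Insert jumps from the main accounting chains into the per-protocol chains of
# one side for every interface in a comma-separated list.
sub link_interfaces {
    my ($side, $iflist) = @_;
    for my $dev (split /,/, $iflist) {
        next unless usable_value("interface", $dev);
        if ($IPTABLES =~ /ipchains/) {
            # NOTE(review): "acct_$side" is never created by this script (only
            # acct_${side}_{tcp,udp,other} are), so this legacy branch looks
            # stale -- confirm before relying on it.
            run_iptables(0, '-I', 'input',  '-i', $dev, '-j', "acct_$side");
            run_iptables(0, '-I', 'output', '-i', $dev, '-j', "acct_$side");
            next;
        }
        # -I inserts at the top of the chain, so the catch-all "-p all" jump
        # to the "other" chain goes in first; the tcp/udp jumps inserted
        # afterwards land above it and therefore match first.
        for my $prt (qw(all tcp udp)) {
            my $target = $prt eq 'all' ? "acct_${side}_other" : "acct_${side}_$prt";
            run_iptables(0, '-I', 'acct_input',   '-i', $dev, '-p', $prt, '-j', $target);
            run_iptables(0, '-I', 'acct_output',  '-o', $dev, '-p', $prt, '-j', $target);
            run_iptables(0, '-I', 'acct_forward', '-i', $dev, '-p', $prt, '-j', $target);
            run_iptables(0, '-I', 'acct_forward', '-o', $dev, '-p', $prt, '-j', $target);
        }
    }
    return;
}

# True when a settings value can be handed to iptables as an address or
# interface argument; otherwise warns and returns false so the caller skips it.
# Values reach iptables verbatim (no shell), so the only shapes to reject are
# the ones iptables itself would misread: empty, containing whitespace, or a
# leading '-' that would be parsed as an option.
sub usable_value {
    my ($what, $value) = @_;
    if (defined $value and $value ne '' and $value !~ /\s/ and $value !~ /\A-/) {
        return 1;
    }
    my $shown = defined $value ? $value : '';
    warn time, " ", $MODNAME, ": skipping $what '$shown' - not a usable value\n";
    return 0;
}

# Run iptables with the given argument list (no shell involved) and return
# true when it exited 0.  With $quiet true a failure is silently ignored; this
# is used for the cleanup steps that legitimately fail on the first run.
# iptables' stdout is discarded like the former "> /dev/null" did; stderr is
# left untouched so iptables' own error text stays visible.
sub run_iptables {
    my ($quiet, @args) = @_;
    open my $saved_stdout, '>&', \*STDOUT or die "dup STDOUT: $!\n";
    open STDOUT, '>', File::Spec->devnull() or die "open null device: $!\n";
    my $status     = system(@IPTABLES_CMD, @args);
    my $exec_error = $!;
    open STDOUT, '>&', $saved_stdout or die "restore STDOUT: $!\n";
    close $saved_stdout;

    return 1 if $status == 0;
    if (!$quiet) {
        # -1 means the command could not be started at all (not found, not
        # executable); anything else is iptables' own exit status.
        my $reason = $status == -1 ? "could not run: $exec_error"
                                   : "exit status " . ($status >> 8);
        warn time, " ", $MODNAME, ": @IPTABLES_CMD @args failed ($reason)\n";
    }
    return 0;
}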