#!/usr/bin/env perl
use warnings;
use diagnostics;

use lib "../../lib";
use HotSaNICparser;

# read global settings
#
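$MODNAME=HotSaNICparser::get_module_name();

# read module-specific settings
#
# Every value read here is later interpolated into system("$IPTABLES ...")
# strings, i.e. it is handed to /bin/sh, normally as root.  The values are
# therefore checked against a strict whitelist and the script refuses to
# start on anything that could carry shell metacharacters.  Whitespace
# around the elements of comma separated lists is stripped so that
# "eth0, eth1" keeps working.
$SAFE_CMD  = qr{\A[\w./+ -]+\z};     # path to iptables/ipchains, plain arguments allowed
$SAFE_NAME = qr{\A[\w.:/+-]+\z};     # interface names (incl. "eth+"), IPv4/IPv6 addresses, CIDR nets

foreach (HotSaNICparser::read_settings(".")) {
  ($var,$value)=HotSaNICparser::parse_line($_);

  if ($var eq "IPTABLES") { $IPTABLES=$value; }

  if ($var eq "INTIF" || $var eq "EXTIF") {
    # comma separated list of interface names, validated element by element
    @devs=();
    foreach $raw (split(/,/,$value)) {
      ($dev=$raw) =~ s/^\s+//;
      $dev =~ s/\s+$//;
      if ($dev !~ $SAFE_NAME) { die time," ",$MODNAME,": refusing unsafe interface name '$dev' in $var\n"; }
      push @devs,$dev;
      }
    if ($var eq "INTIF") { $INTIF=join(",",@devs); }
    else                 { $EXTIF=join(",",@devs); }
    }

  # DEVEXT / DEVINT lines look like "target,maxin,maxout,description".
  # Only the target (an address or network that ends up in -s/-d rules)
  # is used by this script; the remaining fields are ignored here.
  if ($var eq "DEVEXT" || $var eq "DEVINT") {
    ($target)=split(/,/,$value);
    if (!defined $target || $target !~ $SAFE_NAME) {
      die time," ",$MODNAME,": refusing unsafe or empty target in $var: '",(defined $target ? $target : ""),"'\n";
      }
    if ($var eq "DEVEXT") { push @WORLDDEST,$target; }
    else                  { push @LOCALDEST,$target; }
    }
  }

if ( ! defined $IPTABLES) { die time," ",$MODNAME,": IPTABLES not configured in module settings...\n"; }
# an empty or metacharacter-laden IPTABLES would otherwise be run through the shell below
if ( $IPTABLES !~ $SAFE_CMD ) { die time," ",$MODNAME,": refusing unsafe IPTABLES setting '$IPTABLES'\n"; }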

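print "\nclearing old and setting up new accounting chains\n";

# Unhook the accounting chains from the builtin chains and throw the old
# chains away.  On a fresh system none of them exist yet, so -D/-F/-X are
# expected to fail and their exit status is ignored on purpose (only stdout
# is silenced; iptables still reports on stderr).
foreach $chain ("input","output","forward") {
  system("$IPTABLES -D ".uc($chain)." -j acct_$chain > /dev/null");
  }

# recreate the three main accounting chains (flush, delete, create)
foreach $chain ("input","output","forward") {
  foreach $op ("-F","-X","-N") {
    system("$IPTABLES $op acct_$chain > /dev/null");
    }
  }

# recreate the per-protocol accounting chains: {ext,int} x {tcp,udp,other}
foreach $prt ("tcp","udp","other") {
  foreach $op ("-F","-X","-N") {
    foreach $side ("ext","int") {
      system("$IPTABLES $op acct_${side}_$prt > /dev/null");
      }
    }
  }

# Hook the accounting chains back into INPUT/OUTPUT/FORWARD.  Unlike the
# cleanup above this has to succeed, otherwise nothing is counted at all:
# stop here instead of reporting "All done" over an empty setup
# (typical causes: not running as root, chain creation failed, bad IPTABLES path).
foreach $chain ("input","output","forward") {
  $builtin=uc($chain);
  if (system("$IPTABLES -I $builtin -j acct_$chain > /dev/null") != 0) {
    die time," ",$MODNAME,": could not link acct_$chain into $builtin (status $?) - check that '$IPTABLES' works and that you are root\n";
    }
  }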

#
# set up Accounting for unique IPs in subnet...
#

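print "\naccounting for local targets\n";

# One counting rule per direction (-s / -d) for every local target in each
# of the tcp, udp and "other" chains.  The rules carry no target, they only
# count.  A rule that iptables rejects (unresolvable host, bad netmask, ...)
# is reported instead of silently leaving a hole in the statistics.
foreach $host (@LOCALDEST) {
  print "  ",$host,"\n";
  foreach $prt ("tcp","udp","other") {
    foreach $dir ("-s","-d") {
      if (system("$IPTABLES -A acct_int_$prt $dir $host") != 0) {
        warn time," ",$MODNAME,": could not add counting rule '$dir $host' to acct_int_$prt (status $?)\n";
        }
      }
    }
  }
# tcp and udp already went through their own chains; hand them back before
# the counting rules so acct_int_other only counts the remaining protocols.
system("$IPTABLES -I acct_int_other -p tcp -j RETURN");
system("$IPTABLES -I acct_int_other -p udp -j RETURN");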

#
# set up accounting for dedicated networks to local subnet
#

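print "\naccounting for externel targets\n";

# Same layout as the local chains: one counting rule per direction (-s / -d)
# for every external target in each of the tcp, udp and "other" chains.
# Rules iptables rejects are reported rather than silently dropped.
foreach $host (@WORLDDEST) {
  print "  ",$host,"\n";
  foreach $prt ("tcp","udp","other") {
    foreach $dir ("-s","-d") {
      if (system("$IPTABLES -A acct_ext_$prt $dir $host") != 0) {
        warn time," ",$MODNAME,": could not add counting rule '$dir $host' to acct_ext_$prt (status $?)\n";
        }
      }
    }
  }
# tcp and udp already went through their own chains; hand them back before
# the counting rules so acct_ext_other only counts the remaining protocols.
system("$IPTABLES -I acct_ext_other -p tcp -j RETURN");
system("$IPTABLES -I acct_ext_other -p udp -j RETURN");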

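print "\nlinking accounting chains to INPUT/OUTPUT chain\n";

# External interfaces.  For each one a "-p all" rule sends everything to
# acct_ext_other; the tcp/udp rules are inserted afterwards with -I and so
# end up in front of it, diverting those protocols to their own chain first.
# An unset EXTIF is reported instead of triggering an "uninitialized value"
# warning from split.
@extdevs = defined $EXTIF ? split(/,/,$EXTIF) : ();
if (! @extdevs) { print "  no EXTIF configured, external interfaces not linked\n"; }

foreach $dev (@extdevs) {
  if ($IPTABLES =~ /ipchains/) {
    # NOTE(review): the chains acct_ext / acct_int used here are not created
    # anywhere in this script (only acct_{ext,int}_{tcp,udp,other} are), so
    # this branch presumably relies on chains set up elsewhere - verify before
    # depending on the ipchains path.
    system("$IPTABLES -I input -i $dev -j acct_ext > /dev/null");
    system("$IPTABLES -I output -i $dev -j acct_ext > /dev/null");
    }
  else {
    foreach $prt ("all","tcp","udp") {
      $target = ($prt eq "all") ? "acct_ext_other" : "acct_ext_$prt";
      foreach $where ("-I acct_input -i $dev", "-I acct_output -o $dev",
                      "-I acct_forward -i $dev", "-I acct_forward -o $dev") {
        if (system("$IPTABLES $where -p $prt -j $target > /dev/null") != 0) {
          warn time," ",$MODNAME,": could not link $target for $dev ('$where -p $prt', status $?)\n";
          }
        }
      }
    }
  }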

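# Internal interfaces, wired up exactly like the external ones: a "-p all"
# rule to acct_int_other, then tcp/udp rules inserted in front of it.
# An unset INTIF is reported instead of triggering an "uninitialized value"
# warning from split.
@intdevs = defined $INTIF ? split(/,/,$INTIF) : ();
if (! @intdevs) { print "  no INTIF configured, internal interfaces not linked\n"; }

foreach $dev (@intdevs) {
  if ($IPTABLES =~ /ipchains/) {
    # NOTE(review): acct_int is not created by this script (only
    # acct_int_{tcp,udp,other} are); this branch presumably relies on chains
    # set up elsewhere - verify before depending on the ipchains path.
    system("$IPTABLES -I input -i $dev -j acct_int > /dev/null");
    system("$IPTABLES -I output -i $dev -j acct_int > /dev/null");
    }
  else {
    foreach $prt ("all","tcp","udp") {
      $target = ($prt eq "all") ? "acct_int_other" : "acct_int_$prt";
      foreach $where ("-I acct_input -i $dev", "-I acct_output -o $dev",
                      "-I acct_forward -i $dev", "-I acct_forward -o $dev") {
        if (system("$IPTABLES $where -p $prt -j $target > /dev/null") != 0) {
          warn time," ",$MODNAME,": could not link $target for $dev ('$where -p $prt', status $?)\n";
          }
        }
      }
    }
  }
print "\n\nAll done! - accounting should be running now!\n";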

