contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init

   1 #!/bin/sh /etc/rc.common
   2
   3 START=82
   4 ME="freifunk-p2pblock"
   5 LOCK='/var/run/p2pblock.lock'
   6
   7 # helper-scripts
   8 ipt_add() {
   9         logger -t "$ME" "set 'iptables -I $1'"
  10         iptables -I $1
  11         echo "iptables -D $1" >> $LOCK
  12 }
  13
  14 start() {
  15         /etc/init.d/freifunk-p2pblock enabled || return
  16
  17         if [ ! -s "$LOCK" ]; then
  18                 logger -s -t "$ME" 'starting p2pblock...'
  19
  20                 config_load network
  21                 config_get wan wan ifname
  22                 config_load freifunk_p2pblock
  23                 config_get layer7 p2pblock layer7
  24                 config_get ipp2p p2pblock ipp2p
  25                 config_get portrange p2pblock portrange
  26                 config_get blocktime p2pblock blocktime
  27
  28                 # load modules
  29                 insmod ipt_ipp2p 2>&-
  30                 insmod ipt_layer7 2>&-
  31                 insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&-
  32
  33                 # create new p2p-chain
  34                 iptables -N p2pblock
  35                 # pipe all incomming FORWARD with source-/destination-port 1024-65535 throu p2p-chain
  36                 ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock"
  37                 ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock"
  38
  39                 # if p2p-traffic blocked 3 packages to a destination ip then block all traffic within the next 180 sec (port 1024-65535)
  40                 ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP"
  41                 ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:"
  42
  43                 # create layer7-rules
  44                 for proto in $layer7; do
  45                         ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK"
  46                         ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
  47                 done
  48
  49                 # create ipp2p-rules
  50                 for proto in $ipp2p; do
  51                         ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK"
  52                         ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
  53                 done
  54
  55                 # insert whitelisted ips
  56                 for ip in $WHITELIST; do
  57                         ipt_add "p2pblock -d $ip -j RETURN"
  58                 done
  59
  60                 logger -s -t "$ME" 'Done.'; return 0
  61
  62         else
  63                 logger -s -t "$ME" 'WARNING! already running - Aborting!'; return 2
  64
  65         fi
  66 }
  67
  68 stop() {
  69         if [ -s "$LOCK" ]; then
  70                 logger -s -t "$ME" 'stopping p2pblock...'
  71
  72                 # unset all rules in $LOCK-file
  73                 cat $LOCK | sed -ne '1!G;h;$p' | while read line; do
  74                         logger -t "$ME" "unset $line"
  75                         while eval $line 2>&-; do :; done
  76                 done; : > "$LOCK"
  77
  78                 # flush and delete the p2p-chain
  79                 iptables -F p2pblock
  80                 iptables -X p2pblock
  81                 logger -s -t "$ME" 'Done.'; return 0
  82
  83         else
  84                 logger -s -t "$ME" 'WARNING! not running - Aborting!'; return 2
  85
  86         fi
  87 }
  88
  89 restart() {
  90         stop; sleep 1; start
  91 }