# HG changeset patch
# User heiko
# Date 1223756324 0
# Node ID 26a429d60aae7208886083426cab4d74338c1d70
- besser hier
diff -r 000000000000 -r 26a429d60aae insertRules
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/insertRules Sat Oct 11 20:18:44 2008 +0000
@@ -0,0 +1,159 @@
+#! /usr/bin/perl
+# $Id$
+# $URL$
+# © 2008 Heiko Schlittermann
+use constant USAGE => <<'#';
+{{ME}} [-n] [-v]
+#
+
+use strict;
+use warnings;
+use File::Basename;
+use AppConfig;
+
+use constant ME => basename $0;
+
+#use constant FI => { chain => "ipac~fi", parent => "FORWARD", iface => "--out" };
+#use constant FO => { chain => "ipac~fo", parent => "FORWARD", iface =>"--in" };
+#use constant I => { chain => "ipac~i", parent => "OUTPUT", iface => "--in" };
+#use constant O => { chain => "ipac~o", parent => "INPUT", iface => "--out" };
+
+my %TARGETS = (
+ "ipac~fi" => { chain => "ipac~fi", parent => "FORWARD", iface => "--in-interface" },
+ "ipac~fo" => { chain => "ipac~fo", parent => "FORWARD", iface => "--out-interface" },
+ "ipac~i" => { chain => "ipac~i", parent => "OUTPUT", iface => "--out-interface" },
+ "ipac~o" => { chain => "ipac~o", parent => "INPUT", iface => "--in-interface" },
+);
+
+use constant FILE => $ENV{IPAC_RULES} ? $ENV{IPAC_RULES} : "/etc/ipac-ng/rules.conf";
+
+use constant CONFIG => (
+ { CASE => 1 },
+ nothing => { ARGS => "!", DEFAULT => 0 },
+ verbose => { ARGS => "!", DEFAULT => 0 },
+);
+
+my $Cf = new AppConfig CONFIG or die;
+ $Cf->getopt or die;
+
+sub checkTarget($);
+sub insertTarget($);
+sub cleanTarget($);
+sub parseConfig($);
+sub expand($);
+
+MAIN: {
+ my @cmds;
+
+ # Check, if our rules exist
+ foreach (keys %TARGETS) {
+ checkTarget($TARGETS{$_})
+ or push @cmds, insertTarget($TARGETS{$_});
+
+ push @cmds, cleanTarget($TARGETS{$_});
+ }
+
+
+ my ($iptables, $rules) = parseConfig(FILE);
+ push @cmds, @$iptables;
+
+
+ foreach (@cmds) {
+ print "@$_\n" if $Cf->verbose or $Cf->nothing;
+ next if $Cf->nothing;
+ system @$_ and do {
+ warn "FAILED: @$_\n" if not $Cf->verbose;
+ };
+ }
+
+ if (!$Cf->nothing) {
+ open(RUNFILE, $_ = ">/var/run/ipac.rules") or die "Can't open $_: $!\n";
+ print RUNFILE join "\n", @$rules;
+ close(RUNFILE);
+ }
+}
+
+{
+ my $dump;
+sub checkTarget($) {
+ my $target = shift;
+
+ if (!$dump) {
+ open(X, "iptables-save|") or die "Can't open iptables-save: $!\n";
+ $dump = join "", grep /^:/, ;
+ close(X);
+ }
+
+ return $dump =~ /^:$target->{chain}/m
+
+} }
+
+sub insertTarget($) {
+ my $target = shift;
+
+ return (
+ ["iptables", "--new-chain" => $target->{chain}],
+ ["iptables",
+ "--insert" => $target->{parent},
+ "--jump" => $target->{chain}]
+ );
+}
+
+sub cleanTarget($) {
+ my $target = shift;
+ return ["iptables",
+ "--flush" => $target->{chain}];
+}
+
+sub parseConfig($) {
+ my (@iptables, @rules);
+ my $file = shift;
+ local(@ARGV) = ($file);
+
+ die ME.": Can't open $file: $!\n" if not -r $file;
+
+ @ARGV = ($file);
+
+ # Read the config file and create the iptables statements
+ while (<>) {
+ s/#.*//;
+ s/^\s*$//;
+ next unless $_;
+
+ chomp;
+
+
+ my (%src, %dst);
+ (my ($name, $target, $iface, $proto), $src{ip}, $dst{ip})
+ = split /\s*\|\s*/, $_;
+
+ # $src / $dst
+ foreach (\%src, \%dst) {
+ @{$_}{qw/ip port/} = split /[:\s]/, $_->{ip};
+ }
+
+
+ my @cmd = ("iptables",
+ "--append" => $target,
+ $TARGETS{$target}->{iface} => $iface,
+ "--src" => expand($src{ip}),
+ "--dst" => expand($dst{ip}),
+ "--proto" => expand($proto),
+ $src{port} ? ("--sport" => $src{port}) : (),
+ $dst{port} ? ("--dport" => $dst{port}) : (),
+ );
+
+ push @iptables, \@cmd;
+ push @rules, "$target|$name";
+ }
+
+ return \@iptables, \@rules;
+}
+
+sub expand($) {
+ local $_ = shift;
+ return ($_) if not /^!/;
+ return ("!", substr($_, 1));
+}
+
+# vim:sts=4 sw=4 aw ai sm:
diff -r 000000000000 -r 26a429d60aae rules.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/rules.conf Sat Oct 11 20:18:44 2008 +0000
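Review bot: `checkTarget` only establishes that some chain whose name starts with `$target->{chain}` appears in the `iptables-save` output, because the pattern `/^:$target->{chain}/m` is neither quoted nor terminated and the `grep /^:/` throws away every `-A` line; it never checks that the parent chain still jumps into the accounting chain, so if the `-j ipac~fi` rule in FORWARD is lost the script re-creates nothing and accounting silently stops. I would anchor the name with `\Q…\E` plus a trailing `\s` and also require the jump rule (iptables-save prints it as `-A PARENT … -j CHAIN`), as sketched below; `--new-chain` will then warn when only the jump was missing, which is harmless but could be made conditional in `insertTarget`. `parseConfig` also never validates the direction field, so a typo in rules.conf leaves `$TARGETS{$target}->{iface}` undef and an iptables call with an empty option is still attempted; `die ME.": $file:$.: unknown direction '$target'\n" unless exists $TARGETS{$target};` before `my @cmd` would stop that at the offending line. Finally, `grep /^:/, ;` as shown here has no readline operand — presumably `<X>` was eaten by the page rendering rather than missing in the repository, but it is worth confirming.
```perl
sub checkTarget($) {
    my $target = shift;

    if (!$dump) {
        # list-form pipe open: no shell involved
        open(X, "-|", "iptables-save") or die "Can't open iptables-save: $!\n";
        $dump = join "", <X>;    # keep the -A lines too; the jump rule is checked below
        close(X);
    }

    # The chain must exist *and* its parent must still jump into it.  Quote
    # the name and anchor on the following whitespace so "ipac~i" is not
    # satisfied by a chain that merely starts with that string.
    return $dump =~ /^:\Q$target->{chain}\E\s/m
        && $dump =~ /^-A \Q$target->{parent}\E\b.*\s-j \Q$target->{chain}\E\s*$/m;
}
```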
@@ -0,0 +1,126 @@
+# Debian default ipac-ng configuration file
+# 2001-12-09, Noel Koethe, noel@koethe.net
+# /etc/ipac-ng/ipac.conf
+#
+# Format:
+# Name of rule|direction|interface|protocol|source|destination|extension|
+# WARNING!!!! spaces are not allowed before and after '|'.
+#
+# where
+# Name of rule Any string to identify this rule
+# direction ipac~fi - forward in
+# ipac~fo - forward out
+# ipac~i - outgoing from machine with ipac-ng to other host(/net)
+# (or incoming to otherhost)
+# ipac~o - incoming to machine with ipac-ng
+# (or outgoing from otherhost)
+#
+# interface interface name, '+' means all interfaces (dont try to use ip numbers here!)
+# protocol tcp | udp | icmp | all
+# source \
+# destination both as described in ipfwadm(8), or empty
+
+
+#
+# W A R N I N G ! ! !
+#
+# Don't use symbols other than '0-9A-z[space]' in rules names. You may encounter
+# some strange troubles.
+#
+# Examples: /usr/share/doc/ipac-ng/examples/contrib/sample_configs/rule.iptables.gz
+
+
+# total Traffic
+# all
+total in all|ipac~o|eth0|all|0/0|0/0
+total out all|ipac~i|eth0|all|0/0|0/0
+
+forward in |ipac~fi|eth0|all|0/0|!212.80.235.128/26
+forward out |ipac~fo|eth0|all|!212.80.235.128/26|0/0
+
+schlittermann tigger-eth0 in all|ipac~o|eth0|all|0/0|212.80.225.206
+schlittermann tigger-eth0 out all|ipac~i|eth0|all|212.80.225.206|0/0
+
+# -- A
+
+schlittermann pu in all|ipac~fi|eth0|all|0/0|212.80.235.130
+schlittermann pu out all|ipac~fo|eth0|all|212.80.235.130|0/0
+
+totocom lion in all|ipac~fi|eth0|all|0/0|212.80.235.131
+totocom lion out all|ipac~fo|eth0|all|212.80.235.131|0/0
+
+radebeul radebeul in all|ipac~fi|eth0|all|0/0|212.80.235.132
+radebeul radebeul out all|ipac~fo|eth0|all|212.80.235.132|0/0
+
+radebeul radebeul in smtp|ipac~fi|eth0|tcp|0/0|212.80.235.132 25
+radebeul radebeul out smtp|ipac~fo|eth0|tcp|212.80.235.132|0/0 25
+radebeul radebeul in http|ipac~fi|eth0|tcp|0/0|212.80.235.132 80
+radebeul radebeul out http|ipac~fo|eth0|tcp|212.80.235.132 80|0/0
+radebeul radebeul in pop3|ipac~fi|eth0|tcp|0/0|212.80.235.132 110
+radebeul radebeul out pop3|ipac~fo|eth0|tcp|212.80.235.132 110|0/0
+
+schlittermann robin in all|ipac~fi|eth0|all|0/0|212.80.235.133
+schlittermann robin out all|ipac~fo|eth0|all|212.80.235.133|0/0
+
+reproteam zett in all|ipac~fi|eth0|all|0/0|212.80.235.134
+reproteam zett out all|ipac~fo|eth0|all|212.80.235.134|0/0
+
+schlittermann ssl135 in all|ipac~fi|eth0|all|0/0|212.80.235.135
+schlittermann ssl135 out all|ipac~fo|eth0|all|212.80.235.135|0/0
+
+saga webian in all|ipac~fi|eth0|all|0/0|212.80.235.138
+saga webian out all|ipac~fo|eth0|all|212.80.235.138|0/0
+
+# -- B
+
+schlittermann tigger-eth2 in all|ipac~fi|eth0|all|0/0|212.80.235.145
+schlittermann tigger-eth2 out all|ipac~fo|eth0|all|212.80.235.145|0/0
+
+pixelfoto pixelfoto in all|ipac~fi|eth0|all|0/0|212.80.235.146
+pixelfoto pixelfoto out all|ipac~fo|eth0|all|212.80.235.146|0/0
+
+webmaler maler in all|ipac~fi|eth0|all|0/0|212.80.235.147
+webmaler maler out all|ipac~fo|eth0|all|212.80.235.147|0/0
+
+softeyes garkin in all|ipac~fi|eth0|all|0/0|212.80.235.149
+softeyes garkin out all|ipac~fo|eth0|all|212.80.235.149|0/0
+softeyes excalibur in all|ipac~fi|eth0|all|0/0|212.80.235.155
+softeyes excalibur out all|ipac~fo|eth0|all|212.80.235.155|0/0
+
+webmaler gadget in all|ipac~fi|eth0|all|0/0|212.80.235.150
+webmaler gadget out all|ipac~fo|eth0|all|212.80.235.150|0/0
+
+webmaler deflector in all|ipac~fi|eth0|all|0/0|212.80.235.151
+webmaler deflector out all|ipac~fo|eth0|all|212.80.235.151|0/0
+
+webmaler forst in all|ipac~fi|eth0|all|0/0|212.80.235.153
+webmaler forst out all|ipac~fo|eth0|all|212.80.235.153|0/0
+
+langer emv in all|ipac~fi|eth0|all|0/0|212.80.235.156
+langer emv out all|ipac~fo|eth0|all|212.80.235.156|0/0
+
+kappler pc2 in all|ipac~fi|eth0|all|0/0|212.80.235.178
+kappler pc2 out all|ipac~fo|eth0|all|212.80.235.178|0/0
+
+forst woodman in all|ipac~fi|eth0|all|0/0|212.80.235.154
+forst woodman out all|ipac~fo|eth0|all|212.80.235.154|0/0
+
+damisys in all|ipac~fi|eth0|all|0/0|84.19.203.0/26
+damisys out all|ipac~fo|eth0|all|84.19.203.0/26|0/0
+
+sax in all|ipac~fi|eth0|all|0/0|192.109.108.0/24
+sax out all|ipac~fo|eth0|all|192.109.108.0/24|0/0
+
+# -- C
+
+schlittermann tigger-eth3 in all|ipac~fi|eth0|all|0/0|212.80.235.161
+schlittermann tigger-eth3 out all|ipac~fo|eth0|all|212.80.235.161|0/0
+
+kesys in all|ipac~fi|eth0|all|0/0|212.80.235.160/28
+kesys out all|ipac~fo|eth0|all|212.80.235.160/28|0/0
+
+#--
+
+schlittermann tigger-eth4 in all|ipac~fi|eth0|all|0/0|212.80.235.177
+schlittermann tigger-eth4 out all|ipac~fo|eth0|all|212.80.235.177|0/0
+
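Review bot: `radebeul radebeul out smtp|ipac~fo|eth0|tcp|212.80.235.132|0/0 25` puts the port on the destination, whereas the neighbouring `out http` and `out pop3` rules put it on the source (`212.80.235.132 80|0/0`); with the parser in this changeset (`split /[:\s]/` on each address field) that line becomes `--dport 25` and counts mail the host delivers elsewhere rather than replies to inbound sessions like the other two, so it either needs a comment saying that is intended or should read `…|tcp|212.80.235.132 25|0/0`. The header still documents the old format: a seventh `extension|` field no rule uses, ipfwadm(8)-style addresses, and a warning that spaces around `|` are forbidden, none of which matches a parser that splits on `\s*\|\s*` and reads `ADDR[ PORT]` / `ADDR:PORT` with a leading `!` for negation. I would rewrite the `source` / `destination` lines of the header to describe that form (address, optional port after a space or colon, `!` prefix to negate) and drop the `extension` field and the spaces warning. The file also commits a customer-to-IP inventory, which is fine for a private repository but worth a second look if this history is published.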