- besser hier
authorheiko
Sat, 11 Oct 2008 20:18:44 +0000
changeset 0 26a429d60aae
child 1 41ee31674980
- besser hier
insertRules
rules.conf
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/insertRules	Sat Oct 11 20:18:44 2008 +0000
@@ -0,0 +1,159 @@
+#! /usr/bin/perl
+# $Id$
+# $URL$
+# © 2008 Heiko Schlittermann <hs@schlittermann.de>
+use constant USAGE => <<'#';
+{{ME}} [-n] [-v]
+#
+
+use strict;
+use warnings;
+use File::Basename;
+use AppConfig;
+
+use constant ME => basename $0;
+
+#use constant FI => { chain => "ipac~fi", parent => "FORWARD", iface => "--out" };
+#use constant FO => { chain => "ipac~fo", parent => "FORWARD", iface =>"--in" };
+#use constant I  => { chain => "ipac~i", parent => "OUTPUT", iface => "--in" };
+#use constant O  => { chain => "ipac~o", parent => "INPUT", iface => "--out" };
+
+my %TARGETS = (
+    "ipac~fi" => { chain => "ipac~fi", parent => "FORWARD", iface => "--in-interface" },
+    "ipac~fo" => { chain => "ipac~fo", parent => "FORWARD", iface => "--out-interface" },
+    "ipac~i" => { chain => "ipac~i", parent => "OUTPUT", iface => "--out-interface" },
+    "ipac~o" => { chain => "ipac~o", parent => "INPUT", iface => "--in-interface" },
+);
+
+use constant FILE => $ENV{IPAC_RULES} ? $ENV{IPAC_RULES} : "/etc/ipac-ng/rules.conf";
+
+use constant CONFIG => (
+    { CASE => 1 },
+    nothing => { ARGS => "!", DEFAULT => 0 },
+    verbose => { ARGS => "!", DEFAULT => 0 },
+);
+
+my $Cf = new AppConfig CONFIG or die;
+   $Cf->getopt or die;
+
+sub checkTarget($);
+sub insertTarget($);
+sub cleanTarget($);
+sub parseConfig($);
+sub expand($);
+
+MAIN: {
+    my @cmds; 
+
+    # Check, if our rules exist
+    foreach (keys %TARGETS) {
+	checkTarget($TARGETS{$_})
+	    or push @cmds, insertTarget($TARGETS{$_});
+
+	push @cmds, cleanTarget($TARGETS{$_});
+    }
+    
+    
+    my ($iptables, $rules) = parseConfig(FILE);
+    push @cmds, @$iptables;
+
+
+    foreach (@cmds) {
+	print "@$_\n" if $Cf->verbose or $Cf->nothing;
+	next if $Cf->nothing;
+	system @$_ and do {
+	    warn "FAILED: @$_\n" if not $Cf->verbose;
+	};
+    }
+
+    if (!$Cf->nothing) {
+	open(RUNFILE, $_ = ">/var/run/ipac.rules") or die "Can't open $_: $!\n";
+	print RUNFILE join "\n", @$rules;
+	close(RUNFILE);
+    }
+}
+
+{
+    my $dump;
+sub checkTarget($) {
+    my $target = shift;
+
+    if (!$dump) {
+	open(X, "iptables-save|") or die "Can't open iptables-save: $!\n";
+	$dump = join "", grep /^:/, <X>;
+	close(X);
+    }
+
+    return $dump =~ /^:$target->{chain}/m
+
+} }
+
+sub insertTarget($) {
+    my $target = shift;
+
+    return (
+	["iptables", "--new-chain" => $target->{chain}],
+	["iptables", 
+	    "--insert" => $target->{parent}, 
+	    "--jump" => $target->{chain}]
+	);
+}
+
+sub cleanTarget($) {
+    my $target = shift;
+    return ["iptables",
+	"--flush" => $target->{chain}];
+}
+
+sub parseConfig($) {
+    my (@iptables, @rules);
+    my $file = shift;
+    local(@ARGV) = ($file);
+
+    die ME.": Can't open $file: $!\n" if not -r $file;
+
+    @ARGV = ($file);
+
+    # Read the config file and create the iptables statements
+    while (<>) {
+	s/#.*//;
+	s/^\s*$//;
+	next unless $_;
+
+	chomp;
+
+
+	my (%src, %dst);
+	(my ($name, $target, $iface, $proto), $src{ip}, $dst{ip}) 
+		= split /\s*\|\s*/, $_;
+
+	# $src / $dst
+	foreach (\%src, \%dst) {
+	    @{$_}{qw/ip port/} = split /[:\s]/, $_->{ip};
+	}
+
+
+	my @cmd = ("iptables", 
+	    "--append" => $target, 
+	    $TARGETS{$target}->{iface} => $iface,
+	    "--src" => expand($src{ip}),
+	    "--dst" => expand($dst{ip}),
+	    "--proto" => expand($proto),
+	    $src{port} ? ("--sport" => $src{port}) : (),
+	    $dst{port} ? ("--dport" => $dst{port}) : (),
+	);
+
+	push @iptables, \@cmd;
+	push @rules, "$target|$name";
+    }
+
+    return \@iptables, \@rules;
+}
+
+sub expand($) {
+    local $_ = shift;
+    return ($_) if not /^!/;
+    return ("!", substr($_, 1));
+}
+
+# vim:sts=4 sw=4 aw ai sm:
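Review bot: checkTarget (the closure at L87–L100) only tests that the accounting chain appears as a `:NAME` line in the iptables-save dump, so after the first run the `--insert <parent> --jump <chain>` rule emitted by insertTarget is never verified again; if the parent chain is flushed (`iptables -F FORWARD`) the `ipac~*` chains survive, checkTarget stays true, and accounting silently stops while /var/run/ipac.rules is still rewritten as if everything were counted. The fix is to keep the `-A` lines of the dump as well and to check the jump independently of the chain, issuing `--new-chain` and `--insert` as separate steps (insertTarget then becomes unused); a sketch follows, and `checkJump` needs a forward declaration next to the existing `sub checkTarget($);` line. Two smaller points: a failed `system` at L75–L77 is only warned about, and only when `--verbose` is off (the `if not $Cf->verbose` looks inverted), so the script always exits 0 and still writes the run file — count failures and `exit 1` after the loop. parseConfig accepts any value in the direction column, so `die ME.": $file:$.: unknown direction '$target'\n" unless exists $TARGETS{$target};` before building `@cmd` would stop a typo from appending to an arbitrary chain with an undefined interface option. The bareword two-arg opens at L81 and L93 should become three-arg lexical opens with `close` checked, otherwise an iptables-save that fails (e.g. not run as root) is treated as an empty ruleset.
```perl
{
    my $dump;

    # Read the ":NAME" chain lines and the "-A ..." rule lines once.
    sub _dump {
        if (!defined $dump) {
            open my $fh, '-|', 'iptables-save' or die "Can't run iptables-save: $!\n";
            $dump = join "", grep { /^:/ or /^-A / } <$fh>;
            close $fh or die "iptables-save failed: $?\n";
        }
        return $dump;
    }

    sub checkTarget($) {
        my $target = shift;
        return _dump() =~ /^:\Q$target->{chain}\E\s/m;
    }

    # True only if the parent chain still jumps into the accounting chain.
    sub checkJump($) {
        my $target = shift;
        return _dump() =~ /^-A \Q$target->{parent}\E -j \Q$target->{chain}\E\s*$/m;
    }
}

# … unchanged: option parsing …
    foreach (keys %TARGETS) {
	my $t = $TARGETS{$_};
	push @cmds, ["iptables", "--new-chain" => $t->{chain}]
	    unless checkTarget($t);
	push @cmds, ["iptables", "--insert" => $t->{parent}, "--jump" => $t->{chain}]
	    unless checkJump($t);
	push @cmds, cleanTarget($t);
    }
```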
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/rules.conf	Sat Oct 11 20:18:44 2008 +0000
@@ -0,0 +1,126 @@
+# Debian default ipac-ng configuration file
+# 2001-12-09, Noel Koethe, noel@koethe.net
+# /etc/ipac-ng/ipac.conf
+#
+# Format:
+# Name of rule|direction|interface|protocol|source|destination|extension|
+# WARNING!!!! spaces are not allowed before and after '|'.
+#
+# where
+# Name of rule          Any string to identify this rule
+# direction             ipac~fi  - forward in
+#                       ipac~fo  - forward out
+#                       ipac~i   - outgoing from machine with ipac-ng to other host(/net)
+#                                       (or incoming to otherhost)
+#                       ipac~o   - incoming to machine with ipac-ng
+#                                       (or outgoing from otherhost)
+#
+# interface             interface name, '+' means all interfaces (dont try to use ip numbers here!)
+# protocol              tcp | udp | icmp | all
+# source                \
+# destination           both as described in ipfwadm(8), or empty
+
+
+#
+#    W A R N I N G ! ! !
+#
+# Don't use symbols other than '0-9A-z[space]' in rules names. You may encounter
+# some strange troubles.
+#
+# Examples: /usr/share/doc/ipac-ng/examples/contrib/sample_configs/rule.iptables.gz
+
+
+# total Traffic
+# all
+total in all|ipac~o|eth0|all|0/0|0/0
+total out all|ipac~i|eth0|all|0/0|0/0
+
+forward in |ipac~fi|eth0|all|0/0|!212.80.235.128/26
+forward out |ipac~fo|eth0|all|!212.80.235.128/26|0/0
+
+schlittermann tigger-eth0 in all|ipac~o|eth0|all|0/0|212.80.225.206
+schlittermann tigger-eth0 out all|ipac~i|eth0|all|212.80.225.206|0/0
+
+# -- A
+
+schlittermann pu in all|ipac~fi|eth0|all|0/0|212.80.235.130
+schlittermann pu out all|ipac~fo|eth0|all|212.80.235.130|0/0
+
+totocom lion in all|ipac~fi|eth0|all|0/0|212.80.235.131
+totocom lion out all|ipac~fo|eth0|all|212.80.235.131|0/0
+
+radebeul radebeul in all|ipac~fi|eth0|all|0/0|212.80.235.132
+radebeul radebeul out all|ipac~fo|eth0|all|212.80.235.132|0/0
+
+radebeul radebeul in smtp|ipac~fi|eth0|tcp|0/0|212.80.235.132 25
+radebeul radebeul out smtp|ipac~fo|eth0|tcp|212.80.235.132|0/0 25
+radebeul radebeul in http|ipac~fi|eth0|tcp|0/0|212.80.235.132 80
+radebeul radebeul out http|ipac~fo|eth0|tcp|212.80.235.132 80|0/0
+radebeul radebeul in pop3|ipac~fi|eth0|tcp|0/0|212.80.235.132 110
+radebeul radebeul out pop3|ipac~fo|eth0|tcp|212.80.235.132 110|0/0
+
+schlittermann robin in all|ipac~fi|eth0|all|0/0|212.80.235.133
+schlittermann robin out all|ipac~fo|eth0|all|212.80.235.133|0/0
+
+reproteam zett in all|ipac~fi|eth0|all|0/0|212.80.235.134
+reproteam zett out all|ipac~fo|eth0|all|212.80.235.134|0/0
+
+schlittermann ssl135 in all|ipac~fi|eth0|all|0/0|212.80.235.135
+schlittermann ssl135 out all|ipac~fo|eth0|all|212.80.235.135|0/0
+
+saga webian in all|ipac~fi|eth0|all|0/0|212.80.235.138
+saga webian out all|ipac~fo|eth0|all|212.80.235.138|0/0
+
+# -- B
+
+schlittermann tigger-eth2 in all|ipac~fi|eth0|all|0/0|212.80.235.145
+schlittermann tigger-eth2 out all|ipac~fo|eth0|all|212.80.235.145|0/0
+
+pixelfoto pixelfoto in all|ipac~fi|eth0|all|0/0|212.80.235.146
+pixelfoto pixelfoto out all|ipac~fo|eth0|all|212.80.235.146|0/0
+
+webmaler maler in all|ipac~fi|eth0|all|0/0|212.80.235.147
+webmaler maler out all|ipac~fo|eth0|all|212.80.235.147|0/0
+
+softeyes garkin in all|ipac~fi|eth0|all|0/0|212.80.235.149
+softeyes garkin out all|ipac~fo|eth0|all|212.80.235.149|0/0
+softeyes excalibur in all|ipac~fi|eth0|all|0/0|212.80.235.155
+softeyes excalibur out all|ipac~fo|eth0|all|212.80.235.155|0/0
+
+webmaler gadget in all|ipac~fi|eth0|all|0/0|212.80.235.150
+webmaler gadget out all|ipac~fo|eth0|all|212.80.235.150|0/0
+
+webmaler deflector in all|ipac~fi|eth0|all|0/0|212.80.235.151
+webmaler deflector out all|ipac~fo|eth0|all|212.80.235.151|0/0
+
+webmaler forst in all|ipac~fi|eth0|all|0/0|212.80.235.153
+webmaler forst out all|ipac~fo|eth0|all|212.80.235.153|0/0
+
+langer emv in all|ipac~fi|eth0|all|0/0|212.80.235.156
+langer emv out all|ipac~fo|eth0|all|212.80.235.156|0/0
+
+kappler pc2 in all|ipac~fi|eth0|all|0/0|212.80.235.178
+kappler pc2 out all|ipac~fo|eth0|all|212.80.235.178|0/0
+
+forst woodman in all|ipac~fi|eth0|all|0/0|212.80.235.154
+forst woodman out all|ipac~fo|eth0|all|212.80.235.154|0/0
+
+damisys in all|ipac~fi|eth0|all|0/0|84.19.203.0/26
+damisys out all|ipac~fo|eth0|all|84.19.203.0/26|0/0
+
+sax in all|ipac~fi|eth0|all|0/0|192.109.108.0/24
+sax out all|ipac~fo|eth0|all|192.109.108.0/24|0/0
+
+# -- C
+
+schlittermann tigger-eth3 in all|ipac~fi|eth0|all|0/0|212.80.235.161
+schlittermann tigger-eth3 out all|ipac~fo|eth0|all|212.80.235.161|0/0
+
+kesys in all|ipac~fi|eth0|all|0/0|212.80.235.160/28
+kesys out all|ipac~fo|eth0|all|212.80.235.160/28|0/0
+
+#--
+
+schlittermann tigger-eth4 in all|ipac~fi|eth0|all|0/0|212.80.235.177
+schlittermann tigger-eth4 out all|ipac~fo|eth0|all|212.80.235.177|0/0
+