--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/insertRules Sat Oct 11 20:18:44 2008 +0000
@@ -0,0 +1,159 @@
+#! /usr/bin/perl
+# $Id$
+# $URL$
+# © 2008 Heiko Schlittermann <hs@schlittermann.de>
+use constant USAGE => <<'#';
+{{ME}} [-n] [-v]
+#
+
+use strict;
+use warnings;
+use File::Basename;
+use AppConfig;
+
+use constant ME => basename $0;
+
+#use constant FI => { chain => "ipac~fi", parent => "FORWARD", iface => "--out" };
+#use constant FO => { chain => "ipac~fo", parent => "FORWARD", iface =>"--in" };
+#use constant I => { chain => "ipac~i", parent => "OUTPUT", iface => "--in" };
+#use constant O => { chain => "ipac~o", parent => "INPUT", iface => "--out" };
+
+my %TARGETS = (
+ "ipac~fi" => { chain => "ipac~fi", parent => "FORWARD", iface => "--in-interface" },
+ "ipac~fo" => { chain => "ipac~fo", parent => "FORWARD", iface => "--out-interface" },
+ "ipac~i" => { chain => "ipac~i", parent => "OUTPUT", iface => "--out-interface" },
+ "ipac~o" => { chain => "ipac~o", parent => "INPUT", iface => "--in-interface" },
+);
+
+use constant FILE => $ENV{IPAC_RULES} ? $ENV{IPAC_RULES} : "/etc/ipac-ng/rules.conf";
+
+use constant CONFIG => (
+ { CASE => 1 },
+ nothing => { ARGS => "!", DEFAULT => 0 },
+ verbose => { ARGS => "!", DEFAULT => 0 },
+);
+
+my $Cf = new AppConfig CONFIG or die;
+ $Cf->getopt or die;
+
+sub checkTarget($);
+sub insertTarget($);
+sub cleanTarget($);
+sub parseConfig($);
+sub expand($);
+
+MAIN: {
+ my @cmds;
+
+ # Check, if our rules exist
+ foreach (keys %TARGETS) {
+ checkTarget($TARGETS{$_})
+ or push @cmds, insertTarget($TARGETS{$_});
+
+ push @cmds, cleanTarget($TARGETS{$_});
+ }
+
+
+ my ($iptables, $rules) = parseConfig(FILE);
+ push @cmds, @$iptables;
+
+
+ foreach (@cmds) {
+ print "@$_\n" if $Cf->verbose or $Cf->nothing;
+ next if $Cf->nothing;
+ system @$_ and do {
+ warn "FAILED: @$_\n" if not $Cf->verbose;
+ };
+ }
+
+ if (!$Cf->nothing) {
+ open(RUNFILE, $_ = ">/var/run/ipac.rules") or die "Can't open $_: $!\n";
+ print RUNFILE join "\n", @$rules;
+ close(RUNFILE);
+ }
+}
+
+{
+ my $dump;
+sub checkTarget($) {
+ my $target = shift;
+
+ if (!$dump) {
+ open(X, "iptables-save|") or die "Can't open iptables-save: $!\n";
+ $dump = join "", grep /^:/, <X>;
+ close(X);
+ }
+
+ return $dump =~ /^:$target->{chain}/m
+
+} }
+
+sub insertTarget($) {
+ my $target = shift;
+
+ return (
+ ["iptables", "--new-chain" => $target->{chain}],
+ ["iptables",
+ "--insert" => $target->{parent},
+ "--jump" => $target->{chain}]
+ );
+}
+
+sub cleanTarget($) {
+ my $target = shift;
+ return ["iptables",
+ "--flush" => $target->{chain}];
+}
+
+sub parseConfig($) {
+ my (@iptables, @rules);
+ my $file = shift;
+ local(@ARGV) = ($file);
+
+ die ME.": Can't open $file: $!\n" if not -r $file;
+
+ @ARGV = ($file);
+
+ # Read the config file and create the iptables statements
+ while (<>) {
+ s/#.*//;
+ s/^\s*$//;
+ next unless $_;
+
+ chomp;
+
+
+ my (%src, %dst);
+ (my ($name, $target, $iface, $proto), $src{ip}, $dst{ip})
+ = split /\s*\|\s*/, $_;
+
+ # $src / $dst
+ foreach (\%src, \%dst) {
+ @{$_}{qw/ip port/} = split /[:\s]/, $_->{ip};
+ }
+
+
+ my @cmd = ("iptables",
+ "--append" => $target,
+ $TARGETS{$target}->{iface} => $iface,
+ "--src" => expand($src{ip}),
+ "--dst" => expand($dst{ip}),
+ "--proto" => expand($proto),
+ $src{port} ? ("--sport" => $src{port}) : (),
+ $dst{port} ? ("--dport" => $dst{port}) : (),
+ );
+
+ push @iptables, \@cmd;
+ push @rules, "$target|$name";
+ }
+
+ return \@iptables, \@rules;
+}
+
+sub expand($) {
+ local $_ = shift;
+ return ($_) if not /^!/;
+ return ("!", substr($_, 1));
+}
+
+# vim:sts=4 sw=4 aw ai sm:
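Review bot: parseConfig trusts the direction column of the rules file as an iptables chain name: the `$target` taken from the split is passed straight to `--append` and used as a key into %TARGETS, so an unknown or mistyped direction yields an undefined interface flag (an uninitialized-value warning and a malformed command) and, if the file is ever writable by someone other than root, a line can append a counting rule to any chain such as INPUT or FORWARD. A guard right after the split, `die ME.": $file:$.: unknown direction '$target'\n" unless exists $TARGETS{$target};`, keeps every generated rule inside the four accounting chains. The run loop in MAIN only warns when an iptables call fails (and only when not verbose) and the script still exits 0, so a partially applied rule set is invisible to whatever invokes it; record a failure flag in that loop and `exit 1` at the end of MAIN. Both opens are two-argument with bareword handles, and `while (<>)` over a local @ARGV applies the same magic open to whatever IPAC_RULES names; prefer `open(my $out, '>', '/var/run/ipac.rules')`, `open(my $dump_fh, '-|', 'iptables-save')` and a three-argument open of $file so the string can never change the mode. checkTarget's `/^:$target->{chain}/m` also matches any chain whose name merely begins with the target, in any table iptables-save dumps; anchor it as `/^:\Q$target->{chain}\E\s/m`.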
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/rules.conf Sat Oct 11 20:18:44 2008 +0000
@@ -0,0 +1,126 @@
+# Debian default ipac-ng configuration file
+# 2001-12-09, Noel Koethe, noel@koethe.net
+# /etc/ipac-ng/ipac.conf
+#
+# Format:
+# Name of rule|direction|interface|protocol|source|destination|extension|
+# WARNING!!!! spaces are not allowed before and after '|'.
+#
+# where
+# Name of rule Any string to identify this rule
+# direction ipac~fi - forward in
+# ipac~fo - forward out
+# ipac~i - outgoing from machine with ipac-ng to other host(/net)
+# (or incoming to otherhost)
+# ipac~o - incoming to machine with ipac-ng
+# (or outgoing from otherhost)
+#
+# interface interface name, '+' means all interfaces (dont try to use ip numbers here!)
+# protocol tcp | udp | icmp | all
+# source \
+# destination both as described in ipfwadm(8), or empty
+
+
+#
+# W A R N I N G ! ! !
+#
+# Don't use symbols other than '0-9A-z[space]' in rules names. You may encounter
+# some strange troubles.
+#
+# Examples: /usr/share/doc/ipac-ng/examples/contrib/sample_configs/rule.iptables.gz
+
+
+# total Traffic
+# all
+total in all|ipac~o|eth0|all|0/0|0/0
+total out all|ipac~i|eth0|all|0/0|0/0
+
+forward in |ipac~fi|eth0|all|0/0|!212.80.235.128/26
+forward out |ipac~fo|eth0|all|!212.80.235.128/26|0/0
+
+schlittermann tigger-eth0 in all|ipac~o|eth0|all|0/0|212.80.225.206
+schlittermann tigger-eth0 out all|ipac~i|eth0|all|212.80.225.206|0/0
+
+# -- A
+
+schlittermann pu in all|ipac~fi|eth0|all|0/0|212.80.235.130
+schlittermann pu out all|ipac~fo|eth0|all|212.80.235.130|0/0
+
+totocom lion in all|ipac~fi|eth0|all|0/0|212.80.235.131
+totocom lion out all|ipac~fo|eth0|all|212.80.235.131|0/0
+
+radebeul radebeul in all|ipac~fi|eth0|all|0/0|212.80.235.132
+radebeul radebeul out all|ipac~fo|eth0|all|212.80.235.132|0/0
+
+radebeul radebeul in smtp|ipac~fi|eth0|tcp|0/0|212.80.235.132 25
+radebeul radebeul out smtp|ipac~fo|eth0|tcp|212.80.235.132|0/0 25
+radebeul radebeul in http|ipac~fi|eth0|tcp|0/0|212.80.235.132 80
+radebeul radebeul out http|ipac~fo|eth0|tcp|212.80.235.132 80|0/0
+radebeul radebeul in pop3|ipac~fi|eth0|tcp|0/0|212.80.235.132 110
+radebeul radebeul out pop3|ipac~fo|eth0|tcp|212.80.235.132 110|0/0
+
+schlittermann robin in all|ipac~fi|eth0|all|0/0|212.80.235.133
+schlittermann robin out all|ipac~fo|eth0|all|212.80.235.133|0/0
+
+reproteam zett in all|ipac~fi|eth0|all|0/0|212.80.235.134
+reproteam zett out all|ipac~fo|eth0|all|212.80.235.134|0/0
+
+schlittermann ssl135 in all|ipac~fi|eth0|all|0/0|212.80.235.135
+schlittermann ssl135 out all|ipac~fo|eth0|all|212.80.235.135|0/0
+
+saga webian in all|ipac~fi|eth0|all|0/0|212.80.235.138
+saga webian out all|ipac~fo|eth0|all|212.80.235.138|0/0
+
+# -- B
+
+schlittermann tigger-eth2 in all|ipac~fi|eth0|all|0/0|212.80.235.145
+schlittermann tigger-eth2 out all|ipac~fo|eth0|all|212.80.235.145|0/0
+
+pixelfoto pixelfoto in all|ipac~fi|eth0|all|0/0|212.80.235.146
+pixelfoto pixelfoto out all|ipac~fo|eth0|all|212.80.235.146|0/0
+
+webmaler maler in all|ipac~fi|eth0|all|0/0|212.80.235.147
+webmaler maler out all|ipac~fo|eth0|all|212.80.235.147|0/0
+
+softeyes garkin in all|ipac~fi|eth0|all|0/0|212.80.235.149
+softeyes garkin out all|ipac~fo|eth0|all|212.80.235.149|0/0
+softeyes excalibur in all|ipac~fi|eth0|all|0/0|212.80.235.155
+softeyes excalibur out all|ipac~fo|eth0|all|212.80.235.155|0/0
+
+webmaler gadget in all|ipac~fi|eth0|all|0/0|212.80.235.150
+webmaler gadget out all|ipac~fo|eth0|all|212.80.235.150|0/0
+
+webmaler deflector in all|ipac~fi|eth0|all|0/0|212.80.235.151
+webmaler deflector out all|ipac~fo|eth0|all|212.80.235.151|0/0
+
+webmaler forst in all|ipac~fi|eth0|all|0/0|212.80.235.153
+webmaler forst out all|ipac~fo|eth0|all|212.80.235.153|0/0
+
+langer emv in all|ipac~fi|eth0|all|0/0|212.80.235.156
+langer emv out all|ipac~fo|eth0|all|212.80.235.156|0/0
+
+kappler pc2 in all|ipac~fi|eth0|all|0/0|212.80.235.178
+kappler pc2 out all|ipac~fo|eth0|all|212.80.235.178|0/0
+
+forst woodman in all|ipac~fi|eth0|all|0/0|212.80.235.154
+forst woodman out all|ipac~fo|eth0|all|212.80.235.154|0/0
+
+damisys in all|ipac~fi|eth0|all|0/0|84.19.203.0/26
+damisys out all|ipac~fo|eth0|all|84.19.203.0/26|0/0
+
+sax in all|ipac~fi|eth0|all|0/0|192.109.108.0/24
+sax out all|ipac~fo|eth0|all|192.109.108.0/24|0/0
+
+# -- C
+
+schlittermann tigger-eth3 in all|ipac~fi|eth0|all|0/0|212.80.235.161
+schlittermann tigger-eth3 out all|ipac~fo|eth0|all|212.80.235.161|0/0
+
+kesys in all|ipac~fi|eth0|all|0/0|212.80.235.160/28
+kesys out all|ipac~fo|eth0|all|212.80.235.160/28|0/0
+
+#--
+
+schlittermann tigger-eth4 in all|ipac~fi|eth0|all|0/0|212.80.235.177
+schlittermann tigger-eth4 out all|ipac~fo|eth0|all|212.80.235.177|0/0
+