wok annotate knock/stuff/usr/sbin/knockd-helper @ rev 17686
Up knock (0.7)
| author | Pascal Bellard <pascal.bellard@slitaz.org> |
|---|---|
| date | Sat Feb 21 19:04:57 2015 +0100 (2015-02-21) |
| parents | 8e4da8903b1c |
| children |
| rev | line source |
|---|---|
| pascal@4736 | 1 #!/bin/sh |
| pascal@4736 | 2 |
| pascal@17686 | 3 PERIOD=5 # minutes |
| pascal@17686 | 4 |
| pascal@4736 | 5 IP=$2 |
| pascal@4736 | 6 PROT=$3 |
| pascal@4736 | 7 PORT=$4 |
| pascal@4736 | 8 |
| pascal@4736 | 9 [ -d /var/lib/knockd ] || mkdir -p /var/lib/knockd |
| pascal@4736 | 10 |
| pascal@4736 | 11 disable() |
| pascal@4736 | 12 { |
| pascal@4736 | 13 while read IP PROT PORT MSG; do |
| pascal@4736 | 14 iptables -t nat -D PREROUTING -s $IP -p $PROT --dport $PORT -j RETURN |
| pascal@4736 | 15 iptables -D INPUT -s $IP -p $PROT --dport $PORT -j ACCEPT |
| pascal@4736 | 16 logger "Disable $PROT:$PORT for $IP $MSG" |
| pascal@4736 | 17 done < $1 |
| pascal@4736 | 18 rm -rf $1 |
| pascal@4736 | 19 } |
| pascal@4736 | 20 |
| pascal@4736 | 21 case "$1" in |
| pascal@4736 | 22 on) |
| pascal@4736 | 23 shift |
| pascal@4736 | 24 echo "$@" >> /var/lib/knockd/$IP |
| pascal@4736 | 25 iptables -t nat -I PREROUTING -s $IP -p $PROT --dport $PORT -j RETURN |
| pascal@4736 | 26 iptables -I INPUT -s $IP -p $PROT --dport $PORT -j ACCEPT |
| pascal@4736 | 27 shift 3 |
| pascal@4737 | 28 logger "Enable $PROT:$PORT for $IP $@" |
| pascal@4736 | 29 ;; |
| pascal@4736 | 30 off) |
| pascal@4736 | 31 [ -f /var/lib/knockd/$IP ] && disable /var/lib/knockd/$IP |
| pascal@4736 | 32 ;; |
| pascal@4736 | 33 check) |
| pascal@17686 | 34 TIMEOUT=$(( $PERIOD * 120 )) |
| pascal@4736 | 35 for i in /var/lib/knockd/*.*.*.*; do |
| pascal@4736 | 36 [ -f "$i" ] || continue |
| pascal@4736 | 37 while read ip prot port msg; do |
| pascal@17686 | 38 if netstat -nut | grep -qe "^$prot .*:$port *$ip:[0-9]* " ; then |
| pascal@4736 | 39 touch $i |
| pascal@4736 | 40 break |
| pascal@4736 | 41 fi |
| pascal@4736 | 42 done < $i |
| pascal@4736 | 43 [ $(date "+%s") -gt $(( $(date -r $i "+%s") + $TIMEOUT )) ] && |
| pascal@4736 | 44 disable $i |
| pascal@4736 | 45 done |
| pascal@4736 | 46 ;; |
| pascal@4736 | 47 purge) |
| pascal@4736 | 48 for i in /var/lib/knockd/*.*.*.*; do |
| pascal@4736 | 49 [ -f "$i" ] && disable $i |
| pascal@4736 | 50 done |
| pascal@4736 | 51 ;; |
| pascal@4736 | 52 cron) |
| pascal@4736 | 53 crontab -l 2> /dev/null | grep -q $0 || { |
| pascal@4736 | 54 crontab - <<EOT |
| pascal@4736 | 55 $(crontab -l) |
| pascal@4736 | 56 |
| pascal@4736 | 57 # Close old connections opened by knockd |
| pascal@17686 | 58 */$PERIOD * * * * $0 check > /dev/null 2>&1 |
| pascal@4736 | 59 EOT |
| pascal@4736 | 60 /etc/init.d/crond stop |
| pascal@4736 | 61 /etc/init.d/crond start |
| pascal@4736 | 62 } |
| pascal@4736 | 63 ;; |
| pascal@4737 | 64 *) |
| pascal@4737 | 65 PROG=$(basename $0) |
| pascal@4737 | 66 cat <<EOT |
| pascal@4737 | 67 Usage: $PROG [on|off|check|purge|cron] [args...] |
| pascal@4737 | 68 |
| pascal@4737 | 69 $PROG on ip_address protocol port enable access |
| pascal@4737 | 70 $PROG off ip_address disable access |
| pascal@4737 | 71 $PROG check verify timeouts |
| pascal@4737 | 72 $PROG purge disable all accesses |
| pascal@4737 | 73 $PROG cron install auto disable access |
| pascal@4737 | 74 |
| pascal@4737 | 75 Example for /etc/knockd.conf file : |
| pascal@4737 | 76 |
| pascal@4737 | 77 [options] |
| pascal@4737 | 78 PidFile = /var/run/knockd.pid |
| pascal@4737 | 79 logfile = /var/log/knockd.log |
| pascal@4737 | 80 |
| pascal@4737 | 81 [openSSH] |
| pascal@4737 | 82 sequence = 7000,8000,9000 |
| pascal@4737 | 83 seq_timeout = 5 |
| pascal@4737 | 84 command = /usr/sbin/knockd-helper on %IP% tcp 22 |
| pascal@4737 | 85 tcpflags = syn |
| pascal@4737 | 86 EOT |
| pascal@4737 | 87 exit 1 |
| pascal@4737 | 88 ;; |
| pascal@4736 | 89 esac |