wok rev 4736

knock: add knockd-helper
author Pascal Bellard <pascal.bellard@slitaz.org>
date Thu Jan 07 12:10:30 2010 +0100 (2010-01-07)
parents bff5188ad747
children 8e4da8903b1c
files knock/stuff/usr/sbin/knockd-helper
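--- /dev/null
+++ b/knock/stuff/usr/sbin/knockd-helper
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+IP=$2
+PROT=$3
+PORT=$4
+
+[ -d /var/lib/knockd ] || mkdir -p /var/lib/knockd
+
+disable()
+{
+while read IP PROT PORT MSG; do
+	iptables -t nat -D PREROUTING -s $IP -p $PROT --dport $PORT -j RETURN
+	iptables -D INPUT -s $IP -p $PROT --dport $PORT -j ACCEPT
+	logger "Disable $PROT:$PORT for $IP $MSG"
+done < $1
+rm -rf $1
+}
+
+case "$1" in
+on)
+	shift
+	echo "$@" >> /var/lib/knockd/$IP
+	iptables -t nat -I PREROUTING -s $IP -p $PROT --dport $PORT -j RETURN
+	iptables -I INPUT -s $IP -p $PROT --dport $PORT -j ACCEPT
+	shift 3
+	logger "Ensable $PROT:$PORT for $IP $@"
+	;;
+off)
+	[ -f /var/lib/knockd/$IP ] && disable /var/lib/knockd/$IP
+	;;
+check)
+	TIMEOUT=$(( 6 * 60 ))
+	for i in /var/lib/knockd/*.*.*.*; do
+		[ -f "$i" ] || continue
+		while read ip prot port msg; do
+			if grep -qe "^$prot.* src=$ip .* dport=$port" /proc/net/ip_conntrack ; then
+				touch $i
+				break
+			fi
+		done < $i
+		[ $(date "+%s") -gt $(( $(date -r $i "+%s") + $TIMEOUT )) ] &&
+			disable $i
+	done
+	;;
+purge)
+	for i in /var/lib/knockd/*.*.*.*; do
+		[ -f "$i" ] && disable $i
+	done
+	;;
+cron)
+	crontab -l 2> /dev/null | grep -q $0 || {
+		crontab - <<EOT
+$(crontab -l)
+
+# Close old connections opened by knockd
+*/5  * * * * $0 check > /dev/null 2>&1
+EOT
+		/etc/init.d/crond stop
+		/etc/init.d/crond start
+	}
+	;;
+esac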
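Review bot: The `on` branch (hunk lines 1.25-1.27) uses `$IP`, `$PROT` and `$PORT` unquoted as a filename under /var/lib/knockd and as iptables arguments without checking that $2..$4 were supplied, so a call with missing arguments redirects into the directory `/var/lib/knockd/` and then runs iptables with an empty `-s`/`-p`/`--dport`; since the script has no `set -e`, it carries on regardless. A guard after the assignments at 1.6-1.8, `[ -n "$IP" ] && [ -n "$PROT" ] && [ -n "$PORT" ] || exit 1`, would reject such calls before any rule is touched, and quoting the three expansions in the iptables and redirect lines avoids word-splitting on unexpected values. In `disable` at 1.19 the state file is a plain file, so `rm -f -- "$1"` is sufficient and does not recurse if `$1` ever names a directory. The log message at 1.29 reads `Ensable`, presumably `Enable`. The conntrack lookup at 1.39 reads `/proc/net/ip_conntrack`; kernels built with nf_conntrack only expose `/proc/net/nf_conntrack`, which I cannot confirm from this page, but if so the timeout path would never see activity and close every connection after TIMEOUT.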