iptables rules - Snooops - 03-18-2010 11:35 PM
Hi,
I've created a few iptables rules to lock down my server, but ispcp needs its own rules for traffic accounting. Is there a script somewhere that I can copy the rules from? I'd like to keep the ISPcp rules, of course.
Regards
Snooops
RE: iptables rules - BeNe - 03-19-2010 12:25 AM
Yes, in:
Code:
# /etc/init.d/ispcp_network
Contents:
Code:
#!/bin/sh
# ispCP ω (OMEGA) a Virtual Hosting Control Panel
# Copyright (C) 2006-2010 by isp Control Panel - http://ispcp.net
#
# Version: $ID$
#
# The contents of this file are subject to the Mozilla Public License
# Version 1.1 (the "License"); you may not use this file except in
# compliance with the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS"
# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
# License for the specific language governing rights and limitations
# under the License.
#
# The Original Code is "ispCP - ISP Control Panel".
#
# The Initial Developer of the Original Code is ispCP Team.
# Portions created by the ispCP Team are Copyright (C) 2006-2010 by
# isp Control Panel. All Rights Reserved.
#
# The ispCP ω Home Page is:
#
# http://isp-control.net
#
### BEGIN INIT INFO
# Provides: ispcp_network
# Required-Start: $network $local_fs $remote_fs
# Required-Stop:
# Should-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: ispCP Network Traffic Logger
#
### END INIT INFO

# Note: do not modify any of these vars here, use /etc/default/$NAME instead
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="ispCP Network Traffic Logger"
NAME=ispcp_network
LFILE=/var/run/$NAME
IPTABLES=/sbin/iptables
ENGINEPATH="/var/www/ispcp/engine"
ENGINETOOLSPATH=${ENGINEPATH}"/tools"
NETWORKCARDMANAGER="ispcp-net-interfaces-mngr"
LOGDIR=/var/log/ispcp
LOGFILE=${LOGDIR}/${NAME}.log
DIETIME=3
START=1

# To monitor more ports, edit SERVICES variable add your own ports
# (ftp, proxy, http, etc.)
#
# HTTP(S): 80 443
# POP3(S): 110 995
# IMAP4(S): 143 993
# MAIL(S): 25 465 587
SERVICES="80 443 110 143 25 465 587 995 993"

# To monitor more outgoing ports, edit SERVICES_OUT variable add your own ports
# (mail, etc.)
#
# MAIL(S): 25 465 587
SERVICES_OUT="25 465 587"

# Debian LSB extensions (will be used if init-functions doesn't override them):
log_daemon_msg() {
    if [ ! -z "${2:-}" ]; then
        log_success_msg "${1:-}: ${2:-}"
    else
        log_success_msg "${1:-}"
    fi
}

log_end_msg() {
    local status="$1"
}

log_progress_msg () {
    log_success_msg " $@"
}

# if not present (e.g. *BSD) make sure to provide compatible methods via /etc/default/$NAME
if [ -f /lib/lsb/init-functions ]; then
    . /lib/lsb/init-functions
fi

# Read config file if present.
if [ -r /etc/default/$NAME ]; then
    . /etc/default/$NAME
fi

if [ $START -eq 0 ]; then
    log_warning_msg "Not starting $DESC: edit /etc/default/$NAME."
    exit 1
fi

add_rules() {
    ${IPTABLES} -N ISPCP_INPUT 2>> "$LOGFILE"
    ${IPTABLES} -N ISPCP_OUTPUT 2>> "$LOGFILE"

    # All traffic should jump through ISPCP tables before anything else
    ${IPTABLES} -I INPUT -j ISPCP_INPUT 2>> "$LOGFILE"
    ${IPTABLES} -I OUTPUT -j ISPCP_OUTPUT 2>> "$LOGFILE"

    # Services from matrix basically receiving data
    # (no -j target: these rules only count packets/bytes, they never decide)
    for PORT in $SERVICES; do
        ${IPTABLES} -I ISPCP_INPUT -p tcp --dport "$PORT" 2>> "$LOGFILE"
        ${IPTABLES} -I ISPCP_OUTPUT -p tcp --sport "$PORT" 2>> "$LOGFILE"
    done

    # Services from matrix basically sending data
    for PORT in $SERVICES_OUT; do
        ${IPTABLES} -I ISPCP_INPUT -p tcp --sport "$PORT" 2>> "$LOGFILE"
        ${IPTABLES} -I ISPCP_OUTPUT -p tcp --dport "$PORT" 2>> "$LOGFILE"
    done

    # Explicit return once done
    ${IPTABLES} -A ISPCP_INPUT -j RETURN
    ${IPTABLES} -A ISPCP_OUTPUT -j RETURN

    # Touch lock file
    touch $LFILE
}

remove_rules() {
    ${IPTABLES} -D INPUT -j ISPCP_INPUT 2>> "$LOGFILE"
    ${IPTABLES} -D OUTPUT -j ISPCP_OUTPUT 2>> "$LOGFILE"
    ${IPTABLES} -F ISPCP_INPUT 2>> "$LOGFILE"
    ${IPTABLES} -F ISPCP_OUTPUT 2>> "$LOGFILE"
    ${IPTABLES} -X ISPCP_INPUT 2>> "$LOGFILE"
    ${IPTABLES} -X ISPCP_OUTPUT 2>> "$LOGFILE"

    # Remove lock file
    rm $LFILE
}

# "&>" is a bash extension; under /bin/sh (dash) it would background the
# command, so use the portable ">file 2>&1" form.
add_interfaces() {
    ${ENGINETOOLSPATH}/${NETWORKCARDMANAGER} start >${LOGDIR}/${NETWORKCARDMANAGER}.log 2>&1
}

remove_interfaces() {
    ${ENGINETOOLSPATH}/${NETWORKCARDMANAGER} stop >${LOGDIR}/${NETWORKCARDMANAGER}.log 2>&1
}

case "$1" in
    start)
        log_daemon_msg "Starting $DESC" "$NAME"
        if [ -e "$LFILE" ]; then
            echo ""
            log_warning_msg "${NAME} is already started" >&2
        else
            add_interfaces
            add_rules
        fi
        log_end_msg $?
        ;;
    stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if [ ! -e "$LFILE" ]; then
            echo ""
            log_warning_msg "${NAME} is already stopped" >&2
        else
            remove_rules
            remove_interfaces
        fi
        log_end_msg $?
        ;;
    restart|force-reload)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if [ ! -e "$LFILE" ]; then
            echo ""
            log_warning_msg "${NAME} is already stopped" >&2
        else
            remove_rules
            remove_interfaces
            log_end_msg $?
            [ -n "$DIETIME" ] && sleep "$DIETIME"
        fi
        log_daemon_msg "Starting $DESC" "$NAME"
        add_interfaces
        add_rules
        log_end_msg $?
        ;;
    status)
        log_daemon_msg "Checking status of $DESC" "$NAME"
        if [ ! -e "$LFILE" ]; then
            log_progress_msg "stopped"
        else
            log_progress_msg "started"
        fi
        echo ""
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|status}" >&2
        exit 1
        ;;
esac

exit 0
Greez BeNe
RE: iptables rules - ZiomekPL - 09-21-2010 08:29 PM
"exit 0"
this line prevents the script from running, and should be removed
RE: iptables rules - MasterTH - 09-21-2010 08:45 PM
Hmm... you're not supposed to run the script; it just contains the rules you wanted.
RE: iptables rules - nuke3d - 09-21-2010 08:52 PM
(09-21-2010 08:29 PM)ZiomekPL Wrote: "exit 0"
this line prevents the script from running, and should be removed
no it doesn't.