iptables rules

[BeNe]

Ja in:

Code:

# /etc/init.d/ispcp_network

Inhalt:

Code:

#!/bin/sh

# ispCP Ï (OMEGA) a Virtual Hosting Control Panel
# Copyright (C) 2006-2010 by isp Control Panel - http://ispcp.net
#
# Version: $ID$
#
# The contents of this file are subject to the Mozilla Public License
# Version 1.1 (the "License"); you may not use this file except in
# compliance with the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS"
# basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
# License for the specific language governing rights and limitations
# under the License.
#
# The Original Code is "ispCP - ISP Control Panel".
#
# The Initial Developer of the Original Code is ispCP Team.
# Portions created by the ispCP Team are Copyright (C) 2006-2010 by
# isp Control Panel. All Rights Reserved.
#
# The ispCP Ï Home Page is:
#
#    http://isp-control.net
#
### BEGIN INIT INFO
# Provides:             ispcp_network
# Required-Start:       $network $local_fs $remote_fs
# Required-Stop:
# Should-Stop:          $local_fs
# Default-Start:        2 3 4 5
# Default-Stop:         0 1 6
# Short-Description:    ispCP Network Traffic Logger
#
### END INIT INFO
# Note: do not modify any of these vars here, use /etc/default/$NAME instead

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="ispCP Network Traffic Logger"
NAME=ispcp_network
LFILE=/var/run/$NAME
IPTABLES=/sbin/iptables
ENGINEPATH="/var/www/ispcp/engine"
ENGINETOOLSPATH=${ENGINEPATH}"/tools"
NETWORKCARDMANAGER="ispcp-net-interfaces-mngr"
LOGDIR=/var/log/ispcp
LOGFILE=${LOGDIR}/${NAME}.log
DIETIME=3

START=1

# To monitor more ports, edit SERVICES variable add your own ports
# (ftp, proxy, http, etc.)
#
# HTTP(S): 80 443
# POP3(S): 110 995
# IMAP4(S)): 143 993
# MAIL(S): 25 465 587
SERVICES="80 443 110 143 25 465 587 995 993"
# To monitor more outgoing ports, edit SERVICES_OUT variable add your own ports
# (mail, etc.)
#
# MAIL(S): 25 465 587
SERVICES_OUT="25 465 587"

# Debian LSB extensions (will be used if init-functions doesn't override them):
log_daemon_msg() {
        if [ ! -z "${2:-}" ]; then
                log_success_msg "${1:-}: ${2:-}"
        else
                log_success_msg "${1:-}"
        fi
}

log_end_msg() {
        local status="$1"
}

log_progress_msg () {
        log_success_msg " $@"
}

# if not present (e.g. *BSD) make sure to provide compatible methods via /etc/default/$NAME
if [ -f /lib/lsb/init-functions ]; then
        . /lib/lsb/init-functions
fi

# Read config file if present.
if [ -r /etc/default/$NAME ]; then
        . /etc/default/$NAME
fi

if [ $START -eq 0 ]; then
        log_warning_msg "Not starting $DESC: edit /etc/default/$NAME."
        exit 1
fi

add_rules() {
        ${IPTABLES} -N ISPCP_INPUT  2>> "$LOGFILE"
        ${IPTABLES} -N ISPCP_OUTPUT 2>> "$LOGFILE"

        # All traffic should jump through ISPCP tables before anything else
        ${IPTABLES} -I INPUT  -j ISPCP_INPUT  2>> "$LOGFILE"
        ${IPTABLES} -I OUTPUT -j ISPCP_OUTPUT 2>> "$LOGFILE"

        # Services from matrix basically receiving data
        for PORT in $SERVICES; do
                ${IPTABLES} -I ISPCP_INPUT  -p tcp --dport "$PORT" 2>> "$LOGFILE"
                ${IPTABLES} -I ISPCP_OUTPUT -p tcp --sport "$PORT" 2>> "$LOGFILE"
        done

        # Services from matrix basically sending data
        for PORT in $SERVICES_OUT; do
                ${IPTABLES} -I ISPCP_INPUT  -p tcp --sport "$PORT" 2>> "$LOGFILE"
                ${IPTABLES} -I ISPCP_OUTPUT -p tcp --dport "$PORT" 2>> "$LOGFILE"
        done

        # Explicit return once done
        ${IPTABLES} -A ISPCP_INPUT  -j RETURN
        ${IPTABLES} -A ISPCP_OUTPUT -j RETURN

        # Touch lock file
        touch $LFILE
}

remove_rules() {
        ${IPTABLES} -D INPUT  -j ISPCP_INPUT  2>> "$LOGFILE"
        ${IPTABLES} -D OUTPUT -j ISPCP_OUTPUT 2>> "$LOGFILE"
        ${IPTABLES} -F ISPCP_INPUT  2>> "$LOGFILE"
        ${IPTABLES} -F ISPCP_OUTPUT 2>> "$LOGFILE"
        ${IPTABLES} -X ISPCP_INPUT  2>> "$LOGFILE"
        ${IPTABLES} -X ISPCP_OUTPUT 2>> "$LOGFILE"

        # Remove lock file
        rm $LFILE
}

add_interfaces() {
        ${ENGINETOOLSPATH}/${NETWORKCARDMANAGER} start &>${LOGDIR}/${NETWORKCARDMANAGER}.log 2>&1
}

remove_interfaces() {
        ${ENGINETOOLSPATH}/${NETWORKCARDMANAGER} stop &>${LOGDIR}/${NETWORKCARDMANAGER}.log 2>&1
}

case "$1" in
  start)
        log_daemon_msg "Starting $DESC" "$NAME"

        if [ -e "$LFILE" ]; then
                echo ""
                log_warning_msg "${NAME} is already started" >&2
        else
                add_interfaces
                add_rules
        fi

        log_end_msg $?
        ;;
  stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if [ ! -e "$LFILE" ]; then
                echo ""
                log_warning_msg "${NAME} is already stopped" >&2
        else
                remove_rules
                remove_interfaces
        fi

        log_end_msg $?
        ;;
  restart|force-reload)
        log_daemon_msg "Stopping $DESC" "$NAME"

        if [ ! -e "$LFILE" ]; then
                echo ""
                log_warning_msg "${NAME} is already stopped" >&2
        else
                remove_rules
                remove_interfaces
                log_end_msg $?
                [ -n "$DIETIME" ] && sleep "$DIETIME"
        fi

        log_daemon_msg "Starting $DESC" "$NAME"

        add_interfaces
        add_rules

        log_end_msg $?

        ;;
  status)
        log_daemon_msg "Checking status of $DESC" "$NAME"

        if [ ! -e "$LFILE" ]; then
           log_progress_msg "stopped"
        else
           log_progress_msg "started"
        fi

        echo ""
        ;;
  *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload|status}" >&2
        exit 1
        ;;
esac

exit 0

Greez BeNe