gsd
/
zapret
mirror of https://github.com/bol-van/zapret/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

sysv helper functions : APPLY_FW=1 to override INIT_APPLY_FW

pull/33/head
bolvan 6 years ago
parent
12757467f2
commit
a2a75bb34b
2 changed files with 21 additions and 13 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      docs/readme.txt
  2. 26
      init.d/sysv/functions

8
docs/readme.txt
View File

@ -307,8 +307,14 @@ IFACE_WAN=eth1
Параметр INIT_APPLY_FW=1 разрешает init скрипту самостоятельно применять правила iptables.
При иных значениях или если параметр закомментирован, правила применены не будут.
Это полезно, если у вас есть система управления фаерволом, в настройки которой и следует прикрутить правила.
Хелпер-функции для настройки фаервола вынесены в отдельный shell include : /opt/zapret/init.d/sysv/functions.
Хелпер-функции для настройки фаервола вынесены в отдельный shell include
Чтобы не копировать текст и не изобретать велосипед можно подключить include из ваших скриптов.
В своем скрипте необходимо выставить переменную APPLY_FW=1, чтобы принудительно разрешить применение правил iptales
вне зависимости от параметра INIT_APPLY_FW.
Пример :
./opt/zapret/init.d/sysv/functions
APPLY_FW=1
fw_tpws_add "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
Пример установки на debian-подобную систему
-------------------------------------------

26
init.d/sysv/functions
View File

@ -28,6 +28,8 @@ TPWS_OPT_BASE_HTTPS="--port=$TPPORT_HTTPS"
[ -n "$IFACE_WAN" ] && IPT_IWAN="-i $IFACE_WAN"
[ -n "$IFACE_LAN" ] && IPT_ILAN="-i $IFACE_LAN"
[ -n "$APPLY_FW" ] || APPLY_FW=$INIT_APPLY_FW
exists()
{
which $1 >/dev/null 2>/dev/null
@ -86,14 +88,14 @@ fw_tpws_add()
# $1 - iptable filter for ipv4
# $2 - iptable filter for ipv6
# $3 - tpws port
[ "$INIT_APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
echo "Adding iptables rule for tpws : $1"
[ -n "$IFACE_LAN" ] && {
ipt PREROUTING -t nat $IPT_ILAN -p tcp $1 -j DNAT --to 127.0.0.1:$3
}
ipt OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$3
}
[ "$INIT_APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
echo "Adding ip6tables rule for tpws : $2"
[ -n "$IFACE_LAN" ] && {
dnat6_target
@ -107,14 +109,14 @@ fw_tpws_del()
# $1 - iptable filter for ipv4
# $2 - iptable filter for ipv6
# $3 - tpws port
[ "$INIT_APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
echo "Deleting iptables rule for tpws : $1"
[ -n "$IFACE_LAN" ] && {
ipt_del PREROUTING -t nat $IPT_ILAN -p tcp $1 -j DNAT --to 127.0.0.1:$3
}
ipt_del OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$3
}
[ "$INIT_APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
echo "Deleting ip6tables rule for tpws : $2"
[ -n "$IFACE_LAN" ] && {
dnat6_target
@ -128,11 +130,11 @@ fw_nfqws_add_pre()
{
# $1 - iptable filter for ipv4
# $2 - iptable filter for ipv6
[ "$INIT_APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
echo "Adding iptables rule for nfqws prerouting : $1"
ipt PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $1 -j NFQUEUE --queue-num $QNUM --queue-bypass
}
[ "$INIT_APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
echo "Adding ip6tables rule for nfqws prerouting : $2"
ipt6 PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
}
@ -141,11 +143,11 @@ fw_nfqws_del_pre()
{
# $1 - iptable filter for ipv4
# $2 - iptable filter for ipv6
[ "$INIT_APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
echo "Deleting iptables rule for nfqws prerouting : $1"
ipt_del PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $1 -j NFQUEUE --queue-num $QNUM --queue-bypass
}
[ "$INIT_APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
echo "Deleting ip6tables rule for nfqws prerouting : $2"
ipt6_del PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
}
@ -154,11 +156,11 @@ fw_nfqws_add_post()
{
# $1 - iptable filter for ipv4
# $2 - iptable filter for ipv6
[ "$INIT_APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
echo "Adding iptables rule for nfqws postrouting : $1"
ipt POSTROUTING -t mangle $IPT_OWAN -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass
}
[ "$INIT_APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
echo "Adding ip6tables rule for nfqws postrouting : $2"
ipt6 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
}
@ -167,11 +169,11 @@ fw_nfqws_del_post()
{
# $1 - iptable filter for ipv4
# $2 - iptable filter for ipv6
[ "$INIT_APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV4" != "1" ] && {
echo "Deleting iptables rule for nfqws postrouting : $1"
ipt_del POSTROUTING -t mangle $IPT_OWAN -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass
}
[ "$INIT_APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
[ "$APPLY_FW" = "1" ] && [ "$DISABLE_IPV6" != "1" ] && {
echo "Deleting ip6tables rule for nfqws postrouting : $2"
ipt6_del POSTROUTING -t mangle $IPT_OWAN -p tcp $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
}

Write Preview
Loading…
Cancel
Save