Check before adding firewall rules to avoid duplicates

This commit is contained in:
Bob Mottram 2017-06-26 11:58:33 +01:00
parent d742ea58f8
commit dbce6a1a18
1 changed files with 50 additions and 18 deletions


@ -354,15 +354,28 @@ function firewall_add {
if ! grep -q "${firewall_name}=${firewall_port}" $FIREWALL_CONFIG; then if ! grep -q "${firewall_name}=${firewall_port}" $FIREWALL_CONFIG; then
echo "${firewall_name}=${firewall_port}" >> $FIREWALL_CONFIG echo "${firewall_name}=${firewall_port}" >> $FIREWALL_CONFIG
if [ ! ${firewall_protocol} ]; then if [ ! ${firewall_protocol} ]; then
iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT
iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT if [ ! "$?" = "0" ]; then
else
if [[ "${firewall_protocol}" == *"udp"* ]]; then
iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
fi fi
if [[ "${firewall_protocol}" == *"tcp"* ]]; then
iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT
if [ ! "$?" = "0" ]; then
iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
fi fi
else
if [[ "${firewall_protocol}" == *"udp"* ]]; then
iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT
if [ ! "$?" = "0" ]; then
iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
fi
fi
if [[ "${firewall_protocol}" == *"tcp"* ]]; then
iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT
if [ ! "$?" = "0" ]; then
iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
fi
fi
fi fi
save_firewall_settings save_firewall_settings
fi fi
@ -377,15 +390,27 @@ function firewall_add_range {
if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" $FIREWALL_CONFIG; then if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" $FIREWALL_CONFIG; then
echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> $FIREWALL_CONFIG echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> $FIREWALL_CONFIG
if [ ! ${firewall_protocol} ]; then if [ ! ${firewall_protocol} ]; then
iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT if [ ! "$?" = "0" ]; then
else
if [[ "${firewall_protocol}" == *"udp"* ]]; then
iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
fi fi
if [[ "${firewall_protocol}" == *"tcp"* ]]; then iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
if [ ! "$?" = "0" ]; then
iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
fi fi
else
if [[ "${firewall_protocol}" == *"udp"* ]]; then
iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
if [ ! "$?" = "0" ]; then
iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
fi
fi
if [[ "${firewall_protocol}" == *"tcp"* ]]; then
iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
if [ ! "$?" = "0" ]; then
iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
fi
fi
fi fi
save_firewall_settings save_firewall_settings
fi fi
@ -438,8 +463,14 @@ function domain_to_hex_string {
function firewall_block_domain { function firewall_block_domain {
blocked_domain="$1" blocked_domain="$1"
if [[ "$blocked_domain" == *'@'* ]]; then
# Don't try to block email/microblog addresses
return
fi
if ! grep "$blocked_domain" $FIREWALL_DOMAINS; then if ! grep "$blocked_domain" $FIREWALL_DOMAINS; then
hexstr=$(domain_to_hex_string $blocked_domain) hexstr=$(domain_to_hex_string $blocked_domain)
iptables -C INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
if [ ! "$?" = "0" ]; then
iptables -A INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -A INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -A INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
@ -448,6 +479,7 @@ function firewall_block_domain {
iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
echo "${blocked_domain}" >> $FIREWALL_DOMAINS echo "${blocked_domain}" >> $FIREWALL_DOMAINS
save_firewall_settings save_firewall_settings
fi
# run the blocking rules now # run the blocking rules now
if [ -f /usr/bin/gnusocial-firewall ]; then if [ -f /usr/bin/gnusocial-firewall ]; then