+++ /dev/null
-#!/bin/sh /etc/rc.common
-
-START=82
-ME="freifunk-p2pblock"
-LOCK='/var/run/p2pblock.lock'
-
-# helper-scripts
-ipt_add() {
- logger -t "$ME" "set 'iptables -I $1'"
- iptables -I $1
- echo "iptables -D $1" >> $LOCK
-}
-
-start() {
- /etc/init.d/freifunk-p2pblock enabled || return
-
- if [ ! -s "$LOCK" ]; then
- logger -s -t "$ME" 'starting p2pblock...'
-
- config_load network
- config_get wan wan ifname
-
- if [ -n "$wan" ]; then
- config_load freifunk_p2pblock
- config_get layer7 p2pblock layer7
- config_get ipp2p p2pblock ipp2p
- config_get portrange p2pblock portrange
- config_get blocktime p2pblock blocktime
- config_get whitelist p2pblock whitelist
-
- # load modules
- insmod ipt_ipp2p 2>&-
- insmod ipt_layer7 2>&-
- insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&-
-
- # create new p2p-chain
- iptables -N p2pblock
- # pipe all incoming FORWARD with source-/destination-port 1024-65535 throu p2p-chain
- ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock"
- ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock"
-
- # if p2p-traffic blocked 3 packages to a destination ip then block all traffic within the next 180 sec (port 1024-65535)
- ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP"
- ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:"
-
- # create layer7-rules
- for proto in $layer7; do
- ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK"
- ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
- done
-
- # create ipp2p-rules
- for proto in $ipp2p; do
- ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK"
- ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
- done
-
- # insert whitelisted ips
- for ip in $whitelist; do
- ipt_add "p2pblock -d $ip -j RETURN"
- done
-
- logger -s -t "$ME" 'Done.'; return 0
- else
- logger -s -t "$ME" 'No wan interface present.'; return 0
- fi
- else
- logger -s -t "$ME" 'WARNING! already running - Aborting!'; return 2
- fi
-}
-
-stop() {
- if [ -s "$LOCK" ]; then
- logger -s -t "$ME" 'stopping p2pblock...'
-
- # unset all rules in $LOCK-file
- cat $LOCK | sed -ne '1!G;h;$p' | while read line; do
- logger -t "$ME" "unset $line"
- while eval $line 2>&-; do :; done
- done; : > "$LOCK"
-
- # flush and delete the p2p-chain
- iptables -F p2pblock
- iptables -X p2pblock
- logger -s -t "$ME" 'Done.'; return 0
-
- else
- logger -s -t "$ME" 'WARNING! not running - Aborting!'; return 2
-
- fi
-}
-
-restart() {
- stop; sleep 1; start
-}
projects / project / luci.git / blobdiff