contrib/package/freifunk-p2pblock: do not start if no wan interface is present (spott...
authorJo-Philipp Wich <jow@openwrt.org>
Sat, 20 Jun 2009 16:30:10 +0000 (16:30 +0000)
committerJo-Philipp Wich <jow@openwrt.org>
Sat, 20 Jun 2009 16:30:10 +0000 (16:30 +0000)
contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init

index 5c89fce..b615962 100644 (file)
@@ -19,49 +19,52 @@ start() {
                
                config_load network
                config_get wan wan ifname
-               config_load freifunk_p2pblock
-               config_get layer7 p2pblock layer7
-               config_get ipp2p p2pblock ipp2p
-               config_get portrange p2pblock portrange
-               config_get blocktime p2pblock blocktime
-
-               # load modules
-               insmod ipt_ipp2p 2>&-
-               insmod ipt_layer7 2>&-
-               insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&-
-
-               # create new p2p-chain
-               iptables -N p2pblock
-               # pipe all incomming FORWARD with source-/destination-port 1024-65535 throu p2p-chain 
-               ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock"
-               ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock"
-
-               # if p2p-traffic blocked 3 packages to a destination ip then block all traffic within the next 180 sec (port 1024-65535)
-               ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP"
-               ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:"
-
-               # create layer7-rules
-               for proto in $layer7; do
-                       ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK"
-                       ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
-               done
-
-               # create ipp2p-rules
-               for proto in $ipp2p; do
-                       ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK"
-                       ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
-               done
-
-               # insert whitelisted ips
-               for ip in $WHITELIST; do
-                       ipt_add "p2pblock -d $ip -j RETURN"
-               done
-
-               logger -s -t "$ME" 'Done.'; return 0
 
+               if [ -n "$wan" ]; then
+                       config_load freifunk_p2pblock
+                       config_get layer7 p2pblock layer7
+                       config_get ipp2p p2pblock ipp2p
+                       config_get portrange p2pblock portrange
+                       config_get blocktime p2pblock blocktime
+
+                       # load modules
+                       insmod ipt_ipp2p 2>&-
+                       insmod ipt_layer7 2>&-
+                       insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&-
+
+                       # create new p2p-chain
+                       iptables -N p2pblock
+                       # pipe all incomming FORWARD with source-/destination-port 1024-65535 throu p2p-chain 
+                       ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock"
+                       ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock"
+
+                       # if p2p-traffic blocked 3 packages to a destination ip then block all traffic within the next 180 sec (port 1024-65535)
+                       ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP"
+                       ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:"
+
+                       # create layer7-rules
+                       for proto in $layer7; do
+                               ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK"
+                               ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
+                       done
+
+                       # create ipp2p-rules
+                       for proto in $ipp2p; do
+                               ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK"
+                               ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
+                       done
+
+                       # insert whitelisted ips
+                       for ip in $WHITELIST; do
+                               ipt_add "p2pblock -d $ip -j RETURN"
+                       done
+
+                       logger -s -t "$ME" 'Done.'; return 0
+               else
+                       logger -s -t "$ME" 'No wan interface present.'; return 0        
+               fi
        else
                logger -s -t "$ME" 'WARNING! already running - Aborting!'; return 2
-
        fi
 }
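Review bot: The new `[ -n "$wan" ]` guard validates only the interface name, while `$portrange` and `$blocktime` are still expanded unchecked into the FORWARD and `-m recent` rules a few lines below it. If either option is missing from the freifunk_p2pblock config, those rule strings are malformed, yet the branch still ends with `logger -s -t "$ME" 'Done.'; return 0`. Whether `ipt_add` reports a rejected rule is not visible here (it is defined outside the hunk, as is the start of `start()`), so the chain may end up created but not hooked into FORWARD while the script reports success. I would add, directly after the four `config_get` lines and before `iptables -N p2pblock`, `[ -n "$portrange" ] && [ -n "$blocktime" ] || { logger -s -t "$ME" 'Incomplete p2pblock config.'; return 1; }`. The no-wan branch also returns 0, so a caller cannot tell "filter not installed" from "started"; a distinct non-zero status there would make that state detectable.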