contrib/package: add freifunk-p2pblock firewall addon
authorJo-Philipp Wich <jow@openwrt.org>
Sun, 7 Jun 2009 11:48:37 +0000 (11:48 +0000)
committerJo-Philipp Wich <jow@openwrt.org>
Sun, 7 Jun 2009 11:48:37 +0000 (11:48 +0000)
contrib/package/freifunk-p2pblock/Makefile [new file with mode: 0644]
contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.config [new file with mode: 0644]
contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init [new file with mode: 0644]

diff --git a/contrib/package/freifunk-p2pblock/Makefile b/contrib/package/freifunk-p2pblock/Makefile
new file mode 100644 (file)
index 0000000..918d6a9
--- /dev/null
@@ -0,0 +1,46 @@
+#
+# Copyright (C) 2009 Andreas Seidler <tetzlav@subsignal.org>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=freifunk-p2pblock
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/freifunk-p2pblock
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=Freifunk p2pblock Addon
+  DEPENDS:=+iptables-mod-filter +l7-protocols +iptables-mod-conntrack-extra
+endef
+
+define Package/freifunk-p2pblock/description
+  Simple Addon for Freifunk which use iptables layer7-, ipp2p- and recent-modules 
+  to block p2p/filesharing traffic
+endef
+
+define Build/Prepare
+       mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/freifunk-p2pblock/install
+       $(INSTALL_DIR) $(1)/etc/init.d
+       $(INSTALL_BIN) ./files/freifunk-p2pblock.init $(1)/etc/init.d/freifunk-p2pblock
+       $(INSTALL_DIR) $(1)/etc/config
+       $(INSTALL_BIN) ./files/freifunk-p2pblock.config $(1)/etc/config/freifunk-p2pblock
+endef
+
+$(eval $(call BuildPackage,freifunk-p2pblock))
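Review bot: The config file is installed with `$(INSTALL_BIN)` on the last line of the install recipe, which gives `/etc/config/freifunk-p2pblock` the executable mode meant for the init script; `$(INSTALL_DATA) ./files/freifunk-p2pblock.config $(1)/etc/config/freifunk-p2pblock` installs it as a plain data file. The package also declares no `Package/freifunk-p2pblock/conffiles` section naming `/etc/config/freifunk-p2pblock`, so a user's edited whitelist, port range or blocktime is overwritten on package upgrade; a three-line define listing that path fixes it. Minor wording in the description: "which use" should read "which uses", and the first line carries a trailing space.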
diff --git a/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.config b/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.config
new file mode 100644 (file)
index 0000000..ae90fb5
--- /dev/null
@@ -0,0 +1,6 @@
+config 'p2pblock'
+       option 'portrange' '1024:65535'
+       option 'layer7' 'edonkey bittorrent fasttrack'
+       option 'ipp2p' 'edk dc kazaa gnu bit ares soul winmx apple'
+       option 'blocktime' '60'
+       option 'whitelist' ''
diff --git a/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init b/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init
new file mode 100644 (file)
index 0000000..95193aa
--- /dev/null
@@ -0,0 +1,89 @@
+#!/bin/sh /etc/rc.common
+
+START=82
+ME="freifunk-p2pblock"
+LOCK='/var/run/p2pblock.lock'
+
+# helper-scripts
+ipt_add() {
+       logger -t "$ME" "set 'iptables -I $1'"
+       iptables -I $1
+       echo "iptables -D $1" >> $LOCK
+}
+
+start() {
+       if [ ! -s "$LOCK" ]; then
+               logger -s -t "$ME" 'starting p2pblock...'
+               
+               config_load network
+               config_get wan wan ifname
+               config_load freifunk-p2pblock
+               config_get layer7 p2pblock layer7
+               config_get ipp2p p2pblock ipp2p
+               config_get portrange p2pblock portrange
+               config_get blocktime p2pblock blocktime
+
+               # load modules
+               insmod ipt_ipp2p 2>&-
+               insmod ipt_layer7 2>&-
+               insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&-
+
+               # create new p2p-chain
+               iptables -N p2pblock
+               # pipe all incomming FORWARD with source-/destination-port 1024-65535 throu p2p-chain 
+               ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock"
+               ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock"
+
+               # if p2p-traffic blocked 3 packages to a destination ip then block all traffic within the next 180 sec (port 1024-65535)
+               ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP"
+               ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:"
+
+               # create layer7-rules
+               for proto in $layer7; do
+                       ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK"
+                       ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
+               done
+
+               # create ipp2p-rules
+               for proto in $ipp2p; do
+                       ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK"
+                       ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
+               done
+
+               # insert whitelisted ips
+               for ip in $WHITELIST; do
+                       ipt_add "p2pblock -d $ip -j RETURN"
+               done
+
+               logger -s -t "$ME" 'Done.'; return 0
+
+       else
+               logger -s -t "$ME" 'WARNING! already running - Aborting!'; return 2
+
+       fi
+}
+
+stop() {
+       if [ -s "$LOCK" ]; then
+               logger -s -t "$ME" 'stopping p2pblock...'
+
+               # unset all rules in $LOCK-file
+               cat $LOCK | sed -ne '1!G;h;$p' | while read line; do
+                       logger -t "$ME" "unset $line"
+                       while eval $line 2>&-; do :; done
+               done; : > "$LOCK"
+
+               # flush and delete the p2p-chain
+               iptables -F p2pblock
+               iptables -X p2pblock
+               logger -s -t "$ME" 'Done.'; return 0
+
+       else
+               logger -s -t "$ME" 'WARNING! not running - Aborting!'; return 2
+
+       fi
+}
+
+restart() {
+       stop; sleep 1; start
+}
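Review bot: The whitelist loop `for ip in $WHITELIST; do` reads a variable that is never assigned — start() loads `layer7`, `ipp2p`, `portrange` and `blocktime` with config_get but not `whitelist`, so the `option 'whitelist'` shipped in the config file is silently ignored and no RETURN rule is ever inserted. Adding `config_get whitelist p2pblock whitelist` next to the other config_get lines and changing the loop to `for ip in $whitelist; do` wires it up. The comment above the recent-match rules says "within the next 180 sec" while the rules use `--seconds $blocktime`, whose shipped default is 60; the comment should refer to `$blocktime` seconds instead of a fixed number. If `config_get wan wan ifname` yields an empty value the two FORWARD rules become `-i -p tcp ...` and iptables rejects them, so a guard such as `[ -n "$wan" ] || { logger -s -t "$ME" 'no wan ifname configured'; return 1; }` before the first ipt_add would fail clearly instead of leaving a half-built chain.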