From 5ae86ebc3f8ee13ef7c267e2de16fbe6664f8cf0 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Sun, 7 Jun 2009 11:48:37 +0000
Subject: [PATCH] contrib/package: add freifunk-p2pblock firewall addon
---
 contrib/package/freifunk-p2pblock/Makefile | 46 +++++++++++
 .../files/freifunk-p2pblock.config | 6 ++
 .../freifunk-p2pblock/files/freifunk-p2pblock.init | 89 ++++++++++++++++++++++
 3 files changed, 141 insertions(+)
 create mode 100644 contrib/package/freifunk-p2pblock/Makefile
 create mode 100644 contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.config
 create mode 100644 contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init
diff --git a/contrib/package/freifunk-p2pblock/Makefile b/contrib/package/freifunk-p2pblock/Makefile
new file mode 100644
index 000000000..918d6a95e
--- /dev/null
+++ b/contrib/package/freifunk-p2pblock/Makefile
@@ -0,0 +1,46 @@
+#
+# Copyright (C) 2009 Andreas Seidler
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=freifunk-p2pblock
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/freifunk-p2pblock
+ SECTION:=net
+ CATEGORY:=Network
+ TITLE:=Freifunk p2pblock Addon
+ DEPENDS:=+iptables-mod-filter +l7-protocols +iptables-mod-conntrack-extra
+endef
+
+define Package/freifunk-p2pblock/description
+ Simple Addon for Freifunk which use iptables layer7-, ipp2p- and recent-modules
+ to block p2p/filesharing traffic
+endef
+
+define Build/Prepare
+ mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/freifunk-p2pblock/install
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) ./files/freifunk-p2pblock.init $(1)/etc/init.d/freifunk-p2pblock
+ $(INSTALL_DIR) $(1)/etc/config
+ $(INSTALL_BIN) ./files/freifunk-p2pblock.config $(1)/etc/config/freifunk-p2pblock
+endef
+
+$(eval $(call BuildPackage,freifunk-p2pblock))
diff --git a/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.config b/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.config
new file mode 100644
index 000000000..ae90fb59e
--- /dev/null
+++ b/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.config
@@ -0,0 +1,6 @@
+config 'p2pblock'
+ option 'portrange' '1024:65535'
+ option 'layer7' 'edonkey bittorrent fasttrack'
+ option 'ipp2p' 'edk dc kazaa gnu bit ares soul winmx apple'
+ option 'blocktime' '60'
+ option 'whitelist' ''
diff --git a/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init b/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init
new file mode 100644
index 000000000..95193aa62
--- /dev/null
+++ b/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init
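Review bot: The UCI config file is copied with `$(INSTALL_BIN)` in `Package/freifunk-p2pblock/install`, so `/etc/config/freifunk-p2pblock` is installed with the executable bit set; the data-file macro is the right one here, `$(INSTALL_CONF) ./files/freifunk-p2pblock.config $(1)/etc/config/freifunk-p2pblock`, which installs it 0600 like other configs. The package also declares no `Package/freifunk-p2pblock/conffiles` section, so a locally edited whitelist or port range is overwritten on every package upgrade; a three-line `conffiles` define listing `/etc/config/freifunk-p2pblock` keeps user edits.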
@@ -0,0 +1,89 @@
+#!/bin/sh /etc/rc.common
+
+START=82
+ME="freifunk-p2pblock"
+LOCK='/var/run/p2pblock.lock'
+
+# helper-scripts
+ipt_add() {
+ logger -t "$ME" "set 'iptables -I $1'"
+ iptables -I $1
+ echo "iptables -D $1" >> $LOCK
+}
+
+start() {
+ if [ ! -s "$LOCK" ]; then
+ logger -s -t "$ME" 'starting p2pblock...'
+
+ config_load network
+ config_get wan wan ifname
+ config_load freifunk-p2pblock
+ config_get layer7 p2pblock layer7
+ config_get ipp2p p2pblock ipp2p
+ config_get portrange p2pblock portrange
+ config_get blocktime p2pblock blocktime
+
+ # load modules
+ insmod ipt_ipp2p 2>&-
+ insmod ipt_layer7 2>&-
+ insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&-
+
+ # create new p2p-chain
+ iptables -N p2pblock
+ # pipe all incomming FORWARD with source-/destination-port 1024-65535 throu p2p-chain
+ ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock"
+ ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock"
+
+ # if p2p-traffic blocked 3 packages to a destination ip then block all traffic within the next 180 sec (port 1024-65535)
+ ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP"
+ ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:"
+
+ # create layer7-rules
+ for proto in $layer7; do
+ ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK"
+ ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
+ done
+
+ # create ipp2p-rules
+ for proto in $ipp2p; do
+ ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK"
+ ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
+ done
+
+ # insert whitelisted ips
+ for ip in $WHITELIST; do
+ ipt_add "p2pblock -d $ip -j RETURN"
+ done
+
+ logger -s -t "$ME" 'Done.'; return 0
+
+ else
+ logger -s -t "$ME" 'WARNING! already running - Aborting!'; return 2
+
+ fi
+}
+
+stop() {
+ if [ -s "$LOCK" ]; then
+ logger -s -t "$ME" 'stopping p2pblock...'
+
+ # unset all rules in $LOCK-file
+ cat $LOCK | sed -ne '1!G;h;$p' | while read line; do
+ logger -t "$ME" "unset $line"
+ while eval $line 2>&-; do :; done
+ done; : > "$LOCK"
+
+ # flush and delete the p2p-chain
+ iptables -F p2pblock
+ iptables -X p2pblock
+ logger -s -t "$ME" 'Done.'; return 0
+
+ else
+ logger -s -t "$ME" 'WARNING! not running - Aborting!'; return 2
+
+ fi
+}
+
+restart() {
+ stop; sleep 1; start
+}
-- 2.11.0
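Review bot: The whitelist loop in `start()` iterates `$WHITELIST`, but nothing in the script assigns that name — every other setting is fetched with `config_get` into a lowercase variable and the `whitelist` option is never fetched at all — so the `-d $ip -j RETURN` exemptions are never installed and whitelisted destinations are blocked like any other. Fetch it alongside the other options, `config_get whitelist p2pblock whitelist`, and loop with `for ip in $whitelist; do`. Two smaller points in the same function: the result of `config_get wan wan ifname` is never checked, and an empty value turns the FORWARD rules into a malformed `iptables -I FORWARD -i -p tcp ...`, so a `[ -n "$wan" ] || { logger -s -t "$ME" 'no wan ifname'; return 1; }` guard before the first `ipt_add` is worth adding; and `2>&-` closes stderr rather than discarding it, so `2>/dev/null` is the safer spelling on the `insmod` lines and on the `eval` in `stop()`.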