bayrepo
/
hestiacp
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4905975d79'
${ noResults }
hestiacp/bin/v-add-firewall-chain

131 lines
3.2 KiB
Raw Normal View History Unescape

Initial
2 years ago
#!/bin/bash
# info: add firewall chain
# options: CHAIN [PORT] [PROTOCOL] [PROTOCOL]
#
# example: v-add-firewall-chain CRM 5678 TCP
#
# This function adds new rule to system firewall
#----------------------------------------------------------#
# Variables & Functions #
#----------------------------------------------------------#
# Argument definition
chain=$(echo $1 | tr '[:lower:]' '[:upper:]')
port=$2
port_ext=$2
protocol=${4-TCP}
protocol=$(echo $protocol | tr '[:lower:]' '[:upper:]')
# Defining absolute path to iptables
iptables="/sbin/iptables"
# Includes
# shellcheck source=/etc/hestiacp/hestia.conf
source /etc/hestiacp/hestia.conf
# shellcheck source=/usr/local/hestia/func/main.sh
source $HESTIA/func/main.sh
# shellcheck source=/usr/local/hestia/func/firewall.sh
source $HESTIA/func/firewall.sh
# load config file
source_conf "$HESTIA/conf/hestia.conf"
# Get hestia port by reading nginx.conf
hestiaport=$(grep -m 1 'listen' $HESTIA/nginx/conf/nginx.conf | awk '{print $2}' | sed "s|;||")
if [ -z "$hestiaport" ]; then
hestiaport=8083
fi
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
check_args '1' "$#" 'CHAIN [PORT] [PROTOCOL]'
is_format_valid 'chain' 'port_ext' 'protocol'
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
# Perform verification if read-only mode is enabled
check_hestia_demo_mode
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Self heal iptables links
heal_iptables_links
# Checking known chains
case $chain in
SSH) # Get ssh port by reading ssh config file.
sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
if [ -z "$sshport" ]; then
sshport=22
fi
port=$sshport
protocol=TCP
;;
FTP)
port=21
protocol=TCP
;;
MAIL)
port='25,465,587,110,995,143,993'
protocol=TCP
;;
DNS)
port=53
protocol=UDP
;;
WEB)
port='80,443'
protocol=TCP
;;
DB)
port='3306,5432'
protocol=TCP
;;
HESTIA)
port=$hestiaport
protocol=TCP
;;
RECIDIVE)
port='1:65535'
protocol=TCP
;;
*) check_args '2' "$#" 'CHAIN PORT' ;;
esac
# Adding chain
$iptables -N fail2ban-$chain 2> /dev/null
if [ $? -eq 0 ]; then
$iptables -A fail2ban-$chain -j RETURN
# Adding multiport module
if [[ "$port" =~ ,|-|: ]]; then
port_str="-m multiport --dports $port"
else
port_str="--dport $port"
fi
$iptables -I INPUT -p $protocol $port_str -j fail2ban-$chain
fi
# Preserving chain
chains=$HESTIA/data/firewall/chains.conf
check_chain=$(grep "CHAIN='$chain'" $chains 2> /dev/null)
if [ -z "$check_chain" ]; then
echo "CHAIN='$chain' PORT='$port' PROTOCOL='$protocol'" >> $chains
fi
# Changing permissions
chmod 660 $chains
#----------------------------------------------------------#
# Hestia #
#----------------------------------------------------------#
# Logging
$BIN/v-log-action "system" "Info" "Firewall" "Added service to firewall (Service: $chain, Port: $port, Protocol: $protocol)."
log_event "$OK" "$ARGUMENTS"
exit