Initial
This commit is contained in:
Alexey Berezhok
91
bin/v-add-firewall-ban
Executable file
91
bin/v-add-firewall-ban
Executable file
@@ -0,0 +1,91 @@
|
||||
#!/bin/bash
|
||||
# info: add firewall blocking rule
|
||||
# options: IP CHAIN
|
||||
#
|
||||
# example: v-add-firewall-ban 37.120.129.20 MAIL
|
||||
#
|
||||
# This function adds new blocking rule to system firewall
|
||||
|
||||
#----------------------------------------------------------#
|
||||
# Variables & Functions #
|
||||
#----------------------------------------------------------#
|
||||
|
||||
# Argument definition
|
||||
ip=$1
|
||||
chain=$(echo $2 | tr '[:lower:]' '[:upper:]')
|
||||
|
||||
# Defining absolute path for iptables and modprobe
|
||||
iptables="/sbin/iptables"
|
||||
|
||||
# Includes
|
||||
# shellcheck source=/etc/hestiacp/hestia.conf
|
||||
source /etc/hestiacp/hestia.conf
|
||||
# shellcheck source=/usr/local/hestia/func/main.sh
|
||||
source $HESTIA/func/main.sh
|
||||
# shellcheck source=/usr/local/hestia/func/firewall.sh
|
||||
source $HESTIA/func/firewall.sh
|
||||
# load config file
|
||||
source_conf "$HESTIA/conf/hestia.conf"
|
||||
|
||||
#----------------------------------------------------------#
|
||||
# Verifications #
|
||||
#----------------------------------------------------------#
|
||||
|
||||
check_args '2' "$#" 'IP CHAIN'
|
||||
is_format_valid 'ip' 'chain'
|
||||
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
|
||||
|
||||
# Perform verification if read-only mode is enabled
|
||||
check_hestia_demo_mode
|
||||
|
||||
#----------------------------------------------------------#
|
||||
# Action #
|
||||
#----------------------------------------------------------#
|
||||
|
||||
# Self heal iptables links
|
||||
heal_iptables_links
|
||||
|
||||
# Checking server ip
|
||||
if [ -e "$HESTIA/data/ips/$ip" ] || [ "$ip" = '127.0.0.1' ]; then
|
||||
exit
|
||||
fi
|
||||
|
||||
# Checking ip exclusions
|
||||
excludes="$HESTIA/data/firewall/excludes.conf"
|
||||
check_excludes=$(grep "^$ip$" $excludes 2> /dev/null)
|
||||
if [ -n "$check_excludes" ]; then
|
||||
exit
|
||||
fi
|
||||
|
||||
# Checking ip in banlist
|
||||
conf="$HESTIA/data/firewall/banlist.conf"
|
||||
check_ip=$(grep "IP='$ip' CHAIN='$chain'" $conf 2> /dev/null)
|
||||
if [ -n "$check_ip" ]; then
|
||||
exit
|
||||
fi
|
||||
|
||||
# Adding chain
|
||||
$BIN/v-add-firewall-chain $chain
|
||||
|
||||
# Generating timestamp
|
||||
time_n_date=$(date +'%T %F')
|
||||
time=$(echo "$time_n_date" | cut -f 1 -d \ )
|
||||
date=$(echo "$time_n_date" | cut -f 2 -d \ )
|
||||
|
||||
# Adding ip to banlist
|
||||
echo "IP='$ip' CHAIN='$chain' TIME='$time' DATE='$date'" >> $conf
|
||||
$iptables -I fail2ban-$chain 1 -s $ip \
|
||||
-j REJECT --reject-with icmp-port-unreachable 2> /dev/null
|
||||
|
||||
# Changing permissions
|
||||
chmod 660 $conf
|
||||
|
||||
#----------------------------------------------------------#
|
||||
# Hestia #
|
||||
#----------------------------------------------------------#
|
||||
|
||||
# Logging
|
||||
$BIN/v-log-action "system" "Warning" "Firewall" "Banned IP address $ip."
|
||||
log_event "$OK" "$ARGUMENTS"
|
||||
|
||||
exit
|
||||
Reference in New Issue
Block a user