Initial

bin/v-add-firewall-chain

@@ -0,0 +1,130 @@
+#!/bin/bash
+# info: add firewall chain
+# options: CHAIN [PORT] [PROTOCOL] [PROTOCOL]
+#
+# example: v-add-firewall-chain CRM 5678 TCP
+#
+# This function adds new rule to system firewall
+
+#----------------------------------------------------------#
+#                Variables & Functions                     #
+#----------------------------------------------------------#
+
+# Argument definition
+chain=$(echo $1 | tr '[:lower:]' '[:upper:]')
+port=$2
+port_ext=$2
+protocol=${4-TCP}
+protocol=$(echo $protocol | tr '[:lower:]' '[:upper:]')
+
+# Defining absolute path to iptables
+iptables="/sbin/iptables"
+
+# Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
+# shellcheck source=/usr/local/hestia/func/main.sh
+source $HESTIA/func/main.sh
+# shellcheck source=/usr/local/hestia/func/firewall.sh
+source $HESTIA/func/firewall.sh
+# load config file
+source_conf "$HESTIA/conf/hestia.conf"
+
+# Get hestia port by reading nginx.conf
+hestiaport=$(grep -m 1 'listen' $HESTIA/nginx/conf/nginx.conf | awk '{print $2}' | sed "s|;||")
+if [ -z "$hestiaport" ]; then
+	hestiaport=8083
+fi
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'CHAIN [PORT] [PROTOCOL]'
+is_format_valid 'chain' 'port_ext' 'protocol'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Self heal iptables links
+heal_iptables_links
+
+# Checking known chains
+case $chain in
+	SSH) # Get ssh port by reading ssh config file.
+		sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
+		if [ -z "$sshport" ]; then
+			sshport=22
+		fi
+		port=$sshport
+		protocol=TCP
+		;;
+	FTP)
+		port=21
+		protocol=TCP
+		;;
+	MAIL)
+		port='25,465,587,110,995,143,993'
+		protocol=TCP
+		;;
+	DNS)
+		port=53
+		protocol=UDP
+		;;
+	WEB)
+		port='80,443'
+		protocol=TCP
+		;;
+	DB)
+		port='3306,5432'
+		protocol=TCP
+		;;
+	HESTIA)
+		port=$hestiaport
+		protocol=TCP
+		;;
+	RECIDIVE)
+		port='1:65535'
+		protocol=TCP
+		;;
+	*) check_args '2' "$#" 'CHAIN PORT' ;;
+esac
+
+# Adding chain
+$iptables -N fail2ban-$chain 2> /dev/null
+if [ $? -eq 0 ]; then
+	$iptables -A fail2ban-$chain -j RETURN
+
+	# Adding multiport module
+	if [[ "$port" =~ ,|-|: ]]; then
+		port_str="-m multiport --dports $port"
+	else
+		port_str="--dport $port"
+	fi
+	$iptables -I INPUT -p $protocol $port_str -j fail2ban-$chain
+fi
+
+# Preserving chain
+chains=$HESTIA/data/firewall/chains.conf
+check_chain=$(grep "CHAIN='$chain'" $chains 2> /dev/null)
+if [ -z "$check_chain" ]; then
+	echo "CHAIN='$chain' PORT='$port' PROTOCOL='$protocol'" >> $chains
+fi
+
+# Changing permissions
+chmod 660 $chains
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+# Logging
+$BIN/v-log-action "system" "Info" "Firewall" "Added service to firewall (Service: $chain, Port: $port, Protocol: $protocol)."
+log_event "$OK" "$ARGUMENTS"
+
+exit