#!/bin/bash # info: add firewall rule # options: ACTION IP PORT [PROTOCOL] [COMMENT] [RULE] # # example: v-add-firewall-rule DROP 185.137.111.77 25 # # This function adds new rule to system firewall #----------------------------------------------------------# # Variables & Functions # #----------------------------------------------------------# # Argument definition action=$(echo $1 | tr '[:lower:]' '[:upper:]') ip=$2 port_ext=$3 protocol=${4-TCP} protocol=$(echo $protocol | tr '[:lower:]' '[:upper:]') comment=$5 rule=$6 # Includes # shellcheck source=/etc/hestiacp/hestia.conf source /etc/hestiacp/hestia.conf # shellcheck source=/usr/local/hestia/func/main.sh source $HESTIA/func/main.sh # load config file source_conf "$HESTIA/conf/hestia.conf" # Get next firewall rule id get_next_fw_rule() { if [ -z "$rule" ]; then curr_str=$(grep "RULE=" $HESTIA/data/firewall/rules.conf \ | cut -f 2 -d \' | sort -n | tail -n1) rule="$((curr_str + 1))" fi } sort_fw_rules() { cat $HESTIA/data/firewall/rules.conf \ | sort -n -k 2 -t \' > $HESTIA/data/firewall/rules.conf.tmp mv -f $HESTIA/data/firewall/rules.conf.tmp \ $HESTIA/data/firewall/rules.conf } #----------------------------------------------------------# # Verifications # #----------------------------------------------------------# check_args '3' "$#" 'ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]' is_format_valid 'action' 'protocol' 'port_ext' is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM' get_next_fw_rule is_format_valid 'rule' is_object_new '../../data/firewall/rules' 'RULE' "$rule" if [ -n "$comment" ]; then is_format_valid 'comment' fi if [[ "$ip" =~ ^ipset: ]]; then ipset_name="${ip#ipset:}" $BIN/v-list-firewall-ipset plain | grep "^$ipset_name\s" > /dev/null check_result $? 'ipset object not found' "$E_NOTEXIST" else is_format_valid 'ip' fi # Perform verification if read-only mode is enabled check_hestia_demo_mode #----------------------------------------------------------# # Action # #----------------------------------------------------------# # Generating timestamp time_n_date=$(date +'%T %F') time=$(echo "$time_n_date" | cut -f 1 -d \ ) date=$(echo "$time_n_date" | cut -f 2 -d \ ) # Concatenating rule str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'" str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'" str="$str TIME='$time' DATE='$date'" # Adding to config echo "$str" >> $HESTIA/data/firewall/rules.conf # Changing permissions chmod 660 $HESTIA/data/firewall/rules.conf # Sorting firewall rules by id number sort_fw_rules # Updating system firewall $BIN/v-update-firewall #----------------------------------------------------------# # Hestia # #----------------------------------------------------------# # Fix missing port value in log if zero if [ -z "$port" ]; then port="0" fi # Logging $BIN/v-log-action "system" "Info" "Firewall" "Added firewall rule (Action: $action, Port: $port, Protocol: $protocol)." log_event "$OK" "$ARGUMENTS" exit