You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
92 lines
2.5 KiB
92 lines
2.5 KiB
#!/bin/bash
|
|
# info: add firewall blocking rule
|
|
# options: IP CHAIN
|
|
#
|
|
# example: v-add-firewall-ban 37.120.129.20 MAIL
|
|
#
|
|
# This function adds new blocking rule to system firewall
|
|
|
|
#----------------------------------------------------------#
|
|
# Variables & Functions #
|
|
#----------------------------------------------------------#
|
|
|
|
# Argument definition
|
|
ip=$1
|
|
chain=$(echo $2 | tr '[:lower:]' '[:upper:]')
|
|
|
|
# Defining absolute path for iptables and modprobe
|
|
iptables="/sbin/iptables"
|
|
|
|
# Includes
|
|
# shellcheck source=/etc/hestiacp/hestia.conf
|
|
source /etc/hestiacp/hestia.conf
|
|
# shellcheck source=/usr/local/hestia/func/main.sh
|
|
source $HESTIA/func/main.sh
|
|
# shellcheck source=/usr/local/hestia/func/firewall.sh
|
|
source $HESTIA/func/firewall.sh
|
|
# load config file
|
|
source_conf "$HESTIA/conf/hestia.conf"
|
|
|
|
#----------------------------------------------------------#
|
|
# Verifications #
|
|
#----------------------------------------------------------#
|
|
|
|
check_args '2' "$#" 'IP CHAIN'
|
|
is_format_valid 'ip' 'chain'
|
|
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
|
|
|
|
# Perform verification if read-only mode is enabled
|
|
check_hestia_demo_mode
|
|
|
|
#----------------------------------------------------------#
|
|
# Action #
|
|
#----------------------------------------------------------#
|
|
|
|
# Self heal iptables links
|
|
heal_iptables_links
|
|
|
|
# Checking server ip
|
|
if [ -e "$HESTIA/data/ips/$ip" ] || [ "$ip" = '127.0.0.1' ]; then
|
|
exit
|
|
fi
|
|
|
|
# Checking ip exclusions
|
|
excludes="$HESTIA/data/firewall/excludes.conf"
|
|
check_excludes=$(grep "^$ip$" $excludes 2> /dev/null)
|
|
if [ -n "$check_excludes" ]; then
|
|
exit
|
|
fi
|
|
|
|
# Checking ip in banlist
|
|
conf="$HESTIA/data/firewall/banlist.conf"
|
|
check_ip=$(grep "IP='$ip' CHAIN='$chain'" $conf 2> /dev/null)
|
|
if [ -n "$check_ip" ]; then
|
|
exit
|
|
fi
|
|
|
|
# Adding chain
|
|
$BIN/v-add-firewall-chain $chain
|
|
|
|
# Generating timestamp
|
|
time_n_date=$(date +'%T %F')
|
|
time=$(echo "$time_n_date" | cut -f 1 -d \ )
|
|
date=$(echo "$time_n_date" | cut -f 2 -d \ )
|
|
|
|
# Adding ip to banlist
|
|
echo "IP='$ip' CHAIN='$chain' TIME='$time' DATE='$date'" >> $conf
|
|
$iptables -I fail2ban-$chain 1 -s $ip \
|
|
-j REJECT --reject-with icmp-port-unreachable 2> /dev/null
|
|
|
|
# Changing permissions
|
|
chmod 660 $conf
|
|
|
|
#----------------------------------------------------------#
|
|
# Hestia #
|
|
#----------------------------------------------------------#
|
|
|
|
# Logging
|
|
$BIN/v-log-action "system" "Warning" "Firewall" "Banned IP address $ip."
|
|
log_event "$OK" "$ARGUMENTS"
|
|
|
|
exit
|