You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
131 lines
3.2 KiB
131 lines
3.2 KiB
#!/bin/bash
|
|
# info: add firewall chain
|
|
# options: CHAIN [PORT] [PROTOCOL] [PROTOCOL]
|
|
#
|
|
# example: v-add-firewall-chain CRM 5678 TCP
|
|
#
|
|
# This function adds new rule to system firewall
|
|
|
|
#----------------------------------------------------------#
|
|
# Variables & Functions #
|
|
#----------------------------------------------------------#
|
|
|
|
# Argument definition
|
|
chain=$(echo $1 | tr '[:lower:]' '[:upper:]')
|
|
port=$2
|
|
port_ext=$2
|
|
protocol=${4-TCP}
|
|
protocol=$(echo $protocol | tr '[:lower:]' '[:upper:]')
|
|
|
|
# Defining absolute path to iptables
|
|
iptables="/sbin/iptables"
|
|
|
|
# Includes
|
|
# shellcheck source=/etc/hestiacp/hestia.conf
|
|
source /etc/hestiacp/hestia.conf
|
|
# shellcheck source=/usr/local/hestia/func/main.sh
|
|
source $HESTIA/func/main.sh
|
|
# shellcheck source=/usr/local/hestia/func/firewall.sh
|
|
source $HESTIA/func/firewall.sh
|
|
# load config file
|
|
source_conf "$HESTIA/conf/hestia.conf"
|
|
|
|
# Get hestia port by reading nginx.conf
|
|
hestiaport=$(grep -m 1 'listen' $HESTIA/nginx/conf/nginx.conf | awk '{print $2}' | sed "s|;||")
|
|
if [ -z "$hestiaport" ]; then
|
|
hestiaport=8083
|
|
fi
|
|
|
|
#----------------------------------------------------------#
|
|
# Verifications #
|
|
#----------------------------------------------------------#
|
|
|
|
check_args '1' "$#" 'CHAIN [PORT] [PROTOCOL]'
|
|
is_format_valid 'chain' 'port_ext' 'protocol'
|
|
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
|
|
|
|
# Perform verification if read-only mode is enabled
|
|
check_hestia_demo_mode
|
|
|
|
#----------------------------------------------------------#
|
|
# Action #
|
|
#----------------------------------------------------------#
|
|
|
|
# Self heal iptables links
|
|
heal_iptables_links
|
|
|
|
# Checking known chains
|
|
case $chain in
|
|
SSH) # Get ssh port by reading ssh config file.
|
|
sshport=$(grep '^Port ' /etc/ssh/sshd_config | head -1 | cut -d ' ' -f 2)
|
|
if [ -z "$sshport" ]; then
|
|
sshport=22
|
|
fi
|
|
port=$sshport
|
|
protocol=TCP
|
|
;;
|
|
FTP)
|
|
port=21
|
|
protocol=TCP
|
|
;;
|
|
MAIL)
|
|
port='25,465,587,110,995,143,993'
|
|
protocol=TCP
|
|
;;
|
|
DNS)
|
|
port=53
|
|
protocol=UDP
|
|
;;
|
|
WEB)
|
|
port='80,443'
|
|
protocol=TCP
|
|
;;
|
|
DB)
|
|
port='3306,5432'
|
|
protocol=TCP
|
|
;;
|
|
HESTIA)
|
|
port=$hestiaport
|
|
protocol=TCP
|
|
;;
|
|
RECIDIVE)
|
|
port='1:65535'
|
|
protocol=TCP
|
|
;;
|
|
*) check_args '2' "$#" 'CHAIN PORT' ;;
|
|
esac
|
|
|
|
# Adding chain
|
|
$iptables -N fail2ban-$chain 2> /dev/null
|
|
if [ $? -eq 0 ]; then
|
|
$iptables -A fail2ban-$chain -j RETURN
|
|
|
|
# Adding multiport module
|
|
if [[ "$port" =~ ,|-|: ]]; then
|
|
port_str="-m multiport --dports $port"
|
|
else
|
|
port_str="--dport $port"
|
|
fi
|
|
$iptables -I INPUT -p $protocol $port_str -j fail2ban-$chain
|
|
fi
|
|
|
|
# Preserving chain
|
|
chains=$HESTIA/data/firewall/chains.conf
|
|
check_chain=$(grep "CHAIN='$chain'" $chains 2> /dev/null)
|
|
if [ -z "$check_chain" ]; then
|
|
echo "CHAIN='$chain' PORT='$port' PROTOCOL='$protocol'" >> $chains
|
|
fi
|
|
|
|
# Changing permissions
|
|
chmod 660 $chains
|
|
|
|
#----------------------------------------------------------#
|
|
# Hestia #
|
|
#----------------------------------------------------------#
|
|
|
|
# Logging
|
|
$BIN/v-log-action "system" "Info" "Firewall" "Added service to firewall (Service: $chain, Port: $port, Protocol: $protocol)."
|
|
log_event "$OK" "$ARGUMENTS"
|
|
|
|
exit
|