prox-fire 3.15 KB
#!/bin/bash

#    <prox-fire Proxmox-Port öffnen und schließen>
# version: 0.3
#    Copyright (C) <2013>  <Heiko Kokemoor>
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.



EXT_IFACE='eth0'
LO_EXT_IFACE='lo'
IPTABLES='/sbin/iptables'
LOGLEVELDROP='4' # 1=alert,2=critical,3=error,4=warning,5=notice,6=info,7=debug
LOGLEVELACCEPT='4'
PROXPORT='8006'



check_rule_start()
{
        CLIENT_IP=$(echo $SSH_CLIENT | awk '{ print $1}')

        $IPTABLES -L|grep "tcp dpt:$PROXPORT"
}

accept_proxmox()
{
        CLIENT_IP=$(echo $SSH_CLIENT | awk '{ print $1}')
        $IPTABLES -A INPUT -i $EXT_IFACE -p tcp --dport $PROXPORT -s $CLIENT_IP -j ACCEPT
        $IPTABLES -A OUTPUT  -o $EXT_IFACE -p tcp --dport $PROXPORT -d $CLIENT_IP -j ACCEPT
        echo "Port $PROXPORT for IP $CLIENT_IP is unblocked"
}

drop_proxmox()
{       
        CLIENT_IP=$(echo $SSH_CLIENT | awk '{ print $1}')
        
        EI=0
        EO=0
        while [ $EI = 0 ] && [ $EO = 0 ]
        do      
                $IPTABLES -D INPUT -i $EXT_IFACE -p tcp --dport $PROXPORT -s $CLIENT_IP -j ACCEPT 
                EI=$?
                $IPTABLES -D OUTPUT  -o $EXT_IFACE -p tcp --dport $PROXPORT -d $CLIENT_IP -j ACCEPT
                EO=$?
        done 
        echo "Port $PROXPORT for IP $CLIENT_IP is blocked"
}


stop_all()
{       
        C=0
        L=0
        unset Z 
        declare -a Z
         
         A=$(iptables -L -n |grep $PROXPORT |awk '{print $4}'|grep -v 0.0.0.0||iptables -L -n |grep $PROXPORT |awk '{print $5}'|grep -v 0.0.0.0)
        
        while [ $C = 0 ]
                do      
                        L=$(( $L+1 ))
                        Z[$L]=$(echo $A|awk '{ print $'''$L'''}')
                        $IPTABLES -D INPUT -i $EXT_IFACE -p tcp --dport $PROXPORT -s ${Z[$L]} -j ACCEPT   
                        $IPTABLES -D OUTPUT -o $EXT_IFACE -p tcp --dport $PROXPORT -d ${Z[$L]} -j ACCEPT  
                        if [ -z ${Z[$L]} ]
                                then C=1
                        fi
                done
        
        echo "Port $PROXPORT for all IPs blocked"
}

i=$1
 
case $i in
        start)
#               check_rule_start
#               if [  $? = 1 ]
#                       then 
                                accept_proxmox
#               fi              
                
        ;;      
        stop)
               drop_proxmox
        ;;     
        stop-all)
                stop_all
        ;;              
        *)
                echo $(basename $0) '[start|stop|stop-all] - opens a port for the Proxmox Webinterface'
        ;;
esac