Skip to content

ncBash / mcBash

Go to a project
Switch branch/tag
prox-fire 3.15 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 
#!/bin/bash

#    <prox-fire Proxmox-Port öffnen und schließen>
# version: 0.3
#    Copyright (C) <2013>  <Heiko Kokemoor>
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.



EXT_IFACE='eth0'
LO_EXT_IFACE='lo'
IPTABLES='/sbin/iptables'
LOGLEVELDROP='4' # 1=alert,2=critical,3=error,4=warning,5=notice,6=info,7=debug
LOGLEVELACCEPT='4'
PROXPORT='8006'



check_rule_start()
{
        CLIENT_IP=$(echo $SSH_CLIENT | awk '{ print $1}')

        $IPTABLES -L|grep "tcp dpt:$PROXPORT"
}

accept_proxmox()
{
        CLIENT_IP=$(echo $SSH_CLIENT | awk '{ print $1}')
        $IPTABLES -A INPUT -i $EXT_IFACE -p tcp --dport $PROXPORT -s $CLIENT_IP -j ACCEPT
        $IPTABLES -A OUTPUT  -o $EXT_IFACE -p tcp --dport $PROXPORT -d $CLIENT_IP -j ACCEPT
        echo "Port $PROXPORT for IP $CLIENT_IP is unblocked"
}

drop_proxmox()
{       
        CLIENT_IP=$(echo $SSH_CLIENT | awk '{ print $1}')
        
        EI=0
        EO=0
        while [ $EI = 0 ] && [ $EO = 0 ]
        do      
                $IPTABLES -D INPUT -i $EXT_IFACE -p tcp --dport $PROXPORT -s $CLIENT_IP -j ACCEPT 
                EI=$?
                $IPTABLES -D OUTPUT  -o $EXT_IFACE -p tcp --dport $PROXPORT -d $CLIENT_IP -j ACCEPT
                EO=$?
        done 
        echo "Port $PROXPORT for IP $CLIENT_IP is blocked"
}


stop_all()
{       
        C=0
        L=0
        unset Z 
        declare -a Z
         
         A=$(iptables -L -n |grep $PROXPORT |awk '{print $4}'|grep -v 0.0.0.0||iptables -L -n |grep $PROXPORT |awk '{print $5}'|grep -v 0.0.0.0)
        
        while [ $C = 0 ]
                do      
                        L=$(( $L+1 ))
                        Z[$L]=$(echo $A|awk '{ print $'''$L'''}')
                        $IPTABLES -D INPUT -i $EXT_IFACE -p tcp --dport $PROXPORT -s ${Z[$L]} -j ACCEPT   
                        $IPTABLES -D OUTPUT -o $EXT_IFACE -p tcp --dport $PROXPORT -d ${Z[$L]} -j ACCEPT  
                        if [ -z ${Z[$L]} ]
                                then C=1
                        fi
                done
        
        echo "Port $PROXPORT for all IPs blocked"
}

i=$1
 
case $i in
        start)
#               check_rule_start
#               if [  $? = 1 ]
#                       then 
                                accept_proxmox
#               fi              
                
        ;;      
        stop)
               drop_proxmox
        ;;     
        stop-all)
                stop_all
        ;;              
        *)
                echo $(basename $0) '[start|stop|stop-all] - opens a port for the Proxmox Webinterface'
        ;;
esac