replaced iptables-persistent with another iptables-persistent in /etc/init.d; this one also saves ipsets and allows persistence upon reboot. Cleaned up some code, changed debconf variables at iptables-persistent install to false. Still installs iptables-persistent through apt, just to get rid of all the foundation work for it to run, but it is quickly replaced.
This commit is contained in:
parent
9b3a158b72
commit
52410106e9
@ -102,6 +102,4 @@ echo "Done!"
|
||||
# remove the spam list
|
||||
unlink $FILE
|
||||
|
||||
# Persistence
|
||||
ipset save > /etc/ipset.up.rules
|
||||
iptables-save > /etc/iptables.up.rules
|
||||
/etc/init.d/iptables-persistent save
|
@ -3,5 +3,4 @@ curl http://www.okean.com/antispam/iptables/rc.firewall.china > /tmp/china.sh
|
||||
chmod +x /tmp/china.sh
|
||||
source /tmp/china.sh
|
||||
rm -f /tmp/china.sh
|
||||
ipset save > /etc/ipset.up.rules
|
||||
iptables-save > /etc/iptables.up.rules
|
||||
/etc/init.d/iptables-persistent save
|
||||
|
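Review bot: The added `/etc/init.d/iptables-persistent save` persists as the boot-time rule set whatever state the preceding `source /tmp/china.sh` left behind, and nothing in the hunk checks that the fetch in the hunk header succeeded — the context line uses plain `http://` with no `-f`, so an error page or a truncated download is executed as root and its partial result is then saved. At minimum fail before sourcing, e.g. `curl -fsS http://www.okean.com/antispam/iptables/rc.firewall.china -o /tmp/china.sh || exit 1`, and consider a `mktemp` path instead of the fixed `/tmp/china.sh` that root writes to. The korea hunk below has the same shape and the same gap.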
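--- a/conf/blacklist/iptables-persistent
+++ b/conf/blacklist/iptables-persistent
@@ -0,0 +1,182 @@
+#!/bin/sh
+# Written by Simon Richter <sjr@debian.org>
+# modified by Jonathan Wiltshire <jmw@debian.org>
+# with help from Christoph Anton Mitterer
+# and again by Jordan Rinke <me@jordanrinke.com>
+#
+
+### BEGIN INIT INFO
+# Provides: iptables-persistent
+# Required-Start: mountkernfs $local_fs
+# Required-Stop: $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# X-Start-Before: $network
+# X-Stop-After: $network
+# Short-Description: Set up iptables rules
+# Description: Loads/saves current iptables rules from/to /etc/iptables
+# to provide a persistent rule set during boot time
+### END INIT INFO
+
+. /lib/lsb/init-functions
+
+rc=0
+
+load_rules()
+{
+log_action_begin_msg "Loading iptables rules"
+
+#load IPsets
+if [ ! -f /etc/iptables/rules.ipsets ]; then
+log_action_cont_msg " skipping IPsets (no rules to load)"
+else
+log_action_cont_msg " IPset"
+ipset restore -! < /etc/iptables/rules.ipsets 2> /dev/null
+if [ $? -ne 0 ]; then
+rc=1
+fi
+fi
+
+#load IPv4 rules
+if [ ! -f /etc/iptables/rules.v4 ]; then
+log_action_cont_msg " skipping IPv4 (no rules to load)"
+else
+log_action_cont_msg " IPv4"
+iptables-restore < /etc/iptables/rules.v4 2> /dev/null
+if [ $? -ne 0 ]; then
+rc=1
+fi
+fi
+
+#load IPv6 rules
+if [ ! -f /etc/iptables/rules.v6 ]; then
+log_action_cont_msg " skipping IPv6 (no rules to load)"
+else
+log_action_cont_msg " IPv6"
+ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
+if [ $? -ne 0 ]; then
+rc=1
+fi
+fi
+
+log_action_end_msg $rc
+}
+
+save_rules()
+{
+log_action_begin_msg "Saving rules"
+
+#save IPsets
+#need at least iptable_filter loaded:
+if ! ipset list | grep -i "name">/dev/null 2>&1; then
+log_action_cont_msg " skipping IPset - no sets defined or not loaded"
+elif [ -x /usr/sbin/ipset ] || [ -x /sbin/ipset ]; then
+log_action_cont_msg " IPset"
+ipset save | grep -iv "f2b"> /etc/iptables/rules.ipsets
+if [ $? -ne 0 ]; then
+rc=1
+fi
+fi
+
+#save IPv4 rules
+#need at least iptable_filter loaded:
+/sbin/modprobe -q iptable_filter
+if [ ! -f /proc/net/ip_tables_names ]; then
+log_action_cont_msg " skipping IPv4 (no modules loaded)"
+elif [ -x /sbin/iptables-save ]; then
+log_action_cont_msg " IPv4"
+iptables-save > /etc/iptables/rules.v4
+if [ $? -ne 0 ]; then
+rc=1
+fi
+fi
+
+#save IPv6 rules
+#need at least ip6table_filter loaded:
+/sbin/modprobe -q ip6table_filter
+if [ ! -f /proc/net/ip6_tables_names ]; then
+log_action_cont_msg " skipping IPv6 (no modules loaded)"
+elif [ -x /sbin/ip6tables-save ]; then
+log_action_cont_msg " IPv6"
+ip6tables-save > /etc/iptables/rules.v6
+if [ $? -ne 0 ]; then
+rc=1
+fi
+fi
+
+log_action_end_msg $rc
+}
+
+flush_rules()
+{
+log_action_begin_msg "Flushing rules"
+
+if ! ipset list | grep -i "name">/dev/null 2>&1; then
+log_action_cont_msg " skipping IPset (no sets defined or not installed)"
+elif [ -x /usr/sbin/ipset ] || [ -x /sbin/ipset ]; then
+log_action_cont_msg " IPset"
+ipset flush
+fi
+
+
+
+if [ ! -f /proc/net/ip_tables_names ]; then
+log_action_cont_msg " skipping IPv4 (no module loaded)"
+elif [ -x /sbin/iptables ]; then
+log_action_cont_msg " IPv4"
+for param in F Z X; do /sbin/iptables -$param; done
+for table in $(cat /proc/net/ip_tables_names)
+do
+/sbin/iptables -t $table -F
+/sbin/iptables -t $table -Z
+/sbin/iptables -t $table -X
+done
+for chain in INPUT FORWARD OUTPUT
+do
+/sbin/iptables -P $chain ACCEPT
+done
+fi
+
+if [ ! -f /proc/net/ip6_tables_names ]; then
+log_action_cont_msg " skipping IPv6 (no module loaded)"
+elif [ -x /sbin/ip6tables ]; then
+log_action_cont_msg " IPv6"
+for param in F Z X; do /sbin/ip6tables -$param; done
+for table in $(cat /proc/net/ip6_tables_names)
+do
+/sbin/ip6tables -t $table -F
+/sbin/ip6tables -t $table -Z
+/sbin/ip6tables -t $table -X
+done
+for chain in INPUT FORWARD OUTPUT
+do
+/sbin/ip6tables -P $chain ACCEPT
+done
+fi
+
+log_action_end_msg 0
+}
+
+case "$1" in
+start|restart|reload|force-reload)
+load_rules
+;;
+save)
+save_rules
+;;
+stop)
+# Why? because if stop is used, the firewall gets flushed for a variable
+# amount of time during package upgrades, leaving the machine vulnerable
+# It's also not always desirable to flush during purge
+echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
+;;
+flush)
+flush_rules
+;;
+*)
+echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
+exit 1
+;;
+esac
+
+exit $rc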
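Review bot: In save_rules the IPset file is written with `ipset save | grep -iv "f2b"> /etc/iptables/rules.ipsets`, so the `$?` tested on the next line is grep's status, not ipset's — a failing `ipset save` goes unnoticed, and a sets list containing only fail2ban sets makes grep return 1 and sets rc=1 spuriously; saving to the file first and filtering it afterwards lets you check the save command's own status. More important for the defender: the f2b sets are stripped from rules.ipsets, but `iptables-save > /etc/iptables/rules.v4` is not filtered, so if any saved IPv4 rule still references a fail2ban set via `--match-set f2b-...` the boot-time `iptables-restore` in load_rules fails for the whole table, the blacklist DROP rule is never loaded, and the reason is hidden by `2> /dev/null`. Either keep the two saves consistent (e.g. `iptables-save | grep -v -- 'match-set f2b' > /etc/iptables/rules.v4`) or do not strip the sets, and log restore errors instead of discarding them. The stop arm's comment is a welcome explanation; a matching one-line comment on why f2b sets are excluded (`# fail2ban recreates its own sets at start; do not persist them`, if that is the intent) would help the next maintainer.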
@ -3,5 +3,5 @@ curl http://www.okean.com/antispam/iptables/rc.firewall.korea > /tmp/korea.sh
|
||||
chmod +x /tmp/korea.sh
|
||||
source /tmp/korea.sh
|
||||
rm -f /tmp/korea.sh
|
||||
ipset save > /etc/ipset.up.rules
|
||||
iptables-save > /etc/iptables.up.rules
|
||||
/etc/init.d/iptables-persistent save
|
||||
|
||||
|
@ -8,14 +8,15 @@
|
||||
source setup/functions.sh # load our functions
|
||||
source /etc/mailinabox.conf # load global vars
|
||||
|
||||
apt_install -y ipset
|
||||
echo iptables-persistent iptables-persistent/autosave_v4 boolean false | debconf-set-selections
|
||||
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | debconf-set-selections
|
||||
apt_install -y ipset dialog iptables-persistent
|
||||
cp conf/iptables-persistent /etc/init.d/iptables-persistent
|
||||
ipset create blacklist hash:net
|
||||
iptables -I INPUT -m set --match-set blacklist src -j DROP
|
||||
cp conf/blacklist/blacklist /etc/cron.daily/blacklist
|
||||
chmod a+x /etc/cron.daily/blacklist
|
||||
time /etc/cron.daily/blacklist
|
||||
source setup/dialog.sh
|
||||
iptables-save > /etc/iptables.up.rules
|
||||
sed -i -e "\$apre-up ipset restore < /etc/ipset.up.rules" /etc/network/interfaces
|
||||
sed -i -e "\$apost up iptables-restore < /etc/iptables.up.rules" /etc/network/interfaces
|
||||
/etc/init.d/iptables-persistent save
|
||||
echo "Blacklist has been installed. It will run daily automatically."
|
||||
|
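Review bot: `cp conf/iptables-persistent /etc/init.d/iptables-persistent` does not point at the file this commit adds, which lives at `conf/blacklist/iptables-persistent`; unless a copy also exists at `conf/iptables-persistent`, the cp fails, the apt-installed script stays in place and the later `/etc/init.d/iptables-persistent save` will not save the ipsets this change is meant to persist. The line should read `cp conf/blacklist/iptables-persistent /etc/init.d/iptables-persistent`. Note also that the overwritten file is the package's own init script, so a later upgrade of iptables-persistent may replace or prompt about it; a comment such as `# replaces the packaged init script so that ipsets are saved/restored too` would at least record why it is done.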
@ -25,31 +25,23 @@ CHOICE=$(dialog --clear \
|
||||
clear
|
||||
case $CHOICE in
|
||||
1)
|
||||
echo "Ok Mr. Trump"
|
||||
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
|
||||
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
|
||||
echo "Are you Donald Trump?"
|
||||
cp conf/blacklist/china /etc/cron.weekly/china
|
||||
chmod +x /etc/cron.weekly/china
|
||||
time /etc/cron.weekly/china
|
||||
apt-get install -y iptables-persistent
|
||||
;;
|
||||
2)
|
||||
echo "Starting the Korean war again"
|
||||
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
|
||||
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
|
||||
cp conf/blacklist/korea /etc/cron.weekly/korea
|
||||
chmod +x /etc/cron.weekly/korea
|
||||
time /etc/cron.weekly/korea
|
||||
apt-get install -y iptables-persistent
|
||||
;;
|
||||
3)
|
||||
echo "Blocking almost 1/3 of the world"
|
||||
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
|
||||
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
|
||||
cp conf/blacklist/sinokorea /etc/cron.weekly/sinokorea
|
||||
chmod +x /etc/cron.weekly/sinokorea
|
||||
time /etc/cron.weekly/sinokorea
|
||||
apt-get install -y iptables-persistent
|
||||
;;
|
||||
4) break;;
|
||||
4) echo "Doing nothing"
|
||||
;;
|
||||
esac
|