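#!/bin/bash
#
#!F:reject-masq
#
#!P:/usr/local/sbin
#
#!D:Reject old connections after shutting down ISDN link
#!D: for kernel 2.1.102+ (usage of ipchains)
#
#!C:Copyright 1999 by Peter Bieringer
#!C: Idea taken from reject-masq.c (usage of ipfwadm)
#!C: with Copyright (C) Jochen Roedenbeck 1998
#
#!V:Version 1.01 1999-04-28
#
# Changes to
# 1.01: first published release
#
# Description is taken from reject-masq.c
#
# If dynamic IP address allocation is used to connect the Internet
# all connections become invalid when the ISDN link is shut down.
# Nevertheless data for these old connections can be sent. This program
# installs firewall rules to reject these data and to prevent the ISDN
# system from calling out for a dead connection.
#
# usage:
# a) reject-masq --insert
#
# /proc/net/ip_masquerade is read (via "netstat -M -n"). For each line in
# this table a forwarding firewall rule is installed to reject all packets
# for the connection. A file /var/run/MASQ.* is written containing
# the options for deleting the installed firewall rules.
#
# This command should be used in /etc/ppp/ip-down.
#
# b) reject-masq --delete [time-out value]
#
# /var/run/ is scanned for MASQ.* files. If creation time of the file
# is more than "time-out value" seconds ago the firewall entries
# listed in the file are deleted by calling ipchains. The file
# is deleted, too. If no time-out value is specified 3600s (1h) is
# used.
#
# This command should be called periodically by a crontab entry.
#
# c) reject-masq --deleteall
#
# like b), but delete all firewall entries regardless of time-out value
#
# d) reject-masq -l
#
# list /proc/net/ip_masquerade and /var/run/MASQ.*
#
# Note: the MASQ.* files are re-read and passed to ipchains as argument
# lists, so the directory they live in must only be writable by root.

# A debug value can be set here
#DEBUG=$(( 1 + 128 ))
DEBUG=0
# Bit mask:
#   1: print the command line option given
#   2: print runtime echos
#  64: do not execute ipchains, only print the command
# 128: use file instead of real connections

# Unset variables are programming errors here; positional parameters are
# always read through ${N-} so they stay optional.
set -u

## some functions

#######################################
# Test a bit of the DEBUG mask.
# Arguments: $1 - bit to test (1, 2, 64, 128)
# Returns:   0 if the bit is set, 1 otherwise
#######################################
debugflag() {
  (( DEBUG & $1 ))
}

#######################################
# Print a short usage hint to stdout.
#######################################
usage() {
  echo " Options: (see script contents for details)"
  echo " reject-masq [--insert|--delete [timeout]|--deleteall|--list|-l]"
}

#######################################
# Read the current masquerading table and install a REJECT rule for
# every tcp/udp entry; record each rule in $IPMASQLOCK/$IPMASQLOCKPREFIX.<epoch>
# so --delete / --deleteall can remove it later.
# Globals:   IPMASQEXEC (read), IPMASQLOCK (read), IPMASQLOCKPREFIX (read)
# Outputs:   one " Get: ..." line per rule on stdout
# Returns:   0, or 1 if the lock file cannot be created
#######################################
insertFWrules() {
  local stamp lockfile proto expire srcip dstip srcprt dummy dstprt fwruleinfo
  stamp=$(date +%s)
  lockfile="$IPMASQLOCK/$IPMASQLOCKPREFIX.$stamp"
  # Create the file if missing but never truncate it: a second ip-down within
  # the same second would otherwise discard the rules already recorded and
  # they could never be deleted again.
  : >>"$lockfile" || return 1
  # Field layout follows "netstat -M -n": proto expire src dst sport -> dport (mport)
  "${IPMASQEXEC[@]}" | while read -r proto expire srcip dstip srcprt dummy dstprt dummy; do
    if [ "$proto" = "tcp" ] || [ "$proto" = "udp" ]; then
      echo " Get: $srcip:$srcprt / $dstip:$dstprt"
      fwruleinfo="-p $proto -s $srcip $srcprt -d $dstip $dstprt -j REJECT"
      echo "$fwruleinfo" >>"$lockfile"
      if debugflag 64; then
        echo " Exec: ipchains -I forward $fwruleinfo"
      else
        # word-splitting is intended: $fwruleinfo is an option list
        # shellcheck disable=SC2086
        ipchains -I forward $fwruleinfo
      fi
    fi
  done
}

#######################################
# Delete every rule recorded in one lock file, then remove the file.
# Arguments: $1 - lock file written by insertFWrules
# Outputs:   " Exec: ..." lines on stdout when debug bit 64 is set
#######################################
deleteFWrules() {
  local lockfile=$1
  local -a rule
  while read -r -a rule; do
    (( ${#rule[@]} )) || continue   # ignore empty lines
    if debugflag 64; then
      echo " Exec: ipchains -D forward ${rule[*]}"
    else
      ipchains -D forward "${rule[@]}"
    fi
  done <"$lockfile"
  rm -f -- "$lockfile"
}

## configuration

[ "$DEBUG" != "0" ] && echo "Debug level is $DEBUG"

if debugflag 128; then
  echo " Using file instead of kernel-proc"
  # command (with arguments) that prints the masquerading table
  IPMASQEXEC=(cat ./ip_masquerade)
  # directory holding the lock files
  IPMASQLOCK="."
else
  IPMASQEXEC=(netstat -M -n)
  IPMASQLOCK="/var/run"
fi
readonly IPMASQLOCKPREFIX="MASQ"
# default timeout in seconds
TIMEOUT=3600

## main

if debugflag 1; then
  echo " Option1: ${1-}"
fi

case "${1-}" in
  --insert)
    debugflag 2 && echo " 'insert': start"
    insertFWrules
    debugflag 2 && echo "'insert': done"
    ;;
  --delete)
    debugflag 2 && echo " 'delete': start"
    if [ -n "${2-}" ]; then
      # A non-numeric time-out would make every comparison below fail and
      # silently leave all rules in place, so reject it up front.
      case "$2" in
        *[!0-9]*)
          echo "reject-masq: time-out value must be a number of seconds: $2" >&2
          usage
          exit 1
          ;;
      esac
      TIMEOUT=$2
    fi
    now=$(date +%s)
    for i in "$IPMASQLOCK/$IPMASQLOCKPREFIX".*; do
      [ -f "$i" ] || continue   # unmatched glob stays literal; skip it
      # creation time is encoded after the last dot of the file name
      fwdate=${i##*.}
      case "$fwdate" in
        *[!0-9]*|'')
          echo " Skipping $i: no timestamp in file name" >&2
          continue
          ;;
      esac
      difftime=$(( now - fwdate ))
      # echo "Current time: $now, fwrule: $fwdate, diff: $difftime"
      if [ "$difftime" -ge "$TIMEOUT" ]; then
        debugflag 2 && echo " Rule has reached timeout"
        deleteFWrules "$i"
      fi
    done
    debugflag 2 && echo " 'delete': done"
    ;;
  --deleteall)
    debugflag 2 && echo " 'deleteall': start"
    for i in "$IPMASQLOCK/$IPMASQLOCKPREFIX".*; do
      [ -f "$i" ] || continue
      deleteFWrules "$i"
    done
    debugflag 2 && echo " 'deleteall': done"
    ;;
  -l|--list)
    debugflag 2 && echo " 'list': start"
    echo " List current masquerading information"
    "${IPMASQEXEC[@]}"
    echo " List current installed firewalling rules"
    for i in "$IPMASQLOCK/$IPMASQLOCKPREFIX".*; do
      [ -f "$i" ] || continue
      cat -- "$i"
    done
    debugflag 2 && echo " 'list': done"
    ;;
  *)
    usage
    exit 1
    ;;
esac

# Explicit success: without this the exit status would be that of the last
# "debugflag 2 && echo" (1 when debug bit 2 is off), which makes ip-down and
# cron report a failure on every normal run.
exit 0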