|
|
@@ -354,14 +354,27 @@ function firewall_add {
|
|
354
|
354
|
if ! grep -q "${firewall_name}=${firewall_port}" $FIREWALL_CONFIG; then
|
|
355
|
355
|
echo "${firewall_name}=${firewall_port}" >> $FIREWALL_CONFIG
|
|
356
|
356
|
if [ ! ${firewall_protocol} ]; then
|
|
357
|
|
- iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
|
|
358
|
|
- iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
|
|
|
357
|
+ iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT
|
|
|
358
|
+ if [ ! "$?" = "0" ]; then
|
|
|
359
|
+ iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
|
|
|
360
|
+ fi
|
|
|
361
|
+
|
|
|
362
|
+ iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT
|
|
|
363
|
+ if [ ! "$?" = "0" ]; then
|
|
|
364
|
+ iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
|
|
|
365
|
+ fi
|
|
359
|
366
|
else
|
|
360
|
367
|
if [[ "${firewall_protocol}" == *"udp"* ]]; then
|
|
361
|
|
- iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
|
|
|
368
|
+ iptables -C INPUT -p udp --dport ${firewall_port} -j ACCEPT
|
|
|
369
|
+ if [ ! "$?" = "0" ]; then
|
|
|
370
|
+ iptables -A INPUT -p udp --dport ${firewall_port} -j ACCEPT
|
|
|
371
|
+ fi
|
|
362
|
372
|
fi
|
|
363
|
373
|
if [[ "${firewall_protocol}" == *"tcp"* ]]; then
|
|
364
|
|
- iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
|
|
|
374
|
+ iptables -C INPUT -p tcp --dport ${firewall_port} -j ACCEPT
|
|
|
375
|
+ if [ ! "$?" = "0" ]; then
|
|
|
376
|
+ iptables -A INPUT -p tcp --dport ${firewall_port} -j ACCEPT
|
|
|
377
|
+ fi
|
|
365
|
378
|
fi
|
|
366
|
379
|
fi
|
|
367
|
380
|
save_firewall_settings
|
|
|
@@ -377,14 +390,26 @@ function firewall_add_range {
|
|
377
|
390
|
if ! grep -q "${firewall_name}=${firewall_port_start}:${firewall_port_end}" $FIREWALL_CONFIG; then
|
|
378
|
391
|
echo "${firewall_name}=${firewall_port_start}:${firewall_port_end}" >> $FIREWALL_CONFIG
|
|
379
|
392
|
if [ ! ${firewall_protocol} ]; then
|
|
380
|
|
- iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
381
|
|
- iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
|
393
|
+ iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
|
394
|
+ if [ ! "$?" = "0" ]; then
|
|
|
395
|
+ iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
|
396
|
+ fi
|
|
|
397
|
+ iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
|
398
|
+ if [ ! "$?" = "0" ]; then
|
|
|
399
|
+ iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
|
400
|
+ fi
|
|
382
|
401
|
else
|
|
383
|
402
|
if [[ "${firewall_protocol}" == *"udp"* ]]; then
|
|
384
|
|
- iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
|
403
|
+ iptables -C INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
|
404
|
+ if [ ! "$?" = "0" ]; then
|
|
|
405
|
+ iptables -A INPUT -p udp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
|
406
|
+ fi
|
|
385
|
407
|
fi
|
|
386
|
408
|
if [[ "${firewall_protocol}" == *"tcp"* ]]; then
|
|
387
|
|
- iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
|
409
|
+ iptables -C INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
|
410
|
+ if [ ! "$?" = "0" ]; then
|
|
|
411
|
+ iptables -A INPUT -p tcp --dport ${firewall_port_start}:${firewall_port_end} -j ACCEPT
|
|
|
412
|
+ fi
|
|
388
|
413
|
fi
|
|
389
|
414
|
fi
|
|
390
|
415
|
save_firewall_settings
|
|
|
@@ -438,16 +463,23 @@ function domain_to_hex_string {
|
|
438
|
463
|
|
|
439
|
464
|
function firewall_block_domain {
|
|
440
|
465
|
blocked_domain="$1"
|
|
|
466
|
+ if [[ "$blocked_domain" == *'@'* ]]; then
|
|
|
467
|
+ # Don't try to block email/microblog addresses
|
|
|
468
|
+ return
|
|
|
469
|
+ fi
|
|
441
|
470
|
if ! grep "$blocked_domain" $FIREWALL_DOMAINS; then
|
|
442
|
471
|
hexstr=$(domain_to_hex_string $blocked_domain)
|
|
443
|
|
- iptables -A INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
444
|
|
- iptables -A INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
445
|
|
- iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
446
|
|
- iptables -A OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
447
|
|
- iptables -I FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
448
|
|
- iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
449
|
|
- echo "${blocked_domain}" >> $FIREWALL_DOMAINS
|
|
450
|
|
- save_firewall_settings
|
|
|
472
|
+ iptables -C INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
|
473
|
+ if [ ! "$?" = "0" ]; then
|
|
|
474
|
+ iptables -A INPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
|
475
|
+ iptables -A INPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
|
476
|
+ iptables -A OUTPUT -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
|
477
|
+ iptables -A OUTPUT -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
|
478
|
+ iptables -I FORWARD -p udp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
|
479
|
+ iptables -I FORWARD -p tcp --dport 53 -m string --hex-string "$hexstr" --algo bm -j DROP
|
|
|
480
|
+ echo "${blocked_domain}" >> $FIREWALL_DOMAINS
|
|
|
481
|
+ save_firewall_settings
|
|
|
482
|
+ fi
|
|
451
|
483
|
|
|
452
|
484
|
# run the blocking rules now
|
|
453
|
485
|
if [ -f /usr/bin/gnusocial-firewall ]; then
|
Bob Mottram
7 jaren geleden