Firewall with Fail2ban support

Author: serghey-rodin

bin/v-add-firewall-ban

@@ -0,0 +1,78 @@
+#!/bin/bash
+# info: add firewall blocking rule
+# options: IP CHAIN
+#
+# The function adds new blocking rule to system firewall
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Importing system variables
+source /etc/profile
+
+# Argument defenition
+ip=$1
+chain=$(echo $2|tr '[:lower:]' '[:upper:]')
+
+# Defining absolute path for iptables and modprobe
+iptables="/sbin/iptables"
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'IP CHAIN'
+validate_format 'ip' 'chain'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Checking server ip
+if [ -e "$VESTA/data/ips/$ip" ] || [ "$ip" = '127.0.0.1' ]; then
+    exit
+fi
+
+# Checking ip exclusions
+excludes="$VESTA/data/firewall/excludes.conf"
+check_excludes=$(grep "^$ip$" $excludes 2>/dev/null)
+if  [ ! -z "$check_excludes" ]; then
+    exit
+fi
+
+# Checking ip in banlist
+conf="$VESTA/data/firewall/banlist.conf"
+check_ip=$(grep "IP='$ip' CHAIN='$chain'" $conf 2>/dev/null)
+if [ ! -z "$check_ip" ]; then
+    exit
+fi
+
+# Adding chain
+$BIN/v-add-firewall-chain $chain
+
+# Adding ip to banlist
+echo "IP='$ip' CHAIN='$chain' TIME='$TIME' DATE='$DATE'" >> $conf
+$iptables -I fail2ban-$chain 1 -s $ip \
+    -j REJECT --reject-with icmp-port-unreachable 2>/dev/null
+
+# Changing permissions
+chmod 660 $conf
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit

bin/v-add-firewall-chain

@@ -0,0 +1,83 @@
+#!/bin/bash
+# info: add firewall chain
+# options: CHAIN [PORT] [PROTOCOL] [PROTOCOL]
+#
+# The function adds new rule to system firewall
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Importing system variables
+source /etc/profile
+
+# Argument defenition
+chain=$(echo $1 | tr '[:lower:]' '[:upper:]')
+port=$2
+protocol=${4-TCP}
+protocol=$(echo $protocol|tr '[:lower:]' '[:upper:]')
+
+# Defining absolute path to iptables
+iptables="/sbin/iptables"
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'CHAIN [PORT] [PROTOCOL]'
+validate_format 'chain'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Checking known chains
+case $chain in
+    SSH)        port=22; protocol=TCP ;;
+    FTP)        port=21; protocol=TCP  ;;
+    MAIL)       port=25; protocol=TCP  ;;
+    DNS)        port=53; protocol=UDP  ;;
+    HTTP)       port=80; protocol=TCP  ;;
+    HTTPS)      port=443; protocol=TCP  ;;
+    POP3)       port=110; protocol=TCP  ;;
+    IMAP)       port=143; protocol=TCP  ;;
+    MYSQL)      port=3306; protocol=TCP  ;;
+    POSTGRES)   port=5432; protocol=TCP  ;;
+    VESTA)      port=8083; protocol=TCP  ;;
+    *)          check_args '2' "$#" 'CHAIN PORT' ;;
+esac
+
+# Adding chain
+$iptables -N fail2ban-$chain 2>/dev/null
+if [ $? -eq 0 ]; then
+    $iptables -A fail2ban-$chain -j RETURN
+    $iptables -I INPUT -p $protocol --dport $port -j fail2ban-$chain
+fi
+
+# Preserving chain
+chains=$VESTA/data/firewall/chains.conf
+check_chain=$(grep "CHAIN='$chain'" $chains 2>/dev/null)
+if [ -z "$check_chain" ]; then
+    echo "CHAIN='$chain' PORT='$port' PROTOCOL='$protocol'" >> $chains
+fi
+
+# Changing permissions
+chmod 660 $chains
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit

bin/v-add-sys-firewall-rule bin/v-add-firewall-rulebin/v-add-sys-firewall-rule renamed to bin/v-add-firewall-rule

@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: add firewall rule
-# options: ACTION PROTOCOL PORT IP [COMMENT] [RULE]
+# options: ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]
 #
 # The function adds new rule to system firewall
 
@@ -9,11 +9,15 @@
 #                    Variable&Function                     #
 #----------------------------------------------------------#
 
+# Importing system variables
+source /etc/profile
+
 # Argument defenition
 action=$(echo $1|tr '[:lower:]' '[:upper:]')
-protocol=$(echo $2|tr '[:lower:]' '[:upper:]')
+ip=$2
 port_ext=$3
-ip=$4
+protocol=${4-TCP}
+protocol=$(echo $protocol|tr '[:lower:]' '[:upper:]')
 comment=$5
 rule=$6
 
@@ -24,30 +28,30 @@ source $VESTA/conf/vesta.conf
 # Get next firewall rule id
 get_next_fw_rule() {
     if [ -z "$rule" ]; then
-        curr_str=$(grep "RULE=" $VESTA/data/firewall/rules_ipv4.conf |\
+        curr_str=$(grep "RULE=" $VESTA/data/firewall/rules.conf |\
          cut -f 2 -d \' | sort -n | tail -n1)
         rule="$((curr_str +1))"
     fi
 }
 
 sort_fw_rules() {
-    cat $VESTA/data/firewall/rules_ipv4.conf |\
-        sort -n -k 2 -t \' > $VESTA/data/firewall/rules_ipv4.conf.tmp
-    mv -f $VESTA/data/firewall/rules_ipv4.conf.tmp \
-        $VESTA/data/firewall/rules_ipv4.conf
+    cat $VESTA/data/firewall/rules.conf |\
+        sort -n -k 2 -t \' > $VESTA/data/firewall/rules.conf.tmp
+    mv -f $VESTA/data/firewall/rules.conf.tmp \
+        $VESTA/data/firewall/rules.conf
 }
 
 
 #----------------------------------------------------------#
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '4' "$#" 'ACTION PROTOCOL PORT IP [COMMENT] [RULE]'
+check_args '3' "$#" 'ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]'
 validate_format 'action' 'protocol' 'port_ext' 'ip'
 is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
 get_next_fw_rule
 validate_format 'rule'
-is_object_new '../../data/firewall/rules_ipv4' 'RULE' "$rule"
+is_object_new '../../data/firewall/rules' 'RULE' "$rule"
 if [ ! -z "$comment"]; then
     validate_format 'comment'
 fi
@@ -57,22 +61,22 @@ fi
 #                       Action                             #
 #----------------------------------------------------------#
 
-# Concatenating cron string
+# Concatenating rule
 str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'"
 str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
 str="$str TIME='$TIME' DATE='$DATE'"
 
-# Adding to crontab
-echo "$str" >> $VESTA/data/firewall/rules_ipv4.conf
+# Adding to config
+echo "$str" >> $VESTA/data/firewall/rules.conf
 
 # Changing permissions
-chmod 660 $VESTA/data/firewall/rules_ipv4.conf
+chmod 660 $VESTA/data/firewall/rules.conf
 
 # Sorting firewall rules by id number
 sort_fw_rules
 
 # Updating system firewall
-$BIN/v-update-sys-firewall
+$BIN/v-update-firewall
 
 
 #----------------------------------------------------------#

bin/v-change-sys-firewall-rule bin/v-change-firewall-rulebin/v-change-sys-firewall-rule renamed to bin/v-change-firewall-rule

@@ -1,6 +1,6 @@
 #!/bin/bash
 # info: change firewall rule
-# options: RULE ACTION PROTOCOL PORT IP [COMMENT]
+# options: RULE ACTION IP PORT [PROTOCOL] [COMMENT]
 #
 # The function is used for changing existing firewall rule.
 # It fully replace rule with new one but keeps same id.
@@ -10,12 +10,16 @@
 #                    Variable&Function                     #
 #----------------------------------------------------------#
 
+# Importing system variables
+source /etc/profile
+
 # Argument defenition
 rule=$1
 action=$(echo $2|tr '[:lower:]' '[:upper:]')
-protocol=$(echo $3|tr '[:lower:]' '[:upper:]')
+ip=$3
 port_ext=$4
-ip=$5
+protocol=${5-TCP}
+protocol=$(echo $protocol|tr '[:lower:]' '[:upper:]')
 comment=$6
 
 # Includes
@@ -24,21 +28,24 @@ source $VESTA/conf/vesta.conf
 
 # Sort function
 sort_fw_rules() {
-    cat $VESTA/data/firewall/rules_ipv4.conf |\
-        sort -n -k 2 -t \' > $VESTA/data/firewall/rules_ipv4.conf.tmp
-    mv -f $VESTA/data/firewall/rules_ipv4.conf.tmp \
-        $VESTA/data/firewall/rules_ipv4.conf
+    cat $VESTA/data/firewall/rules.conf |\
+        sort -n -k 2 -t \' > $VESTA/data/firewall/rules.conf.tmp
+    mv -f $VESTA/data/firewall/rules.conf.tmp \
+        $VESTA/data/firewall/rules.conf
 }
 
 
 #----------------------------------------------------------#
 #                    Verifications                         #
 #----------------------------------------------------------#
 
-check_args '5' "$#" 'RULE ACTION PROTOCOL PORT IP [COMMENT]'
-validate_format 'rule' 'action' 'protocol' 'port_ext' 'ip' 'comment'
+check_args '5' "$#" 'RULE ACTION IP  PORT [PROTOCOL] [COMMENT]'
+validate_format 'rule' 'action' 'protocol' 'port_ext' 'ip'
+if [ ! -z "$comment" ]; then
+    validate_format 'comment'
+fi
 is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
-is_object_valid '../../data/firewall/rules_ipv4' 'RULE' "$rule"
+is_object_valid '../../data/firewall/rules' 'RULE' "$rule"
 
 
 #----------------------------------------------------------#
@@ -51,16 +58,16 @@ str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
 str="$str TIME='$TIME' DATE='$DATE'"
 
 # Deleting old rule
-sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules_ipv4.conf
+sed -i "/RULE='$rule' /d" $VESTA/data/firewall/rules.conf
 
 # Adding new
-echo "$str" >> $VESTA/data/firewall/rules_ipv4.conf
+echo "$str" >> $VESTA/data/firewall/rules.conf
 
 # Sorting firewall rules by id number
 sort_fw_rules
 
 # Updating system firewall
-$BIN/v-update-sys-firewall
+$BIN/v-update-firewall
 
 
 #----------------------------------------------------------#

bin/v-delete-firewall-ban

@@ -0,0 +1,63 @@
+#!/bin/bash
+# info: delete firewall blocking rule
+# options: IP CHAIN
+#
+# The function deletes blocking rule from system firewall
+
+
+#----------------------------------------------------------#
+#                    Variable&Function                     #
+#----------------------------------------------------------#
+
+# Importing system variables
+source /etc/profile
+
+# Argument defenition
+ip=$1
+chain=$(echo $2|tr '[:lower:]' '[:upper:]')
+
+# Defining absolute path for iptables and modprobe
+iptables="/sbin/iptables"
+
+# Includes
+source $VESTA/func/main.sh
+source $VESTA/conf/vesta.conf
+
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '2' "$#" 'IP CHAIN'
+validate_format 'ip' 'chain'
+is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
+
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Checking ip in banlist
+conf="$VESTA/data/firewall/banlist.conf"
+check_ip=$(grep "IP='$ip' CHAIN='$chain'" $conf 2>/dev/null)
+if [ -z "$check_ip" ]; then
+    exit
+fi
+
+# Deleting ip from banlist
+sed -i "/IP='$ip' CHAIN='$chain'/d" $conf
+$iptables -D fail2ban-$chain -s $ip \
+    -j REJECT --reject-with icmp-port-unreachable 2>/dev/null
+
+# Changing permissions
+chmod 660 $conf
+
+
+#----------------------------------------------------------#
+#                       Vesta                              #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$EVENT"
+
+exit