Skip to content

Commit d348374

Browse files
jaapmarcusjaapmarcus
committed
Merge branch 'improve-validation-of-ips' into 1.9.0-release
2 parents 3dfb7f9 + 6981f86 commit d348374

6 files changed

Lines changed: 78 additions & 141 deletions

File tree

bin/v-add-firewall-ban

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
#!/bin/bash
22
# info: add firewall blocking rule
3-
# options: IP CHAIN
3+
# options: IPV4_CIDR CHAIN
44
#
55
# example: v-add-firewall-ban 37.120.129.20 MAIL
66
#
@@ -11,7 +11,7 @@
1111
#----------------------------------------------------------#
1212

1313
# Argument definition
14-
ip=$1
14+
ipv4_cidr=$1
1515
chain=$(echo $2 | tr '[:lower:]' '[:upper:]')
1616

1717
# Defining absolute path for iptables and modprobe
@@ -31,8 +31,8 @@ source_conf "$HESTIA/conf/hestia.conf"
3131
# Verifications #
3232
#----------------------------------------------------------#
3333

34-
check_args '2' "$#" 'IP CHAIN'
35-
is_format_valid 'ip' 'chain'
34+
check_args '2' "$#" 'IPV4_CIDR CHAIN'
35+
is_format_valid 'ipv4_cidr' 'chain'
3636
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
3737

3838
# Perform verification if read-only mode is enabled
@@ -46,20 +46,20 @@ check_hestia_demo_mode
4646
heal_iptables_links
4747

4848
# Checking server ip
49-
if [ -e "$HESTIA/data/ips/$ip" ] || [ "$ip" = '127.0.0.1' ]; then
49+
if [ -e "$HESTIA/data/ips/$ipv4_cidr" ] || [ "$ipv4_cidr" = '127.0.0.1' ]; then
5050
exit
5151
fi
5252

5353
# Checking ip exclusions
5454
excludes="$HESTIA/data/firewall/excludes.conf"
55-
check_excludes=$(grep "^$ip$" $excludes 2> /dev/null)
55+
check_excludes=$(grep "^$ipv4_cidr$" $excludes 2> /dev/null)
5656
if [ -n "$check_excludes" ]; then
5757
exit
5858
fi
5959

6060
# Checking ip in banlist
6161
conf="$HESTIA/data/firewall/banlist.conf"
62-
check_ip=$(grep "IP='$ip' CHAIN='$chain'" $conf 2> /dev/null)
62+
check_ip=$(grep "IP='$ipv4_cidr' CHAIN='$chain'" $conf 2> /dev/null)
6363
if [ -n "$check_ip" ]; then
6464
exit
6565
fi
@@ -73,8 +73,8 @@ time=$(echo "$time_n_date" | cut -f 1 -d \ )
7373
date=$(echo "$time_n_date" | cut -f 2 -d \ )
7474

7575
# Adding ip to banlist
76-
echo "IP='$ip' CHAIN='$chain' TIME='$time' DATE='$date'" >> $conf
77-
$iptables -I fail2ban-$chain 1 -s $ip \
76+
echo "IP='$ipv4_cidr' CHAIN='$chain' TIME='$time' DATE='$date'" >> $conf
77+
$iptables -I fail2ban-$chain 1 -s $ipv4_cidr \
7878
-j REJECT --reject-with icmp-port-unreachable 2> /dev/null
7979

8080
# Changing permissions
@@ -85,7 +85,7 @@ chmod 660 $conf
8585
#----------------------------------------------------------#
8686

8787
# Logging
88-
$BIN/v-log-action "system" "Warning" "Firewall" "Banned IP address $ip."
88+
$BIN/v-log-action "system" "Warning" "Firewall" "Banned IP address $ipv4_cidr."
8989
log_event "$OK" "$ARGUMENTS"
9090

9191
exit

bin/v-add-firewall-rule

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
#!/bin/bash
22
# info: add firewall rule
3-
# options: ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]
3+
# options: ACTION IPV4_CIDR PORT [PROTOCOL] [COMMENT] [RULE]
44
#
55
# example: v-add-firewall-rule DROP 185.137.111.77 25
66
#
@@ -12,7 +12,7 @@
1212

1313
# Argument definition
1414
action=$(echo $1 | tr '[:lower:]' '[:upper:]')
15-
ip=$2
15+
ipv4_cidr=$2
1616
port_ext=$3
1717
protocol=${4-TCP}
1818
protocol=$(echo $protocol | tr '[:lower:]' '[:upper:]')
@@ -47,7 +47,7 @@ sort_fw_rules() {
4747
# Verifications #
4848
#----------------------------------------------------------#
4949

50-
check_args '3' "$#" 'ACTION IP PORT [PROTOCOL] [COMMENT] [RULE]'
50+
check_args '3' "$#" 'ACTION IPV4_CIDR PORT [PROTOCOL] [COMMENT] [RULE]'
5151
is_format_valid 'action' 'protocol' 'port_ext'
5252
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
5353
get_next_fw_rule
@@ -56,12 +56,12 @@ is_object_new '../../../data/firewall/rules' 'RULE' "$rule"
5656
if [ -n "$comment" ]; then
5757
is_format_valid 'comment'
5858
fi
59-
if [[ "$ip" =~ ^ipset: ]]; then
60-
ipset_name="${ip#ipset:}"
59+
if [[ "$ipv4_cidr" =~ ^ipset: ]]; then
60+
ipset_name="${ipv4_cidr#ipset:}"
6161
$BIN/v-list-firewall-ipset plain | grep "^$ipset_name\s" > /dev/null
6262
check_result $? 'ipset object not found' "$E_NOTEXIST"
6363
else
64-
is_format_valid 'ip'
64+
is_format_valid 'ipv4_cidr'
6565
fi
6666

6767
# Perform verification if read-only mode is enabled
@@ -78,7 +78,7 @@ date=$(echo "$time_n_date" | cut -f 2 -d \ )
7878

7979
# Concatenating rule
8080
str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'"
81-
str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
81+
str="$str IP='$ipv4_cidr' COMMENT='$comment' SUSPENDED='no'"
8282
str="$str TIME='$time' DATE='$date'"
8383

8484
# Adding to config

bin/v-change-firewall-rule

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
#!/bin/bash
22
# info: change firewall rule
3-
# options: RULE ACTION IP PORT [PROTOCOL] [COMMENT]
3+
# options: RULE ACTION IPV4_CIDR PORT [PROTOCOL] [COMMENT]
44
#
55
# example: v-change-firewall-rule 3 ACCEPT 5.188.123.17 443
66
#
@@ -14,7 +14,7 @@
1414
# Argument definition
1515
rule=$1
1616
action=$(echo $2 | tr '[:lower:]' '[:upper:]')
17-
ip=$3
17+
ipv4_cidr=$3
1818
port_ext=$4
1919
protocol=${5-TCP}
2020
protocol=$(echo $protocol | tr '[:lower:]' '[:upper:]')
@@ -40,20 +40,20 @@ sort_fw_rules() {
4040
# Verifications #
4141
#----------------------------------------------------------#
4242

43-
check_args '4' "$#" 'RULE ACTION IP PORT [PROTOCOL] [COMMENT]'
43+
check_args '4' "$#" 'RULE ACTION IPV4_CIDR PORT [PROTOCOL] [COMMENT]'
4444
is_format_valid 'rule' 'action' 'protocol' 'port_ext'
4545
if [ ! -z "$comment" ]; then
4646
is_format_valid 'comment'
4747
fi
4848
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
4949
is_object_valid '../../../data/firewall/rules' 'RULE' "$rule"
5050

51-
if [[ "$ip" =~ ^ipset: ]]; then
52-
ipset_name="${ip#ipset:}"
51+
if [[ "$ipv4_cidr" =~ ^ipset: ]]; then
52+
ipset_name="${ipv4_cidr#ipset:}"
5353
$BIN/v-list-firewall-ipset plain | grep "^$ipset_name\s" > /dev/null
5454
check_result $? 'ipset object not found' "$E_NOTEXIST"
5555
else
56-
is_format_valid 'ip'
56+
is_format_valid 'ipv4_cidr'
5757
fi
5858

5959
# Perform verification if read-only mode is enabled
@@ -70,7 +70,7 @@ date=$(echo "$time_n_date" | cut -f 2 -d \ )
7070

7171
# Concatenating firewall rule
7272
str="RULE='$rule' ACTION='$action' PROTOCOL='$protocol' PORT='$port_ext'"
73-
str="$str IP='$ip' COMMENT='$comment' SUSPENDED='no'"
73+
str="$str IP='$ipv4_cidr' COMMENT='$comment' SUSPENDED='no'"
7474
str="$str TIME='$time' DATE='$date'"
7575

7676
# Deleting old rule

bin/v-delete-firewall-ban

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
#!/bin/bash
22
# info: delete firewall blocking rule
3-
# options: IP CHAIN
3+
# options: IPV4_CIDR CHAIN
44
#
55
# example: v-delete-firewall-ban 198.11.130.250 MAIL
66
#
@@ -11,7 +11,7 @@
1111
#----------------------------------------------------------#
1212

1313
# Argument definition
14-
ip=$1
14+
ipv4_cidr=$1
1515
chain=$(echo $2 | tr '[:lower:]' '[:upper:]')
1616

1717
# Defining absolute path for iptables and modprobe
@@ -31,8 +31,8 @@ source_conf "$HESTIA/conf/hestia.conf"
3131
# Verifications #
3232
#----------------------------------------------------------#
3333

34-
check_args '2' "$#" 'IP CHAIN'
35-
is_format_valid 'ip' 'chain'
34+
check_args '2' "$#" 'IPV4_CIDR CHAIN'
35+
is_format_valid 'ipv4_cidr' 'chain'
3636
is_system_enabled "$FIREWALL_SYSTEM" 'FIREWALL_SYSTEM'
3737

3838
# Perform verification if read-only mode is enabled
@@ -47,30 +47,30 @@ heal_iptables_links
4747

4848
conf="$HESTIA/data/firewall/banlist.conf"
4949
if [ "$chain" == "ALL" ]; then
50-
check_ip=$(grep "IP='$ip' CHAIN='*'" $conf)
50+
check_ip=$(grep "IP='$ipv4_cidr' CHAIN='*'" $conf)
5151
if [ -z "$check_ip" ]; then
5252
exit
5353
fi
54-
grep "IP='$ip' CHAIN='*'" $conf | while read -r line; do
54+
grep "IP='$ipv4_cidr' CHAIN='*'" $conf | while read -r line; do
5555
parse_object_kv_list $line
5656

5757
# Deleting ip from banlist
5858
sip=$(echo "$IP" | sed "s|/|\\\/|g")
5959
sed -i "/IP='$sip' CHAIN='$CHAIN'/d" $conf
60-
b=$($iptables -L fail2ban-$CHAIN --line-number -n | grep -w $ip | awk '{print $1}')
60+
b=$($iptables -L fail2ban-$CHAIN --line-number -n | grep -w $ipv4_cidr | awk '{print $1}')
6161
$iptables -D fail2ban-$CHAIN $b 2> /dev/null
6262
done
6363
else
6464
# Checking ip in banlist
65-
check_ip=$(grep "IP='$ip' CHAIN='$chain'" $conf 2> /dev/null)
65+
check_ip=$(grep "IP='$ipv4_cidr' CHAIN='$chain'" $conf 2> /dev/null)
6666
if [ -z "$check_ip" ]; then
6767
exit
6868
fi
6969

7070
# Deleting ip from banlist
71-
sip=$(echo "$ip" | sed "s|/|\\\/|g")
71+
sip=$(echo "$ipv4_cidr" | sed "s|/|\\\/|g")
7272
sed -i "/IP='$sip' CHAIN='$chain'/d" $conf
73-
b=$($iptables -L fail2ban-$chain --line-number -n | grep -w $ip | awk '{print $1}')
73+
b=$($iptables -L fail2ban-$chain --line-number -n | grep -w $ipv4_cidr | awk '{print $1}')
7474
$iptables -D fail2ban-$chain $b 2> /dev/null
7575
fi
7676

@@ -82,7 +82,7 @@ chmod 660 $conf
8282
#----------------------------------------------------------#
8383

8484
# Logging
85-
$BIN/v-log-action "system" "Info" "Firewall" "Removed IP from ban list (IP: $ip, Service: $chain)."
85+
$BIN/v-log-action "system" "Info" "Firewall" "Removed IP from ban list (IP: $ipv4_cidr, Service: $chain)."
8686
log_event "$OK" "$ARGUMENTS"
8787

8888
exit

0 commit comments

Comments
 (0)