Menu
▾
▴
[Astlinux-commits] SF.net SVN: astlinux:[6706] branches/1.0/package/arnofw
|
From: <abe...@us...> - 2014-09-15 00:49:27
|
Revision: 6706
http://sourceforge.net/p/astlinux/code/6706
Author: abelbeck
Date: 2014-09-15 00:49:22 +0000 (Mon, 15 Sep 2014)
Log Message:
-----------
arnofw, add new SIP User-Agent plugin
Modified Paths:
--------------
branches/1.0/package/arnofw/arnofw.mk
branches/1.0/package/arnofw/arnofw.serial
Added Paths:
-----------
branches/1.0/package/arnofw/sip-user-agent/
branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh
branches/1.0/package/arnofw/sip-user-agent/sip-user-agent.conf
Modified: branches/1.0/package/arnofw/arnofw.mk
===================================================================
--- branches/1.0/package/arnofw/arnofw.mk 2014-09-13 17:24:18 UTC (rev 6705)
+++ branches/1.0/package/arnofw/arnofw.mk 2014-09-15 00:49:22 UTC (rev 6706)
@@ -126,6 +126,13 @@
$(INSTALL) -m 0644 package/arnofw/time-schedule-host-block/time-schedule-host-block.conf \
$(TARGET_DIR)/stat$(ARNOFW_PLUGIN_CONFIG_DIR)/time-schedule-host-block.conf
@echo
+ @echo "Install local version of SIP User-Agent plugin."
+ @echo
+ $(INSTALL) -m 0644 package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh \
+ $(TARGET_DIR)$(ARNOFW_PLUGIN_SCRIPT_DIR)/30sip-user-agent.plugin
+ $(INSTALL) -m 0644 package/arnofw/sip-user-agent/sip-user-agent.conf \
+ $(TARGET_DIR)/stat$(ARNOFW_PLUGIN_CONFIG_DIR)/sip-user-agent.conf
+ @echo
@echo "Install local version of PPTP VPN plugin."
@echo
$(INSTALL) -m 0644 package/arnofw/pptp-vpn/50pptp-vpn.plugin.sh \
Modified: branches/1.0/package/arnofw/arnofw.serial
===================================================================
--- branches/1.0/package/arnofw/arnofw.serial 2014-09-13 17:24:18 UTC (rev 6705)
+++ branches/1.0/package/arnofw/arnofw.serial 2014-09-15 00:49:22 UTC (rev 6706)
@@ -1 +1 @@
-0002~0022~0000~0000~0000~
+0002~0023~0000~0000~0000~
Added: branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh
===================================================================
--- branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh (rev 0)
+++ branches/1.0/package/arnofw/sip-user-agent/30sip-user-agent.plugin.sh 2014-09-15 00:49:22 UTC (rev 6706)
@@ -0,0 +1,183 @@
+# ------------------------------------------------------------------------------
+# -= Arno's iptables firewall - SIP User-Agent plugin =-
+#
+PLUGIN_NAME="SIP User-Agent plugin"
+PLUGIN_VERSION="1.00"
+PLUGIN_CONF_FILE="sip-user-agent.conf"
+#
+# Last changed : September 14, 2014
+# Requirements : kernel 2.6 + AIF 2.0.1 or better
+# Comments : This filters SIP packets via inspection of the User-Agent field.
+#
+# Author : (C) Copyright 2008-2014 by Arno van Amersfoort & Lonnie Abelbeck
+# Homepage : http://rocky.eld.leidenuniv.nl/
+# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
+# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l
+# (note: you must remove all spaces and substitute the @ and the .
+# at the proper locations!)
+# ------------------------------------------------------------------------------
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# version 2 as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# ------------------------------------------------------------------------------
+
+# Plugin start function
+plugin_start()
+{
+ local user_agent user_agents mode ACTION port ports_udp ports_tcp IFS
+
+ # Create new chains:
+ iptables -N SIP_USER_AGENT 2>/dev/null
+ iptables -F SIP_USER_AGENT
+
+ iptables -N SIP_USER_AGENT_DROP 2>/dev/null
+ iptables -F SIP_USER_AGENT_DROP
+
+ if [ -n "$SIP_USER_AGENT_PASS_TYPES" ]; then
+ user_agents="$SIP_USER_AGENT_PASS_TYPES"
+ mode="pass"
+ ACTION="RETURN"
+ else
+ user_agents="${SIP_USER_AGENT_DROP_TYPES:-friendly-scanner sipcli}"
+ mode="drop"
+ ACTION="SIP_USER_AGENT_DROP"
+ fi
+
+ ports_udp="$SIP_USER_AGENT_PORTS_UDP"
+ ports_tcp="$SIP_USER_AGENT_PORTS_TCP"
+
+ if [ -z "$ports_udp" -a -z "$ports_tcp" ]; then
+ ports_udp="5060"
+ fi
+
+ echo "${INDENT}SIP User-Agent(s): $user_agents ($mode mode)"
+ if [ -n "$ports_udp" ]; then
+ echo "${INDENT}SIP User-Agent for EXT->Local UDP Port(s): $ports_udp"
+ fi
+ if [ -n "$ports_tcp" ]; then
+ echo "${INDENT}SIP User-Agent for EXT->Local TCP Port(s): $ports_tcp"
+ fi
+
+ if [ "$SIP_USER_AGENT_LOG" = "1" ]; then
+ echo "${INDENT}Logging of SIP User-Agent Dropped packets: Enabled"
+ iptables -A SIP_USER_AGENT_DROP -m limit --limit 1/m --limit-burst 1 -j LOG \
+ --log-level $LOGLEVEL --log-prefix "AIF:SIP User-Agent Dropped: "
+ else
+ echo "${INDENT}Logging of SIP User-Agent Dropped packets: Disabled"
+ fi
+ iptables -A SIP_USER_AGENT_DROP -j DROP
+
+ unset IFS
+ for user_agent in $user_agents; do
+ iptables -A SIP_USER_AGENT -m string --string "User-Agent: $user_agent" --algo bm --icase -j $ACTION
+ done
+
+ if [ "$mode" = "pass" ]; then
+ iptables -A SIP_USER_AGENT -j SIP_USER_AGENT_DROP
+ fi
+
+ # Insert rules into the main chain:
+ IFS=' ,'
+ for port in $ports_udp; do
+ iptables -A EXT_INPUT_CHAIN -p udp --dport $port -j SIP_USER_AGENT
+ done
+ for port in $ports_tcp; do
+ iptables -A EXT_INPUT_CHAIN -p tcp --dport $port -j SIP_USER_AGENT
+ done
+
+ return 0
+}
+
+
+# Plugin restart function
+plugin_restart()
+{
+
+ # Skip plugin_stop on a restart
+ plugin_start
+
+ return 0
+}
+
+
+# Plugin stop function
+plugin_stop()
+{
+
+ iptables -F SIP_USER_AGENT_DROP
+ iptables -X SIP_USER_AGENT_DROP 2>/dev/null
+
+ iptables -F SIP_USER_AGENT
+ iptables -X SIP_USER_AGENT 2>/dev/null
+
+ return 0
+}
+
+
+# Plugin status function
+plugin_status()
+{
+
+ #iptables -xnvL SIP_USER_AGENT
+ return 0
+}
+
+
+# Check sanity of eg. environment
+plugin_sanity_check()
+{
+ return 0
+}
+
+
+############
+# Mainline #
+############
+
+# Check where to find the config file
+CONF_FILE=""
+if [ -n "$PLUGIN_CONF_PATH" ]; then
+ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
+fi
+
+# Check if the config file exists
+if [ ! -e "$CONF_FILE" ]; then
+ printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2
+ PLUGIN_RET_VAL=0
+else
+ # Source the plugin config file
+ . "$CONF_FILE"
+
+ if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] ||
+ [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] ||
+ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] ||
+ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then
+ # Show who we are:
+ echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION"
+
+ # Increment indention
+ INDENT="$INDENT "
+
+ # Only proceed if environment ok
+ if plugin_sanity_check; then
+ case $PLUGIN_CMD in
+ start|'') plugin_start; PLUGIN_RET_VAL=$?;;
+ restart ) plugin_restart; PLUGIN_RET_VAL=$?;;
+ stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$?;;
+ status ) plugin_status; PLUGIN_RET_VAL=$?;;
+ * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2;;
+ esac
+ fi
+ else
+ PLUGIN_RET_VAL=0
+ fi
+fi
Added: branches/1.0/package/arnofw/sip-user-agent/sip-user-agent.conf
===================================================================
--- branches/1.0/package/arnofw/sip-user-agent/sip-user-agent.conf (rev 0)
+++ branches/1.0/package/arnofw/sip-user-agent/sip-user-agent.conf 2014-09-15 00:49:22 UTC (rev 6706)
@@ -0,0 +1,42 @@
+# ------------------------------------------------------------------------------
+# -= Arno's iptables firewall - SIP User-Agent plugin =-
+# ------------------------------------------------------------------------------
+
+# To actually enable this plugin make ENABLED=1:
+# ------------------------------------------------------------------------------
+ENABLED=0
+
+# This plugin monitors inbound (EXT->Local) SIP sessions on specified ports
+# by inspecting the User-Agent field.
+# No packets are allowed by this plugin, only denied.
+
+# Specify the left-most match of the SIP User-Agent: field, case insensitive.
+# Multiple User-Agent matches are space separated.
+# If matched, the packet continues the evaluation of firewall rules.
+# If not matched, the packet is dropped.
+#
+# Note: If defined, SIP_USER_AGENT_DROP_TYPES is ignored.
+# ------------------------------------------------------------------------------
+SIP_USER_AGENT_PASS_TYPES=""
+
+# Specify the left-most match of the SIP User-Agent: field, case insensitive.
+# Multiple User-Agent matches are space separated.
+# If matched, the packet is dropped.
+# If not matched, the packet continues the evaluation of firewall rules.
+#
+# Note: Ignored if SIP_USER_AGENT_PASS_TYPES is defined.
+# ------------------------------------------------------------------------------
+SIP_USER_AGENT_DROP_TYPES="friendly-scanner sipcli"
+
+# Specify the monitored UDP ports (5060 default)
+# ------------------------------------------------------------------------------
+SIP_USER_AGENT_PORTS_UDP="5060"
+
+# Specify the monitored TCP ports (no default)
+# ------------------------------------------------------------------------------
+SIP_USER_AGENT_PORTS_TCP=""
+
+# Enable logging for dropped packets when set to "1"
+# ------------------------------------------------------------------------------
+SIP_USER_AGENT_LOG=0
+
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
