add i_interface2 support

8ce4235c · Vitaly Lipatov · eaee486f · 8ce4235c · 8ce4235c
Commit 8ce4235c authored Sep 12, 2022 by Vitaly Lipatov
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 8 deletions

settings.ini common/etc/eterban/settings.ini +9 -0

eterban_switcher.py gateway/usr/share/eterban/eterban_switcher.py +37 -8

No files found.
--- a/common/etc/eterban/settings.ini
+++ b/common/etc/eterban/settings.ini
 [Settings]
+# blocking requests queue
 #redis_server = 10.20.30.101
+
+# Redirect banned to
 #ban_server = 192.168.0.0
+
+# Input interface
 #i_interface = brlocal
+
+# Secord input interface
+#i_interface2 = brlocal2
+
 #hostname = localhost
--- a/gateway/usr/share/eterban/eterban_switcher.py
+++ b/gateway/usr/share/eterban/eterban_switcher.py
@@ -42,6 +42,7 @@ def parse_config (path_to_config, path_to_log):
    redis_server = config.get("Settings", "redis_server", fallback = "redis_server")
    ban_server = config.get("Settings", "ban_server", fallback = "ban_server")
    i_interface = config.get("Settings", "i_interface", fallback = "i_interface")
+    i_interface2 = config.get("Settings", "i_interface2", fallback = "")
    if redis_server == "redis_server" or ban_server == "ban_server" or i_interface == "i_interface":
        #config.set("Settings", "redis_server", "10.20.30.101")
        #with open(path_to_config, "w") as config_file:
@@ -52,7 +53,7 @@ def parse_config (path_to_config, path_to_log):
            log_file.write(info)
        sys.exit()
    else:
-        return (redis_server, ban_server, i_interface)
+        return (redis_server, ban_server, i_interface, i_interface2)

 def save_ipset_eterban_1():
    global ipset_eterban_1, ipset_firehol, ipset_eterban_white, path_to_eterban
@@ -69,8 +70,7 @@ def restore_ipset_eterban_1():
        subprocess.call (command, shell = True)

 def create_iptables_rules():
-    global ban_server, ipset_eterban_1, ipset_firehol, ipset_eterban_white, i_interface
-    # set maxelem in config
+    global ban_server, ipset_eterban_1, ipset_firehol, ipset_eterban_white, i_interface, i_interface2
    commands=['ipset create ' + ipset_eterban_1 + ' hash:ip maxelem 650000',
        'ipset create ' + ipset_firehol + ' hash:net',
        'ipset create ' + ipset_eterban_white + ' hash:ip',
@@ -83,17 +83,45 @@ def create_iptables_rules():
    for command in commands:
        subprocess.call (command, shell = True)

+    if not i_interface2:
+        return
+
+    commands=[
+        'iptables -t nat -I PREROUTING -i ' + i_interface2 + ' -m set --match-set ' + ipset_firehol + ' src -j DNAT --to-destination ' + ban_server,
+        'iptables -t nat -I PREROUTING -i ' + i_interface2 + ' -m set --match-set ' + ipset_eterban_1 + ' src -j DNAT --to-destination ' + ban_server,
+        'iptables -t nat -I PREROUTING -i ' + i_interface2 + ' -m set --match-set ' + ipset_eterban_white + ' src -j ACCEPT',
+        #'iptables -t nat -I PREROUTING -i ' + i_interface2 + ' -m set ! --match-set ' + ipset_eterban_1 + ' src -d ' + ban_server + ' -p tcp -m multiport --destination-port 80,443 -j DNAT --to-destination ' + ban_server + ':81',
+        #'iptables -t nat -I PREROUTING -i ' + i_interface2 + ' -m set --match-set ' + ipset_eterban_1 + ' src  -p tcp --dport 443 -j DNAT --to-destination ' + ban_server + ':80',
+        'iptables -I FORWARD -i ' + i_interface2 + ' -p tcp -m multiport ! --dport 80,81,443 -m set --match-set ' + ipset_eterban_1 + ' src -j REJECT']
+    for command in commands:
+        subprocess.call (command, shell = True)
+
 def destroy_iptables_rules ():
-    global ban_server, ipset_eterban_1, ipset_firehol, ipset_eterban_white, i_interface
-    commands=['iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_firehol + ' src -j DNAT --to-destination ' + ban_server,
+    global ban_server, ipset_eterban_1, ipset_firehol, ipset_eterban_white, i_interface, i_interface2
+    commands=[
+        'iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_firehol + ' src -j DNAT --to-destination ' + ban_server,
        'iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_eterban_1 + ' src -j DNAT --to-destination ' + ban_server,
        'iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_eterban_white + ' src -j ACCEPT',
        #'iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set ! --match-set ' + ipset_eterban_1 + ' src -d ' + ban_server + ' -p tcp -m multiport --destination-port 80,443 -j DNAT --to-destination ' + ban_server + ':81',
        #'iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_eterban_1 + ' src -p tcp --dport 443 -j DNAT --to-destination ' + ban_server + ':80',
-        'iptables -D FORWARD -i ' + i_interface + ' -p tcp -m multiport ! --dport 80,81,443 -m set --match-set ' + ipset_eterban_1 + ' src -j REJECT'
+        'iptables -D FORWARD -i ' + i_interface + ' -p tcp -m multiport ! --dport 80,81,443 -m set --match-set ' + ipset_eterban_1 + ' src -j REJECT',
        'ipset destroy ' + ipset_eterban_1,
        'ipset destroy ' + ipset_firehol,
        'ipset destroy ' + ipset_eterban_white]
+    for command in commands:
+        subprocess.call (command, shell = True)
+        #print (command)
+
+    if not i_interface2:
+        return
+
+    commands=[
+        'iptables -t nat -D PREROUTING -i ' + i_interface2 + ' -m set --match-set ' + ipset_firehol + ' src -j DNAT --to-destination ' + ban_server,
+        'iptables -t nat -D PREROUTING -i ' + i_interface2 + ' -m set --match-set ' + ipset_eterban_1 + ' src -j DNAT --to-destination ' + ban_server,
+        'iptables -t nat -D PREROUTING -i ' + i_interface2 + ' -m set --match-set ' + ipset_eterban_white + ' src -j ACCEPT',
+        #'iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set ! --match-set ' + ipset_eterban_1 + ' src -d ' + ban_server + ' -p tcp -m multiport --destination-port 80,443 -j DNAT --to-destination ' + ban_server + ':81',
+        #'iptables -t nat -D PREROUTING -i ' + i_interface + ' -m set --match-set ' + ipset_eterban_1 + ' src -p tcp --dport 443 -j DNAT --to-destination ' + ban_server + ':80',
+        'iptables -D FORWARD -i ' + i_interface2 + ' -p tcp -m multiport ! --dport 80,81,443 -m set --match-set ' + ipset_eterban_1 + ' src -j REJECT']

    for command in commands:
        subprocess.call (command, shell = True)
@@ -111,7 +139,7 @@ signal.signal(signal.SIGTERM, exit_gracefully)


 #print ('1')
-redis_server, ban_server, i_interface = parse_config (path_to_config, path_to_log)
+redis_server, ban_server, i_interface, i_interface2 = parse_config (path_to_config, path_to_log)

 #destroy_iptables_rules ()
 #sys.exit()
@@ -168,4 +196,4 @@ for message in p.listen():
        log.write(info)
        log.flush()
    else:
-        pass
+        pass
\ No newline at end of file