239 lines
6.5 KiB
Bash
Executable File
239 lines
6.5 KiB
Bash
Executable File
#!/bin/sh /etc/rc.common
|
|
|
|
USE_PROCD=1
|
|
|
|
START=99
|
|
|
|
NAME=crowdsec-firewall-bouncer
|
|
PROG=/usr/bin/cs-firewall-bouncer
|
|
VARCONFIGDIR=/var/etc/crowdsec/bouncers
|
|
VARCONFIG=/var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
|
|
|
|
CONFIGURATION=crowdsec
|
|
|
|
TABLE="crowdsec"
|
|
TABLE6="crowdsec6"
|
|
|
|
service_triggers() {
|
|
procd_add_reload_trigger crowdsec-firewall-bouncer
|
|
procd_add_config_trigger "config.change" "crowdsec" /etc/init.d/crowdsec-firewall-bouncer reload
|
|
}
|
|
|
|
init_yaml() {
|
|
|
|
local section="$1"
|
|
|
|
local update_frequency
|
|
local log_level
|
|
local api_url
|
|
local api_key
|
|
local ipv6
|
|
local deny_action
|
|
local deny_log
|
|
local log_prefix
|
|
local log_max_size
|
|
local log_max_backups
|
|
local log_max_age
|
|
local ipv4
|
|
local input_chain_name
|
|
local input6_chain_name
|
|
|
|
config_get update_frequency $section update_frequency '10s'
|
|
config_get log_level $section log_level 'info'
|
|
config_get api_url $section api_url "http://127.0.0.1:8080"
|
|
config_get api_key $section api_key "API_KEY"
|
|
config_get_bool ipv6 $section ipv6 '1'
|
|
config_get deny_action $section deny_action "drop"
|
|
config_get_bool deny_log $section deny_log '0'
|
|
config_get log_prefix $section log_prefix "crowdsec: "
|
|
config_get log_max_size $section log_max_size '100'
|
|
config_get log_max_backups $section log_max_backups '3'
|
|
config_get log_max_age $section log_max_age '30'
|
|
config_get_bool ipv4 $section ipv4 '1'
|
|
config_get input_chain_name $section input_chain_name "input"
|
|
config_get input6_chain_name $section input6_chain_name "input"
|
|
|
|
# Create tmp dir & permissions if needed
|
|
if [ ! -d "${VARCONFIGDIR}" ]; then
|
|
mkdir -m 0755 -p "${VARCONFIGDIR}"
|
|
fi;
|
|
|
|
cat > $VARCONFIG <<-EOM
|
|
mode: nftables
|
|
pid_dir: /var/run/
|
|
update_frequency: $update_frequency
|
|
daemonize: true
|
|
log_mode: file
|
|
log_dir: /var/log/
|
|
log_level: $log_level
|
|
log_compression: true
|
|
log_max_size: $log_max_size
|
|
log_max_backups: $log_max_backups
|
|
log_max_age: $log_max_age
|
|
api_url: $api_url
|
|
api_key: $api_key
|
|
insecure_skip_verify: true
|
|
disable_ipv6: boolnot($ipv6)
|
|
deny_action: $deny_action
|
|
deny_log: bool($deny_log)
|
|
supported_decisions_type:
|
|
- ban
|
|
#to change log prefix
|
|
deny_log_prefix: "$log_prefix"
|
|
#to change the blacklists name
|
|
blacklists_ipv4: crowdsec-blacklists
|
|
blacklists_ipv6: crowdsec6-blacklists
|
|
#type of ipset to use
|
|
ipset_type: nethash
|
|
#if present, insert rule in those chains
|
|
iptables_chains:
|
|
- INPUT
|
|
# - FORWARD
|
|
# - DOCKER-USER
|
|
## nftables
|
|
nftables:
|
|
ipv4:
|
|
enabled: bool($ipv4)
|
|
set-only: true
|
|
table: $TABLE
|
|
chain: $input_chain_name
|
|
ipv6:
|
|
enabled: bool($ipv6)
|
|
set-only: true
|
|
table: $TABLE6
|
|
chain: $input6_chain_name
|
|
# packet filter
|
|
pf:
|
|
# an empty disables the anchor
|
|
anchor_name: ""
|
|
prometheus:
|
|
enabled: false
|
|
listen_addr: 127.0.0.1
|
|
listen_port: 60601
|
|
EOM
|
|
|
|
sed -i "s/bool(1)/true/g" $VARCONFIG
|
|
sed -i "s/bool(0)/false/g" $VARCONFIG
|
|
sed -i "s/boolnot(1)/false/g" $VARCONFIG
|
|
sed -i "s/boolnot(0)/true/g" $VARCONFIG
|
|
sed -i "s,^\(\s*api_url\s*:\s*\).*\$,\1$api_url," $VARCONFIG
|
|
sed -i "s,^\(\s*api_key\s*:\s*\).*\$,\1$api_key," $VARCONFIG
|
|
}
|
|
|
|
init_nftables() {
|
|
|
|
local section="$1"
|
|
|
|
local priority
|
|
local deny_action
|
|
local deny_log
|
|
local log_prefix
|
|
local ipv4
|
|
local ipv6
|
|
local filter_input
|
|
local filter_forward
|
|
local input_chain_name
|
|
local forward_chain_name
|
|
local input6_chain_name
|
|
local forward6_chain_name
|
|
local interface
|
|
local log_term=""
|
|
|
|
config_get priority $section priority "4"
|
|
config_get deny_action $section deny_action "drop"
|
|
config_get_bool deny_log $section deny_log '0'
|
|
config_get log_prefix $section log_prefix "crowdsec: "
|
|
config_get_bool ipv4 $section ipv4 '1'
|
|
config_get_bool ipv6 $section ipv6 '1'
|
|
config_get_bool filter_input $section filter_input '1'
|
|
config_get_bool filter_forward $section filter_forward '1'
|
|
config_get input_chain_name $section input_chain_name "input"
|
|
config_get forward_chain_name $section forward_chain_name "forward"
|
|
config_get input6_chain_name $section input6_chain_name "input"
|
|
config_get forward6_chain_name $section forward6_chain_name "forward"
|
|
config_get interface $section interface 'eth1'
|
|
|
|
if [ "$deny_log" -eq "1" ] ; then
|
|
local log_term="log prefix \"${log_prefix}\""
|
|
fi
|
|
|
|
local interface="${interface// /, }"
|
|
|
|
#as of kernel 3.18 we can delete a table without need to flush it
|
|
nft delete table ip crowdsec 2>/dev/null
|
|
nft delete table ip6 crowdsec6 2>/dev/null
|
|
|
|
if [ "$ipv4" -eq "1" ] ; then
|
|
|
|
nft add table ip crowdsec
|
|
nft add set ip crowdsec crowdsec-blacklists '{ type ipv4_addr; flags timeout; }'
|
|
|
|
if [ "$filter_input" -eq "1" ] ; then
|
|
nft add chain ip "$TABLE" $input_chain_name "{ type filter hook input priority $priority; policy accept; }"
|
|
nft add rule ip "$TABLE" $input_chain_name iifname { $interface } ct state new ip saddr @crowdsec-blacklists ${log_term} counter $deny_action
|
|
fi
|
|
if [ "$filter_forward" -eq "1" ] ; then
|
|
nft add chain ip "$TABLE" $forward_chain_name "{ type filter hook forward priority $priority; policy accept; }"
|
|
nft add rule ip "$TABLE" $forward_chain_name iifname { $interface } ct state new ip saddr @crowdsec-blacklists ${log_term} counter $deny_action
|
|
fi
|
|
fi
|
|
|
|
if [ "$ipv6" -eq "1" ] ; then
|
|
|
|
nft add table ip6 crowdsec6
|
|
nft add set ip6 crowdsec6 crowdsec6-blacklists '{ type ipv6_addr; flags timeout; }'
|
|
|
|
if [ "$filter_input" -eq "1" ] ; then
|
|
nft add chain ip6 "$TABLE6" $input6_chain_name "{ type filter hook input priority $priority; policy accept; }"
|
|
nft add rule ip6 "$TABLE6" $input6_chain_name iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action
|
|
fi
|
|
if [ "$filter_forward" -eq "1" ] ; then
|
|
nft add chain ip6 "$TABLE6" $forward6_chain_name "{ type filter hook forward priority $priority; policy accept; }"
|
|
nft add rule ip6 "$TABLE6" $forward6_chain_name iifname { $interface } ct state new ip6 saddr @crowdsec6-blacklists ${log_term} counter $deny_action
|
|
fi
|
|
fi
|
|
}
|
|
|
|
run_bouncer() {
|
|
|
|
local section="$1"
|
|
|
|
local enabled
|
|
config_get_bool enabled $section enabled 0
|
|
|
|
if [ "$enabled" -eq "1" ] ; then
|
|
|
|
init_yaml "$section"
|
|
init_nftables "$section"
|
|
|
|
procd_open_instance
|
|
procd_set_param command "$PROG" -c "$VARCONFIG"
|
|
procd_set_param stdout 1
|
|
procd_set_param stderr 1
|
|
procd_set_param nice 10
|
|
if [ -x "/sbin/ujail" ]; then
|
|
procd_add_jail cs-bouncer log
|
|
procd_add_jail_mount $VARCONFIG
|
|
procd_add_jail_mount_rw /var/log/
|
|
procd_set_param no_new_privs 1
|
|
fi
|
|
procd_close_instance
|
|
fi
|
|
}
|
|
|
|
start_service() {
|
|
|
|
config_load "${CONFIGURATION}"
|
|
config_foreach run_bouncer bouncer
|
|
}
|
|
|
|
service_stopped() {
|
|
|
|
rm $VARCONFIG
|
|
|
|
nft delete table ip crowdsec 2>/dev/null
|
|
nft delete table ip6 crowdsec6 2>/dev/null
|
|
}
|
|
|
|
|