yo/reaction
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ip46tables

Browse Source 
wrote `ip46tables` C minimal program to handle both ipv4 and ipv6 at the same time.
fix #22
This commit is contained in:
ppom
2023-10-05 12:00:00 +02:00
parent e56b851d15
commit 92e07f5fe6
8 changed files with 133 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
config/reaction.jsonnet
View File

@ -3,8 +3,10 @@
// JSONNET is a superset of JSON, so one can write plain JSON files if wanted.
// variables defined for later use.
local iptablesban = ['iptables', '-w', '-A', 'reaction', '1', '-s', '<ip>', '-j', 'DROP'];
local iptablesunban = ['iptables', '-w', '-D', 'reaction', '1', '-s', '<ip>', '-j', 'DROP'];
local iptablesban = ['ip46tables', '-w', '-A', 'reaction', '1', '-s', '<ip>', '-j', 'DROP'];
local iptablesunban = ['ip46tables', '-w', '-D', 'reaction', '1', '-s', '<ip>', '-j', 'DROP'];
// ip46tables is a minimal C program (only POSIX dependencies) present as a subdirectory.
// it permits to handle both ipv4/iptables and ipv6/ip6tables commands
{
// patterns are substitued in regexes.

16
config/reaction.service
View File

@ -7,20 +7,22 @@ WantedBy=multi-user.target
ExecStart=/path/to/reaction -c /etc/reaction.yml
# Create an iptables chain for reaction
ExecStartPre=/path/to/iptables -w -N reaction
ExecStartPre=/path/to/ip46tables -w -N reaction
# Set its default to ACCEPT
ExecStartPre=/path/to/iptables -w -A reaction -j ACCEPT
ExecStartPre=/path/to/ip46tables -w -A reaction -j ACCEPT
# Always accept 127.0.0.1
ExecStartPre=/path/to/iptables -w -I reaction 1 -s 127.0.0.1 -j ACCEPT
ExecStartPre=/path/to/ip46tables -w -I reaction 1 -s 127.0.0.1 -j ACCEPT
# Always accept ::1
ExecStartPre=/path/to/ip46tables -w -I reaction 1 -s ::1 -j ACCEPT
# Insert this chain as the first item of the INPUT chain (for incoming connections)
ExecStartPre=/path/to/iptables -w -I INPUT -p all -j reaction
ExecStartPre=/path/to/ip46tables -w -I INPUT -p all -j reaction
# Remove the chain from the INPUT chain
ExecStopPost=/path/to/iptables -w -D INPUT -p all -j reaction
ExecStopPost=/path/to/ip46tables -w -D INPUT -p all -j reaction
# Empty the chain
ExecStopPost=/path/to/iptables -w -F reaction
ExecStopPost=/path/to/ip46tables -w -F reaction
# Delete the chain
ExecStopPost=/path/to/iptables -w -X reaction
ExecStopPost=/path/to/ip46tables -w -X reaction
# Ask systemd to create /var/lib/reaction (/var/lib/ is implicit)
StateDirectory=reaction

25
config/reaction.test.yml
View File

@ -1,25 +0,0 @@
---
patterns:
num:
regex: '[0-9]+'
ip:
regex: '(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:[0-9a-fA-F:]{2,90})'
ignore:
- 1.0.0.1
streams:
tailDown1:
cmd: [ "sh", "-c", "echo 1 2 3 4 5 1 2 3 4 5 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 | tr ' ' '\n' | while read i; do sleep 2; echo found $(($i % 10)); done" ]
filters:
findIP:
regex:
- '^found <num>$'
retry: 3
retryperiod: 30s
actions:
damn:
cmd: [ "echo", "<num>" ]
undamn:
cmd: [ "echo", "undamn", "<num>" ]
after: 30s
onexit: true