#!/bin/sh post_string="" if [ "$REQUEST_METHOD" = "POST" ]; then read post_string fi for INPUT_INTERFACE in $(ifconfig | grep ^[a-z] | cut -f1 -d ' '); do x=$x+"$INPUT_INTERFACE" done lanip="$(ifconfig | grep -v lan:0 | grep -A 2 lan | awk -F'[ :]+' '/inet addr/{print $4}')" ###POSTBACK INTERFACE if [ "$QUERY_STRING" != "" ] || [ "$post_string" != "" ] || [ "$NHIPT_CONFIG" = "box" ]; then # Ermitteln der Log Datei vom syslogd: logfile="$(ps | grep -v "grep" | grep -e "syslogd" | awk '{i=1; while (i<=20){ if ($i == "-O"){ print $(i+1)}; i++;}}')" # awk Error Lines + 20 = Real Line (awk -v SYSLOGDFILE=$logfile -v IFCS=$x -v PSTR=$post_string -v QSTR=$QUERY_STRING -v LANIP=$lanip 'BEGIN { myIP = ENVIRON["REMOTE_ADDR"]; changed = 0; # FW CONFIGURATION CHANGED dirchanged = 0; # DIRECTORIES CHANGED cfgchanged = 0; # CONFIGURATION SETTINGS CHANGED flashmodified =0; # WRITE TO FLASH NECESSARY noloadmodules =0; # PREVENT MODULE CHANGES ON EXTERNAL CONFIG logtarget=0; loadSettings(); if (ENVIRON["NHIPT_CONFIG"] == "box") {dirchanged=1; cfgchanged=1; login=1} RCOD=myConf["ADMINIP"]; Boot=myConf["BOOT"]; Bootstrap=myConf["BOOTSTRAP"]; if (Boot=="flash"){BootTarget="/tmp/flash/";} if (Boot=="usb"){if (myConf["BOOTDIR"] == ""){BootTarget=myConf["ROOT"] "/";} else {BootTarget=myConf["BOOTDIR"] "/";}} BootTargetOld = BootTarget; gsub(/ /,"",RCOD); if (RCOD > ""){ i = split(RCOD,ipadr,"/"); if (i > 1) {ip = ipadr[1]; mask=ipadr[2];} else {ip = ipadr[1]; mask="255.255.255.255";} if (index(mask,".") == 0) { sm = ""; ma[8]=255; ma[7]=127; ma[6]=63; ma[5]=31; ma[4]=15; ma[3]=7; ma[2]=3; ma[1]=1; ma[0]=0; for (i=1;i<=4;i++){if (mask >=8) {sm = sm "255.";mask=mask-8;} else {sm = sm ma[mask] ".";mask=0;}} mask=sm; } split(myIP,mpar,"."); split(ip,ipar,"."); split(mask,maskar,"."); if ((and(mpar[1],maskar[1]) == and(ipar[1],maskar[1])) && (and(mpar[2],maskar[2]) == and(ipar[2],maskar[2])) && (and(mpar[3],maskar[3]) == and(ipar[3],maskar[3])) && (and(mpar[4],maskar[4]) == and(ipar[4],maskar[4]))) { login=1} else {login=0} } else { login = 1;} if (login==1) { if(myConf["LOGTARGET"] == "syslog"){ logtarget = 1; } else { logtarget = 0; } if (ENVIRON["REQUEST_METHOD"] == "POST" || ENVIRON["NHIPT_CONFIG"] == "box") { n = split(urldecode(PSTR), PA, "&"); for (i=1;i<=n;i++) {split(PA[i], PM, "=");Param[PM[1]] = PM[2]} if (ENVIRON["NHIPT_CONFIG"] == "box") { delete Param; Param["AIRBAG"] = myConf["AIRBAG"] Param["BACDIR"] = ENVIRON["NHIPT_BACK"] Param["LOGDIR"] = ENVIRON["NHIPT_LOGD"] Param["PORT"] = ENVIRON["NHIPT_PORT"] Param["ROOT"] = ENVIRON["NHIPT_ROOT"] Param["SERVERIP"] = ENVIRON["NHIPT_SERVERIP"] Param["ADMIP"] = ENVIRON["NHIPT_ADMINIP"] Param["LOGTO"] = ENVIRON["NHIPT_LOGTARGET"] Param["BOOT"] = ENVIRON["NHIPT_BOOT"] Param["DELAY"] = ENVIRON["NHIPT_DELAY"] Param["DSLDOFF"] = ENVIRON["NHIPT_DSLDOFF"] Param["BOOTDIR"] = ENVIRON["NHIPT_BOOTDIR"] Param["BOOTSTRAP"] = ENVIRON["NHIPT_BOOTSTRAP"] Param["SESAV"] = "save" Param["SETIP"] = "set" myConf["PORT"] = Param["PORT"] if (ENVIRON["NHIPT_START_LOG"] == "start") {Param["STRTLOG"] = "start";} noloadmodules=1; } if (Param["IPV6"] == 1){myCmdPrefix = "ip6";} else {myCmdPrefix = "ip";} table = Param["TABLE"]; targetSet = 0; if (Param["CUTSYSLOG"] > ""){ret = system("> " myConf["LOGD"] "/system.log"); myCmd = "syslog truncated";} if (Param["CUTFWLOG"] > "") {ret = system("> " myConf["LOGD"] "/fw.log"); myCmd = "firewall log truncated";} if (Param["SAVSYSLOG"] > ""){ret = system("mv " myConf["LOGD"] "/system.log " myConf["LOGD"] "/\"$(date +\"%Y-%m-%d-%H-%M-%S\")\"-system.log"); myCmd = "syslog saved";} if (Param["SAVFWLOG"] > "") {ret = system("mv " myConf["LOGD"] "/fw.log " myConf["LOGD"] "/\"$(date +\"%Y-%m-%d-%H-%M-%S\")\"-fw.log" ); myCmd = "firewall log saved";} if (Param["PERSIST"] > "") {ret = persist("all"); myCmd = "Rules & services written to " BootTarget "nhipt.cfg\nold nhipt.cfg saved in " myConf["BACK"];} if (Param["STRTLOG"] > "") {ret = startLogging(); myCmd = "Logging started...";} if (Param["STOPLOG"] > "") {ret = stopLogging(); myCmd = "Logging stopped";} if (Param["GETSTAT"] > "") {checkConfig(); hs["0"] = "...PASSED"; hs["1"] = "...FAILED!"; hs["2"] = "...NOT SAVED!"; for (x in check){ print "STATUS_" x "=" hs[check[x]]; ret += check[x];} myCmd = "Installation Status";} if (logtarget == 1) { # Use System Log if (SYSLOGDFILE > "") { if (Param["GETFWLOG"] > "") {myCmd = "grep 'SRC=' " SYSLOGDFILE ".2 " SYSLOGDFILE ".1 " SYSLOGDFILE ".0 " SYSLOGDFILE " | tail -n 50"; ret = system(myCmd);} if (Param["GETSYSLOG"] > ""){myCmd = "grep -v -E \"DECT|DCT|dect|SRC=\" " SYSLOGDFILE ".2 " SYSLOGDFILE ".1 " SYSLOGDFILE ".0 " SYSLOGDFILE " | tail -n 50"; ret = system(myCmd);} } } else { if (Param["GETFWLOG"] > "") {myCmd = "tail -n 50 " myConf["LOGD"] "/system.log | grep 'SRC='"; ret = system(myCmd);} if (Param["GETFWLOG"] > "") {myCmd = "tail -n 50 " myConf["LOGD"] "/fw.log"; ret = system(myCmd);} } # if (Param["GETFWLOG"] > "") {myCmd = "tail -n 50 " myConf["LOGD"] "/fw.log"; ret = system(myCmd);} # if (Param["GETSYSLOG"] > "") {myCmd = "tail -n 50 " myConf["LOGD"] "/system.log"; ret = system(myCmd);} if (Param["SESAV"] > "") { if (Param["DSLDOFF"] == "") {Param["DSLDOFF"] = 0;} if (myConf["BOOT"] != Param["BOOT"] || myConf["BACK"] != Param["BACDIR"] || Param["ROOT"] > "" || Param["BOOTSTRAP"] > "" || myConf["LOGD"] != Param["LOGDIR"] || myConf["BOOTDIR"] != Param["BOOTDIR"]){dirchanged=1; myCmd = "Saving Settings to " BootTarget "nhipt.par..."; myConf["BOOT"] = Param["BOOT"]; myConf["BACK"] = Param["BACDIR"]; myConf["LOGD"] = Param["LOGDIR"]; if (myConf["BOOTDIR"] != Param["BOOTDIR"]) {myConf["BOOTDIR"] = Param["BOOTDIR"]; Boot="newdir";} if (myConf["ROOT"] != Param["ROOT"] && Param["ROOT"] > "") {myConf["ROOT"] = Param["ROOT"];} if (myConf["BOOTSTRAP"] != Param["BOOTSTRAP"] && Param["BOOTSTRAP"] > "") {myConf["BOOTSTRAP"] = Param["BOOTSTRAP"];}} if (myConf["AIRBAG"] != Param["AIRBAG"]) { cfgchanged=1; if (Param["AIRBAG"] == "1") { ret = startAirbag(); myCmd = "Fasten your Seatbelts..."; } else {ret = stopAirbag(); myCmd = "You are now a big boy...";}} if (myConf["DELAY"] != Param["DELAY"] || myConf["DSLDOFF"] != Param["DSLDOFF"]){ cfgchanged=1; myCmd = "Changing Delay Settings for " BootTarget "nhipt.par..."; myConf["DELAY"] = Param["DELAY"]; myConf["DSLDOFF"] = Param["DSLDOFF"];} if (myConf["LOGTARGET"] != Param["LOGTO"]) { cfgchanged=1; if(myConf["LOGTARGET"] == "syslog"){ logtarget = 1; } else { logtarget = 0; stopLogging();}; myConf["LOGTARGET"] = Param["LOGTO"]; } ret = loadModules(); ret = persist("settings");} if (Param["SETIP"] == "set") {cfgchanged=1; myCmd = ""; myConf["ADMINIP"] = Param["ADMIP"]; persist("settings");} if (Param["EXEC"] == "execute") {myCmd = Param["EXPERT"]; ret = system(myCmd); if (ret==0){changed=1;}; } if (Param["MODE"] == "New") {myCmd = myCmdPrefix "tables -t " table " -N " Param["CHAIN"]; ret = system(myCmd); if (ret==0){changed=1;}} if (Param["DOIT"] == "Insert") {myCmd = ""; iprange = "-m iprange "; multiport = "-m multiport "; state = "-m state "; esp = "-m esp "; ah = "-m ah "; comment = "-m comment "; gsub(/ /,"",Param["S"]); gsub(/ /,"",Param["D"]); gsub(/ /,"",Param["I"]); gsub(/ /,"",Param["O"]); gsub(/ /,"",Param["P"]); gsub(/ /,"",Param["MODULE"]); gsub(/ /,"",Param["SPORT"]); gsub(/ /,"",Param["DPORT"]); if (Param["ROW"] == "A") { myCmd = myCmdPrefix "tables -t " table " -A " Param["CHAIN"] " ";} else {myCmd = myCmdPrefix "tables -t " table " -I " Param["CHAIN"] " " Param["ROW"] " ";} if (myConf["AIRBAG"] == 1 && Param["ROW"] == 1){myCmd = "### AIRBAG FIRED ###" myCmd;} if (index(Param["S"],"!") > 0) { x = "! "; gsub(/!/,"",Param["S"]);} else { x = ""; } if (Param["S"] > "" && index(Param["S"],"-") == 0) {myCmd = myCmd "-s " x Param["S"] " ";} if (Param["S"] > "" && index(Param["S"],"-") > 0) {myCmd = myCmd iprange x "--src-range " Param["S"] " "; iprange="";} if (index(Param["D"],"!") > 0) { x = "! "; gsub(/!/,"",Param["D"]);} else { x = ""; } if (Param["D"] > "" && index(Param["D"],"-") == 0) {myCmd = myCmd "-d " x Param["D"] " ";} if (Param["D"] > "" && index(Param["D"],"-") > 0) {myCmd = myCmd iprange x "--dst-range " Param["D"] " "; iprange="";} if (index(Param["I"],"!") > 0) { x = "! "; gsub(/!/,"",Param["I"]);} else { x = ""; } if (Param["I"] > "") {myCmd = myCmd "-i " x Param["I"] " ";} if (index(Param["O"],"!") > 0) { x = "! "; gsub(/!/,"",Param["O"]);} else { x = ""; } if (Param["O"] > "") {myCmd = myCmd "-o " x Param["O"] " ";} if (index(Param["P"],"!") > 0) { x = "! "; gsub(/!/,"",Param["P"]);} else { x = ""; } if (Param["P"] == "icmp" && Param["EXTRA"] > "") {myCmd = myCmd "-p " x Param["P"] " --icmp-type " Param["EXTRA"] " ";} else if (Param["P"] > "") {myCmd = myCmd "-p " x Param["P"] " ";} if (Param["MODULE"] == "state") { myCmd = myCmd state "--state " Param["EXTRA"] " "; state="";} else if (Param["MODULE"] == "comment") { system("modprobe ipt_comment"); myCmd = myCmd comment "--comment \47" Param["EXTRA"] "\47 "; comment="";} else if (Param["MODULE"] == "ah") { system("modprobe xt_ah"); myCmd = myCmd ah "--ahspi " Param["EXTRA"] " "; ah="";} else if (Param["MODULE"] == "esp") { system("modprobe xt_esp"); myCmd = myCmd esp "--espspi " Param["EXTRA"] " "; esp="";} if (index(Param["SPORT"],"!") > 0) { x = "! "; gsub(/!/,"",Param["SPORT"]);} else { x = ""; } if (Param["SPORT"] > "" && index(Param["SPORT"],",") == 0 && index(Param["SPORT"],":") == 0) {myCmd = myCmd "--sport " x Param["SPORT"] " ";} if (Param["SPORT"] > "" && (index(Param["SPORT"],",") > 0 || index(Param["SPORT"],":") > 0)) {myCmd = myCmd multiport x "--sports " Param["SPORT"] " "; multiport="";} if (index(Param["DPORT"],"!") > 0) { x = "! "; gsub(/!/,"",Param["DPORT"]);} else { x = ""; } if (Param["DPORT"] > "" && index(Param["DPORT"],",") == 0 && index(Param["DPORT"],":") == 0) {myCmd = myCmd "--dport " x Param["DPORT"] " ";} if (Param["DPORT"] > "" && (index(Param["DPORT"],",") > 0 || index(Param["DPORT"],":") > 0)) {myCmd = myCmd multiport x "--dports " Param["DPORT"] " "; multiport="";} if (Param["ACTION"] == "LOG" && Param["EXTRA"] > "") {myCmd = myCmd "-j LOG --log-prefix " Param["EXTRA"] " ";targetSet=1;} if (Param["ACTION"] == "LOG" && Param["EXTRA"] == "") {myCmd = myCmd "-j LOG --log-prefix \"[IPT] \"";targetSet=1;} if (Param["ACTION"] == "LOG" && Param["EXTRA"] == "") {myCmd = myCmd "-j LOG --log-prefix \"[IPT] \"";targetSet=1;} if (Param["ACTION"] == "DNAT" && Param["EXTRA"] > "") {myCmd = myCmd "-j DNAT --to-destination " Param["EXTRA"] " ";targetSet=1;} if (Param["ACTION"] == "SNAT" && Param["EXTRA"] > "") {myCmd = myCmd "-j SNAT --to-source " Param["EXTRA"] " ";targetSet=1;} if (Param["ACTION"] == "MASQUERADE" && Param["EXTRA"] > "") {system("modprobe ipt_MASQUERADE");myCmd = myCmd "-j MASQUERADE --to-ports " Param["EXTRA"] " ";targetSet=1;} if (Param["ACTION"] == "CONNMARK" && Param["EXTRA"] > "") {myCmd = myCmd "-j CONNMARK --set-mark " Param["EXTRA"] " ";targetSet=1;} if (Param["ACTION"] == "REDIRECT" && Param["EXTRA"] > "") {system("modprobe ipt_REDIRECT"); myCmd = myCmd "-j REDIRECT --to-ports " Param["EXTRA"] " ";targetSet=1;} if (Param["ACTION"] == "MARK" && Param["EXTRA"] > "") {system("modprobe xt_MARK\nmodprobe xt_mark"); myCmd = myCmd "-j MARK --set-mark " Param["EXTRA"] " ";targetSet=1;} if (Param["ACTION"] == "NOTRACK") {system("modprobe xt_NOTRACK"); myCmd = myCmd "-j NOTRACK " Param["EXTRA"] " ";targetSet=1;} if (targetSet==0) {myCmd = myCmd "-j " Param["ACTION"];} ret = system(myCmd); if (ret==0){changed=1;} } } else { n = split(urldecode(QSTR), PA, "&"); for (i=1;i<=n;i++) {split(PA[i], PM, "=");Param[PM[1]] = PM[2]} table = Param["TABLE"]; if (Param["IPV6"] == 1){myCmdPrefix = "ip6";} else {myCmdPrefix = "ip";} if (Param["MODE"] != "UP" || Param["MODE"] != "DN") { if (Param["MODE"] == "POL" && Param["POL"] == "DEL") {myCmd = myCmdPrefix "tables -t " table " -X " Param["CHAIN"]; ret = system(myCmd);if (ret==0){changed=1;}} if (Param["MODE"] == "POL" && Param["POL"] == "ACCEPT") {myCmd = myCmdPrefix "tables -t " table " -P " Param["CHAIN"] " ACCEPT"; ret = system(myCmd);if (ret==0){changed=1;}} if (Param["MODE"] == "POL" && Param["POL"] == "DROP") {myCmd = myCmdPrefix "tables -t " table " -P " Param["CHAIN"] " DROP"; ret = system(myCmd);if (ret==0){changed=1;}} if (Param["MODE"] == "DEL") {myCmd = myCmdPrefix "tables -t " table " -D " Param["CHAIN"] " " Param["IDX"]; ret = system(myCmd);if (ret==0){changed=1;}} if (Param["MODE"] == "POL" && Param["POL"] == "PURGE") {myCmd = myCmdPrefix "tables -t " table " -F " Param["CHAIN"]; ret = system(myCmd);if (ret==0){changed=1;}} if (Param["MODE"] == "UP" && Param["IDX"] > 1) { myCmd = "(" myCmdPrefix "tables -t " table " -S " Param["CHAIN"] " " Param["IDX"] ") | awk \47{gsub(/-A/,\"" myCmdPrefix "tables -t " table " -I\",$1);gsub($2,\"& " Param["IDX"]-1 "\",$2); print $0}\47 | sh"; ret = system(myCmd); if (ret==0){changed=1;} print "Exit Code " ret " - " myCmd; if (ret ==0) {myCmd = myCmdPrefix "tables -t " table " -D " Param["CHAIN"] " " Param["IDX"]+1; ret = system(myCmd);if (ret==0){changed=1;}} else {myCmd="";} } if (Param["MODE"] == "DN") { myCmd = "(" myCmdPrefix "tables -t " table " -S " Param["CHAIN"] " " Param["IDX"] ") | awk \47{gsub(/-A/,\"" myCmdPrefix "tables -t " table " -I\",$1);gsub($2,\"& " Param["IDX"]+2 "\",$2); print $0}\47 | sh"; ret = system(myCmd); if (ret==0){changed=1;} print "Exit Code " ret " - " myCmd; if (ret ==0) {myCmd = myCmdPrefix "tables -t " table " -D " Param["CHAIN"] " " Param["IDX"]; ret = system(myCmd); if (ret==0){changed=1;}} else {myCmd="";} } } } if (myConf["AIRBAG"]==1){ checkAirbag();} if (changed==1) {myConf["CHANGED"] = 2; saveSettings(myConf);} print "Exit Code " ret " - " myCmd; if (flashmodified == 1){system("modsave flash");} #for (x in myConf){print "CONFIG_" x " = " myConf[x];} #DEBUG for (x in myConf) {print x "=" myConf[x];} #DEBUG print "QUERY_STRING = " QSTR; #DEBUG print "POST_PARAMS = " PSTR; } else { print "ACCESS DENIED"; } } # end BEGIN function startAirbag(){myConf["AIRBAG"] = 1; if (RCOD > ""){print "...USING " RCOD;} else {RCOD = myConf["ADMINIP"] = myConf["MYIP"];} saveSettings(myConf); return checkAirbag(); } function stopAirbag(){myConf["AIRBAG"] = 0; saveSettings(myConf); return 0; } function checkAirbag(){ # filter INPUT, OUTPUT ret=0; if (myConf["AIRBAG"] == 1) { tst = system("iptables -S INPUT 1 | grep " RCOD " | grep \"ACCEPT\" 1> /dev/null"); if (tst != 0) { system("iptables -t filter -I INPUT 1 -s " RCOD " -j ACCEPT");} if (myModules["ip_conntrack"] == 1){ tst = system("iptables -S OUTPUT 1 | grep " RCOD " | grep \"RELATED,ESTABLISHED\" | grep \"ACCEPT\" 1> /dev/null"); if (tst != 0) {ret += system("iptables -t filter -I OUTPUT 1 -d " RCOD " -m state --state RELATED,ESTABLISHED -j ACCEPT");} } else { tst = system("iptables -S OUTPUT 1 | grep " RCOD " | grep \"ACCEPT\" 1> /dev/null"); if (tst != 0) {ret += system("iptables -t filter -I OUTPUT 1 -d " RCOD " -j ACCEPT");} } if (myModules["iptable_raw"] == 1){ tst = system("iptables -t raw -S PREROUTING 1 | grep " RCOD " | grep \"ACCEPT\" 1> /dev/null"); if (tst != 0) {ret += system("iptables -t raw -I PREROUTING 1 -s " RCOD " -j ACCEPT");} tst = system("iptables -t raw -S OUTPUT 1 | grep " RCOD " | grep \"ACCEPT\" 1> /dev/null"); if (tst != 0) {ret += system("iptables -t raw -I OUTPUT 1 -d " RCOD " -j ACCEPT");} } if (myModules["iptable_mangle"] == 1){ tst = system("iptables -t mangle -S PREROUTING 1 | grep " RCOD " | grep \"ACCEPT\" 1> /dev/null"); if (tst != 0) {ret += system("iptables -t mangle -I PREROUTING 1 -s " RCOD " -j ACCEPT");} tst = system("iptables -t mangle -S INPUT 1 | grep " RCOD " | grep \"ACCEPT\" 1> /dev/null"); if (tst != 0) {ret += system("iptables -t mangle -I INPUT 1 -s " RCOD " -j ACCEPT");} tst = system("iptables -t mangle -S OUTPUT 1 | grep " RCOD " | grep \"ACCEPT\" 1> /dev/null"); if (tst != 0) {ret += system("iptables -t mangle -I OUTPUT 1 -d " RCOD " -j ACCEPT");} tst = system("iptables -t mangle -S POSTROUTING 1 | grep " RCOD " | grep \"ACCEPT\" 1> /dev/null"); if (tst != 0) {ret += system("iptables -t mangle -I POSTROUTING 1 -d " RCOD " -j ACCEPT");} } if (myModules["iptable_nat"] == 1){ tst = system("iptables -t nat -S PREROUTING 1 | grep " RCOD " | grep \"ACCEPT\" 1> /dev/null"); if (tst != 0) {ret += system("iptables -t nat -I PREROUTING 1 -s " RCOD " -j ACCEPT");} tst = system("iptables -t nat -S OUTPUT 1 | grep " RCOnoloadmodules=D " | grep \"ACCEPT\" 1> /dev/null"); if (tst != 0) {ret += system("iptables -t nat -I OUTPUT 1 -d " RCOD " -j ACCEPT");} tst = system("iptables -t nat -S POSTROUTING 1 | grep " RCOD " | grep \"ACCEPT\" 1> /dev/null"); if (tst != 0) {ret += system("iptables -t nat -I POSTROUTING 1 -d " RCOD " -j ACCEPT");} } } return ret; } function loadModules(){ if (noloadmodules==0){ y["main"] = ""; y["ftp"] = "_ftp"; y["h323"] = "_h323"; y["irc"] = "_irc"; y["pptp"] = "_pptp"; y["tftp"] = "_tftp"; ret=0; nat=0; conntrack=0; mangle=0; raw=0; for (x in Param) {if (index(Param[x], "ip_conntrack") > 0) {conntrack=1;} if (index(Param[x], "ip_nat") > 0) {nat=1;} if (index(Param[x], "iptable_mangle") > 0) {mangle=1;} if (index(Param[x], "iptable_raw") > 0) {raw=1;}} if (conntrack==1){Param["ip_conntrack"] = "ip_conntrack";} if (nat==1) {Param["ip_nat"] = "ip_nat"; if (myModules["iptable_nat"] != 1) {system("modprobe iptable_nat"); changed=1;}} else { if (myModules["iptable_nat"] == 1){ system("rmmod ipt_REDIRECT\nrmmod iptable_nat"); changed=1;}} if (mangle==1) {if (myModules["iptable_mangle"] != 1) {system("modprobe iptable_mangle") changed=1;}} else { if (myModules["iptable_mangle"] == 1){ system("rmmod iptable_mangle"); changed=1;}} if (raw==1) {if (myModules["iptable_raw"] != 1) {system("modprobe iptable_raw") changed=1;}} else { if (myModules["iptable_raw"] == 1){ system("rmmod iptable_raw"); changed=1;}} for (x in y){ if (Param["ip_conntrack" y[x]] == ("ip_conntrack" y[x]) && myModules["ip_conntrack" y[x]] != 1) {ret = system("modprobe ip_conntrack" y[x]); print "Loading " x " ..."; changed=1;} else if (Param["ip_conntrack" y[x]] == "" && myModules["ip_conntrack" y[x]] == 1) {ret = system("rmmod ip_conntrack" y[x]); print "Un-Load " x "..."; changed=1;} if (Param["ip_nat" y[x]] == ("ip_nat" y[x]) && myModules["ip_nat" y[x]] != 1) {ret = system("modprobe ip_nat" y[x]); print "Loading " x " ..."; changed=1;} else if (Param["ip_nat" y[x]] == "" && myModules["ip_nat" y[x]] == 1) {ret = system("rmmod ip_nat" y[x]); print "Un-Load " x "..."; changed=1;} } } return ret; } function checkConfig(){ if (RCOD > "") {check["admin_set"] = 0; } else {check["admin_set"] = 1;} check["changed"] = myConf["CHANGED"]; check["iptables"] = system("iptables -S INPUT 1 1> /dev/null"); if (logtarget == 0) { check["directory_log"] = system("ls " myConf["LOGD"] " 1> /dev/null"); check["log_running"] = system("ps | grep -v grep | grep iptlogger 1> /dev/null"); check["log_x_flag"] = system("ls -l /var/tmp/iptlogger.sh | grep x 1> /dev/null"); check["watchdog_file"] = system("ls -l /var/tmp/logfw.sh 1> /dev/null"); check["watchdog_x_flag"] = system("ls -l /var/tmp/logfw.sh | grep x 1> /dev/null"); check["watchdog_running"] = system("ps | grep -v grep | grep logfw 1> /dev/null"); } if (myConf["BACK"]==""){check["directory_backup"] = 0;} else {check["directory_backup"] = system("ls " myConf["BACK"] " 1> /dev/null");} print "modules loaded :"; system("lsmod \| grep \"^ip_\\\|^ipt_\\\|^iptable\\\|^x_\\\|^xt_\" \| awk \47{print $1}\47 \| sort"); } function createWatchdog(){ print "creating watchdog..."; ret = system("(cat < /var/tmp/logfw.sh \n#!/bin/sh\n\nrunning=\\$(ps | grep -v grep | grep -o iptlogger)\ if [ -z \\$running ]\nthen\necho \"starting log deamon\"\nsh /var/tmp/iptlogger.sh\ myexit=0\nwhile [ \\$myexit -eq 0 ]\ndo\nsleep 15\nrunning=\\$(ps | grep -v grep | grep -o iptlogger)\ if [ -z \\$running ]\nthen\necho \"terminating log deamon\"\nmyexit=1\ else\ngrep -E -v \"<4>|DECT|DCT|^$\" /var/tmp/system.log | sed \"s/^/\\$(date +\47%Y-%m-%d %H:%M:%S\47) /\" >> " myConf["LOGD"] "/system.log\ grep \"<4>\" /var/tmp/system.log | sed \"s/^/\\$(date +\47%Y-%m-%d %H:%M:%S\47) /\" >> " myConf["LOGD"] "/fw.log\ echo \"\" > /var/tmp/system.log\ nmyexit=0\nfi\ndone\nelse\necho \"already running, giving up\"\nfi\nEOF\n\n)"); ret += system("chmod +x /var/tmp/logfw.sh"); return ret; } function createIptlogger(){ ret = system("(cat < /var/tmp/iptlogger.sh \ #!/bin/sh\n\nrunning=\\$(ps | grep -v grep | grep -o iptlogger)\nif [ -n \\$running ]\nthen\nexit 1\nfi\ running=\\$(ps | grep -v grep | grep -o logfw)\nif [ -z \\$running ]\nthen\nexit 2\nfi\ cat /dev/debug > /var/tmp/system.log & \nEOF\n\nchmod +x /var/tmp/iptlogger.sh\n\)"); return ret; } function createStartSequence(logtarget){ if (logtarget == 0) { if (myConf["BACK"] == ""){ myBackUp = ""; } else { myBackUp = "cat " BootTargetOld "nhipt.cfg > " myConf["BACK"] "/\"$(date +\"%Y-%m-%d-%H-%M-%S\")\"-nhipt.cfg\n";} ret = system("(" myBackUp "cat < /var/tmp/nhipt.cfg \n#!/bin/sh\n\n" dsldoff bootdelay dsldon "\n\ echo \"#!/bin/sh\" > /var/tmp/logfw.sh\necho \"\" >> /var/tmp/logfw.sh\ echo \47running=\\$(ps | grep -v grep | grep -o iptlogger)\47 >> /var/tmp/logfw.sh\ echo \47if [ -z \\$running ]\47 >> /var/tmp/logfw.sh\ echo \47then\47 >> /var/tmp/logfw.sh\ echo \47echo \"starting log deamon\"\47 >> /var/tmp/logfw.sh\ echo \47sh /var/tmp/iptlogger.sh\47 >> /var/tmp/logfw.sh\ echo \47myexit=0\47 >> /var/tmp/logfw.sh\ echo \47while [ \\$myexit -eq 0 ]\47 >> /var/tmp/logfw.sh\ echo \47do\47 >> /var/tmp/logfw.sh\ echo \47sleep 15\47 >> /var/tmp/logfw.sh\ echo \47running=\\$(ps | grep -v grep | grep -o iptlogger)\47 >> /var/tmp/logfw.sh\ echo \47if [ -z \\$running ]\47 >> /var/tmp/logfw.sh\ echo \47then\47 >> /var/tmp/logfw.sh\ echo \47echo \"terminating log deamon\"\47 >> /var/tmp/logfw.sh\ echo \47myexit=1\47 >> /var/tmp/logfw.sh\ echo \47else\47 >> /var/tmp/logfw.sh\ echo \47grep -E -v \"<4>|DECT|DCT|^$\" /var/tmp/system.log | sed \"s/^/\\$(date +\47\\\47\47%Y-%m-%d %H:%M:%S\47\\\47\47) /\" >> " myConf["LOGD"] "/system.log\47 >> /var/tmp/logfw.sh\ echo \47grep \"<4>\" /var/tmp/system.log | sed \"s/^/\\$(date +\47\\\47\47%Y-%m-%d %H:%M:%S\47\\\47\47) /\" >> " myConf["LOGD"] "/fw.log\47 >> /var/tmp/logfw.sh\ echo \47echo \"\" > /var/tmp/system.log\47 >> /var/tmp/logfw.sh\ echo \47myexit=0\47 >> /var/tmp/logfw.sh\ echo \47fi\47 >> /var/tmp/logfw.sh\ echo \47done\47 >> /var/tmp/logfw.sh\ echo \47else\47 >> /var/tmp/logfw.sh\ echo \47echo \"already running, giving up\"\47 >> /var/tmp/logfw.sh\ echo \47fi\47 >> /var/tmp/logfw.sh\ \nchmod +x /var/tmp/logfw.sh\ cat " BootTarget "nhipt.par > /var/tmp/nhipt.par\n\ echo \"#!/bin/sh\" > /var/tmp/iptlogger.sh\necho \"\" >> /var/tmp/iptlogger.sh\ echo \47running=\\$(ps | grep -v grep | grep -o iptlogger)\47 >> /var/tmp/iptlogger.sh\ echo \47if [ -n \\$running ]\47 >> /var/tmp/iptlogger.sh\ echo \47then\47 >> /var/tmp/iptlogger.sh\ echo \47exit 1\47 >> /var/tmp/iptlogger.sh\ echo \47fi\47 >> /var/tmp/iptlogger.sh\ echo \47running=\\$(ps | grep -v grep | grep -o logfw)\47 >> /var/tmp/iptlogger.sh\ echo \47if [ -z \\$running ]\47 >> /var/tmp/iptlogger.sh\ echo \47then\47 >> /var/tmp/iptlogger.sh\ echo \47exit 2\47 >> /var/tmp/iptlogger.sh\ echo \47fi\47 >> /var/tmp/iptlogger.sh\ echo \"cat /dev/debug > /var/tmp/system.log & \" >> /var/tmp/iptlogger.sh\n\ iptables -P INPUT ACCEPT\niptables -P OUTPUT ACCEPT\niptables -F\niptables -X\ date > /var/tmp/system.log\n\nchmod 777 /var/tmp/system.log \ chmod +x /var/tmp/iptlogger.sh\n\ sh /var/tmp/logfw.sh & \n\ \nEOF\n)\n"); } else { if (myConf["BACK"] == ""){ myBackUp = ""; } else { myBackUp = "cat " BootTargetOld "nhipt.cfg > " myConf["BACK"] "/\"$(date +\"%Y-%m-%d-%H-%M-%S\")\"-nhipt.cfg\n";} ret = system("(" myBackUp "cat < /var/tmp/nhipt.cfg \n#!/bin/sh\n\n" dsldoff bootdelay dsldon "\n\ . /mod/etc/conf/mod.cfg\ echo \"/:\\$MOD_HTTPD_USER:\\$MOD_HTTPD_PASSWD\" > /mod/etc/httpd.conf\n\ httpd -P /var/run/nhipd.pid -p " LANIP ":" myPort " -h " myRoot " -c /mod/etc/httpd.conf -r Freetz\n \ \nEOF\n)\n"); } return ret; } function appendRules(){ ret = system("(cat <> /var/tmp/nhipt.cfg \n\ ###FIREWALL###\n" bootModules() "\n\n \ \nEOF\n)\ if [ -n \"$(iptables -S -t filter | grep -e \47^Table does not exist\47)\" ]; then touch /var/tmp/iptfilter.tmp; else (iptables -t filter -S 2> /dev/null) | awk \47{print \"iptables -t filter \" $0}\47 >> /var/tmp/nhipt.cfg; fi\ if [ -n \"$(iptables -S -t nat | grep -e \47^Table does not exist\47)\" ]; then touch /var/tmp/iptfilter.tmp; else (iptables -t nat -S 2> /dev/null) | awk \47{print \"iptables -t nat \" $0}\47 >> /var/tmp/nhipt.cfg; fi\ if [ -n \"$(iptables -S -t mangle | grep -e \47^Table does not exist\47)\" ]; then touch /var/tmp/iptfilter.tmp; else (iptables -t mangle -S 2> /dev/null) | awk \47{print \"iptables -t mangle \" $0}\47 >> /var/tmp/nhipt.cfg; fi\ if [ -n \"$(iptables -S -t raw | grep -e \47^Table does not exist\47)\" ]; then touch /var/tmp/iptfilter.tmp; else (iptables -t raw -S 2> /dev/null) | awk \47{print \"iptables -t raw \" $0}\47 >> /var/tmp/nhipt.cfg; fi\ if [ -n \"$(ip6tables -S -t filter | grep -e \47^Table does not exist\47)\" ]; then touch /var/tmp/iptfilter.tmp; else (ip6tables -t filter -S 2> /dev/null) | awk \47{print \"ip6tables -t filter \" $0}\47 >> /var/tmp/nhipt.cfg; fi\ if [ -n \"$(ip6tables -S -t mangle | grep -e \47^Table does not exist\47)\" ]; then touch /var/tmp/iptfilter.tmp; else (ip6tables -t mangle -S 2> /dev/null) | awk \47{print \"ip6tables -t mangle \" $0}\47 >> /var/tmp/nhipt.cfg; fi\ if [ -n \"$(ip6tables -S -t raw | grep -e \47^Table does not exist\47)\" ]; then touch /var/tmp/iptfilter.tmp; else (ip6tables -t raw -S 2> /dev/null) | awk \47{print \"ip6tables -t raw \" $0}\47 >> /var/tmp/nhipt.cfg; fi\ cat /var/tmp/nhipt.cfg > " BootTarget "nhipt.cfg"); return ret; } function startLogging(){ if (logtarget == 1) {return 0;} ret = system("ps | grep -v \"grep\" | grep \"iptlogger\""); if (ret == 0) { print "Sevice already running"; return 0;} else { ret = 0; print "Starting Service..."; if (system("test -f /var/tmp/iptlogger.sh") == 0 ) { print "...starting existing service..."; } else { print "...creating iptlogger.sh..."; ret = createIptlogger(); } if (system("test -f /var/tmp/logfw.sh") == 0 ) { print "...starting watchdog"; } else { print "...creating watchdog"; ret = createWatchdog(); } return ret += system("sh /var/tmp/logfw.sh&"); } } function stopLogging() { print "Stopping deamon iptlogger.sh"; ret = system("ps | grep -v grep | grep iptlogger | awk \47{print $1}\47 | xargs kill"); ret += system("ps | grep -v grep | grep logfw | awk \47{print $1}\47 | xargs kill"); return ret; } function persist(mode){ if (dirchanged==1){ ret = system("ls " myConf["LOGD"] " 1> /dev/null"); if (ret != 0){ system("mkdir " myConf["LOGD"]); print "creating " myConf["LOGD"]; } if (myConf["BACK"] != "") { ret = system("ls " myConf["BACK"] " 1> /dev/null"); if (ret != 0){ system("mkdir " myConf["BACK"]); print "creating " myConf["BACK"];}} ret = system("ls " myConf["BOOTDIR"] " 1> /dev/null"); if (ret != 0){ system("mkdir " myConf["BOOTDIR"]); print "creating " myConf["BOOTDIR"]; } } if (Boot!=myConf["BOOT"] || Bootstrap!=myConf["BOOTSTRAP"]){ if (myConf["BOOTSTRAP"] == "freetz"){myBootstrap="/tmp/flash/nhiptboot.cfg"; flashmodified=1;} else {myBootstrap="/var/flash/debug.cfg";} flashmodified = 1; if (myConf["BOOT"]=="flash"){BootTarget="/tmp/flash/";myDelay="";} if (myConf["BOOT"]=="usb"){ if (myConf["BOOTDIR"] == ""){BootTarget=myConf["ROOT"] "/"; myConf["BOOTDIR"]=myConf["ROOT"]} else {BootTarget=myConf["BOOTDIR"] "/";} myDelay= "for i in 1 2 3 4 5 6 7 8\ndo\n sleep 5\necho \"retry $i times\"\n if [ -r " BootTarget "nhipt.par ]\n then\n echo \"usb stick connected\"\n break\n fi \ndone\n\n"; } myCmd = "Saving Settings to " BootTarget "..."; printed=0; system("rm /var/tmp/debug.cfg") if( system("grep \"#NHIPT-START#\" " myBootstrap) == 0) { found = 0; while ((ret = getline test < myBootstrap) > 0) { if (test == "###NHIPT-START###" && found==0){print "###NHIPT-START###\n\n" myDelay "\ncat " BootTarget "nhipt.cfg > /var/tmp/nhipt.cfg\ncat " BootTarget "nhipt.par > /var/tmp/nhipt.par\nchmod +x /var/tmp/nhipt.cfg\n/bin/sh /var/tmp/nhipt.cfg &\n###NHIPT-END###\n" >> "/var/tmp/debug.cfg";printed=1;found=1;} if (found==0 || found==3 ){print test >> "/var/tmp/debug.cfg";} if (found==2){found=3}; if (test == "###NHIPT-END###"){found = 2;print "Found Footer";} } if (ret==0) {close (myBootstrap);} } if (printed==0) {print "###NHIPT-START###\ncat " BootTarget "nhipt.cfg > /var/tmp/nhipt.cfg\ncat " BootTarget "nhipt.par > /var/tmp/nhipt.par\nchmod +x /var/tmp/nhipt.cfg\n/bin/sh /var/tmp/nhipt.cfg\n###NHIPT-END###\n" >> "/var/tmp/debug.cfg";printed=1;} system("cat /var/tmp/debug.cfg > " myBootstrap); mode="all"; print "STAGE0 - bootstrap reconfigured" } if (myConf["DSLDOFF"] == 1) {dsldoff = "dsld -s\n"; dsldon = "dsld -i -n\n";} else {dsldoff=""; dsldon=""; } if (myConf["DELAY"] > 0) {bootdelay = "sleep " myConf["DELAY"] "\n";} else {bootdelay = ""; dsldoff=""; dsldon="";} if (mode=="all"){ # SAVE ALL cfgchanged=1; ret = createStartSequence(logtarget); ret += appendRules(); print "STAGE1 - complete bootfile written"; if (ret==0){myConf["CHANGED"]=0; ret=saveSettings(myConf);} if (myConf["BOOT"] == "flash") {flashmodified=1;} } else if(cfgchanged == 1 || dirchanged == 1) { #SAVE CONFIG AND BOOTLOADER ret = createStartSequence(logtarget); print "STAGE2 - bootloader only written"; # APPEND SAVED FIREWALL RULES found = 0; while ((ret = getline test < "" BootTargetOld "nhipt.cfg") > 0) { if (test == "###FIREWALL###"){found = 1;} if (found == 1){print test >> "/var/tmp/nhipt.cfg";} } if (ret==0) {close ("" BootTargetOld "nhipt.cfg");} ret = system("cat /var/tmp/nhipt.cfg > " BootTarget "nhipt.cfg"); print "STAGE3 - preserved rules appended"; tmpCnfChg = myConf["CHANGED"]; myConf["CHANGED"]=0; cfgchanged=1; ret += saveSettings(myConf); myConf["CHANGED"] = tmpCnfChg; saveSettings(myConf); if (myConf["BOOT"] == "flash") {flashmodified=1;} } else { myCmd = "Nothing to save"; ret=0; } return ret; } function bootModules(){ strRet = "" system("lsmod \| grep \"^ip_\\\|^ipt_\\\|^iptable\\\|^x_\\\|^xt_\" \| awk \47{print $1}\47 \| sort > /var/tmp/nhipt.yyy"); system("lsmod \| grep \"^ip6_\\\|^ip6t_\\\|^ip6table\" \| awk \47{print $1}\47 \| sort >> /var/tmp/nhipt.yyy"); while((stat = getline test < "/var/tmp/nhipt.yyy") > 0) { strRet = strRet "modprobe " test "\n" ;} if (stat==0) { close("/var/tmp/nhipt.yyy");} return strRet; } function loadSettings(){ system("lsmod \| grep \"^ip_\\\|^ipt_\\\|^iptable\\\|^x_\\\|^xt_\" \| awk \47{print $1}\47 \| sort > /var/tmp/nhipt.yyy"); while((stat = getline test < "/var/tmp/nhipt.yyy") > 0) { myModules[test] = 1; } if (stat==0) { close("/var/tmp/nhipt.yyy");} while ((stat = getline test < "/var/tmp/nhipt.par") > 0) { split(test ,par,"=");myConf[par[1]] = par[2]; } if (stat==-1) {print "Parameter file not found in RAM-disk, loading boot settings"; system("cat " BootTarget "nhipt.par > /var/tmp/nhipt.par"); while ((stat = getline test < "/var/tmp/nhipt.par") > 0) { split(test ,par,"=");myConf[par[1]] = par[2]; } } if (stat==0) { close("/var/tmp/nhipt.par");} if (myConf["PORT"] > "") { myPort = myConf["PORT"]} else {myPort = substr(ENVIRON["HTTP_REFERER"],index(ENVIRON["HTTP_REFERER"],".")); myPort = substr(myPort, index(myPort,":")+1); myPort = substr(myPort,1,index(myPort,"/")-1); myConf["PORT"] = myPort;} if (myConf["ROOT"] > "") { myRoot = myConf["ROOT"]} else {myRoot = substr(ENVIRON["SCRIPT_FILENAME"],1,index(ENVIRON["SCRIPT_FILENAME"],"cgi-bin")-2);; myConf["ROOT"] = myRoot;} # if (myConf["BACK"] == "") { myConf["BACK"] = myRoot;} if (myConf["LOGD"] == "") { myConf["LOGD"] = myRoot;} myConf["MYIP"] = myIP; return stat; } function saveSettings(Settings){ ret = system("rm /var/tmp/nhipt.par"); for (s in Settings){ret += system("echo \"" s "=" Settings[s] "\" >> /var/tmp/nhipt.par"); } if (flashmodified == 1 || dirchanged == 1 || cfgchanged == 1){ ret += system("cat /var/tmp/nhipt.par > " BootTarget "nhipt.par"); print "STAGE4 - settings saved"; if (dirchanged == 1 && logtarget == 0) { logDeamonIsRunning = system("ps | grep -v grep | grep iptlogger 1> /dev/null"); if (logDeamonIsRunning == 0) { ret=stopLogging(); ret=createIptlogger(); ret+=createWatchdog(); ret+=startLogging(); print "STAGE5 - fw and system log reconfigured";} } ## Remove orphaned boot files if (BootTargetOld != BootTarget){ system("rm " BootTargetOld "/nhipt.*"); print "STAGE5 - housekeeping after transfer";} dirchanged=0; cfgchanged=0; } return ret; } function urldecode (s) { hextab["0"] = 0; hextab["8"] = 8; hextab["1"] = 1; hextab["9"] = 9; hextab["2"] = 2; hextab["A"] = hextab["a"] = 10; hextab["3"] = 3; hextab["B"] = hextab["b"] = 11; hextab["4"] = 4; hextab["C"] = hextab["c"] = 12; hextab["5"] = 5; hextab["D"] = hextab["d"] = 13; hextab["6"] = 6; hextab["E"] = hextab["e"] = 14; hextab["7"] = 7; hextab["F"] = hextab["f"] = 15; decoded = ""; i = 1;RELATED,ESTABLISHED len = length (s); while ( i <= len ) { c = substr (s, i, 1); if ( c == "%" ) { if ( i+2 <= len ) { c1 = substr (s, i+1, 1); c2 = substr (s, i+2, 1); if ( hextab[c1] == "" || hextab[c2] == "" ) { print "WARNING: invalid hex encoding: %" c1 c2 | "cat >&2"; } else { code = 0 + hextab[c1] * 16 + hextab[c2] + 0; c = sprintf ("%c", code); i = i + 2; } } else { print "WARNING: invalid % encoding: " substr (s, i, len - i) | "cat >&2"; } } else if ( c == "+" ) { c = " "; } decoded = decoded c; i++; } return decoded; } # end urldecode { } # end main END { }' 2>&1) >> /var/tmp/nhipt.log fi if [ "$NHIPT_CONFIG" = "box" ]; then echo "iptables reconfigured" else ### HTML FORM touch /var/tmp/iptfilter.tmp; touch /var/tmp/iptnat.tmp; touch /var/tmp/iptmangle.tmp; touch /var/tmp/iptraw.tmp; touch /var/tmp/ip6tfilter.tmp; touch /var/tmp/ip6tmangle.tmp; touch /var/tmp/ip6traw.tmp; if [ -n "$(iptables -S -t filter | grep -e '^Table does not exist')" ]; then touch /var/tmp/iptfilter.tmp; else iptables -t filter -S > /var/tmp/iptfilter.tmp; fi if [ -n "$(iptables -S -t nat | grep -e '^Table does not exist')" ]; then touch /var/tmp/iptnat.tmp; else iptables -t nat -S > /var/tmp/iptnat.tmp; fi if [ -n "$(iptables -S -t mangle | grep -e '^Table does not exist')" ]; then touch /var/tmp/iptmangle.tmp; else iptables -t mangle -S > /var/tmp/iptmangle.tmp; fi if [ -n "$(iptables -S -t raw | grep -e '^Table does not exist')" ]; then touch /var/tmp/iptraw.tmp; else iptables -t raw -S > /var/tmp/iptraw.tmp; fi if [ -n "$(ip6tables -S -t filter | grep -e '^-sh: ip6tables: not found')" ]; then touch /var/tmp/ip6tfilter.tmp; touch /var/tmp/ip6tmangle.tmp; touch /var/tmp/ip6traw.tmp; else if [ -n "$(ip6tables -S -t filter | grep -e '^Table does not exist')" ]; then touch /var/tmp/ip6tfilter.tmp; else ip6tables -t filter -S > /var/tmp/ip6tfilter.tmp; fi if [ -n "$(ip6tables -S -t mangle | grep -e '^Table does not exist')" ]; then touch /var/tmp/ip6tmangle.tmp; else ip6tables -t mangle -S > /var/tmp/ip6tmangle.tmp; fi if [ -n "$(ip6tables -S -t raw | grep -e '^Table does not exist')" ]; then touch /var/tmp/ip6traw.tmp; else ip6tables -t raw -S > /var/tmp/ip6traw.tmp; fi fi echo "$(awk -v IFCS=$x -v PSTR=$post_string -v QSTR=$QUERY_STRING 'BEGIN { print "Content-type: text/html" print "" print ""; print ""; print ""; print "NHIPT - IPTABLES FIREWALL ADMIN INTERFACE FOR FRITZ!BOX"; print ""; print ""; print ""; print ""; print ""; print ""; print ""; exitSwitch=0; BoxType = substr(ENVIRON["CONFIG_PRODUKT"],index(ENVIRON["CONFIG_PRODUKT"],"Box_") + 4, 2); system("lsmod \| grep \"^ip_\\\|^ipt_\\\|^iptable\\\|^x_\\\|^xt_\" \| awk \47{print $1}\47 \| sort > /var/tmp/nhipt.yyy"); ip6enabled = system("lsmod | grep -e \47^ipv6\47 1> /dev/null"); while((stat = getline test < "/var/tmp/nhipt.yyy") > 0) { myModules[test] = 1;} if (stat==0) { close("/var/tmp/nhipt.yyy"); system("rm /var/tmp/nhipt.yyy");} while ((stat = getline test < "/var/tmp/nhipt.par") > 0) { split(test,par,"=");myConf[par[1]] = par[2]; } RCOD=myConf["ADMINIP"]; if (stat==-1) {system("cat " BootTarget "nhipt.par > /var/tmp/nhipt.par"); while ((stat = getline test < "/var/tmp/nhipt.par") > 0) { split(test,par,"=");myConf[par[1]] = par[2]; }} if (stat==0) { close("/var/tmp/nhipt.par");} if (myConf["PORT"] > "") { myPort = myConf["PORT"]} else {myPort = substr(ENVIRON["HTTP_REFERER"],index(ENVIRON["HTTP_REFERER"],".")); myPort = substr(myPort, index(myPort,":")+1); myPort = substr(myPort,1,index(myPort,"/")-1); myConf["PORT"] = myPort;} if (myConf["ROOT"] > "") { myRoot = myConf["ROOT"]} else {myRoot = substr(ENVIRON["SCRIPT_FILENAME"],1,index(ENVIRON["SCRIPT_FILENAME"],"cgi-bin")-2); myConf["ROOT"] = myRoot;} # if (myConf["BACK"] == "") { myConf["BACK"] = myRoot;} if (myConf["LOGD"] == "") { myConf["LOGD"] = myRoot;} myConf["MYIP"] = myIP = ENVIRON["REMOTE_ADDR"]; #CHECK LOGIN CREDENTIALS gsub(/ /,"",RCOD); if (RCOD > ""){ i = split(RCOD,ipadr,"/"); if (i > 1) {ip = ipadr[1]; mask=ipadr[2];} else {ip = ipadr[1]; mask="255.255.255.255";} if (index(mask,".") == 0) { sm = ""; ma[8]=255; ma[7]=127; ma[6]=63; ma[5]=31; ma[4]=15; ma[3]=7; ma[2]=3; ma[1]=1; ma[0]=0; for (i=1;i<=4;i++){if (mask >=8) {sm = sm "255.";mask=mask-8;} else {sm = sm ma[mask] ".";mask=0;}} mask=sm; } split(myIP,mpar,"."); split(ip,ipar,"."); split(mask,maskar,"."); if ((and(mpar[1],maskar[1]) == and(ipar[1],maskar[1])) && (and(mpar[2],maskar[2]) == and(ipar[2],maskar[2])) && (and(mpar[3],maskar[3]) == and(ipar[3],maskar[3])) && (and(mpar[4],maskar[4]) == and(ipar[4],maskar[4]))) { login=1} else {login=0} } else { login = 1;} #END CHECK if(login != 1){print "


ACCESS DENIED FROM IP : " myIP "

\n\n"; exitSwitch=1; exit 0;}; myURL = ENVIRON["SCRIPT_NAME"]; admIP = RCOD; settingsPrinted = 0; myIP = ENVIRON["REMOTE_ADDR"]; n = split(QSTR, PA, "&"); for (i=1;i<=n;i++) {split(PA[i], PM, "=");Param[PM[1]] = PM[2]} CurrentJumpMark = Param["J"]; if (Param["MODE"]=="EDT"){ editRule=1; } else {editRule = 0} JumpMark = (CurrentJumpMark + 1) % 9; if (admIP == "") { ifcIP = myIP; ipStr = "SET ";} else { ifcIP = admIP; ipStr = "CHANGE ";} check["log_deamon"] = system("ps | grep -v grep | grep iptlogger 1> /dev/null"); check["changed"] = myConf["CHANGED"]; check["AIRBAG"] = myConf["AIRBAG"]; if (myConf["LOGTARGET"] == "syslog") { nolog=1; } else { nolog=0; } print ""; i = 0; formPrinted = 0; inSubTable = 0; nTables = 0; nCChains = 0; delete Chains; delete CChains; myFile = "ipt.tmp" # INERFACES DROP-DOWN n = split(IFCS, Params,"+"); ifSel = ""; selected = " selected"; for (j=1;j<=n;j++){ if (index(Params[j],":") == 0 ){ifSel = ifSel ""; selected = "" }} # PROTOCOLS DROP-DOWN myProt = "\ \ "; # PRESET FORM ROW STRING LEFT AND RIGHT - ACTION DROP DOWN WILL BE CREATED AND INSERTED DURING RUN TIME myFL = ""; } function myTT (CChains,nCChains, chn) { mySel = ""; if (table == "nat" && (chn == "PREROUTING" || chn == "OUTPUT")){mySel = mySel "";} if (table == "nat" && chn == "POSTROUTING"){mySel = mySel "";} if (table == "mangle"){mySel = mySel "";} if (table == "raw"){mySel = mySel "";} for (z = 1; z<=nCChains; z++) { if (CChains[z] != chn) { mySel = mySel "";} } return mySel; } function myDD (lines) { mySel = ""; return mySel; } function AdminIFC () { usb=""; flash=""; admsafe=""; admunsafe=""; logsyslog=""; loginternal=""; if (myConf["BOOT"] =="usb") {usb=" checked";} else if (myConf["BOOT"] =="flash") {flash=" checked";} if (check["AIRBAG"] == "1") {admsafe=" checked";} else {admunsafe=" checked";} if (myConf["LOGTARGET"] == "syslog") {logsyslog=" checked";} else {loginternal=" checked";} if (myConf["DSLDOFF"] == "1") {dsldoff=" checked";} if (myConf["ADMINIP"] > "") {adminr="adming";} else {adminr="adminr";} myStr = "
"; myStr = myStr ""; myStr = myStr ""; myStr = myStr ""; if (nolog == 0) { myStr = myStr ""; } else { myStr = myStr ""; } if (myConf["BOOT"]=="usb") { myStr = myStr ""; } else { myStr = myStr ""; } if (ip6enabled == 1){ myRowspan = 7;} else { myRowspan = 8;} myStr = myStr ""; if (BoxType == 72) { myStr = myStr ""; } else { myStr = myStr "" } if (BoxType == 73) { myModules["ip_conntrack"] = 1; myModules["ip_nat"] = 1; myModules["iptable_mangle"] = 1; } myStr = myStr ""; myStr = myStr ""; myStr = myStr ""; if (BoxType != 73) { myStr = myStr ""; } myStr = myStr ""; myStr = myStr ""; myStr = myStr ""; myStr = myStr ""; if (ip6enabled == 0){ myStr = myStr ""; myStr = myStr "";} else { myStr = myStr "";} myStr = myStr "
INTERFACE SETTINGS
" ipStr "ADMIN IP :
SET BACKUP DIRECTORY :
SET LOG DIRECTORY :
SET BOOT DIRECTORY :
BOOT FROM : Fritz flashUSB stick
LOG TO : nhipt-deamon syslog-deamon
ADMIN LEVEL : advanced safe
BOOT DELAY : stop dsld on delay
EXTRAS : " cbModule("ip_conntrack", "CONNTRACK") "" cbModule("ip_nat", "NAT") "
" cbModule("ip_conntrack_ftp", "ftp") "" cbModule("ip_nat_ftp","ftp") "
" cbModule("ip_conntrack_h323", "h323") "" cbModule("ip_nat_h323","h323") "
" cbModule("ip_conntrack_irc", "irc") "" cbModule("ip_nat_irc", "irc") "
" cbModule("ip_conntrack_pptp", "pptp") "" cbModule("ip_nat_pptp", "pptp") "
" cbModule("ip_conntrack_tftp", "tftp") "" cbModule("ip_nat_tftp", "tftp") "
" cbModule("iptable_mangle", "mangle") "" cbModule("iptable_raw", "raw") "
" cbModule("ip6table_mangle", "mangle [ipv6]") "" cbModule("ip6table_raw", "raw [ipv6]") "
" cbModule("iptable_mangle", "mangle") "" cbModule("iptable_raw", "raw") "
"; return myStr; } function cbOption(comp, value, caption){if (comp==value){checked=" SELECTED";} else {checked="";} return "";} function cbModule(name,caption){ return (" " caption);} function checkModule (name){ if (myModules[name] == 1) {return " checked";} else {return "";}} function AdminButtons(){ if (check["changed"] == 0) {prStyle = "ok";} else {prStyle = "error";} if (check["log_deamon"] == 0){lgStyle = "ok"; lgAction=""; } else {lgStyle = "error"; lgAction="";} myStr = ""; myStr = myStr ""; if (nolog == 0){ myStr = myStr "\ \ \ \ \ \ "; } else { myStr = myStr "\ \ \ "; } myStr = myStr "
ACTIONS
" lgAction "
"; return myStr; } function myTBHL (chain) { formPrinted = 1; print "
" print " RULES FOR CHAIN " chain " [ " table " ] [ " ipv6txt " ]"; print "IDSource IPDest IPIn IFCOut IFCProtModuleS-PortD-PortActionParamEdit"; } { if (FILENAME != myFile){ if (formPrinted == 1){ CurrentChain = myArray["Chain"]; for (y=1;y<=nTables;y++) { if (Chains[y,1]==CurrentChain) {Chains[y,2] = 1;}} if (inSubTable ==1) {inSubTable=0; print "

"} print myDD(i) myFL myTT(CChains,nCChains,CurrentChain) myFR; } if (inSubTable ==1) { if (MySection == "-P") { print " CUSTOM CHAINS"; inSubTable=1; print "

"; } inSubTable=0; print "

" } for (y=1;y<=nTables;y++) { if (Chains[y,2]==0) { myTBHL(Chains[y,1]); print myDD(1) myFL myTT(CChains,nCChains,Chains[y,1]) myFR;}} if (index(FILENAME,"ip6") > 0){ipv6 = 1; ipv6txt = "IPv6"; table = FILENAME; gsub(/\/var\/tmp\/ip6t/,"",table); gsub(/.tmp/,"",table);} else { ipv6 = 0; ipv6txt = "IPv4"; table = FILENAME; gsub(/\/var\/tmp\/ipt/,"",table); gsub(/.tmp/,"",table);} i = 0; formPrinted = 0; nTables = 0; nCChains = 0; delete Chains; delete CChains; myFile = FILENAME; MySection = "" if (inSubTable ==1) {inSubTable=0; print "

" } print ""; print ""; } InIF=0; OutIF=0; SourceIP=0; DestIP=0; Mode=0; SourcePort=0; DestPort=0; delete myArray; myArray["Extra"]=" "; myArray["Action"]=$1; myArray["Chain"]=$2; if (myArray["Action"] == "-P") { myArray["Target"]=$3; if (MySection != $1) { inSubTable=1; print ""; } nTables++; Chains[nTables,1] = $2; Chains[nTables,2] = 0; if (myArray["Target"] == "ACCEPT") {NewPol = "DROP";} else {NewPol = "ACCEPT";} print ""; } else if (myArray["Action"] == "-N") { if (MySection != $1) {inSubTable=1; print ""; } nTables++; Chains[nTables,1] = $2; Chains[nTables,2] = 0; nCChains++; CChains[nCChains] = $2; inSubTable=1; print ""; } else { if (MySection != $1){ if (MySection != "-N") { print ""; } inSubTable=1; print ""; if (settingsPrinted == 0) {settingsPrinted=1; print "
RULES FOR TABLE [ " table " ] [ " ipv6txt " ]
DEFAULT POLICIES
CHAINPOLICYEDIT
" myArray["Chain"] "" myArray["Target"] "[change][purge]
 
CUSTOM CHAINS
" myArray["Chain"] "[Del][purge]
 
CUSTOM CHAINS

" AdminIFC() "" AdminButtons() ""; inSubTable=0; print "

"; print "Experts only: /var/mod/root #
"; } else {inSubTable=0; print "

"} } if (CurrentChain != myArray["Chain"]) { if (i > 0){ print myDD(i) myFL myTT(CChains,nCChains,CurrentChain) myFR; for (y=1;y<=nTables;y++) { if (Chains[y,1]==CurrentChain) {Chains[y,2] = 1;}} } myTBHL(myArray["Chain"]); i = 1; CurrentChain = myArray["Chain"]; } x=""; for ( j = 3; j <= NF; j++ ) { if ($j == "-s") {j++; if ($j == "!") {j++; myArray["SourceIP"] = "!" $j;} else {myArray["SourceIP"] = $j;}} else if ($j == "-d") {j++; if ($j == "!") {j++; myArray["DestIP"] = "!" $j;} else {myArray["DestIP"] = $j;}} else if ($j == "-i") {j++; if ($j == "!") {j++; myArray["InIF"] = "!" $j;} else {myArray["InIF"] = $j;}} else if ($j == "-o") {j++; if ($j == "!") {j++; myArray["OutIF"] = "!" $j;} else {myArray["OutIF"] = $j;}} else if ($j == "-p") {j++; if ($j == "!") {j++; myArray["Prot"] = "!" $j;} else {myArray["Prot"] = $j;}} else if ($j == "-m") {j++; myArray["Module"] = myArray["Module"] $j " ";} else if ($j == "!") {x="!";} else if ($j == "--src-range") {j++; myArray["SourceIP"] = x $j; x="";} else if ($j == "--dst-range") {j++; myArray["DestIP"] = x $j; x="";} else if ($j == "--sport") {j++; if ($j == "!") {j++; myArray["Sport"] = "!" $j;} else {myArray["Sport"] = $j;}} else if ($j == "--dport") {j++; if ($j == "!") {j++; myArray["Dport"] = "!" $j;} else {myArray["Dport"] = $j;}} else if ($j == "--sports") {j++; if ($j == "!") {j++; myArray["Sport"] = "!" $j;} else {myArray["Sport"] = $j;}} else if ($j == "--dports") {j++; if ($j == "!") {j++; myArray["Dport"] = "!" $j;} else {myArray["Dport"] = $j;}} else if ($j == "--ports") {j++; if ($j == "!") {j++; myArray["Dport"] = "!" $j;} else {myArray["Dport"] = $j;} myArray["Sport"] = myArray["Dport"]} else if ($j == "--state") {j++; myArray["State"] = $j " ";} else if ($j == "-j") {j++; myArray["Target"] = $j;} else if ($j == "--log-prefix") {j++; myArray["Log"] = $j; ixx = length($j); if (index($j, "\"") > 0 && substr($j,ixx,1) != "\"") {do {j++; myArray["Log"] = myArray["Log"] " " $j " "; if (index($j, "\"") > 0) break;} while (j <= NF)}} else if ($j == "--comment") {j++; myArray["Comment"] = $j; ixx = length($j); if (index($j, "\"") > 0 && substr($j,ixx,1) != "\"") {do {j++; myArray["Comment"] = myArray["Comment"] " " $j " "; if (index($j, "\"") > 0) break;} while (j <= NF)}} else if ($j == "--reject-with") {j++; myArray["Rej"] = $j " ";} else {myArray["Extra"] = myArray["Extra"] $j " "; j++; myArray["Extra"] = myArray["Extra"] $j " ";} } if (editRule==1 && Param["TABLE"] == table && Param["CHAIN"] == myArray["Chain"] && Param["IDX"] == i && Param["IPV6"] == ipv6){ myRule=$0; gsub(/\"/,"\47", myRule); gsub("-A " myArray["Chain"],"-t " table " -R " myArray["Chain"] " " i " ", myRule); if (ipv6 == 1) {myCmd = "ip6tables ";} else {myCmd = "iptables ";} print "" i "/var/mod/root #"; } else { print " " i " " \ myArray["SourceIP"] " " myArray["DestIP"] " " myArray["InIF"] " " \ myArray["OutIF"] " " myArray["Prot"] " " myArray["Module"] " " \ myArray["Sport"] " " myArray["Dport"] " " myArray["Target"] " " \ myArray["Rej"] myArray["Log"] myArray["State"] myArray["Extra"] myArray["Comment"] "[UP] [DN] [Del] [Edit]" } i++; } MySection = $1; } END { if(exitSwitch==1){exit 0;} if (MySection == "-P") { print " CUSTOM CHAINS"; inSubTable=1; print "

"; } if (inSubTable ==1) { inSubTable=0; if (settingsPrinted == 0) {settingsPrinted=1; print "

" AdminIFC() "" AdminButtons() ""; inSubTable=0; print "

"; print "Experts only: /var/mod/root #
"; } else {inSubTable=0; print "

"} } if (formPrinted == 1){ CurrentChain = myArray["Chain"]; for (y=1;y<=nTables;y++) { if (Chains[y,1]==CurrentChain) {Chains[y,2] = 1;}} print myDD(i) myFL myTT(CChains,nCChains,CurrentChain) myFR; } for (y=1;y<=nTables;y++) { if (Chains[y,2]==0) { myTBHL(Chains[y,1]); print myDD(1) myFL myTT(CChains,nCChains,Chains[y,1]) myFR;}} print " "; while ((ret = getline test < "/var/tmp/nhipt.log") > 0) { print "" test ""; } if (ret==0){close("/var/tmp/nhipt.log"); system("rm /var/tmp/nhipt.log");} print ""; print ""; print ""; }' /var/tmp/iptfilter.tmp /var/tmp/iptnat.tmp /var/tmp/iptmangle.tmp /var/tmp/iptraw.tmp /var/tmp/ip6tfilter.tmp /var/tmp/ip6tmangle.tmp /var/tmp/ip6traw.tmp)" rm /var/tmp/ip*.tmp myfile=$(echo "$PWD" | sed s/cgi-bin/index.html/) if [ ! -r $myfile ] then cat << EOF > $myfile NHIPT-IPTABLES FIREWALL ADMIN <body> <p>Der Browser unterst&uuml;tzt keine Frames! <a href="/cgi-bin/nhipt.cgi">Klick mich</a></p> </body> EOF fi fi ########### ### EOF ### ###########