#!/sbin/runscript
# Copyright 1999-2006 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

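# Make sure the block list the daemon is going to load exists and is
# non-empty, fetching it with moblock-update when it is missing.
# Globals:   BLOCKLISTFILE (read) — path to the block list, presumably set
#            from the service's conf.d file (not visible here)
# Outputs:   progress/error messages through the runscript einfo/eerror helpers
# Returns:   0 when a usable list is present, 1 when it is missing and could
#            not be produced (start() refuses to launch the daemon then)
checkconfig() {
	# With an empty path there is no way to verify what moblock-update
	# produced, so refuse up front rather than running an update blindly.
	if [ -z "${BLOCKLISTFILE}" ]; then
		eerror "BLOCKLISTFILE is not set, cannot start"
		return 1
	fi
	test -s "${BLOCKLISTFILE}" && return 0
	einfo
	einfo "Block list file ${BLOCKLISTFILE} not found, running moblock-update."
	einfo
	moblock-update
	# Rather than trusting moblock-update's exit status, re-check that a
	# non-empty list actually exists now.
	test -s "${BLOCKLISTFILE}" && return 0

	eerror "moblock-update failed, cannot start"
	return 1
}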

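# Insert ACCEPT rules for a whitespace-separated list of destination ports at
# the top of one MOBLOCK_* chain, so they are matched before the TARGET rule.
# Arguments: $1 - chain name, $2 - protocol (tcp or udp), $3 - port list
moblock_whitelist() {
	local chain proto port
	chain=$1
	proto=$2
	# $3 is deliberately word-split: the conf.d variables hold a
	# whitespace-separated list of ports.
	# shellcheck disable=SC2086
	for port in $3; do
		iptables -I "${chain}" -p "${proto}" --dport "${port}" -j ACCEPT
	done
}

# Set up the MOBLOCK_* iptables chains and launch the moblock daemon.
# Globals:   TARGET, ACTIVATE_CHAINS, WHITE_{TCP,UDP}_{IN,OUT,FORWARD},
#            PIDFILE, BLOCKLISTTYPE, BLOCKLISTFILE, LOGFILE (all read;
#            presumably provided by the service's conf.d file)
# Outputs:   ebegin/eend status lines, eerror on configuration problems
# Returns:   0 when the daemon was started, 1 otherwise (the firewall rules
#            are removed again when the daemon itself fails to start)
start() {
	checkconfig || return 1

	# Every packet entering the MOBLOCK_* chains is handed to ${TARGET}; with
	# an empty value the "-j" rules below would fail and the chains would
	# stay without their filtering rule.
	if [ -z "${TARGET}" ]; then
		eerror "TARGET is not set, cannot start"
		return 1
	fi

	ebegin "Starting MoBlock"

	# Is this needed?
	#modprobe ipt_NFQUEUE

	# Filter all traffic, edit for your needs

	# Creating a chain fails when one of that name already exists (e.g. left
	# behind by a daemon that crashed). Continuing would stack a second set of
	# rules on top of the old one, so stop here; a "stop" run flushes and
	# deletes the stale chains.
	if ! iptables -N MOBLOCK_IN \
		|| ! iptables -N MOBLOCK_OUT \
		|| ! iptables -N MOBLOCK_FW; then
		eerror "Could not create the MOBLOCK chains (stale chains from a previous run?)"
		eend 1
		return 1
	fi

	# An unset ACTIVATE_CHAINS counts as "not activated" instead of producing
	# a test(1) syntax error.
	if [ "${ACTIVATE_CHAINS:-0}" -eq 1 ]; then
		iptables -I INPUT -p all -m state --state NEW -j MOBLOCK_IN
		iptables -I OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
		iptables -I FORWARD -p all -m state --state NEW -j MOBLOCK_FW
	fi

	iptables -I MOBLOCK_IN -p all -j "${TARGET}"
	iptables -I MOBLOCK_OUT -p all -j "${TARGET}"
	iptables -I MOBLOCK_FW -p all -j "${TARGET}"

	# Whitelisted ports are inserted after the TARGET rule and therefore end
	# up above it in each chain.
	moblock_whitelist MOBLOCK_OUT tcp "${WHITE_TCP_OUT}"
	moblock_whitelist MOBLOCK_OUT udp "${WHITE_UDP_OUT}"

	moblock_whitelist MOBLOCK_IN tcp "${WHITE_TCP_IN}"
	moblock_whitelist MOBLOCK_IN udp "${WHITE_UDP_IN}"

	moblock_whitelist MOBLOCK_FW tcp "${WHITE_TCP_FORWARD}"
	moblock_whitelist MOBLOCK_FW udp "${WHITE_UDP_FORWARD}"


	# Loopback traffic fix

	iptables -I INPUT -p all -i lo -j ACCEPT
	iptables -I OUTPUT -p all -o lo -j ACCEPT

	# Here you can change block list and log files

	# ${BLOCKLISTTYPE} is left unquoted, as before, so that a multi-word
	# conf.d value is passed to the daemon as separate arguments.
	# shellcheck disable=SC2086
	if start-stop-daemon --start --quiet --background --pidfile "${PIDFILE}" \
			--exec /usr/sbin/moblock -- \
			${BLOCKLISTTYPE} "${BLOCKLISTFILE}" "${LOGFILE}"; then
		eend 0
	else
		# If startup failed, we need to cleanup iptables
		cleanup_iptables
		eend 1
	fi
}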

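# Undo everything start() added to iptables: the jumps from the builtin
# chains, the loopback ACCEPT rules and the MOBLOCK_* chains themselves.
# Globals:   ACTIVATE_CHAINS (read)
# Outputs:   iptables error messages on stderr for rules that do not exist
# Returns:   status of the last "iptables -X" (the function does not check
#            the individual deletions)
cleanup_iptables() {
	# The jump rules must go first: "-X" refuses to delete a chain that is
	# still referenced. An unset ACTIVATE_CHAINS counts as "not activated".
	# NOTE(review): if ACTIVATE_CHAINS was changed between start and stop, the
	# jumps are left in place and the chains below cannot be deleted.
	if [ "${ACTIVATE_CHAINS:-0}" -eq 1 ]; then
		iptables -D INPUT -p all -m state --state NEW -j MOBLOCK_IN
		iptables -D OUTPUT -p all -m state --state NEW -j MOBLOCK_OUT
		iptables -D FORWARD -p all -m state --state NEW -j MOBLOCK_FW
	fi

	iptables -D INPUT -p all -i lo -j ACCEPT
	iptables -D OUTPUT -p all -o lo -j ACCEPT

	# Flush each chain before deleting it; "-X" only works on empty chains.
	iptables -F MOBLOCK_IN
	iptables -X MOBLOCK_IN
	iptables -F MOBLOCK_OUT
	iptables -X MOBLOCK_OUT
	iptables -F MOBLOCK_FW
	iptables -X MOBLOCK_FW
}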

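# Stop the moblock daemon and remove the iptables rules added by start().
# Globals:   PIDFILE (read)
# Outputs:   ebegin/eend status lines
# Returns:   the exit status of start-stop-daemon, so a failed stop is
#            reported instead of the status of the last iptables call
stop() {
	local rv

	ebegin "Stopping MoBlock"
	start-stop-daemon --stop --pidfile "${PIDFILE}"
	rv=$?
	eend ${rv}

	# On exit delete the rules we added, even if the daemon did not stop
	# cleanly, so no packets are left queued to a target nobody serves.
	cleanup_iptables
	return ${rv}
}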