			# (Continuation of the 'show' command executor: the 'actions'
			# listing. The start of that function is outside this listing.)
			echo "allowInvalid        # Accept packets that are in the INVALID conntrack state."
			echo "allowinUPnP         # Allow UPnP inbound (to firewall) traffic"
			echo "allowoutUPnP        # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
			echo "dropBcast           # Silently Drop Broadcast/multicast"
			echo "dropInvalid         # Silently Drop packets that are in the INVALID conntrack state"
			echo "dropNotSyn          # Silently Drop Non-syn TCP packets"
			echo "drop1918src         # Drop packets with an RFC 1918 source address (Shorewall-perl only)"
			echo "drop1918dst         # Drop packets with an RFC 1918 original dest address (Shorewall-perl only)"
			echo "forwardUPnP         # Allow traffic that upnpd has redirected from"
			echo "rejNotSyn           # Silently Reject Non-syn TCP packets"
			echo "rej1918src          # Reject packets with an RFC 1918 source address (Shorewall-perl only)"
			echo "rej1918dst          # Reject packets with an RFC 1918 original dest address (Shorewall-perl only)"
			# Then the non-comment, non-blank lines of the standard actions
			# file plus, if present, the administrator's own actions file.
			if [ -f ${CONFDIR}/actions ]; then
			    cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
			else
			    grep -Ev '^\#|^$' ${SHAREDIR}/actions.std
			fi
			return
			;;
		    macros)
			[ $# -gt 1 ] && usage 1
			# List every macro.* file on CONFIG_PATH, grouped by directory.
			# The '*\*' arm skips the literal pattern that is left behind
			# when a directory holds no macro files. show_macro reads the
			# global 'macro' loop variable.
			for directory in $(split $CONFIG_PATH); do
			    temp=
			    for macro in ${directory}/macro.*; do
				case $macro in
				    *\*)
					;;
				    *)
					if [ -z "$temp" ]; then
					    echo
					    echo "Macros in $directory:"
					    echo
					    temp=Yes
					fi
					show_macro
					;;
				esac
			    done
			done
			return
			;;
		esac
	    fi

	    if [ $# -gt 0 ]; then
		# Remaining arguments are chain names. Unless a table was named
		# explicitly, make sure each chain exists before listing any.
		[ -n "$table_given" ] || for chain in $*; do
		    if ! qt $IPTABLES -t $table -L $chain $IPT_OPTIONS; then
			echo "usage $(basename $0) show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|routing|tc|zones} ] " >&2
			exit 1
		    fi
		done

		echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $HOSTNAME - $(date)"
		echo
		show_reset

		for chain in $*; do
		    $IPTABLES -t $table -L $chain $IPT_OPTIONS
		done
	    else
		echo "$PRODUCT $version $table Table at $HOSTNAME - $(date)"
		echo
		show_reset
		$IPTABLES -t $table -L $IPT_OPTIONS
	    fi
	    ;;
    esac
}

#
# Dump Command Executor
#
# Options: -x sets IPT_OPTIONS to "-xnv" (exact counters, numeric output),
# -m sets SHOWMACS, '--' ends option parsing (a bare '-' is accepted and
# ignored). Any remaining argument is a usage error. VERBOSE is raised to
# at least 2 and 'set -x' is turned on when 'debugging' is set.
#
# Then writes a diagnostic snapshot to stdout: the filter, nat, mangle and
# raw tables, the packet log (packet_log 20), the conntrack table, IPv4
# addresses, link statistics, bridges, IPsec SPD/SAD, selected /proc/sys
# knobs, routing, the ARP cache, netfilter modules, capabilities, netstat
# and, when TC_ENABLED is set, the traffic-control setup.
#
# Security: the dump is meant for troubleshooting and is sensitive. It
# reveals the complete rule set, live connection tuples, listening sockets
# with their process names (netstat -p) and the ARP cache. Only the IPsec
# SA key material is filtered out (see the setkey line). Treat the output
# as confidential before sending it anywhere.
#
# Globals read: VERBOSE, debugging, PRODUCT, version, HOSTNAME, IPTABLES,
# IPT_OPTIONS, LOGFILE, TC_ENABLED.
# Globals written: IPT_OPTIONS, SHOWMACS, VERBOSE, host.
#
dump_command() {
    local finished
    finished=0

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			x*)
			    IPT_OPTIONS="-xnv"
			    option=${option#x}
			    ;;
			m*)
			    SHOWMACS=Yes
			    option=${option#m}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done

		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    [ $VERBOSE -lt 2 ] && VERBOSE=2

    [ -n "$debugging" ] && set -x

    [ $# -eq 0 ] || usage 1

    clear_term

    echo "$PRODUCT $version Dump at $HOSTNAME - $(date)"
    echo

    # Report which Shorewall compiler package(s) are installed.
    if [ -f /usr/share/shorewall-shell/version ]; then
	echo "   Shorewall-shell $(cat /usr/share/shorewall-shell/version)"
	if [ -f /usr/share/shorewall-perl/version ]; then
	    echo "   Shorewall-perl  $(cat /usr/share/shorewall-perl/version)"
	fi
	echo
    elif [ -f /usr/share/shorewall-perl/version ]; then
	echo "   Shorewall-perl $(cat /usr/share/shorewall-perl/version)"
	echo
    fi

    show_reset

    # Short host name. Assigned but not read in this function; it is a
    # global, so it is left in place in case another executor relies on it.
    host=$(echo $HOSTNAME | sed 's/\..*$//')

    $IPTABLES -L $IPT_OPTIONS

    heading "Log ($LOGFILE)"
    packet_log 20

    heading "NAT Table"
    $IPTABLES -t nat -L $IPT_OPTIONS

    heading "Mangle Table"
    $IPTABLES -t mangle -L $IPT_OPTIONS

    heading "Raw Table"
    $IPTABLES -t raw -L $IPT_OPTIONS

    heading "Conntrack Table"
    # Prefer the legacy ip_conntrack file; otherwise list the non-IPv6
    # entries of nf_conntrack. NOTE(review): 'a && b || c' also falls
    # through to nf_conntrack when ip_conntrack exists but 'cat' fails.
    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack

    heading "IP Configuration"
    ip -4 addr list

    heading "IP Stats"
    ip -stat link list

    if qt mywhich brctl; then
	heading "Bridges"
	brctl show
    fi

    if qt mywhich setkey; then
	heading "PFKEY SPD"
	setkey -DP
	heading "PFKEY SAD"
	# The SA dump contains the authentication (A:) and encryption (E:)
	# keys; strip those lines so the dump can be shared.
	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
    fi

    heading "/proc"
    show_proc /proc/version
    show_proc /proc/sys/net/ipv4/ip_forward
    show_proc /proc/sys/net/ipv4/icmp_echo_ignore_all

    # Per-interface anti-spoofing and ARP knobs; show_proc skips files
    # that do not exist on this kernel.
    for directory in /proc/sys/net/ipv4/conf/*; do
	for file in proxy_arp arp_filter arp_ignore rp_filter log_martians; do
	    show_proc $directory/$file
	done
    done

    show_routing

    heading "ARP"
    arp -na

    if qt mywhich lsmod; then
	heading "Modules"
	lsmod | grep -E '^(ip_|ipt_|iptable_|nf_|xt_)' | sort
    fi

    determine_capabilities
    echo
    report_capabilities

    echo
    netstat -tunap

    if [ -n "$TC_ENABLED" ]; then
	heading "Traffic Control"
	show_tc
	heading "TC Filters"
	show_classifiers
    fi
}

#
# Restore Command Executor
#
# Options: -n sets NOROUTES (exported for the restore script); '--' ends
# option parsing. An optional single argument names the restore file
# (checked by validate_restorefile); with no argument the current value of
# RESTOREFILE is used. More than one argument is a usage error.
#
# Exits 2 when STARTUP_ENABLED is empty. Takes the mutex (unless 'nolock'
# is set), then runs VARDIR/<restore file> through SHOREWALL_SHELL.
#
# Security: if a companion <restore file>-ipsets script exists, ALL
# iptables rules are flushed and all user chains deleted before it runs
# (presumably because ipsets cannot be replaced while rules reference
# them — confirm). From that point until the restore script has rebuilt
# the rule set the host is protected only by the built-in chain policies.
# Both scripts are executed from VARDIR after nothing more than an -x
# test, so their integrity rests on VARDIR being writable by root only.
# NOTE(review): the flush uses bare 'iptables' instead of $IPTABLES,
# unlike the rest of this file.
#
restore_command() {
    local finished
    finished=0

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			n*)
			    NOROUTES=Yes
			    option=${option#n}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done

		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    case $# in
    0)
	;;
    1)
	RESTOREFILE="$1"
	validate_restorefile '<restore file>'
	;;
    *)
	usage 1
	;;
    esac

    if [ -z "$STARTUP_ENABLED" ]; then
	error_message "ERROR: Startup is disabled"
	exit 2
    fi

    RESTOREPATH=${VARDIR}/$RESTOREFILE

    export NOROUTES

    [ -n "$nolock" ] || mutex_on

    if [ -x $RESTOREPATH ]; then
	if [ -x ${RESTOREPATH}-ipsets ] ; then
	    echo Restoring Ipsets...
	    # Firewall is open (built-in policies only) from here until the
	    # restore script below has reloaded the rules.
	    iptables -F
	    iptables -X
	    $SHOREWALL_SHELL ${RESTOREPATH}-ipsets
	fi

	progress_message3 "Restoring Shorewall..."
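local status
	if $SHOREWALL_SHELL $RESTOREPATH restore; then
	    progress_message3 "$PRODUCT restored from ${VARDIR}/$RESTOREFILE"
	    status=0
	else
	    # Preserve the restore script's exit status. The former
	    # 'restore && progress_message3 ...' line dropped it: the
	    # function then returned mutex_off's status, so a failed restore
	    # looked like success to the caller. (Reading $? after that &&
	    # chain would be wrong too if progress_message3 can return
	    # non-zero when the message is suppressed.)
	    status=$?
	fi

	[ -n "$nolock" ] || mutex_off
	return $status
    else
	echo "File $RESTOREPATH: file not found"
	[ -n "$nolock" ] || mutex_off
	exit 2
    fi
}

#
# Display the time that the counters were last reset
#
# Prints "Counters reset <contents of VARDIR/restarted>" followed by a
# blank line when that file exists; prints nothing (and returns non-zero)
# otherwise.
#
show_reset() {
    [ -f ${VARDIR}/restarted ] && \
	echo "Counters reset $(cat ${VARDIR}/restarted)" && \
	echo
}

#
# Displays the passed file name followed by "=" and the file's contents.
#
# Names that are not regular files (e.g. a /proc/sys knob missing on this
# kernel) are silently skipped.
#
show_proc() # $1 = name of a file
{
    [ -f "$1" ] && echo "   $1 = $(cat "$1")"
}

#
# Read a yes/no answer from stdin with a 60-second timeout.
#
# Returns 0 if the answer is y or Y and 1 otherwise (including timeout,
# EOF or any other input). If this shell's 'read' does not support -t
# (read exits with status 2) the answer is read by /bin/bash instead;
# returns 2 when bash is not installed either. The answer is left in the
# global variable 'yn'.
#
read_yesno_with_timeout() {
    read -t 60 yn 2> /dev/null
    if [ $? -eq 2 ]
    then
	# read doesn't support timeout
	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
	# Invoke bash and use its version of read. Accept y and Y alike, as
	# the native branch below does (the fallback used to accept only y).
	/bin/bash -c 'read -t 60 yn ; case "$yn" in y|Y) exit 0 ;; *) exit 1 ;; esac'
	return $?
    else
	# read supports timeout
	case "$yn" in
	    y|Y)
		return 0
		;;
	    *)
		return 1
		;;
	esac
    fi
}

#
# Print a heading with leading and trailing blank lines
#
heading() {
    echo
    echo "$@"
    echo
}

#
# Create the appropriate -v/-q option to pass onward
#
# Prints "-v<USE_VERBOSITY>" when USE_VERBOSITY is set. Otherwise prints
# one 'v' per unit of a positive VERBOSE_OFFSET ("-vv") or one 'q' per
# unit of a negative one ("-q"), and nothing at all for an offset of 0.
#
make_verbose() {
    local v
    v=$VERBOSE_OFFSET
    local option
    option=-

    if [ -n "$USE_VERBOSITY" ]; then
	echo "-v$USE_VERBOSITY"
    elif [ $VERBOSE_OFFSET -gt 0 ]; then
	while [ $v -gt 0 ]; do
	    option="${option}v"
	    v=$(($v - 1))
	done

	echo $option
    elif [ $VERBOSE_OFFSET -lt 0 ]; then
	while [ $v -lt 0 ]; do
	    option="${option}q"
	    v=$(($v + 1))
	done

	echo $option
    fi
}

#
# Executor for drop,reject,...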
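# commands
#
# block() # $1 = target chain (reject, DROP, logreject or logdrop)
#         # $2 = word echoed after each address, e.g. "Dropped"
#         # $3 = skipped by 'shift 3' (presumably the subcommand word the
#         #      caller forwards in $* — confirm against the caller)
#         # $4 - $n = addresses, or "a-b" ranges matched with iprange
#
# For each address the existing dynamic-chain rule with any of the four
# targets is deleted and a fresh rule jumping to $1 appended; the loop
# stops at the first failed append. Each handled address is echoed as
# "<address> $2". Addresses come from the command line; they are quoted
# so that a stray space or glob character cannot split into extra
# iptables arguments.
#
block() # $1 = command, $2 = Finished, $3 is skipped, $4 - $n addresses
{
    local chain
    chain=$1
    local finished
    finished=$2

    # Nothing to do without the three leading words; 'shift 3' would
    # otherwise fail (and abort the shell under dash) and the loop would
    # treat $1/$2 as addresses.
    [ $# -ge 3 ] || return 1
    shift 3

    while [ $# -gt 0 ]; do
	case $1 in
	    *-*)
		qt $IPTABLES -D dynamic -m iprange --src-range "$1" -j reject
		qt $IPTABLES -D dynamic -m iprange --src-range "$1" -j DROP
		qt $IPTABLES -D dynamic -m iprange --src-range "$1" -j logreject
		qt $IPTABLES -D dynamic -m iprange --src-range "$1" -j logdrop
		$IPTABLES -A dynamic -m iprange --src-range "$1" -j "$chain" || break 1
		;;
	    *)
		qt $IPTABLES -D dynamic -s "$1" -j reject
		qt $IPTABLES -D dynamic -s "$1" -j DROP
		qt $IPTABLES -D dynamic -s "$1" -j logreject
		qt $IPTABLES -D dynamic -s "$1" -j logdrop
		$IPTABLES -A dynamic -s "$1" -j "$chain" || break 1
		;;
	esac
	echo "$1 $finished"
	shift
    done
}

#
# 'hits' command executor
#
# Summarises the firewall log lines ("IN=... OUT=") read through LOGREAD:
# hits per source address and date, per source address and destination
# port, per date, and per destination port with the matching service
# names from /etc/services. Option -t restricts the report to today's
# entries by prefixing each pattern with the current "Mon dd" date; '--'
# ends option parsing. No further arguments are accepted.
#
# LOGREAD is a command line and is deliberately left unquoted so that it
# word-splits; the log is re-read once per table.
#
# The DATE columns take the first six characters of each line, i.e. they
# assume a syslog-style "Mon dd" prefix. NOTE(review): with another log
# format (e.g. ISO timestamps) those columns would be meaningless —
# confirm against the configured LOGREAD.
#
hits_command() {
    local finished
    finished=0
    local today
    today=

    while [ $finished -eq 0 -a $# -gt 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		while [ -n "$option" ]; do
		    case $option in
			-)
			    finished=1
			    option=
			    ;;
			t*)
			    today=$(date +'^%b %_d.*')
			    option=${option#t}
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done

		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    [ $# -eq 0 ] || usage 1

    clear_term

    echo "$PRODUCT $version Hits at $HOSTNAME - $(date)"
    echo

    # Global; assigned here but not read in this function. Left in place
    # in case another executor relies on it.
    timeout=30

    if $LOGREAD | grep -q "${today}IN=.* OUT=" ; then
	echo "   HITS IP	        DATE"
	echo "   ---- --------------- ------"

	# Emit "<src>\t<Mon dd>" per line, then count identical lines.
	$LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | while read count address month day; do
	    printf '%7d %-15s %3s %2d\n' $count $address $month $day
	done

	echo ""
	echo "   HITS IP	        PORT"
	echo "   ---- --------------- -----"

	# "<src>\t<dport>" when the line carries a DPT=, otherwise just "<src>".
	$LOGREAD | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
						t
						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
	    printf '%7d %-15s %d\n' $count $address $port
	done

	echo ""
	echo "   HITS DATE"
	echo "   ---- ------"

	$LOGREAD | grep  "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
	    printf '%7d %3s %2d\n' $count $month $day
	done

	echo ""
	echo "   HITS  PORT SERVICE(S)"
	echo "   ---- ----- ----------"

	$LOGREAD | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
	    # List all services defined for the given port. $port is safe
	    # inside the grep pattern: the sed above only yields 1-5 digits.
	    srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u)
	    srv=$(echo $srv | sed 's/ /,/g')

	    if [ -n "$srv" ] ; then
		printf '%7d %5d %s\n' $count $port $srv
	    else
		printf '%7d %5d\n' $count $port
	    fi
	done
    fi
}

#
# 'allow' command executor
#
# $1 is skipped (presumably the 'allow' command word); $2 - $n are
# addresses or "a-b" ranges. For each one, the first matching
# dynamic-chain rule among the reject/DROP/logdrop/logreject targets is
# deleted and "<address> Allowed" echoed, or "<address> Not Dropped or
# Rejected" when no such rule existed. With only $1 present this is a
# usage error. Requires a started firewall (exits 2 otherwise) and takes
# the mutex unless 'nolock' is set.
#
allow_command() {
    [ -n "$debugging" ] && set -x
    [ $# -eq 1 ] && usage 1

    if shorewall_is_started ; then
	[ -n "$nolock" ] || mutex_on

	while [ $# -gt 1 ]; do
	    shift
	    case $1 in
		*-*)
		    if  qt $IPTABLES -D dynamic -m iprange --src-range "$1" -j reject    ||\
			qt $IPTABLES -D dynamic -m iprange --src-range "$1" -j DROP      ||\
			qt $IPTABLES -D dynamic -m iprange --src-range "$1" -j logdrop   ||\
			qt $IPTABLES -D dynamic -m iprange --src-range "$1" -j logreject
			then
			echo "$1 Allowed"
		    else
			echo "$1 Not Dropped or Rejected"
		    fi
		    ;;
		*)
		    if  qt $IPTABLES -D dynamic -s "$1" -j reject    ||\
			qt $IPTABLES -D dynamic -s "$1" -j DROP      ||\
			qt $IPTABLES -D dynamic -s "$1" -j logdrop   ||\
			qt $IPTABLES -D dynamic -s "$1" -j logreject
			then
			echo "$1 Allowed"
		    else
			echo "$1 Not Dropped or Rejected"
		    fi
		    ;;
	    esac
	done

	[ -n "$nolock" ] || mutex_off
    else
	error_message "ERROR: $PRODUCT is not started"
	exit 2
    fi
}

#
# 'logwatch' command executor
#
# $1 is skipped (presumably the 'logwatch' command word). Options: -v/-q
# raise/lower VERBOSE, -m sets SHOWMACS, '--' ends option parsing and a
# bare '-' is a usage error. Then calls logwatch with the optional refresh
# interval argument (default 30); more than one argument is a usage
# error.
#
logwatch_command() {
    shift
    # 'finished' was a global here, unlike the sibling executors.
    local finished
    finished=0

    while [ $finished -eq 0 -a $# -ne 0 ]; do
	option=$1
	case $option in
	    -*)
		option=${option#-}

		[ -z "$option" ] && usage 1

		while [ -n "$option" ]; do
		    case $option in
			v*)
			    VERBOSE=$(($VERBOSE + 1 ))
			    option=${option#v}
			    ;;
			q*)
			    VERBOSE=$(($VERBOSE - 1 ))
			    option=${option#q}
			    ;;
			m*)
			    SHOWMACS=Yes
			    option=${option#m}
			    ;;
			-)
			    finished=1
			    option=
			    ;;
			*)
			    usage 1
			    ;;
		    esac
		done

		shift
		;;
	    *)
		finished=1
		;;
	esac
    done

    [ -n "$debugging" ] && set -x

    if [ $# -eq 1 ]; then
	logwatch $1
    elif [ $# -eq 0 ]; then
	logwatch 30
    else
	usage 1
    fi
}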
