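#!/bin/bash
#Copyright 2011 William Stearns
#Released under the GPL
#Dedicated to Matthew Hathaway, who left us too soon.
#
#yubiknock-authorize: grant one source address access by appending jumps
#from the DynamicI / DynamicF chains to the per-key (KeyI-/KeyF-<identity>)
#and per-user (UserI-/UserF-<account>) chains that already exist. Only
#chains that exist are linked; missing ones are skipped. The I/F split
#presumably maps to the INPUT and FORWARD paths of the ruleset — confirm
#against the firewall that creates those chains.
#
#Return codes
#0 Success
#1 Generic failure (chain creation, rule append or logging failed)
#2 Invalid address or Yubikey Identity
#
#Params
#$1 IP address that should be given access (currently ipv4, later ipv6)
#$2 12 char Yubikey Identity (modhex public id). NOTE: a full 44 char OTP
#   is rejected with exit code 2 — the caller must strip it down to the
#   identity first; OTP validity itself is not checked here.

set -eu
set -o pipefail

readonly LOG_TAG="yubiknock-authorize"
readonly MAPPINGS_FILE="/etc/yubikey_mappings"
readonly SUDO="/usr/bin/sudo"
readonly IPTABLES="/sbin/iptables"

#One dotted-quad octet, 0-255 with no leading zeros. Tighter than the old
#[12]?[0-9]{1,2} pattern, which also let e.g. 299 or 010 through to iptables.
readonly OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
readonly IPV4_RE="^${OCTET}\.${OCTET}\.${OCTET}\.${OCTET}"'$'
#Yubikey public identity: exactly 12 modhex characters. Because both inputs
#are validated against closed character classes, they are safe to hand to
#iptables and grep below.
readonly IDENTITY_RE='^[bcdefghijklnrtuv]{12}$'

#Log one message to syslog under the script's tag.
log() {
  logger -t "$LOG_TAG" "$*"
}

#Log $* and exit with the generic-failure code.
die() {
  log "$*"
  exit 1
}

#Create iptables chain $1 if it does not already exist.
#Exits 1 (via die) when the chain cannot be created.
ensure_chain() {
  local chain=$1
  if ! "$SUDO" "$IPTABLES" -L "$chain" -n >/dev/null 2>&1 ; then
    "$SUDO" "$IPTABLES" -N "$chain" || die "Unable to create chain $chain, exiting."
  fi
}

#Append, to dynamic chain $1, a jump for source address $2 (tagged with
#comment $3) to every chain named in the remaining arguments that exists.
#Chains that do not exist are skipped without error, as before.
link_chains() {
  local dynamic_chain=$1 source_ip=$2 stamp=$3 target
  shift 3
  for target in "$@" ; do
    if "$SUDO" "$IPTABLES" -L "$target" -n >/dev/null 2>&1 ; then  #If chain exists
      log "Linking to $target"
      "$SUDO" "$IPTABLES" -A "$dynamic_chain" -s "$source_ip" \
        -m comment --comment "$stamp" -j "$target" \
        || die "Unable to link $source_ip to $target, exiting."
    #else
    #  log "No chain named $target , skipping."
    fi
  done
}

main() {
  local source_ip=${1-} identity=${2-}

  if [[ ! "$source_ip" =~ $IPV4_RE ]] ; then
    log "Invalid IPv4 address format, exiting."
    exit 2
  fi

  if [[ ! "$identity" =~ $IDENTITY_RE ]] ; then
    log "Invalid Yubikey Identity format, exiting."
    exit 2
  fi

  ensure_chain DynamicI
  ensure_chain DynamicF

  #Stamp recorded on every rule added in this run; presumably read back by
  #whatever later expires entries from DynamicI/DynamicF — confirm.
  local stamp
  stamp="CreateStamp-$(date +%s)"

  #Target chains: the key's own chain plus one per account mapped to this
  #identity. The mappings file is assumed to hold one "account:identity"
  #record per line (the match is an unanchored substring, as originally).
  local -a input_targets=("KeyI-${identity}")
  local -a forward_targets=("KeyF-${identity}")
  local line account
  if [[ -r "$MAPPINGS_FILE" ]] ; then
    while IFS= read -r line ; do
      account=${line%%:*}
      [[ -n "$account" ]] || continue
      input_targets+=("UserI-${account}")
      forward_targets+=("UserF-${account}")
    done < <(grep -F -- ":${identity}" "$MAPPINGS_FILE")
  else
    log "Cannot read $MAPPINGS_FILE, linking key chains only."
  fi

  link_chains DynamicI "$source_ip" "$stamp" "${input_targets[@]}"
  link_chains DynamicF "$source_ip" "$stamp" "${forward_targets[@]}"
}

main "$@"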