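#!/bin/bash
#Copyright 2011 William Stearns
#Released under the GPL
#
# Expire dynamically added yubiknock iptables rules.
#
# Each rule in the DynamicI and DynamicF chains is tagged with a
# "CreateStamp-<epoch seconds>" comment.  Any rule older than MaxHours
# hours is deleted.  The sweep can be narrowed to a single user (-u) and/or
# a single source address (-s).
#
# Usage: $0 [-m MaxHours] [-u Username] [-s SourceIP]
#
# Configuration: /etc/yubiknock.conf is sourced if readable and may set
# AUTHORIZATION_TIME (default for MaxHours).  Because it is executed as
# shell, it must only be writable by the same principals that may run
# this script.

if [ -r /etc/yubiknock.conf ]; then
  . /etc/yubiknock.conf
fi

MaxHours="$AUTHORIZATION_TIME"

#######################################
# Print a diagnostic and stop.
# Arguments: $* - message
# Outputs:   message on stderr
# Returns:   exits 1
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

while [[ -n "$1" ]]; do
  case "$1" in
    -m)
      [[ -n "$2" ]] || die "Missing MaxHours after -m, exiting."
      MaxHours="$2"
      shift 2
      ;;
    -u)
      [[ -z "$Username" ]] || die "Only one username spec at a time, exiting."
      [[ -n "$2" ]] || die "Missing username after -u, exiting."
      Username="$2"
      shift 2
      ;;
    -s)
      [[ -z "$SourceIP" ]] || die "Only one source ip at a time, exiting."
      [[ -n "$2" ]] || die "Missing source IP after -s, exiting."
      SourceIP="$2"
      shift 2
      ;;
    *)
      die "Unrecognized parameter $1 , exiting."
      ;;
  esac
done

# MaxHours is fed to shell arithmetic below.  An empty value (config unset,
# no -m) or a non-integer would otherwise surface as an arithmetic error on
# every rule and expire nothing, so reject it up front.
[[ "$MaxHours" =~ ^-?[0-9]+$ ]] \
  || die "MaxHours must be a whole number of hours (got '${MaxHours}'), exiting."

# One reference clock for the whole sweep instead of a date(1) call per rule.
Now=$(date +%s)

#######################################
# Delete rules older than MaxHours hours from one dynamic chain.
# Globals:   MaxHours, Username, SourceIP, Now (read)
# Arguments: $1 - chain to scan (DynamicI or DynamicF)
#            $2 - prefix of the per-user target chains (UserI or UserF)
# Outputs:   none on success; iptables errors go to stderr
#######################################
expire_chain() {
  local chain="$1" user_prefix="$2"
  local target source stamp create_time

  # `iptables -L <chain> -n` prints one rule per line:
  #   target prot opt source destination /* comment */
  # The two "Chain ..." header lines and the column header are dropped;
  # $7 is the comment text.
  sudo /sbin/iptables -L "$chain" -n \
    | grep -E -v '(^Chain.*policy|^Chain.*references|^target *prot)' \
    | awk '{print $1,$4,$7 }' \
    | while read -r target source stamp; do
        create_time="${stamp#CreateStamp-}"
        # A rule without a CreateStamp comment, or with a malformed one, has no
        # age to compare.  Skip it instead of handing an arbitrary string to
        # arithmetic expansion, which both errors on garbage and evaluates
        # anything that parses.
        [[ "$create_time" =~ ^[0-9]+$ ]] || continue
        [[ -z "$Username" || "$target" == "${user_prefix}-${Username}" ]] || continue
        [[ -z "$SourceIP" || "$SourceIP" == "$source" ]] || continue
        # 10# forces decimal so a leading zero is not read as octal.
        if (( 10#$create_time + MaxHours * 3600 < Now )); then
          sudo /sbin/iptables -D "$chain" -s "$source" \
            -m comment --comment "CreateStamp-$create_time" -j "$target"
        fi
      done
}

#Remove stale (created more than MaxHours hours ago) rules from DynamicI
expire_chain DynamicI UserI

#Remove stale (created more than MaxHours hours ago) rules from DynamicF
expire_chain DynamicF UserF

#Old approach with flag dir
#(
#if [ -z "$SourceIP" -a -z "$Username" ]; then
#	FindOut=`find "$YPK_FLAG_DIR" -type f -mmin +$[ $MaxHours * 60 ] -printf "%f\n"`
#elif [ -z "$SourceIP" -a -n "$Username" ]; then
#	FindOut=`find "$YPK_FLAG_DIR" -type f -mmin +$[ $MaxHours * 60 ] -iname "*,${Username}" -printf "%f\n"`
#elif [ -n "$SourceIP" -a -z "$Username" ]; then
#	FindOut=`find "$YPK_FLAG_DIR" -type f -mmin +$[ $MaxHours * 60 ] -iname "${SourceIP},*" -printf "%f\n"`
#elif [ -n "$SourceIP" -a -n "$Username" ]; then
#	FindOut=`find "$YPK_FLAG_DIR" -type f -mmin +$[ $MaxHours * 60 ] -iname "${SourceIP},${Username}" -printf "%f\n"`
#fi ) \
#	| sed -e 's/,/ /' \
#	| while read OneSource OneName ; do
#	#FIXME - repeat rule remove in case there are multiple rules.
#	sudo /sbin/iptables -D Dynamicipv4-I -s "$OneSource" -j "User-${OneName}-I"
#	rm -f "$YPK_FLAG_DIR/${OneSource},${OneName}"
#done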