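#!/usr/bin/env bash
# sshutter: while a target host answers ping, block TCP $PORT on this machine
# for every source outside $WHITELIST (via nftables); when the target stops
# answering, lift the block again. Settings come from /etc/sshutter.conf or
# the environment (WHITELIST, PORT, TARGET).
#
# Shell options live here, not on the shebang line, so they also apply when
# the script is started as `bash sshutter.sh`. `-u` is deliberately not set:
# the settings are optional environment variables that the script checks
# explicitly and reports with its own error message.
set -eo pipefail

# Print the arguments as a single line prefixed with a timestamp.
# Arguments: message words (joined by single spaces)
# Outputs:   "YYYY-mm-dd HH:MM:SS <message>" on stdout
log() {
	# printf with "$*" instead of echo "$@": the words are meant to be one
	# message, and printf never reinterprets a leading "-n"/"-e".
	printf '%s %s\n' "$(date +'%Y-%m-%d %H:%M:%S')" "$*"
}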
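# Require root before anything else: nft needs it, and the config file
# below is sourced (i.e. executed) with this script's privileges.
if (( EUID != 0 )); then
	echo "Error: must be root." 1>&2
	exit 1
fi

# Include config file if present. Sourcing runs its contents as root, so
# refuse a file that anyone other than root could have edited.
conf=/etc/sshutter.conf
if [[ -f "$conf" ]]; then
	# -O: owned by the effective user (root here). find -L: follow a symlinked
	# config and report it if group or others have write permission.
	if [[ ! -O "$conf" ]] || [[ -n "$(find -L "$conf" -perm /022)" ]]; then
		echo "Error: $conf must be owned by root and not be group/world writable." 1>&2
		exit 1
	fi
	# shellcheck source=/dev/null
	. "$conf"
fi

# Settings: WHITELIST, PORT and TARGET are required; INTERVAL (seconds
# between checks) is optional and defaults to the original fixed 60.
WHITELIST="${WHITELIST:-}"
PORT="${PORT:-}"
TARGET="${TARGET:-}"
INTERVAL="${INTERVAL:-60}"

if [[ -z "$WHITELIST" || -z "$PORT" || -z "$TARGET" ]]; then
	echo "Error: you need to specify WHITELIST, PORT and TARGET, either in /etc/sshutter.conf or through environment variables." 1>&2
	exit 1
fi

# PORT and WHITELIST are spliced into nft rules, so restrict them to the
# characters nft port/address expressions use (numbers, names, dots,
# prefixes, sets, ranges, @named sets). This rejects ';', '#', quotes and
# newlines, which would otherwise let a config value smuggle extra nft
# commands into the batch below.
port_re='^[A-Za-z0-9{} ,-]+$'
addr_re='^[A-Za-z0-9_@./,{} -]+$'
if [[ ! "$PORT" =~ $port_re ]]; then
	echo "Error: PORT '$PORT' is not a valid port expression." 1>&2
	exit 1
fi
if [[ ! "$WHITELIST" =~ $addr_re ]]; then
	echo "Error: WHITELIST '$WHITELIST' is not a valid address expression." 1>&2
	exit 1
fi
if [[ ! "$INTERVAL" =~ ^[0-9]+$ ]]; then
	echo "Error: INTERVAL must be a whole number of seconds." 1>&2
	exit 1
fi
# TARGET is passed to ping as a positional argument; a value starting with
# '-' would be parsed as a ping option instead of a host.
if [[ "$TARGET" == -* ]]; then
	echo "Error: TARGET '$TARGET' must be a host name or address." 1>&2
	exit 1
fi

# Install (or refresh) the shutter rules.
# Globals: PORT, WHITELIST (read)
# nft -f applies the whole batch as one transaction: flushing and re-adding
# the rules never leaves the port open in between, and repeating this every
# interval does not pile up duplicate rules (the original `nft add rule`
# loop appended two new rules per iteration). The table/chain declarations
# are no-ops when they already exist.
# Note: `ip saddr` only matches IPv4, while the drop rule has no family
# restriction, so in an `inet` table IPv6 connections to $PORT are always
# dropped while the shutter is applied.
apply_shutter() {
	nft -f - <<-EOF
		table inet filter {
			chain sshutterv4 {
				type filter hook input priority filter; policy accept;
			}
		}
		flush chain inet filter sshutterv4
		add rule inet filter sshutterv4 tcp dport $PORT ip saddr $WHITELIST accept
		add rule inet filter sshutterv4 tcp dport $PORT drop
	EOF
}

# Remove the shutter chain if it exists.
# `delete` fails on a missing chain, so check first; nft's `destroy` would
# do both in one step but needs a recent nftables (1.0.7+).
release_shutter() {
	if nft list chain inet filter sshutterv4 >/dev/null 2>&1; then
		nft delete chain inet filter sshutterv4
	fi
}

# Main loop: target answers ping -> shutter applied; target silent ->
# shutter released. Only state transitions are logged.
oldstate=""
while true; do
	# ping runs inside the condition on purpose: as a bare statement under
	# `set -e`, a failed ping terminated the script, so the "release"
	# branch below could never run.
	if ping -c 3 "$TARGET" >/dev/null; then
		if [[ "$oldstate" != "blocked" ]]; then
			log "[sshutter] Blocking port $PORT for IPs outside $WHITELIST"
			oldstate="blocked"
		fi
		apply_shutter
	else
		if [[ "$oldstate" != "released" ]]; then
			log "[sshutter] Releasing port block"
			oldstate="released"
		fi
		release_shutter
	fi

	sleep "$INTERVAL"
done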