#!/bin/sh
# Copyright (C) 2000-2004 Boris Wesslowski
# $Id: fwlw_respond,v 1.5 2004/03/21 09:43:03 bw Exp $
# fwlogwatch realtime response script

# Set the $MODE variable to activate realtime modification of
# ipchains or netfilter packet filters.

# You may want to add custom commands at the commented spots to modify
# tcp wrappers or ipfilter rules or even remote control access lists
# on cisco routers...

# $TARGET contains the name of the chain that will be used for rules
# generated by this script.

# See fwlw_notify for the contents of the variables passed by fwlogwatch

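#MODE=iptables
IPCHAINS=/sbin/ipchains
IPTABLES=/sbin/iptables
TARGET=fwlw
RETVAL=0

# Source address to act on, as handed over by fwlogwatch in $3.  It is quoted
# wherever it is used so it always reaches the packet filter as exactly one
# argument and can never be split into additional options.
src=$3

#######################################
# chain_exists TOOL [TOOL_ARGS...]
# Succeeds when the packet filter reached through TOOL (e.g. "$IPTABLES -t
# filter") already has a chain named $TARGET.  Diagnostics of the tool are
# discarded because a missing chain is an expected state here, not an error.
#######################################
chain_exists() {
  "$@" -n -L "$TARGET" 2>/dev/null | /bin/grep "Chain $TARGET " >/dev/null
}

#######################################
# run CMD...
# Executes CMD and remembers a non-zero status in RETVAL, so the exit code of
# this script tells the caller when a rule change did not take effect (for
# example when not running as root or when the filter rejects the address).
#######################################
run() {
  "$@" || RETVAL=1
}

case "$1" in
##############################################################################

start)
  # Create the response chain (or flush a chain left over from an earlier
  # run) and hook it into the built-in chains.
  case "$MODE" in
  ipchains)
    if chain_exists "$IPCHAINS"
    then
      run "$IPCHAINS" -F "$TARGET"
    else
      run "$IPCHAINS" -N "$TARGET"
      run "$IPCHAINS" -I input -j "$TARGET"
    fi
  ;;
  iptables)
    if chain_exists "$IPTABLES" -t filter
    then
      run "$IPTABLES" -F "$TARGET"
    else
      run "$IPTABLES" -N "$TARGET"
      run "$IPTABLES" -I INPUT -j "$TARGET"
      run "$IPTABLES" -I FORWARD -j "$TARGET"
    fi
  ;;
  # Insert setup for custom response here
  *)
    RETVAL=1
  ;;
  esac
;;

##############################################################################

add)
  # Block the source address.  The chain is created on the fly if "start"
  # was never run.  Duplicates are not checked for, so every add should be
  # paired with a matching remove.
  if [ -z "$src" ]
  then
    echo "$0: add requires a source address" >&2
    exit 1
  fi

  case "$MODE" in
  ipchains)
    if chain_exists "$IPCHAINS"
    then
      run "$IPCHAINS" -A "$TARGET" -s "$src" -j DENY
    else
      run "$IPCHAINS" -N "$TARGET"
      run "$IPCHAINS" -I input -j "$TARGET"
      run "$IPCHAINS" -A "$TARGET" -s "$src" -j DENY
    fi
  ;;
  iptables)
    if chain_exists "$IPTABLES" -t filter
    then
      run "$IPTABLES" -A "$TARGET" -s "$src" -j DROP
    else
      run "$IPTABLES" -N "$TARGET"
      run "$IPTABLES" -I INPUT -j "$TARGET"
      run "$IPTABLES" -I FORWARD -j "$TARGET"
      run "$IPTABLES" -A "$TARGET" -s "$src" -j DROP
    fi
  ;;
  # Insert custom response action here
  *)
    RETVAL=1
  ;;
  esac
;;

##############################################################################

remove)
  # Unblock the source address.  A missing chain or a missing rule is
  # reported through the exit status instead of being silently ignored.
  if [ -z "$src" ]
  then
    echo "$0: remove requires a source address" >&2
    exit 1
  fi

  case "$MODE" in
  ipchains)
    if chain_exists "$IPCHAINS"
    then
      run "$IPCHAINS" -D "$TARGET" -s "$src" -j DENY
    else
      RETVAL=1
    fi
  ;;
  iptables)
    if chain_exists "$IPTABLES" -t filter
    then
      run "$IPTABLES" -D "$TARGET" -s "$src" -j DROP
    else
      RETVAL=1
    fi
  ;;
  # Insert custom response action stop here
  *)
    RETVAL=1
  ;;
  esac
;;

##############################################################################

stop)
  # Flush the response chain, unhook it from the built-in chains and delete
  # it.  Nothing to do when the chain does not exist.
  case "$MODE" in
  ipchains)
    if chain_exists "$IPCHAINS"
    then
      run "$IPCHAINS" -F "$TARGET"
      run "$IPCHAINS" -D input -j "$TARGET"
      run "$IPCHAINS" -X "$TARGET"
    fi
  ;;
  iptables)
    if chain_exists "$IPTABLES" -t filter
    then
      run "$IPTABLES" -F "$TARGET"
      run "$IPTABLES" -D INPUT -j "$TARGET"
      run "$IPTABLES" -D FORWARD -j "$TARGET"
      run "$IPTABLES" -X "$TARGET"
    fi
  ;;
  # Insert cleanup for custom response here
  *)
    RETVAL=1
  ;;
  esac
;;

##############################################################################

*)
  # Unknown command: usage goes to stderr and the status is non-zero so a
  # mistyped invocation is not mistaken for a successful response.
  echo "Usage: $0 {start|add|remove|stop} [count src_ip dst_ip protocol src_port dst_port]" >&2
  RETVAL=1
;;

##############################################################################
esac
exit $RETVAL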
# EOF
