-
Notifications
You must be signed in to change notification settings - Fork 0
/
update_agave_connectors.sh
executable file
·128 lines (106 loc) · 4.76 KB
/
update_agave_connectors.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
#!/bin/bash
# Update the agave firewall rules based on their feed
# RSS feed where the current list of agave hosts lives.
AGAVE_SERVER_FEED='http://agaveapi.co/server-feed/'
# Location of the cache directory for the agave ip addresses
AGAVE_IP_CACHE_DIR=agave
# Set to 1 to force the script to run
FORCE_UPDATE=${FORCE_UPDATE:-0}
# Set to 1 to enabled debug output
FORCE_DEBUG=${FORCE_DEBUG:-0}
# Set to 1 to print actual iptable rules
FORCE_TRACE=${FORCE_TRACE:-0}
# Set to 1 to print the list of ip addresses and exit
FETCH_ONLY=${FETCH_ONLY:-0}
# Set to 1 to make a dry run, skipping commands
DRY_RUN=${DRY_RUN:-0}
######################################################
# DO NOT EDIT BELOW THIS LINE
######################################################
# protocols passed in as arguments to the script
PROTOCOL_PORTS=$@
# ensure at least one script is entered
if [[ -z "$PROTOCOL_PORTS" ]]; then
echo "ERROR: Please specify one or more ports to allow access from Agave servers" 1>&2
exit 1;
else
PROTOCOL_PORTS=("$@")
fi
echo "Running script to allow Agave servers access to this host on port ${PROTOCOL_PORTS}"
if [[ ! -e "$AGAVE_IP_CACHE_DIR" ]]; then
mkdir -p $AGAVE_IP_CACHE_DIR
fi
(($FORCE_DEBUG)) && echo "Saving agave server ip cache to $AGAVE_IP_CACHE_DIR/agave_ips"
# get agave ips from their rss feed
(($FORCE_DEBUG)) && echo "Fetching server list from $AGAVE_SERVER_FEED"
wget $AGAVE_SERVER_FEED -O $AGAVE_IP_CACHE_DIR/agave_connector_servers.xml -o /dev/null
if [[ -n "$FETCH_ONLY" ]]; then
cat $AGAVE_IP_CACHE_DIR/agave_connector_servers.xml | grep '<title>' | sed -e 's/<title>//g' | sed -e 's/<\/title>//g' | sed -e 's/ //g' | grep -v "Listing"
exit 0
else
# rotate agave ip list (keep 8 days)
#
LIST=$(ls -r $AGAVE_IP_CACHE_DIR/agave_ips*);
for i in $LIST; do
# get index of file
INDEX=$(ls $i | cut -d"." -f 2)
# if there's no index, rename to agave_ips.0
if [ $INDEX = "$AGAVE_IP_CACHE_DIR/agave_ips" ]; then
NEW=$INDEX.0
mv $i $NEW
# remove files with index > 6 (keep 8 files)
elif [ $INDEX -gt 6 ]; then
rm $i
# increment index for all other files
else
BASE=$(ls $i | cut -d"." -f 1)
NEW=$BASE.$(($INDEX+1))
mv $i $NEW
fi
done
cat $AGAVE_IP_CACHE_DIR/agave_connector_servers.xml | grep '<title>' | sed -e 's/<title>//g' | sed -e 's/<\/title>//g' | sed -e 's/ //g' | grep -v "Listing" > $AGAVE_IP_CACHE_DIR/agave_ips
fi
# if old lists do not exist, just allow all ips in the feed on each of the supplied $PROTOCOL_PORTS
if [ ! -f $AGAVE_IP_CACHE_DIR/agave_ips.0 ]; then
# iterate over all ip addresses
for j in `cat $AGAVE_IP_CACHE_DIR/agave_ips`; do
# add a rule for each protocol port given as an argument to this script
(($FORCE_DEBUG)) && echo "Allowing access to $j on ${PROTOCOL_PORTS[@]}"
for p in "${PROTOCOL_PORTS[@]}"; do
(($FORCE_TRACE)) && echo "iptables -A INPUT -p tcp -s $j -m tcp --dport $p -j ACCEPT"
!((DRY_RUN)) && iptables -A INPUT -p tcp -s $j -m tcp --dport $p -j ACCEPT
done
done
else
# if there any differences between previous and current list, synch up the ip list
if [[ -n "$FORCE_UPDATE" ]] || [[ -n $(diff -q $AGAVE_IP_CACHE_DIR/agave_ips $AGAVE_IP_CACHE_DIR/agave_ips.0) ]]; then
# get a list of just the removed ip addresses
REMOVED_IP=$(diff --changed-group-format='%>' --unchanged-group-format='' $AGAVE_IP_CACHE_DIR/agave_ips $AGAVE_IP_CACHE_DIR/agave_ips.0)
if [[ -n "$REMOVED_IP" ]] || (("$FORCE_UPDATE")); then
for i in `echo $REMOVED_IP`; do
# add a rule for each port given as an argument to this script
(($FORCE_DEBUG)) && echo "Revoking access to $i on ${PROTOCOL_PORTS[@]}"
for p in "${PROTOCOL_PORTS[@]}"; do
(($FORCE_TRACE)) && echo "iptables -A INPUT -p tcp -s $i -m tcp --dport $p -j DROP"
!((DRY_RUN)) && iptables -A INPUT -p tcp -s $i -m tcp --dport $p -j DROP
done
done
fi
# get a list of just the added ip addresses
ADDED_IP=$(diff --changed-group-format='%>' --unchanged-group-format='' $AGAVE_IP_CACHE_DIR/agave_ips.0 $AGAVE_IP_CACHE_DIR/agave_ips)
if [[ -n "$ADDED_IP" ]] || (("$FORCE_UPDATE")); then
# add a rule for each ip address added
for j in `cat $AGAVE_IP_CACHE_DIR/agave_ips`; do
# add a rule for each port given as an argument to this script
(($FORCE_DEBUG)) && echo "Allowing access to $j on ${PROTOCOL_PORTS[@]}"
for p in "${PROTOCOL_PORTS[@]}"; do
(($FORCE_TRACE)) && echo "iptables -A INPUT -p tcp -s $j -m tcp --dport $p -j ACCEPT"
!((DRY_RUN)) && iptables -A INPUT -p tcp -s $j -m tcp --dport $p -j ACCEPT
done
done
(($FORCE_DEBUG)) && echo "Allowing outbound traffics to established connectionsfrom Agave hosts"
(($FORCE_TRACE)) && echo "iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
!((DRY_RUN)) && iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
fi
fi