LinuxQuestions.org > Programming
Bash Firewall rule change/verify (http://www.linuxquestions.org/questions/programming-9/bash-firewall-rule-change-verify-695785/)

naghi32 01-08-2009 03:02 AM

Bash Firewall rule change/verify
 
Hi
I've got a bash script that runs on command from a PHP page (login/user/IP match/MAC match...)

The script basically gets a list of IP addresses from MySQL and checks/applies the rules if they're not there (iptables rules).
Here goes the script (for less web text I'll simplify by removing duplicates):

#!/bin/bash
# $mysql_user, $mysql_pass and $maindb, and the unredirect/unlock functions,
# are defined in the parts of the full script left out of this post.
block_file="/tmp/iptables_block"
table_block="BLOCK"
# IPs with Status='B'; -B gives tab-separated output, grep -v drops the header row.
# Note: a password given with -p on the command line is visible to other users via ps.
bloc_list=$(mysql -u"$mysql_user" -p"$mysql_pass" "$maindb" -B -e "SELECT IP FROM clienti WHERE Status='B'" | grep -w "IP" -v)
# Dump the BLOCK chain with line numbers; column 9 of a rule line is the source address
function generate_iptables {
  /usr/sbin/iptables -L "$table_block" -v -n --line-numbers > "$block_file"
}
# Prints yes if $1 appears as a source address in the cached chain dump.
# -F treats the dots as literal characters, head -n 1 keeps the comparison to one line.
function is_blocked {
  result=$(grep -F -w "$1" "$block_file" | awk '{print $9}' | head -n 1)
  if [ "$result" = "$1" ]; then echo yes; else echo no; fi
}
function block {
  if ! [ "$(is_blocked "$1")" = "yes" ]; then
    /usr/sbin/iptables -A "$table_block" -s "$1" -j DROP
  fi
}
function unblock {
  if [ "$(is_blocked "$1")" = "yes" ]; then
    # re-read the chain first so the line number is current
    generate_iptables
    /usr/sbin/iptables -D "$table_block" "$(grep -F -w "$1" "$block_file" | awk '{print $1}' | head -n 1)"
  fi
}
generate_iptables   # the cached dump must exist before is_blocked reads it
for ip in $bloc_list
do
  unredirect "$ip"
  unlock "$ip"
  # unfree "$ip"
  block "$ip"
  echo "BLOCKED $ip"
done

The script works really well, but on a quad core 3.2 GHz machine it takes around 5 minutes to check and apply all rules (note that there are duplicates for more things (FREE, LOCK, REDIRECT) and more tables).

My question is: how can I make it faster, OR can I make a C++ app that can basically do the same thing but FASTER?

I've already made a C++ app that gets a set of lines from MySQL (upload speed, download speed rules) and applies tc rules accordingly (got a boost in speed from 2 minutes 30 s to 0.3 seconds (WOW)).

Thanks, I'm waiting for a reply.

naghi32 01-08-2009 04:16 AM

Also note that the part that is really slowing it down is getting MACs from MySQL (for each IP address) and also checking firewall rules (applying doesn't take that long because most of the rules are already there, and that's why I check, so I don't re-add them again :) )

Or a better question/direction is:
How can I add/check/delete rules from iptables tables? (in C++/C)
If anyone can help :)
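Most of the time in the posted script goes into running grep and awk over the chain dump once per address, and into deleting by line numbers that shift after each deletion. The script below is an added example, not naghi32's code: plan_changes and render_commands are names chosen here, and the chain dump and IP list are constructed samples standing in for the output of `iptables -L BLOCK -v -n --line-numbers` and of the MySQL query.

```shell
#!/bin/sh
table_block="BLOCK"
# Constructed sample of `iptables -L BLOCK -v -n --line-numbers` output.
sample_chain='Chain BLOCK (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       10.0.0.5             0.0.0.0/0
2        0     0 DROP       all  --  *      *       10.0.0.12            0.0.0.0/0
3        0     0 DROP       all  --  *      *       192.168.1.7          0.0.0.0/0'
# Constructed sample of the MySQL result (one IP per line, header row already removed).
sample_wanted='10.0.0.5
10.0.0.12
172.16.0.9'

# plan_changes CHAIN_DUMP WANTED_LIST: prints "add IP" for wanted addresses that are
# missing from the chain and "del IP" for blocked addresses that are no longer wanted.
# The dump is parsed once into an awk array instead of being grepped once per address;
# rule lines start with a number, column 4 is the target and column 9 the source.
plan_changes() {
  printf '%s\n' "$2" | awk -v chain_dump="$1" '
    BEGIN {
      n = split(chain_dump, lines, "\n")
      for (i = 1; i <= n; i++) {
        split(lines[i], f, /[ \t]+/)
        if (f[1] ~ /^[0-9]+$/ && f[4] == "DROP") current[f[9]] = 1
      }
    }
    /^[0-9.]+$/ {
      wanted[$1] = 1
      if (!($1 in current)) print "add " $1
    }
    END {
      for (ip in current) if (!(ip in wanted)) print "del " ip
    }'
}

# render_commands: turn a plan into iptables commands. Deleting by rule specification
# instead of by line number avoids the numbers shifting after every deletion, so the
# chain never has to be re-dumped in the middle of a run.
render_commands() {
  while read -r action ip; do
    case "$action" in
      add) printf '/usr/sbin/iptables -A %s -s %s -j DROP\n' "$table_block" "$ip" ;;
      del) printf '/usr/sbin/iptables -D %s -s %s -j DROP\n' "$table_block" "$ip" ;;
    esac
  done
}

plan_changes "$sample_chain" "$sample_wanted" | render_commands
```

In the real script the two samples are replaced by the MySQL output and one iptables dump per run, and the rendered commands are piped to sh, so the chain is read once rather than once per address.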