/usr/share/arno-iptables-firewall/plugins/dyndns-host-open-helper is in arno-iptables-firewall 2.0.1.c-1.

This file is owned by root:root, with mode 0o755.

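#!/bin/bash

# The plugin configuration file
###############################
PLUGIN_CONF_FILE="dyndns-host-open.conf"

# Location of the main configuration file for the firewall
##########################################################
CONFIG_FILE=/etc/arno-iptables-firewall/firewall.conf

# Check if the main config file exists and if so load it.
# The path is quoted so that a CONFIG_FILE containing whitespace or glob
# characters cannot be word-split into several arguments of ".".
########################################################
if [ -e "$CONFIG_FILE" ]; then
  . "$CONFIG_FILE"
else
  echo "** ERROR: Could not read configuration file $CONFIG_FILE!" >&2
  echo "**        Please, check the file's location and (root) rights." >&2
  exit 2
fi

# Check if the environment file exists and if so, load it.
# ENV_FILE (set in firewall.conf) wins; otherwise try the local-install
# location and then the distribution location.
#########################################################
if [ -n "$ENV_FILE" ]; then
  . "$ENV_FILE"
elif [ -f /usr/local/share/arno-iptables-firewall/environment ]; then
  . /usr/local/share/arno-iptables-firewall/environment
elif [ -f /usr/share/arno-iptables-firewall/environment ]; then
  . /usr/share/arno-iptables-firewall/environment
else
  echo "** ERROR: The environment file (ENV_FILE) has not been specified" >&2
  echo "**        in the configuration file. Try upgrading your config-file!" >&2
  exit 2
fi

# Define some global variables

# Host->IP cache ("host ip" per line) that dyndns_setup_cache rebuilds and
# dyndns_host_open reads when generating ACCEPT rules.
# NOTE(review): /var/tmp is normally world-writable and this helper runs as
# root, so the file can be pre-created/symlinked by any local user. The
# functions below defend against that (O_EXCL creation, value validation), but
# a root-owned directory such as /var/lib/arno-iptables-firewall would be the
# safer home. The path is left unchanged here because that directory is not
# guaranteed to exist on every install.
DYNDNS_HOST_CACHE="/var/tmp/aif_dyndns_host_cache"

# Set to 1 by dyndns_host_to_cache once the DNS server failed in this run,
# so later lookups in the same run are skipped
DNS_SERVER_FAILURE=0

# Prefix for progress output lines
INDENT='   '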

# Verify that the plugin is configured, that the firewall created and hooked
# up DYNDNS_CHAIN, and that a resolver tool is available.
# Globals: DYNDNS_HOST_OPEN_CRON, DYNDNS_HOST_OPEN_TCP/UDP/IP/ICMP (read)
# Returns: 0 when the environment is usable, 1 otherwise (with a message
#          on stderr)
sanity_check()
{
  # The cron setting is mandatory for this plugin
  if [[ -z "$DYNDNS_HOST_OPEN_CRON" ]]; then
    echo "** ERROR: The plugin config file is not properly setup!" >&2
    return 1
  fi

  # At least one of the rule lists has to be filled in
  if [[ -z "$DYNDNS_HOST_OPEN_TCP" && -z "$DYNDNS_HOST_OPEN_UDP" \
     && -z "$DYNDNS_HOST_OPEN_IP" && -z "$DYNDNS_HOST_OPEN_ICMP" ]]; then
    echo "** ERROR: The plugin config file is not (properly) setup!" >&2
    return 1
  fi

  # The chain we fill must have been created by the firewall itself
  ip4tables -nL DYNDNS_CHAIN >/dev/null 2>&1 || {
    echo "** ERROR: DYNDNS_CHAIN does not exist! **" >&2
    return 1
  }

  # ...and it must be referenced from the external input chain, otherwise
  # the rules we add are never consulted
  ip4tables -nL EXT_INPUT_CHAIN | grep -q '^DYNDNS_CHAIN ' || {
    echo "** ERROR: DYNDNS_CHAIN is not inserted in the EXT_INPUT_CHAIN chain! **" >&2
    return 1
  }

  # A resolver is needed to turn hostnames into addresses
  check_command dig nslookup || {
    echo "** ERROR: Required command dig (or nslookup) is not available!" >&2
    return 1
  }

  return 0
}


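# Look a host up in the *active* cache (DYNDNS_HOST_CACHE, "host ip" lines).
# Arguments: $1 - hostname or numeric IP
# Outputs:   the IP on stdout when known
# Returns:   0 when an IP was printed, 1 otherwise
#
# The cache sits in a world-writable directory (/var/tmp) and whatever it
# returns becomes the -s argument of an ACCEPT rule, so a cached value is
# only handed back when it still looks like a numeric IP. The host column is
# compared as a literal string, not a regex, so the "." in a hostname cannot
# match a different character in another entry.
dyndns_get_cached_host()
{
  local host="$1"
  local host_ip=""

  # Numeric addresses are never cached: hand them back unchanged
  if is_numeric_ip "$host"; then
    echo "$host"
    return 0
  fi

  if [ -f "$DYNDNS_HOST_CACHE" ]; then
    # First exact match on the host column; an empty second column means the
    # host was unresolvable when the cache was written
    host_ip=$(awk -v h="$host" '$1 == h { print $2; exit }' "$DYNDNS_HOST_CACHE")
    if [ -n "$host_ip" ]; then
      # Refuse anything that is not an address (corrupt or tampered cache)
      if is_numeric_ip "$host_ip"; then
        echo "$host_ip"
        return 0
      fi
      echo "** WARNING: Ignoring invalid cached IP \"$host_ip\" for host \"$host\"! **" >&2
    fi
  fi

  # Not cached, or the cache is unusable
  return 1
}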


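# Resolve one host and record the result in the *new* cache
# (DYNDNS_HOST_CACHE.new), which dyndns_setup_cache later makes active.
# Arguments: $1 - hostname or numeric IP (numeric IPs are not cached)
# Globals:   DNS_SERVER_FAILURE (read/written); DYNDNS_SESSION_FAILED_DNS_SKIP,
#            DYNDNS_OLD_CACHE_FALLBACK, INDENT, DYNDNS_HOST_CACHE (read)
# Outputs:   progress text and the resolved IP on stdout, diagnostics on stderr
#
# An unresolvable host is still written, with an empty IP, so that
# dyndns_host_open skips it (fails closed) instead of opening a rule for it.
dyndns_host_to_cache()
{
  local host="$1"
  local host_ip=""
  local retval=0
  local new_cache="$DYNDNS_HOST_CACHE".new

  # Numeric addresses need no lookup and are not cached
  if is_numeric_ip "$host"; then
    return 0
  fi

  # Already handled earlier in this run (literal match on the host column)
  if awk -v h="$host" '$1 == h { found = 1; exit } END { exit !found }' "$new_cache"; then
    return 0
  fi

  # Fixed format string; the host name is passed as data
  printf '%sResolving host "%s" -> ' "$INDENT" "$host"

  if [ "$DNS_SERVER_FAILURE" = "1" ]; then
    echo "** WARNING: Not quering DNS server since it is considered dead for this session! **" >&2
    host_ip=""
    retval=9
  else
    host_ip=$(gethostbyname "$host")
    retval=$?

    # Exit code 9 from gethostbyname means the DNS server itself failed
    if [ "$retval" = "9" ]; then
      if [ "$DYNDNS_SESSION_FAILED_DNS_SKIP" = "1" ]; then
        # Remember the failure so the remaining hosts of this run skip the lookup
        DNS_SERVER_FAILURE=1
        echo "** ERROR(9): DNS server connection failed! Assuming server dead for this session. **" >&2
      else
        echo "** ERROR(9): DNS server connection failed! **" >&2
      fi
    fi
  fi

  if [ -z "$host_ip" ]; then
    # Fall back to the previous cache, if the config allows it
    if [ "$DYNDNS_OLD_CACHE_FALLBACK" = "1" ]; then
      host_ip=$(dyndns_get_cached_host "$host")
    fi

    if [ -z "$host_ip" ]; then
      printf "\033[40m\033[1;31mFAILED!\033[0m\n"
      echo "** ERROR($retval): Unresolvable host \"$host\", and no old IP to fallback on! **" >&2
    else
      echo "** WARNING($retval): Unresolvable host \"$host\". Re-using old IP ($host_ip)! **" >&2
    fi
  fi

  echo "$host_ip"
  # Record the result (empty IP when unresolvable, see above)
  echo "$host $host_ip" >>"$new_cache"
}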


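# Build a fresh host->IP cache from all configured rule lists and make it the
# active cache: entries are written to DYNDNS_HOST_CACHE.new and that file is
# then renamed over DYNDNS_HOST_CACHE.
# Globals: DYNDNS_HOST_OPEN_TCP/UDP/IP/ICMP, DYNDNS_HOST_CACHE (read)
# Returns: 0 on success, 1 when the cache files could not be (re)created
#
# The cache path is in /var/tmp (normally world-writable) and this runs as
# root, so the temporary file is created with O_EXCL (noclobber) after any
# leftover is removed: a plain ">" would follow a symlink planted at that
# path and truncate whatever it points to.
dyndns_setup_cache()
{
  local new_cache="$DYNDNS_HOST_CACHE".new
  local rule hosts

  # Create new empty file, refusing to write through a pre-existing path
  rm -f "$new_cache"
  if ! ( set -o noclobber; : >"$new_cache" ) 2>/dev/null; then
    echo "** ERROR: Could not create cache file \"$new_cache\"! **" >&2
    return 1
  fi

  # Rule lists are whitespace separated; the hosts inside one rule are
  # comma separated (handled by _dyndns_cache_host_list)
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_TCP; do
    hosts=$(get_hosts_ihp "$rule")
    _dyndns_cache_host_list "$hosts"
  done

  unset IFS
  for rule in $DYNDNS_HOST_OPEN_UDP; do
    hosts=$(get_hosts_ihp "$rule")
    _dyndns_cache_host_list "$hosts"
  done

  unset IFS
  for rule in $DYNDNS_HOST_OPEN_IP; do
    hosts=$(get_hosts_ihp "$rule")
    _dyndns_cache_host_list "$hosts"
  done

  # NOTE(review): unlike the lists above, the ICMP list is also split on ','
  # here, while dyndns_host_open parses it with the default IFS. Kept as-is
  # since the intended DYNDNS_HOST_OPEN_ICMP format is not visible from this
  # file - confirm against parse_rule/get_hosts_ih.
  IFS=' ,'
  for rule in $DYNDNS_HOST_OPEN_ICMP; do
    hosts=$(get_hosts_ih "$rule")
    _dyndns_cache_host_list "$hosts"
  done

  # Remove the old cache and make the new one active. rename() replaces the
  # path itself, so a symlink planted there is replaced, not followed.
  rm -f "$DYNDNS_HOST_CACHE"
  if ! mv "$new_cache" "$DYNDNS_HOST_CACHE"; then
    echo "** ERROR: Could not activate cache file \"$DYNDNS_HOST_CACHE\"! **" >&2
    return 1
  fi

  return 0
}


# Cache every host of one comma separated list (helper for dyndns_setup_cache).
# Arguments: $1 - comma separated hosts as returned by get_hosts_ihp/get_hosts_ih
_dyndns_cache_host_list()
{
  local host
  local IFS=','

  for host in $1; do
    dyndns_host_to_cache "$host"
  done
}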


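# Flush DYNDNS_CHAIN and repopulate it with one ACCEPT rule per
# (interface, destination, host, port/protocol) combination from the
# DYNDNS_HOST_OPEN_* lists, using the IPs from the active cache.
# Globals: DYNDNS_HOST_OPEN_TCP/UDP/IP/ICMP, INDENT (read)
# Hosts without a (valid) cached IP are skipped, so a failed lookup never
# opens anything. Rules are added through "iptables", as in the original
# (sanity_check uses ip4tables - presumably the sourced environment defines
# both; confirm which one is intended here).
dyndns_host_open()
{
  local rule

  # Flush the DYNDNS_CHAIN
  iptables -F DYNDNS_CHAIN

  # Add TCP ports to allow for certain hosts
  ##########################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_TCP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_TCP "interfaces-destips-hosts-ports"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for TCP port(s): $ports"
      _dyndns_add_rules tcp "$interfaces" "$destips" "$hosts" "$ports"
    fi
  done

  # Add UDP ports to allow for certain hosts
  ##########################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_UDP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_UDP "interfaces-destips-hosts-ports"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for UDP port(s): $ports"
      _dyndns_add_rules udp "$interfaces" "$destips" "$hosts" "$ports"
    fi
  done

  # Add IP protocols to allow for certain hosts
  #############################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_IP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_IP "interfaces-destips-hosts-protos"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for IP protocol(s): $protos"
      _dyndns_add_rules ip "$interfaces" "$destips" "$hosts" "$protos"
    fi
  done

  # Add ICMP to allow for certain hosts
  #####################################
  unset IFS
  for rule in $DYNDNS_HOST_OPEN_ICMP; do
    if parse_rule "$rule" DYNDNS_HOST_OPEN_ICMP "interfaces-destips-hosts"; then
      echo "${INDENT}$(show_if_ip "$interfaces" "$destips")Allowing $hosts for ICMP-requests(ping)"
      _dyndns_add_rules icmp "$interfaces" "$destips" "$hosts" ""
    fi
  done
}


# Append ACCEPT rules to DYNDNS_CHAIN for one parsed rule (helper for
# dyndns_host_open).
# Arguments: $1 - kind: tcp | udp | ip | icmp
#            $2 - comma separated interfaces
#            $3 - comma separated destination IPs
#            $4 - comma separated hosts (looked up in the cache)
#            $5 - comma separated ports (tcp/udp) or protocols (ip);
#                 ignored for icmp
# IFS is deliberately left at ',' on return: that is the shell state the
# original inline loops left behind between rules, and the callers reset it
# with "unset IFS" before splitting the next list.
_dyndns_add_rules()
{
  local kind="$1" interfaces="$2" destips="$3" hosts="$4" values="$5"
  local interface destip host host_ip value

  IFS=','
  for interface in $interfaces; do
    for destip in $destips; do
      for host in $hosts; do
        # One lookup per host; a host without a cached IP opens nothing
        host_ip=$(dyndns_get_cached_host "$host")
        [ -n "$host_ip" ] || continue

        case "$kind" in
          tcp|udp)
            for value in $values; do
              iptables -A DYNDNS_CHAIN -i "$interface" -s "$host_ip" -d "$destip" -p "$kind" --dport "$value" -j ACCEPT
            done
            ;;
          ip)
            for value in $values; do
              iptables -A DYNDNS_CHAIN -i "$interface" -s "$host_ip" -d "$destip" -p "$value" -j ACCEPT
            done
            ;;
          icmp)
            iptables -A DYNDNS_CHAIN -i "$interface" -s "$host_ip" -d "$destip" -p icmp --icmp-type echo-request -j ACCEPT
            ;;
        esac
      done
    done
  done
}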


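############
# Mainline #
############

# Check where to find the config file
CONF_FILE=""
if [ -n "$PLUGIN_CONF_PATH" ]; then
  CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE"
fi

# Check if the config file exists
if [ ! -e "$CONF_FILE" ]; then
  echo "** ERROR: Config file \"$CONF_FILE\" not found! **" >&2
  exit 1
else
  # Source the plugin config file
  . "$CONF_FILE"

  if [ "$ENABLED" = "1" ]; then
    # Only proceed if environment ok
    if sanity_check; then
      # This is a critical section so we use a lockfile. With noclobber the
      # redirection is O_EXCL, so an existing file or symlink at that path
      # makes the acquisition fail instead of being followed or overwritten.
      # NOTE(review): /var/tmp is normally world-writable, so any local user
      # can keep this helper from running by creating the lockfile, and a
      # lock left behind by SIGKILL (which skips the trap) stays until removed
      # by hand. A root-owned directory such as /run would avoid both.
      lockfile="/var/tmp/aif_dyndns_helper.lock"
      if ( set -o noclobber; echo "$$" > "$lockfile") 2> /dev/null; then
        # Remove the lock on any exit. INT/TERM exit non-zero; the original
        # 'exit $?' re-exited with rm's status and therefore always gave 0.
        trap 'rm -f "$lockfile"' EXIT
        trap 'rm -f "$lockfile"; exit 1' INT TERM

        # Setup our name cache
        dyndns_setup_cache

        # Create actual rules
        dyndns_host_open

        # Remove lockfile
        rm -f "$lockfile"

        # Disable int handler
        trap - INT TERM EXIT

        exit 0
      else
        echo "Failed to acquire lockfile: $lockfile." >&2
        # The lock lives in a shared directory: only echo its contents when
        # they are what this script writes (a PID), not arbitrary text.
        holder=$(cat "$lockfile" 2>/dev/null)
        case "$holder" in
          ''|*[!0-9]*) echo "Held by: (lockfile unreadable or does not contain a PID)" >&2 ;;
          *)           echo "Held by $holder" >&2 ;;
        esac
      fi
    fi
  fi
fi

exit 1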