hyperledger · mgmgwi · Jun 24, 2024 · Jun 21, 2024 · Jun 21, 2024 · Jun 21, 2024
diff --git a/run/add_ddos_protection_iptables_rule.sh b/run/add_ddos_protection_iptables_rule.sh
@@ -97,15 +97,15 @@ CONN_LOGGING_LEVEL=${6}
 source ./ip_tables_utils.sh
 
 add() {
-    if [ -z ${DELETE} ]; then
+    if [ -z "${DELETE}" ]; then
         return 0
     else
         return 1
     fi
 }
 
 delete() {
-    if [ -n ${DELETE} ]; then
+    if [ -n "${DELETE}" ]; then
         return 0
     else
         return 1
@@ -142,7 +142,7 @@ if [ $# -lt 2 ]; then
     usage
 fi
 
-if [ -n ${TEST_MODE} ]; then
+if [ -n "${TEST_MODE}" ]; then
     print_settings
     exit 0
 fi
@@ -163,35 +163,35 @@ else
 fi
 
 # Make sure the previous default logging rule is removed.  It causes too much CPU overhead under load.
-RULE="${LOG_CHAIN} -j LOG --log-level warning --log-prefix \"connlimit: \""
-delete_rule ${RULE}
+RULE=("${LOG_CHAIN}" -j LOG --log-level "${CONN_LOGGING_LEVEL}" --log-prefix "connlimit: ")
+delete_rule "${RULE[@]}"
 
 # Append a rule that sets log level and log prefix
 # Default to no logging unless a logging level is explicitly supplied.
-if [ -n ${CONN_LOGGING_LEVEL} ]; then
-    RULE="${LOG_CHAIN} -j LOG --log-level ${CONN_LOGGING_LEVEL} --log-prefix \"connlimit: \""
-    ${OPERATION} ${RULE}
+if [ -n "${CONN_LOGGING_LEVEL}" ]; then
+    RULE=("${LOG_CHAIN}" -j LOG --log-level "${CONN_LOGGING_LEVEL}" --log-prefix "connlimit: ")
+    ${OPERATION} "${RULE[@]}"
 fi
 
 # Append a rule that finally rejects connection
-RULE="${LOG_CHAIN} -p tcp -j REJECT --reject-with tcp-reset"
-make_last_rule ${RULE}
+RULE=("${LOG_CHAIN}" -p tcp -j REJECT --reject-with tcp-reset)
+make_last_rule "${RULE[@]}"
 
 # Append a rule to limit the total number of simultaneous client connections
-RULE="${IP_TABLES_CHAIN} -p tcp --syn --dport ${DPORT} -m connlimit --connlimit-above ${OVER_ALL_CONN_LIMIT} --connlimit-mask 0 -j ${LOG_CHAIN}"
-${OPERATION} ${RULE}
+RULE=("${IP_TABLES_CHAIN}" -p tcp --syn --dport "${DPORT}" -m connlimit --connlimit-above "${OVER_ALL_CONN_LIMIT}" --connlimit-mask 0 -j "${LOG_CHAIN}")
+${OPERATION} "${RULE[@]}"
 
 # Append a rule to limit the number connections per IP address
-RULE="${IP_TABLES_CHAIN} -p tcp -m tcp --dport ${DPORT} --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above ${CONN_LIMIT_PER_IP} --connlimit-mask 32 --connlimit-saddr -j ${LOG_CHAIN}"
-${OPERATION} ${RULE}
+RULE=("${IP_TABLES_CHAIN}" -p tcp -m tcp --dport "${DPORT}" --tcp-flags "FIN,SYN,RST,ACK" SYN -m connlimit --connlimit-above "${CONN_LIMIT_PER_IP}" --connlimit-mask 32 --connlimit-saddr -j "${LOG_CHAIN}")
+${OPERATION} "${RULE[@]}"
 
 # Append rules to rate limit connections
-if ((CONN_RATE_LIMIT_LIMIT} > 0)) && ((CONN_RATE_LIMIT_PERIOD > 0)); then
+if [ "${CONN_RATE_LIMIT_LIMIT}" -gt "0" ] && [ "${CONN_RATE_LIMIT_PERIOD}" -gt "0" ]; then
     echo "Including settings for rate limiting ..."
-    RULE="${IP_TABLES_CHAIN} -p tcp -m tcp --dport ${DPORT} -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource"
-    ${OPERATION} ${RULE}
-    RULE="${IP_TABLES_CHAIN} -p tcp -m tcp --dport ${DPORT} -m conntrack --ctstate NEW -m recent --update --seconds ${CONN_RATE_LIMIT_PERIOD} --hitcount ${CONN_RATE_LIMIT_LIMIT} --name DEFAULT --mask 255.255.255.255 --rsource -j ${LOG_CHAIN}"
-    ${OPERATION} ${RULE}
+    RULE=("${IP_TABLES_CHAIN}" -p tcp -m tcp --dport "${DPORT}" -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource)
+    ${OPERATION} "${RULE[@]}"
+    RULE=("${IP_TABLES_CHAIN}" -p tcp -m tcp --dport "${DPORT}" -m conntrack --ctstate NEW -m recent --update --seconds "${CONN_RATE_LIMIT_PERIOD}" --hitcount "${CONN_RATE_LIMIT_LIMIT}" --name DEFAULT --mask 255.255.255.255 --rsource -j "${LOG_CHAIN}")
+    ${OPERATION} "${RULE[@]}"
 else
     echo "Rate limiting is disabled, skipping settings for rate limiting ..."
 fi

diff --git a/run/ip_tables_utils.sh b/run/ip_tables_utils.sh
@@ -2,39 +2,39 @@
 
 # skip existing rules to avoid duplicates
 add_new_rule() {
-    RULE="$@"
+    RULE=("$@")
 
-    if rule_exists ${RULE}; then
-        echo "[skip] $RULE already exists"
-    elif [[ "$RULE" == *"DROP"* ]] || [[ "$RULE" == *"RETURN"* ]] || [[ "$RULE" == *"REJECT"* ]]; then
-        iptables -A $RULE
-        echo "[OK] $RULE added to the end of the chain"
+    if rule_exists "${RULE[@}]}"; then
+        echo "[skip] ${RULE[*]} already exists"
+    elif [[ "${RULE[*]}" =~ "DROP" ]] || [[ "${RULE[*]}" =~ "RETURN" ]] || [[ "${RULE[*]}" =~ "REJECT" ]]; then
+        iptables -A "${RULE[@]}"
+        echo "[OK] ${RULE[*]} added to the end of the chain"
     else
-        iptables -I $RULE
-        echo "[OK] $RULE added to the beginning of the chain"
+        iptables -I "${RULE[@]}"
+        echo "[OK] ${RULE[*]} added to the beginning of the chain"
     fi
 }
 
 make_last_rule() {
-    RULE="$@"
-    delete_rule ${RULE}
-    iptables -A $RULE
-    echo "[OK] $RULE added to the end of the chain"
+    RULE=("$@")
+    delete_rule "${RULE[@]}"
+    iptables -A "${RULE[@]}"
+    echo "[OK] ${RULE[*]} added to the end of the chain"
 }
 
 rule_exists() {
-    RULE="$@"
-    if iptables -C ${RULE} 2>/dev/null 1>&2; then
+    RULE=("$@")
+    if iptables -C "${RULE[@]}" 2>/dev/null 1>&2; then
         return 0
     fi
     return 1
 }
 
 delete_rule() {
-    RULE="$@"
-    while rule_exists ${RULE}; do
-        iptables -D $RULE
-        echo "[OK] $RULE deleted"
+    RULE=("$@")
+    while rule_exists "${RULE[@]}"; do
+        iptables -D "${RULE[@]}"
+        echo "[OK] ${RULE[*]} deleted"
     done
 }
 

diff --git a/run/set_iptables.sh b/run/set_iptables.sh
@@ -34,8 +34,8 @@ INTERFACE=$1
 echo "INTERFACE=${INTERFACE:=ens18}"
 
 # check if INTERFACE is set to an inet facing interface
-if ! ip a | grep inet | grep "$INTERFACE" >/dev/null; then
-    echo "[ERROR] interface '$INTERFACE' does not seem to be an internet facing interface"
+if ! ip a | grep inet | grep "${INTERFACE}" >/dev/null; then
+    echo "[ERROR] interface '${INTERFACE}' does not seem to be an internet facing interface"
     usage
     exit 1
 fi
@@ -61,17 +61,17 @@ echo
 echo "[...] Setting up iptables white list for ips that may access port ${INTERNAL_PORT} from file ${IP_FILE}"
 
 # 9701 whitelist approach: drop all others INCOMING (-i) connections
-add_new_rule $CHAIN -p tcp -i $INTERFACE --dport $INTERNAL_PORT -j DROP
+add_new_rule "${CHAIN}" -p tcp -i "${INTERFACE}" --dport "${INTERNAL_PORT}" -j DROP
 
 # 9701 create IP whitelist from file
 while read -r IP; do
     if [[ "$IP" != "#"* ]] && [[ "$IP" != "" ]]; then
-        add_new_rule $CHAIN -p tcp --dport $INTERNAL_PORT -s "$IP" -j ACCEPT
+        add_new_rule "${CHAIN}" -p tcp --dport "${INTERNAL_PORT}" -s "$IP" -j ACCEPT
     fi
 done <"$IP_FILE"
 
 # make sure, RETURN ist the last rule
-make_last_rule $CHAIN -j RETURN
+make_last_rule "${CHAIN}" -j RETURN
 
 echo "[OK] Connections to ${INTERNAL_PORT} only allowed from white listed ips."
 echo
@@ -80,7 +80,7 @@ echo "[...] Setting DOS protection on port ${CLI_PORT} via ${CLI_PORT_PROTECTION
 $CLI_PORT_PROTECTION_SCRIPT "${CLI_PORT}" "${OVER_ALL_CONN_LIMIT}" "${CONN_LIMIT_PER_IP}" "${CONN_RATE_LIMIT_LIMIT}" "${CONN_RATE_LIMIT_PERIOD}" debug
 
 # make sure, RETURN ist the last rule
-make_last_rule $CHAIN -j RETURN
+make_last_rule "${CHAIN}" -j RETURN
 
 echo "[OK] Rules for connections on port ${CLI_PORT} set."