X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=debian%2Fpostinst;h=246b85fee05767b7e5641d3a22e79fa5818e725e;hb=HEAD;hp=6a57a0dc285a57330e9e0c03619ba75486630451;hpb=a34e04407c58606899a68512cf7f259d91dd98c6;p=iptables-cn.git
diff --git a/debian/postinst b/debian/postinst
index 6a57a0d..246b85f 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -1,50 +1,24 @@ #!/bin/sh -# postinst script for bind9-cn -# -# see: dh_installdeb(1) set -e -# summary of how this script can be called: -# * `configure' -# * `abort-upgrade' -# * `abort-remove' `in-favour' -# -# * `abort-deconfigure' `in-favour' -# `removing' -# -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package -# - -case "$1" in - configure|reconfigure) - # continue below - ;; - - *) - exit 0 - ;; -esac - -# fix problem with permissions from the old package -if dpkg --compare-versions "$2" lt "2:1.2.11-4"; then - chown -f -Rh root:root /var/lib/iptables /etc/init.d/iptables \ - /etc/default/iptables >/dev/null 2>&1 || true -fi +[ "$1" = "configure" ] || exit 0 +[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx # remove old iptables init script update-rc.d -f iptables remove >/dev/null 2>&1 || true +update-rc.d -f iptables-cn remove >/dev/null 2>&1 || true -# check if old default file exists and import it +# check if old default file exists and delete it +if [ -e /etc/default/iptables-cn ]; then + rm -f /etc/default/iptables-cn +fi if [ -e /etc/default/iptables ]; then - mv /etc/default/iptables /etc/default/iptables-cn + rm -f /etc/default/iptables fi # check to see if fail2ban is installed -check=(fail2ban fail2ban-cn) -check=$(dpkg -s $check 2> /dev/null | egrep '^Package:|^Status:' | awk '{if ($1 ~ /^Package:/) { package=$2 } else if ($0 ~ /^Status: .* installed$/) { print package }}') -if [ "x$check" != "x" ]; then +if dpkg-query -f '${Status}' -W fail2ban | grep -q installed; then echo "CN: Detected Fail2Ban installation, will remove SSH bruteforce rules by default" iptables -D SSH_Brute_Force -m recent ! --rcheck --seconds 90 \ --hitcount 3 --name SSH --rsource \ 
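Review bot: The new fail2ban probe `grep -q installed` also matches the `not-installed` and `half-installed` status words that dpkg-query prints for a package that is known to dpkg but not actually installed, so the branch that removes the SSH bruteforce rules can run on a host where Fail2Ban is absent; match the whole status instead: `if dpkg-query -W -f '${Status}' fail2ban 2>/dev/null | grep -qx 'install ok installed'; then` (the `2>/dev/null` also hides dpkg-query's "no packages found" complaint when fail2ban was never installed). The removed check also looked at fail2ban-cn; if that package still exists it should be probed here as well. Separately, `rm -f /etc/default/iptables-cn` runs on every configure and discards the file the previous version deliberately moved there, administrator edits included, with no backup and no version guard; wrapping both removals in `if dpkg --compare-versions "$2" lt-nl <first-version-without-default-files>; then` and leaving a `.dpkg-bak` copy would limit the loss to the one upgrade that needs it. Confirm that `/etc/default/iptables` is not still a conffile of another package before this script deletes it.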
@@ -56,28 +30,23 @@ if [ "x$check" != "x" ]; then -j SSH_Brute_Force >/dev/null 2>&1 || true iptables -X SSH_Brute_Force >/dev/null 2>&1 || true - echo "CN: Saving current Netfilter rules to /var/lib/iptables/active" - iptables-save > /var/lib/iptables/active + echo "CN: Saving current Netfilter rules to /etc/iptables/rules.v4" + iptables-save > /etc/iptables/rules.v4 else # check if there is any default netfilter policy and install default SSH # REJECT recent if there is none.. # also, save current set of rules into active and inactive configuration - if [ ! -e /var/lib/iptables/active ]; then + if [ ! -e /etc/iptables/rules.v4 ]; then if ! iptables-save | grep '^-' >/dev/null; then echo "CN: Netfilter rules empty: importing SSH bruteforce rules" /usr/share/doc/iptables-cn/examples/ssh-bruteforce \ 1>/dev/null 2>&1 || true fi - echo "CN: Saving current Netfilter rules to /var/lib/iptables/active" - iptables-save > /var/lib/iptables/active + echo "CN: Saving current Netfilter rules to /etc/iptables/rules.v4" + iptables-save > /etc/iptables/rules.v4 fi fi -# create inactive -if [ ! -e /var/lib/iptables/inactive ]; then - touch /var/lib/iptables/inactive -fi - # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts.
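Review bot: `iptables-save > /etc/iptables/rules.v4` truncates the target before iptables-save runs, so if iptables-save fails (no netfilter support inside a container, for instance) `set -e` aborts the postinst and leaves an empty rules.v4 in place of whatever ruleset was saved there before; the same applies to the second occurrence in the else branch. The redirection also assumes `/etc/iptables` already exists, and under `set -e` a missing directory makes it fatal and leaves the package unconfigured. Create the directory and write through a temporary file, e.g. `mkdir -p /etc/iptables` followed by `tmp=$(mktemp /etc/iptables/rules.v4.XXXXXX) && iptables-save > "$tmp" && mv -f "$tmp" /etc/iptables/rules.v4`, adding `chmod 0600` on the result if the saved ruleset should not be readable by every local user. The `if`/`else` whose else branch this hunk rewrites opens in the previous hunk.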