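# Dry-run mode: prefix both firewall commands with `echo` so every rule below
# is printed instead of applied.  Falling back to the plain tool name keeps the
# printed lines meaningful when the variable was never initialised (the
# previous form collapsed to a bare `echo`, hiding which tool would have run).
# NOTE(review): the condition that selects this mode is outside this excerpt.
IPTABLES="echo ${IPTABLES:-iptables}"
IP6TABLES="echo ${IP6TABLES:-ip6tables}"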
# Usage text goes to stderr so it never ends up in captured stdout.
printf 'Usage: %s external_interface [external_addr]\n' "$(basename "$0")" >&2
23 if ! ip link show
"${EXT_IF}" >/dev
/null
2>&1
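# Diagnostic for an unknown interface.  Sent to stderr (like the usage text)
# so scripted callers do not mistake it for normal output; the value is passed
# as a printf argument, never as the format string.
printf '%s\n' "'${EXT_IF}' does not seem to be a valid interface" >&2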
# Default policies, identical for IPv4 and IPv6: unsolicited inbound traffic is
# dropped, everything outbound is allowed.
# NOTE(review): no FORWARD policy appears in this excerpt; on router hosts
# confirm it is DROP (or that FORWARD is filtered elsewhere).
# shellcheck disable=SC2086  # $fw may be "echo <tool>" in dry-run mode
for fw in "$IPTABLES" "$IP6TABLES"; do
  $fw -P INPUT DROP
  $fw -P OUTPUT ACCEPT
done
# Loopback is always trusted, for IPv4 and IPv6 alike.
# shellcheck disable=SC2086  # $fw may be "echo <tool>" in dry-run mode
for fw in "$IPTABLES" "$IP6TABLES"; do
  $fw -A INPUT -i lo -j ACCEPT
done
# ICMP must get through: ICMPv6 in particular carries neighbour and router
# discovery, without which IPv6 on the link does not work at all.
# NOTE(review): every ICMP/ICMPv6 type is admitted on every interface;
# limiting this to the required types (and rate-limiting echo requests)
# would reduce exposure without breaking connectivity.
# shellcheck disable=SC2086  # $IPTABLES may be "echo <tool>" in dry-run mode
$IPTABLES -A INPUT -p icmp -j ACCEPT
# shellcheck disable=SC2086
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
# Drop packets carrying a type-0 routing header (RH0, deprecated by RFC 5095):
# source routing of this kind can be abused for traffic amplification and to
# sidestep address-based filtering.
# Best effort: when the rt match extension is unavailable only a warning is
# printed and the rest of the ruleset is still installed.
# shellcheck disable=SC2086  # $IP6TABLES may be "echo <tool>" in dry-run mode
if ! $IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP; then
  printf '%s\n' "MISSING RT MATCH" >&2
fi
# Stateful return traffic: packets that belong to, or are related to, a
# connection this host initiated or has already accepted.
# shellcheck disable=SC2086  # $fw may be "echo <tool>" in dry-run mode
for fw in "$IPTABLES" "$IP6TABLES"; do
  $fw -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
done
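# IPv6 link-local sources (fe80::/10): NDP, DHCPv6 and other on-link protocols
# use these addresses.
# NOTE(review): this accepts *every* protocol from any link-local source on
# *every* interface, the external one included, so any on-link peer can reach
# all listening services this way.  Restricting it with -i <internal_if> or to
# the protocols actually needed would tighten it.
# shellcheck disable=SC2086  # $IP6TABLES may be "echo <tool>" in dry-run mode
$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT

# IPv6 multicast (ff00::/8): all-nodes/all-routers, mDNS and similar.
# Multicast addresses only ever appear as the *destination* (RFC 4291 forbids
# them as a source), so the match has to be on -d.  The previous -s form could
# not match legitimate traffic, so non-ICMPv6 multicast presumably fell through
# to the INPUT DROP policy.
# shellcheck disable=SC2086
$IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT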
72 # log and drop invalid flag combinations
73 for flags
in 'ALL FIN,URG,PSH' 'ALL ALL' 'ALL SYN,RST,ACK,FIN,URG' 'ALL NONE' 'SYN,RST SYN,RST' 'SYN,FIN SYN,FIN'
# Each $flags entry is "<mask> <compare>" and must word-split into the two
# arguments of --tcp-flags, so it is intentionally left unquoted.
# NOTE(review): only IPv4 gets this check; no IPv6 equivalent appears in this
# excerpt.  Also, despite the heading, no LOG rule is visible here — confirm
# whether logging was intended.
# shellcheck disable=SC2086  # $IPTABLES may be "echo <tool>"; ${flags} must split
$IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
# ESP (IP protocol 50) carries the encrypted IPsec payload; accept it so the
# kernel can decapsulate incoming tunnels.
# shellcheck disable=SC2086  # $fw may be "echo <tool>" in dry-run mode
for fw in "$IPTABLES" "$IP6TABLES"; do
  $fw -A INPUT -p esp -j ACCEPT
done
# Accept the decapsulated inner traffic of incoming IPsec security
# associations: the policy match fires only on packets that arrived protected
# by an IPsec policy, so plaintext from the wire does not match here.
# shellcheck disable=SC2086  # $fw may be "echo <tool>" in dry-run mode
for fw in "$IPTABLES" "$IP6TABLES"; do
  $fw -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
done
86 if [ $is_router -gt 0 ]
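# Router hosts only (guarded by the enclosing `if`): rewrite the source of
# traffic leaving via the external interface to the external address.
# Both expansions are quoted (ShellCheck SC2086) so an odd value cannot be
# split into extra iptables arguments.
# NOTE(review): EXT_ADDR must be non-empty here — how it is derived when the
# optional external_addr argument is omitted is outside this excerpt.
# shellcheck disable=SC2086  # $IPTABLES may be "echo <tool>" in dry-run mode
$IPTABLES -t nat -A POSTROUTING -o "${EXT_IF}" -j SNAT --to "${EXT_ADDR}"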
91 .
/services.sh
${EXT_IF}
# Build the "xenophobe" drop chain.  create_drop_chain is defined outside this
# excerpt (presumably by the services script loaded just above — verify).
create_drop_chain xenophobe
98 # insert persistent-pest-blocker
101 # insert trusted passes