X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=common.sh;h=1309518af3bce28ffed72d4eb3c72be87ba6d3da;hb=8f282d43f66a96150c9edef5b8ce39f3f6fc3b4d;hp=781df4abe4a1471b86381ea7b79c4ab9fc54cedb;hpb=cfde4971df11b411615d4e133a372a6d51d7ad97;p=firewall-squeep
diff --git a/common.sh b/common.sh
index 781df4a..1309518 100644
--- a/common.sh
+++ b/common.sh
@@ -20,12 +20,44 @@ function create_set(){
   fi
 }
 
+function create_drop_chain(){
+  local chain="$1"
+
+  if ! $IPTABLES -L "${chain}" >/dev/null 2>&1
+  then
+    echo "initializing chain '${chain}'"
+    $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
+    $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+    $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
+    $IPTABLES -v -L "${chain}"
+  fi
+
+  if ! $IP6TABLES -L "${chain}" >/dev/null 2>&1
+  then
+    echo "initializing chain '${chain}' ipv6"
+    $IP6TABLES -N "${chain}" || $IP6TABLES -F "${chain}"
+    $IP6TABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+    $IP6TABLES -A "${chain}" -j REJECT --reject-with icmp6-port-unreachable
+    $IP6TABLES -v -L "${chain}"
+  fi
+}
+
 function insert_setmatch_rules(){
+  local single=0
+  if [ "x$1" = "x-single-set" ]
+  then
+    single=1
+    shift
+  fi
   local ipt set_name="$1"
   shift
   for v in '' '6'
   do
     eval ipt="\$IP${v}TABLES"
+    if [ $single -eq 1 ]
+    then
+      v=''
+    fi
     if ! $ipt -C INPUT -m set --match-set "${set_name}${v}" src "$@" >/dev/null 2>&1
     then
       echo "initializing rule '${set_name}${v}'"
@@ -74,3 +106,26 @@ function reload_cidr_sets(){
   done
 }
 
+function add_service_entry(){
+  local port proto
+  port=$(echo "$1" | cut -d/ -f1)
+  proto=$(echo "$1" | cut -d/ -f2)
+  $IPSET -exist add allowed_${proto} ${port}
+}
+
+function allow_services(){
+  local s proto port
+  for s in "$@"
+  do
+    case "${s}" in
+      */*) add_service_entry "${s}"
+      ;;
+      *) for svc in $(getent services "${s}" | awk '{print $2}')
+        do
+          add_service_entry "${svc}"
+        done
+      ;;
+    esac
+  done
+}
+
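Review bot: `create_drop_chain` treats a chain that merely exists as fully populated, so if `-N` succeeds but either `-A` fails (the IPTABLES and IP6TABLES branches alike), the chain is left empty, a packet jumped into it falls off the end and continues in the caller as if nothing matched, and every later run skips the repair because `-L` now succeeds — a fail-open that persists until someone notices. Chain the appends and surface the failure, e.g. `$IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN && $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable || echo "failed to populate chain '${chain}'" >&2`, or gate on `-C` of the REJECT rule rather than on `-L` (which, without `-n`, also does reverse-DNS on every listed address). A header comment should also record two choices the name does not convey: the chain REJECTs rather than drops, and the leading RETURN for ESTABLISHED,RELATED deliberately leaves existing connections from a newly matched source alive. The `-single-set` handling in `insert_setmatch_rules` overwrites the loop variable so the IPv6 pass matches the unsuffixed set; a one-line comment there, `# -single-set: one family-agnostic set shared by both iptables and ip6tables`, would keep that from reading as a bug. `insert_setmatch_rules` continues outside the hunk.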
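Review bot: `add_service_entry` never validates the protocol half of its argument before building the set name, so a typo such as `80/tpc` or an unexpected `getent` entry yields `$IPSET ... add allowed_tpc 80`, ipset presumably fails on the missing set, and because the exit status is unchecked the service is silently never allowed. Restricting `proto` to the families the script is expected to have sets for (tcp/udp, assuming those are the only `allowed_*` sets created elsewhere — confirm) and returning non-zero with a message turns that into a visible error; parameter expansion also avoids the two `echo | cut` pipelines and a trailing `/extra` field being silently dropped. In `allow_services`, `proto port` are declared `local` but never used there, while `svc` is used and not declared, so it leaks into the caller's scope; `local s svc` is what is meant. The `case */*` arm also accepts `/tcp` with an empty port, which the validation below catches by the same check.

```shell
function add_service_entry(){
  local port="${1%%/*}" proto="${1#*/}"
  case "${proto}" in
    tcp|udp) ;;
    *) echo "add_service_entry: unsupported protocol in '${1}'" >&2; return 1 ;;
  esac
  [ -n "${port}" ] || { echo "add_service_entry: empty port in '${1}'" >&2; return 1; }
  $IPSET -exist add "allowed_${proto}" "${port}"
}
```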