X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=common.sh;h=1e40677e555815434c10762f930e8b94af3d7a95;hb=3943c9626bd2f4b0829c666406340852cfca66e8;hp=781df4abe4a1471b86381ea7b79c4ab9fc54cedb;hpb=cfde4971df11b411615d4e133a372a6d51d7ad97;p=firewall-squeep
diff --git a/common.sh b/common.sh
index 781df4a..1e40677 100644
--- a/common.sh
+++ b/common.sh
@@ -5,6 +5,18 @@ set -e
 IPTABLES=$(which iptables)
 IP6TABLES=$(which ip6tables)
 IPSET=$(which ipset)
+TC=$(which tc)
+
+err(){
+ echo "$@" 1>&2
+}
+
+die(){
+ local status=$1
+ shift
+ err "$@"
+ exit ${status}
+}
 
 function decommentcat(){
 sed 's/\s*#.*$//;/^\s*$/d' "$@"
@@ -20,12 +32,44 @@ function create_set(){
 fi
 }
 
+function create_drop_chain(){
+ local chain="$1"
+
+ if ! $IPTABLES -L "${chain}" >/dev/null 2>&1
+ then
+ echo "initializing chain '${chain}'"
+ $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
+ $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
+ $IPTABLES -v -L "${chain}"
+ fi
+
+ if ! $IP6TABLES -L "${chain}" >/dev/null 2>&1
+ then
+ echo "initializing chain '${chain}' ipv6"
+ $IP6TABLES -N "${chain}" || $IP6TABLES -F "${chain}"
+ $IP6TABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+ $IP6TABLES -A "${chain}" -j REJECT --reject-with icmp6-port-unreachable
+ $IP6TABLES -v -L "${chain}"
+ fi
+}
+
 function insert_setmatch_rules(){
+ local single=0
+ if [ "x$1" = "x-single-set" ]
+ then
+ single=1
+ shift
+ fi
 local ipt set_name="$1"
 shift
 for v in '' '6'
 do
 eval ipt="\$IP${v}TABLES"
+ if [ $single -eq 1 ]
+ then
+ v=''
+ fi
 if ! $ipt -C INPUT -m set --match-set "${set_name}${v}" src "$@" >/dev/null 2>&1
 then
 echo "initializing rule '${set_name}${v}'"
@@ -74,3 +118,26 @@ function reload_cidr_sets(){
 done
 }
 
+function add_service_entry(){
+ local port proto
+ port=$(echo "$1" | cut -d/ -f1)
+ proto=$(echo "$1" | cut -d/ -f2)
+ $IPSET -exist add allowed_${proto} ${port}
+}
+
+function allow_services(){
+ local s proto port
+ for s in "$@"
+ do
+ case "${s}" in
+ */*) add_service_entry "${s}"
+ ;;
+ *) for svc in $(getent services "${s}" | awk '{print $2}')
+ do
+ add_service_entry "${svc}"
+ done
+ ;;
+ esac
+ done
+}
+
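Review bot: `TC=$(which tc)` runs at source time under the `set -e` visible in the hunk header, so on a host without `tc` the whole firewall script aborts before any rule is loaded, even though nothing in this commit uses `$TC`; `TC=$(command -v tc || true)` (or resolving the path only where it is needed) keeps a missing traffic-control binary from taking the packet filter down with it. `err` hands its message to `echo "$@"`, so a message that begins with `-n` or `-e` is eaten as an option; `printf '%s\n' "$*" >&2` is safe for arbitrary text. `die` passes `$1` straight to `exit`, so a caller that omits the status argument gets bash's "numeric argument required" with status 2 instead of its own message — worth stating above the function, e.g. `# die STATUS MESSAGE... : print MESSAGE to stderr and exit with STATUS`.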
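Review bot: The `-L` guard in `create_drop_chain` only proves the chain exists, not that it holds the RETURN/REJECT pair, so a chain left behind by an earlier interrupted run (for instance `-N` succeeded and an `-A` then failed under `set -e`) passes the check and stays empty; anything jumped to it falls through instead of being rejected. Creating the chain unconditionally (ignoring the already-exists error) and then using `-C`-then-insert for each rule — the idiom `insert_setmatch_rules` already uses for INPUT — makes the function idempotent without the brief empty-chain window that a `-F` would open; the ip6tables half needs the same treatment, and the `echo`/`-v -L` logging can hang off the `-C` result if the output is wanted. Separately, in `insert_setmatch_rules` the `-single-set` path clears `v` after `ipt` has been resolved, so the ip6tables rule is checked against the unsuffixed set name; that looks intended, but a one-line comment such as `# -single-set: one set name serves both iptables and ip6tables` would stop a reader from taking it for a bug. The body of `insert_setmatch_rules` continues past the hunk.
```sh
function create_drop_chain(){
	local chain="$1"

	# create-if-missing; an existing chain is kept and its two rules verified below
	$IPTABLES -N "${chain}" 2>/dev/null || true
	$IPTABLES -C "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN 2>/dev/null \
		|| $IPTABLES -I "${chain}" 1 -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
	$IPTABLES -C "${chain}" -j REJECT --reject-with icmp-port-unreachable 2>/dev/null \
		|| $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
	# … same three steps with $IP6TABLES and icmp6-port-unreachable …
}
```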
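Review bot: In `allow_services` a name that `getent services` does not know expands to an empty word list, so the `for svc` loop runs zero times and the service is silently never allowed — a typo in the service list is indistinguishable from success. Capturing the lookup first and failing through the `die` this commit introduces makes the misconfiguration visible. Note also that `getent services NAME` returns only the first matching entry, so a name registered for both tcp and udp (`domain`, for instance) will likely open just one of them; callers wanting both need the explicit `port/proto` form, which a header comment on the function should say. `svc` is not declared `local` (it leaks into the caller's scope) while `proto port` are declared but unused; in `add_service_entry`, `port=${1%%/*}` and `proto=${1#*/}` replace two pipelines per entry, and a guard such as `[ "${proto}" = tcp ] || [ "${proto}" = udp ] || die 1 "bad service entry '$1'"` keeps a malformed entry from reaching ipset with an unexpected set name.
```sh
function allow_services(){
	local s svc svcs
	# … unchanged: for / case / */*) arm …
			*) svcs=$(getent services "${s}" | awk '{print $2}')
				[ -n "${svcs}" ] || die 1 "unknown service '${s}'"
				for svc in ${svcs}
				# … unchanged: do / add_service_entry "${svc}" / done / ;; / esac / done …
}
```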