5 IPTABLES
=$(which iptables)
6 IP6TABLES
=$(which ip6tables)
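# Print the given files (or stdin) with `#` comments and blank lines removed.
# Everything from a `#` to the end of the line, plus the whitespace before it,
# is dropped, and lines that end up empty are deleted. There is no quoting
# syntax: a `#` anywhere in an entry always starts a comment.
# Arguments: zero or more file names; none means read stdin.
function decommentcat (){
  # POSIX [[:space:]] instead of GNU-only \s, and `--` so that a file name
  # starting with '-' cannot be parsed as a sed option.
  sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' -- "$@"
}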
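# Create an ipset named $1 with the remaining arguments as its type/options
# (e.g. `create_set foo hash:net family inet6`) unless a set of that name
# already exists. An existing set is left untouched, so changing the type or
# options of an existing set requires destroying it first.
# Arguments: $1 - set name; the rest is passed verbatim to `ipset create`.
# Globals:   IPSET (read).
# Returns:   1 if the name is empty, otherwise the status of ipset.
function create_set (){
  local set_name="$1"
  shift
  if [ -z "${set_name}" ]; then
    echo "create_set: missing set name" >&2
    return 1
  fi
  # `list -t` prints only the header, so the existence probe stays cheap even
  # for large sets (a plain `list` would dump every member).
  if ! $IPSET list -t "${set_name}" >/dev/null 2>&1; then
    echo "creating set '${set_name}'"
    $IPSET create "${set_name}" "$@"
  fi
}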
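# Build a terminating "drop" chain for both address families unless it already
# exists. The chain lets packets of established/related connections through
# (RETURN) and rejects everything else with an ICMP port-unreachable, so
# despite the name it is a REJECT chain: peers get an explicit error instead
# of a silent timeout, which is friendlier to legitimate clients but also
# confirms to a scanner that the host is up.
# Arguments: $1 - chain name (the same name is used for iptables and ip6tables).
# Globals:   IPTABLES, IP6TABLES (read).
function create_drop_chain (){
  local chain="$1"
  if [ -z "${chain}" ]; then
    echo "create_drop_chain: missing chain name" >&2
    return 1
  fi
  _init_reject_chain "$IPTABLES" "${chain}" icmp-port-unreachable ""
  _init_reject_chain "$IP6TABLES" "${chain}" icmp6-port-unreachable " ipv6"
}

# Create and populate one reject chain with one iptables flavour; a no-op if
# the chain already exists.
# Arguments: $1 - iptables or ip6tables command; $2 - chain name;
#            $3 - value for --reject-with; $4 - suffix for the log line.
function _init_reject_chain (){
  local ipt="$1" chain="$2" reject_with="$3" label="$4"
  # -n: never resolve names. A firewall script must not depend on DNS, which
  # may be exactly what the rules being installed cut off.
  if $ipt -n -L "${chain}" >/dev/null 2>&1; then
    return 0
  fi
  echo "initializing chain '${chain}'${label}"
  # Creation can lose a race with a concurrent run; fall back to flushing so
  # the chain ends up with exactly the two rules below either way.
  $ipt -N "${chain}" || $ipt -F "${chain}"
  $ipt -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  $ipt -A "${chain}" -j REJECT --reject-with "${reject_with}"
  $ipt -n -v -L "${chain}"
}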
# Insert, at the top of the INPUT chain, a rule that matches packets whose
# source address is in the ipset "${set_name}${v}" and carries the remaining
# arguments (presumably the target, e.g. `-j <chain>` — confirm against the
# callers). Given the two variables defined at the top of the file, $v can
# only be '' (IPTABLES / IPv4 set) or 6 (IP6TABLES / IPv6 set).
# The "-single-set" handling, the loop that assigns $v and the closing of the
# if/loop are not shown in this listing.
function insert_setmatch_rules (){
  if [ "x$1" = "x-single-set" ]
  local ipt set_name="$1"
  # Indirect lookup of $IPTABLES / $IP6TABLES. $v is script-internal here, so
  # this is not an injection point, but `ipt="${!name}"` (bash) does the same
  # without eval.
  eval ipt="\$IP${v}TABLES"
  # -C probes for an identical rule first so repeated runs do not stack
  # duplicate rules at the head of INPUT.
  if ! $ipt -C INPUT -m set --match-set "${set_name}${v}" src "$@" >/dev/null 2>&1
  echo "initializing rule '${set_name}${v}'"
  # -I puts the rule first, ahead of any ACCEPT rules already in INPUT.
  $ipt -I INPUT -m set --match-set "${set_name}${v}" src "$@"
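# Rebuild the CIDR ipsets "$1" (IPv4) and "${1}6" (IPv6) from disk without a
# window in which the live sets are empty: entries are loaded into fresh
# "-tmp" sets which are then swapped into place.
# Input files, read in order and merged: "<set>.cidr" and the per-host
# "<set>.cidr.<short hostname>" (skipped if absent). `#` comments and blank
# lines are ignored; entries may be separated by any whitespace. Entries
# containing a '.' go to the IPv4 set, entries containing ':' to the IPv6 set,
# anything else is reported on stderr and skipped. If no file exists the live
# sets end up empty, i.e. "nothing listed".
# Arguments: $1 - base set name.
# Globals:   IPSET (read); calls create_set and decommentcat.
function reload_cidr_sets (){
  local set_name="$1"
  local sfx cidrfile table n s
  local -a words
  if [ -z "${set_name}" ]; then
    echo "reload_cidr_sets: missing set name" >&2
    return 1
  fi

  echo "updating set '${set_name}'"
  # Temporary sets: created if missing and emptied in case an earlier run
  # left them behind — stale members must not survive into the swap.
  create_set "${set_name}-tmp" hash:net
  create_set "${set_name}6-tmp" hash:net family inet6
  $IPSET flush "${set_name}-tmp"
  $IPSET flush "${set_name}6-tmp"

  for sfx in '' ".$(hostname -s)"; do
    cidrfile="${set_name}.cidr${sfx}"
    [ -e "${cidrfile}" ] || continue
    # Split each line on whitespace with `read` instead of an unquoted
    # $(...): the entries are data and must never be glob-expanded. The
    # trailing test keeps a last line without a newline.
    while read -r -a words || [ "${#words[@]}" -gt 0 ]; do
      for s in "${words[@]}"; do
        case "${s}" in
          *.*) table="${set_name}-tmp" ;;
          *:*) table="${set_name}6-tmp" ;;
          *)
            echo "unknown entry '${s}' in '${cidrfile}'" 1>&2
            continue
            ;;
        esac
        # -exist: the same CIDR may legitimately appear in both files.
        $IPSET -exist add "${table}" "${s}"
      done
    done < <(decommentcat "${cidrfile}")
  done

  for n in "${set_name}" "${set_name}6"; do
    $IPSET swap "${n}-tmp" "${n}"
    $IPSET destroy "${n}-tmp"
    $IPSET list -t "${n}"
  done
}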
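# Add one "port/proto" entry (e.g. "80/tcp") to the ipset allowed_<proto>.
# The entry is validated before it reaches ipset: there must be exactly a
# port and a protocol, the port a number or a numeric range "lo-hi", the
# protocol a lowercase word. -exist makes re-adding an existing member a
# no-op, so repeated runs are idempotent.
# Arguments: $1 - "port/proto" (the form `getent services` prints).
# Globals:   IPSET (read).
# Returns:   1 on a malformed entry (reported on stderr), else ipset's status.
function add_service_entry (){
  local entry="$1"
  local port="${entry%%/*}"
  local proto="${entry#*/}"
  case "${entry}" in
    */*) ;;
    *)
      echo "add_service_entry: expected port/proto, got '${entry}'" >&2
      return 1
      ;;
  esac
  case "${port}" in
    ''|*[!0-9-]*|-*|*-|*-*-*)
      echo "add_service_entry: bad port '${port}' in '${entry}'" >&2
      return 1
      ;;
  esac
  case "${proto}" in
    ''|*[!a-z]*)
      echo "add_service_entry: bad protocol '${proto}' in '${entry}'" >&2
      return 1
      ;;
  esac
  $IPSET -exist add "allowed_${proto}" "${port}"
}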
# Feed a list of services to add_service_entry. Each item ${s} is either given
# directly as "port/proto" or is a service name that is resolved through the
# services database (`getent services`; column 2 is "port/proto", and one
# name may yield several lines). Where the list comes from (the loop over
# ${s}) and the closing of the case/loops are not shown in this listing.
function allow_services (){
  */*) add_service_entry "${s}"
  # A name getent does not know produces no output, so the inner loop runs
  # zero times and the typo is silently ignored rather than reported.
  *) for svc in $(getent services "${s}" | awk '{print $2}')
  add_service_entry "${svc}"