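# Absolute paths of the packet-filter binaries used by every function below.
# command -v is the POSIX builtin; `which` is an external, non-standard tool
# that minimal images may not ship (and some distributions now warn about).
# Either variable ends up empty when the binary is absent, and the callers
# expand "$IPTABLES ..." unguarded -- a ': "${IPTABLES:?iptables not found}"'
# guard is worth adding once the script's set -e / sourcing mode is known.
IPTABLES=$(command -v iptables)
IP6TABLES=$(command -v ip6tables)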
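# Print the given files (or stdin) with '#' comments and blank lines removed.
# Each '#' and everything after it on the line is dropped together with the
# whitespace in front of it; lines that are then empty are deleted.
# Arguments: zero or more file names; none means read stdin.
# Outputs:   the cleaned text on stdout.
# Returns:   sed's exit status.
decommentcat() {
  # "--" ends option parsing so a file name beginning with "-" is not
  # taken as a sed option.  (\s is a GNU sed extension, as before.)
  sed -e 's/\s*#.*$//' -e '/^\s*$/d' -- "$@"
}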
# Create an ipset named set_name unless it already exists; any further
# arguments (e.g. "hash:net", "family inet6") are passed to `ipset create`.
# Globals: IPSET (read; its definition is not part of this listing).
# NOTE(review): the lines that assign set_name from $1 and shift it off the
# argument list are elided from this listing.
25 function create_set
(){
# Probe with "list" first: `ipset create` on an existing set fails.
28 if ! $IPSET list
"${set_name}" >/dev
/null
2>&1
30 echo "creating set '${set_name}'"
# Remaining arguments are the set type and options.
31 $IPSET create
"${set_name}" "$@"
# Build the user chain "${chain}" in both the IPv4 and IPv6 filter tables,
# once: packets of already-tracked flows return to the caller, everything
# else is rejected.  Globals: IPTABLES, IP6TABLES (read).
# NOTE(review): the assignment of `chain` and the if/then/fi lines around
# each block are elided from this listing.
35 function create_drop_chain
(){
# Only build the chain when it does not exist yet (-L fails for an unknown chain).
38 if ! $IPTABLES -L "${chain}" >/dev
/null
2>&1
40 echo "initializing chain '${chain}'"
# -N fails if the chain appeared in the meantime; fall back to flushing it so
# the two rules below are never appended twice.
41 $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
# Already-tracked flows pass: an address that is listed later keeps its
# open connections until they close.  NOTE(review): confirm this is intended.
42 $IPTABLES -A "${chain}" -m conntrack
--ctstate ESTABLISHED
,RELATED
-j RETURN
# Everything else is actively rejected (ICMP port-unreachable), not silently
# dropped, despite the function's name.
43 $IPTABLES -A "${chain}" -j REJECT
--reject-with icmp
-port-unreachable
# Print the resulting chain with counters.
44 $IPTABLES -v -L "${chain}"
# Same chain for IPv6, mirroring the block above.
47 if ! $IP6TABLES -L "${chain}" >/dev
/null
2>&1
49 echo "initializing chain '${chain}' ipv6"
50 $IP6TABLES -N "${chain}" || $IP6TABLES -F "${chain}"
51 $IP6TABLES -A "${chain}" -m conntrack
--ctstate ESTABLISHED
,RELATED
-j RETURN
# ICMPv6 equivalent of the IPv4 reject above.
52 $IP6TABLES -A "${chain}" -j REJECT
--reject-with icmp6
-port-unreachable
53 $IP6TABLES -v -L "${chain}"
# Insert an INPUT rule that matches source addresses against the set
# "${set_name}${v}" for each address family; the remaining arguments form
# the rule's action (e.g. "-j <chain>").
# Globals: IPTABLES, IP6TABLES (read through `ipt`).
# NOTE(review): the handling of -single-set, the shift of set_name, and the
# loop that sets `v` are elided from this listing.
57 function insert_setmatch_rules
(){
# Optional leading flag; the branch body is not shown here.
59 if [ "x$1" = "x-single-set" ]
64 local ipt set_name
="$1"
# Select $IPTABLES or $IP6TABLES by name.  The eval'd string is built from
# `v`, which comes from a loop not shown here; if v is only ever '' or 6 this
# is harmless, but an indirect expansion (var="IP${v}TABLES"; ipt=${!var})
# does the same without eval.
68 eval ipt
="\$IP${v}TABLES"
# -C probes for an identical rule so repeated runs do not stack duplicates.
73 if ! $ipt -C INPUT
-m set --match-set "${set_name}${v}" src
"$@" >/dev
/null
2>&1
75 echo "initializing rule '${set_name}${v}'"
# -I places the rule at the head of INPUT, ahead of every existing rule.
76 $ipt -I INPUT
-m set --match-set "${set_name}${v}" src
"$@"
# Rebuild the IPv4 set "${set_name}" and IPv6 set "${set_name}6" from the
# entries in "${set_name}.cidr" (plus an optional per-host file) by filling
# temporary sets and swapping them in.  Globals: IPSET (read).
# NOTE(review): the set_name assignment, the case/do/done lines, and the
# "for n in ..." loop header are elided from this listing.
81 function reload_cidr_sets
(){
# Fresh -tmp sets are populated first and swapped in below, so the live set
# is never empty part-way through a reload.
85 # init new temporary sets
86 echo "updating set '${set_name}'"
88 create_set
"${set_name}-tmp" hash:net
"$@"
89 create_set
"${set_name}6-tmp" hash:net
"$@" family inet6
# Two sources: the shared file and an optional per-host file
# "<set_name>.cidr.<short hostname>".
92 for sfx
in '' .
$(hostname -s)
94 cidrfile
="${set_name}.cidr${sfx}"
95 if [ -e "${cidrfile}" ]
# Unquoted expansion is deliberate (one entry per word), but pathname
# globbing is still active: an entry such as "*" would expand to file
# names.  Wrapping this loop in `set -f` / `set +f` closes that.
97 for s
in $(decommentcat "${cidrfile}")
# IPv4 entries contain a dot, IPv6 entries a colon; anything else is
# reported on stderr and not added.
100 *.
*) table
="${set_name}-tmp" ;;
101 *:*) table
="${set_name}6-tmp" ;;
103 echo "unknown entry '${s}' in '${cidrfile}'" 1>&2
# NOTE(review): a malformed entry makes `ipset add` fail; whether that aborts
# the function (leaving the -tmp sets behind) depends on set -e, which is
# not visible in this listing.
107 $IPSET add
"${table}" "${s}"
# Atomic swap, then drop the old contents now held by the -tmp set.
# `n` iterates over the v4 and v6 set names in a loop whose header is not shown.
116 $IPSET swap
"${n}-tmp" "${n}"
117 $IPSET destroy
"${n}-tmp"
# -t prints only the set header, not its members.
118 $IPSET list
-t "${n}"
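# Add one "port/proto" entry (e.g. "22/tcp") to the set allowed_<proto>.
# Globals:   IPSET (read; defined outside this listing).
# Arguments: $1 - service entry in the form port/proto.
# Returns:   the exit status of `ipset add`.
# NOTE(review): the allowed_<proto> sets are assumed to exist already; their
# creation is not part of this listing.
add_service_entry() {
  local port proto
  # Split on the first "/" with parameter expansion instead of echo|cut:
  # no subshells, and a value such as "-n" cannot confuse echo.
  port=${1%%/*}
  proto=${1#*/}
  proto=${proto%%/*}
  # Quoted so the set name and port reach ipset as exactly two words.
  # -exist makes a repeated add a no-op instead of an error.
  $IPSET -exist add "allowed_${proto}" "${port}"
}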
129 function allow_services
(){
134 */*) add_service_entry
"${s}"
136 *) for svc
in $(getent services "${s}" | awk '{print $2}')
138 add_service_entry
"${svc}"