11 IPTABLES
="echo ${IPTABLES}"
12 IP6TABLES
="echo ${IP6TABLES}"
18 echo "Usage: $(basename "$0") external_interface" 1>&2
23 if ! ip link show
"${EXT_IF}" >/dev
/null
2>&1
25 echo "'${EXT_IF}' does not seem to be a valid interface"
38 $IPTABLES -P INPUT DROP
39 $IPTABLES -P OUTPUT ACCEPT
41 $IP6TABLES -P INPUT DROP
42 $IP6TABLES -P OUTPUT ACCEPT
44 # accept local traffic
45 $IPTABLES -A INPUT
-i lo
-j ACCEPT
47 $IP6TABLES -A INPUT
-i lo
-j ACCEPT
50 $IPTABLES -A INPUT
-p icmp
-j ACCEPT
52 $IP6TABLES -A INPUT
-p ipv6
-icmp -j ACCEPT
54 # drop source-route rh0 headery things
55 $IP6TABLES -A INPUT
-m rt
--rt-type 0 -j DROP
57 # accept things we set up
58 $IPTABLES -A INPUT
-m conntrack
--ctstate RELATED
,ESTABLISHED
-j ACCEPT
60 $IP6TABLES -A INPUT
-m conntrack
--ctstate RELATED
,ESTABLISHED
-j ACCEPT
62 # accept ipv6 link-local traffic
63 $IP6TABLES -A INPUT
-s fe80
::/10 -j ACCEPT
65 # accept ipv6 multicast
66 $IP6TABLES -A INPUT
-s ff00
::/8 -j ACCEPT
68 # log and drop invalid flag combinations
69 for flags
in 'ALL FIN,URG,PSH' 'ALL ALL' 'ALL SYN,RST,ACK,FIN,URG' 'ALL NONE' 'SYN,RST SYN,RST' 'SYN,FIN SYN,FIN'
71 $IPTABLES -A INPUT
-p tcp
--tcp-flags ${flags} -j DROP
74 create_set allowed_udp bitmap
:port range
0-65535
75 create_set allowed_tcp bitmap
:port range
0-65535
77 for p
in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
79 $IPSET -exist add allowed_tcp
${p}
81 for p
in 53 123 1194 64738
83 $IPSET -exist add allowed_udp
${p}
86 $IPTABLES -A INPUT
-i "${EXT_IF}" -p tcp
-m set --match-set allowed_tcp dst
-j ACCEPT
87 $IPTABLES -A INPUT
-i "${EXT_IF}" -p udp
-m set --match-set allowed_udp dst
-j ACCEPT
88 $IP6TABLES -A INPUT
-i "${EXT_IF}" -p tcp
-m set --match-set allowed_tcp dst
-j ACCEPT
89 $IP6TABLES -A INPUT
-i "${EXT_IF}" -p udp
-m set --match-set allowed_udp dst
-j ACCEPT
91 # insert persistent-pest-blocker
94 # insert trusted passes
projects / firewall-squeep / blob