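#!/bin/sh
#
# trusted.sh - maintain the "trusted" ipsets (one per address family) and
# the INPUT rules that ACCEPT everything arriving from them.
#
# Usage:
#   ./trusted.sh          create the sets/rules and (re)load trusted.cidr
#   ./trusted.sh remove   delete the ACCEPT rules and destroy the sets
#
# All paths are relative: run this from the directory that holds common.sh
# and trusted.cidr.  common.sh must define IPTABLES, IP6TABLES, IPSET,
# create_set and decommentcat.
#
# The ACCEPT rule is inserted at the top of INPUT (-I), so every prefix in
# trusted.cidr bypasses all later INPUT rules; that file deserves the same
# access control as the rule set itself.

set -e

. ./common.sh

set_name='trusted'
set_name6="${set_name}6"
cidr_file="${set_name}.cidr"

# Insert the ACCEPT rule for set $2 via firewall command $1 unless it is
# already present (-C), so repeated runs never stack duplicate rules.
ensure_accept_rule() {
  fw=$1
  name=$2
  # $fw is expanded unquoted on purpose: IPTABLES/IP6TABLES are expanded
  # unquoted everywhere in this script, so a value carrying options keeps
  # working.
  if ! $fw -C INPUT -m set --match-set "${name}" src -j ACCEPT >/dev/null 2>&1
  then
    echo "initializing rule '${name}'"
    $fw -I INPUT -m set --match-set "${name}" src -j ACCEPT
  fi
}

# Rebuild live set $1 from the lines of $cidr_file matching grep pattern $2.
# Any further arguments are extra "ipset create" options for the staging set.
# Entries are loaded into a staging set and then exchanged with the live set
# by a single "ipset swap", so the live set is never observed half-loaded.
refresh_set() {
  name=$1
  pattern=$2
  shift 2
  staging="${name}-tmp"
  echo "updating set '${name}'"
  $IPSET create "${staging}" hash:net "$@"
  # The entries come from a file: turn globbing off so a stray '*' reaches
  # ipset (which rejects it) instead of expanding to directory contents.
  set -f
  for entry in $(decommentcat "${cidr_file}" | grep "${pattern}")
  do
    # An entry ipset refuses aborts the script (set -e); the EXIT trap then
    # discards the staging set.
    $IPSET add "${staging}" "${entry}"
  done
  set +f
  $IPSET swap "${staging}" "${name}"
  $IPSET destroy "${staging}"
  $IPSET list -t "${name}"
}

# Discard staging sets left behind by an aborted run; otherwise the next
# "ipset create <name>-tmp" would fail on the leftover.  Errors are ignored:
# on a clean run the staging sets are already gone.
cleanup_staging() {
  $IPSET destroy "${set_name}-tmp" 2>/dev/null || :
  $IPSET destroy "${set_name6}-tmp" 2>/dev/null || :
}

if [ $# -eq 1 ] && [ "$1" = "remove" ]
then
  # Rules first, then sets: ipset refuses to destroy a set a rule still
  # references.  Each step is best-effort so a partial state is still torn
  # down completely.
  $IPTABLES -D INPUT -m set --match-set "${set_name}" src -j ACCEPT \
    || echo "no rule '${set_name}' to remove"
  $IP6TABLES -D INPUT -m set --match-set "${set_name6}" src -j ACCEPT \
    || echo "no rule '${set_name6}' to remove"
  $IPSET destroy "${set_name}" || echo "no set '${set_name}' to remove"
  $IPSET destroy "${set_name6}" || echo "no set '${set_name6}' to remove"
  exit 0
fi

# One set per address family; the rules and swaps below refer to the sets by
# exactly these two names.
create_set "${set_name}" hash:net
create_set "${set_name6}" hash:net family inet6

# Quote the command variables here so each arrives as a single positional
# parameter; the helper re-splits it.
ensure_accept_rule "$IPTABLES" "${set_name}"
ensure_accept_rule "$IP6TABLES" "${set_name6}"

if [ -e "${cidr_file}" ]
then
  trap cleanup_staging EXIT
  # IPv4 prefixes contain a dot, IPv6 prefixes a colon.
  refresh_set "${set_name}" '\.'
  refresh_set "${set_name6}" ':' family inet6
fi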