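#!/bin/sh
#
# xenophobe.sh - reject inbound traffic from a list of source networks.
#
# Reads CIDR entries from ./xenophobe.cidr (through decommentcat from
# common.sh), loads IPv4 entries into the ipset 'xenophobe' and IPv6 entries
# into 'xenophobe6', and hooks an INPUT rule per family that sends matching
# sources to the 'xenophobe' chain.  That chain lets packets of an already
# ESTABLISHED/RELATED connection RETURN and REJECTs everything else.
#
# Usage:
#   xenophobe.sh          create/refresh sets, chain and INPUT hooks
#   xenophobe.sh remove   delete the INPUT hooks, the chain and the sets
#
# Environment: IPTABLES, IP6TABLES, IPSET, create_set and decommentcat are
# provided by ./common.sh.

set -e

. ./common.sh

set_name='xenophobe'
chain="${set_name}"
cidr_file="${set_name}.cidr"

#######################################
# Destroy the scratch sets left by an interrupted refresh.
# Runs on every exit, so a failed 'ipset add' does not leave
# '<set>-tmp' behind and block the next run's 'ipset create'.
#######################################
cleanup() {
  $IPSET destroy "${set_name}-tmp" 2>/dev/null || true
  $IPSET destroy "${set_name}6-tmp" 2>/dev/null || true
}
trap cleanup EXIT

#######################################
# Make sure the reject chain exists and holds its two rules.
# Arguments: $1 - iptables/ip6tables command
#            $2 - --reject-with value for this family
#            $3 - label suffix for log messages (may be empty)
# Globals:   chain (read)
#######################################
ensure_chain() {
  ec_ipt=$1
  ec_reject=$2
  ec_label=$3
  ec_changed=0
  if ! $ec_ipt -L "${chain}" >/dev/null 2>&1
  then
    echo "initializing chain '${chain}'${ec_label}"
    $ec_ipt -N "${chain}"
    ec_changed=1
  fi
  # Check both rules on every run, not only when the chain is created: a
  # chain that exists but was flushed would otherwise stay empty, and a jump
  # to an empty chain just RETURNs, i.e. listed sources would no longer be
  # rejected.  The RETURN rule is inserted at position 1 so it always
  # precedes the REJECT rule.
  if ! $ec_ipt -C "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN >/dev/null 2>&1
  then
    $ec_ipt -I "${chain}" 1 -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
    ec_changed=1
  fi
  if ! $ec_ipt -C "${chain}" -j REJECT --reject-with "${ec_reject}" >/dev/null 2>&1
  then
    $ec_ipt -A "${chain}" -j REJECT --reject-with "${ec_reject}"
    ec_changed=1
  fi
  if [ "${ec_changed}" -eq 1 ]
  then
    $ec_ipt -v -L "${chain}"
  fi
}

#######################################
# Make sure INPUT jumps to the reject chain for sources in a set.
# Arguments: $1 - iptables/ip6tables command
#            $2 - ipset name to match on
# Globals:   chain (read)
#######################################
ensure_hook() {
  eh_ipt=$1
  eh_set=$2
  if ! $eh_ipt -C INPUT -m set --match-set "${eh_set}" src -j "${chain}" >/dev/null 2>&1
  then
    echo "initializing rule '${eh_set}'"
    # -I puts the hook at the head of INPUT so it precedes existing accepts.
    $eh_ipt -I INPUT -m set --match-set "${eh_set}" src -j "${chain}"
  fi
}

#######################################
# Rebuild a set from the CIDR file without a window where it is empty:
# fill a scratch set, then 'ipset swap' it into place.
# Arguments: $1 - set name
#            $2 - grep pattern selecting this family's lines ('\.' or ':')
#            $@ - remaining args: ipset create type/options
# Globals:   cidr_file (read)
#######################################
refresh_set() {
  rs_name=$1
  rs_pattern=$2
  shift 2
  rs_tmp="${rs_name}-tmp"
  echo "updating set '${rs_name}'"
  # A previous interrupted run may have left the scratch set behind.
  $IPSET destroy "${rs_tmp}" 2>/dev/null || true
  $IPSET create "${rs_tmp}" "$@"
  # Word-splitting of the substitution is intended: one CIDR per word.
  for s in $(decommentcat "${cidr_file}" | grep "${rs_pattern}")
  do
    $IPSET add "${rs_tmp}" "${s}"
  done
  $IPSET swap "${rs_tmp}" "${rs_name}"
  $IPSET destroy "${rs_tmp}"
  $IPSET list -t "${rs_name}"
}

if [ $# -eq 1 ] && [ "x$1" = "xremove" ]
then
  # Unhook from INPUT first so the chain and the sets are unreferenced
  # before they are deleted; every step tolerates "already gone".
  $IPTABLES -D INPUT -m set --match-set "${set_name}" src -j "${chain}" || echo "no rule '${set_name}' to remove"
  $IP6TABLES -D INPUT -m set --match-set "${set_name}6" src -j "${chain}" || echo "no rule '${set_name}6' to remove"
  if $IPTABLES -F "${chain}" 2>/dev/null
  then
    $IPTABLES -X "${chain}" || echo "chain '${chain}' still referenced, not removed"
  else
    echo "no chain '${chain}' to remove"
  fi
  if $IP6TABLES -F "${chain}" 2>/dev/null
  then
    $IP6TABLES -X "${chain}" || echo "chain '${chain}' ipv6 still referenced, not removed"
  else
    echo "no chain '${chain}' ipv6 to remove"
  fi
  $IPSET destroy "${set_name}" || echo "no set '${set_name}' to remove"
  $IPSET destroy "${set_name}6" || echo "no set '${set_name}6' to remove"
  exit 0
fi

create_set "${set_name}" hash:net
create_set "${set_name}6" hash:net family inet6

# create or re-init chains
ensure_chain "$IPTABLES" icmp-port-unreachable ""
ensure_chain "$IP6TABLES" icmp6-port-unreachable " ipv6"

# hook the sets into INPUT
ensure_hook "$IPTABLES" "${set_name}"
ensure_hook "$IP6TABLES" "${set_name}6"

# load the CIDR file: lines with a '.' go to the IPv4 set, lines with a ':'
# to the IPv6 set
if [ -e "${cidr_file}" ]
then
  refresh_set "${set_name}" '\.' hash:net
  refresh_set "${set_name}6" ':' hash:net family inet6
else
  echo "no ${cidr_file}, sets left unchanged" >&2
fi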