create xenophobe chain in main firewall script
[firewall-squeep] / common.sh
index 781df4abe4a1471b86381ea7b79c4ab9fc54cedb..1309518af3bce28ffed72d4eb3c72be87ba6d3da 100644 (file)
--- a/common.sh
+++ b/common.sh
@@ -20,12 +20,44 @@ function create_set(){
        fi
 }
 
+function create_drop_chain(){
+       local chain="$1"
+
+       if ! $IPTABLES -L "${chain}" >/dev/null 2>&1
+       then
+               echo "initializing chain '${chain}'"
+               $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
+               $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+               $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
+               $IPTABLES -v -L "${chain}"
+       fi
+
+       if ! $IP6TABLES -L "${chain}" >/dev/null 2>&1
+       then
+               echo "initializing chain '${chain}' ipv6"
+               $IP6TABLES -N "${chain}" || $IP6TABLES -F "${chain}"
+               $IP6TABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+               $IP6TABLES -A "${chain}" -j REJECT --reject-with icmp6-port-unreachable
+               $IP6TABLES -v -L "${chain}"
+       fi
+}
+
 function insert_setmatch_rules(){
+       local single=0
+       if [ "x$1" = "x-single-set" ]
+       then
+               single=1
+               shift
+       fi
        local ipt set_name="$1"
        shift
        for v in '' '6'
        do
                eval ipt="\$IP${v}TABLES"
+               if [ $single -eq 1 ]
+               then
+                       v=''
+               fi
                if ! $ipt -C INPUT -m set --match-set "${set_name}${v}" src "$@" >/dev/null 2>&1
                then
                        echo "initializing rule '${set_name}${v}'"
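Review bot: The `|| $IPTABLES -F "${chain}"` fallback on the -N lines in create_drop_chain cannot do what it appears to: -N is only reached after -L has already reported the chain absent, so a failing -N means iptables itself is unusable (no privileges, xtables lock, missing binary), and the -F, the two -A rules and the final listing then fail as well, leaving the chain missing or half-built while the function quietly continues. Better to abort the branch: `$IPTABLES -N "${chain}" || { echo "cannot create chain '${chain}'" >&2; return 1; }` and the same for the ip6tables branch. The -L probes and the `-v -L` listing would also benefit from `-n`, so iptables does not perform reverse DNS lookups while the firewall is being assembled. A header comment should state why a function named create_drop_chain terminates in REJECT with port-unreachable rather than DROP, since that decides what blocked sources get told; insert_setmatch_rules continues past the end of this hunk.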
@@ -74,3 +106,26 @@ function reload_cidr_sets(){
        done
 }
 
+function add_service_entry(){
+       local port proto
+       port=$(echo "$1" | cut -d/ -f1)
+       proto=$(echo "$1" | cut -d/ -f2)
+       $IPSET -exist add allowed_${proto} ${port}
+}
+
+function allow_services(){
+       local s proto port
+       for s in "$@"
+       do
+               case "${s}" in
+               */*)    add_service_entry "${s}"
+                       ;;
+               *)      for svc in $(getent services "${s}" | awk '{print $2}')
+                       do
+                               add_service_entry "${svc}"
+                       done
+                       ;;
+               esac
+       done
+}
+
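Review bot: In allow_services the line `local s proto port` declares two names that are never used while `svc`, the loop variable actually assigned a few lines below, is left global; it should read `local s svc`. A service name that getent cannot resolve makes the inner loop run zero times with no diagnostic, so a typo in the argument list silently allow-lists nothing; a guard such as `getent services "${s}" >/dev/null || echo "warning: unknown service '${s}'" >&2` before the loop would surface it. In add_service_entry the two `echo | cut` pipelines can be replaced by parameter expansion, `port=${1%%/*}` and `proto=${1#*/}`, and the ipset arguments `"allowed_${proto}" "${port}"` should be quoted. getent appears to print only the first matching entry for a name, so a service defined for both tcp and udp will add only one of them — worth a comment if that is the intended behaviour.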