set -e
-IPTABLES=$(which iptables)
-IP6TABLES=$(which ip6tables)
-IPSET=$(which ipset)
+. ./common.sh
debug=0
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
# drop source-route rh0 headery things
-$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
+$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2
# accept things we set up
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
done
-$IPSET -exist create allowed_udp bitmap:port range 0-65535
-$IPSET -exist create allowed_tcp bitmap:port range 0-65535
-for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
-do
- $IPSET -exist add allowed_tcp ${p}
-done
-for p in 53 123 1194 64738
+create_set allowed_udp bitmap:port range 0-65535
+create_set allowed_tcp bitmap:port range 0-65535
+
+for sfx in '' ".$(hostname -s)"
do
- $IPSET -exist add allowed_udp ${p}
+ if [ -e "services${sfx}" ]
+ then
+
+ for l in $(decommentcat "services${sfx}")
+ do
+ allow_services "${l}"
+ done
+ fi
done
$IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
$IP6TABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
$IP6TABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
+create_drop_chain xenophobe
+
+# insert asia blocker
+./sinokorea.sh
+
# insert persistent-pest-blocker
./xenophobe.sh