add tc egress shaping

[firewall-squeep] / firewall.sh

diff --git a/firewall.sh b/firewall.sh
index 4106807247651f4dfa3ae9fdbcf3dd93bd4aec66..356075c424f98eb5d40a071a543455ba17a018a1 100755 (executable)
--- a/firewall.sh
+++ b/firewall.sh
@@ -52,7 +52,7 @@ $IPTABLES -A INPUT -p icmp -j ACCEPT
 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
 
 # drop source-route rh0 headery things
-$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
+$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2
 
 # accept things we set up
 $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -74,13 +74,16 @@ done
 create_set allowed_udp bitmap:port range 0-65535
 create_set allowed_tcp bitmap:port range 0-65535
 
-for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
+for sfx in '' ".$(hostname -s)"
 do
-       $IPSET -exist add allowed_tcp ${p}
-done
-for p in 53 123 1194 64738
-do
-       $IPSET -exist add allowed_udp ${p}
+       if [ -e "services${sfx}" ]
+       then
+
+               for l in $(decommentcat "services${sfx}")
+               do
+                       allow_services "${l}"
+               done
+       fi
 done
 
 $IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
@@ -88,6 +91,11 @@ $IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j A
 $IP6TABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
 $IP6TABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
 
+create_drop_chain xenophobe
+
+# insert asia blocker
+./sinokorea.sh
+
 # insert persistent-pest-blocker
 ./xenophobe.sh