if [ $# -lt 1 ]
then
- echo "Usage: $(basename "$0") external_interface" 1>&2
+ echo "Usage: $(basename "$0") external_interface [external_addr]" 1>&2
exit 64
fi
exit 1
fi
+is_router=0
+if [ $# -gt 1 ]
+then
+ is_router=1
+ EXT_ADDR="$2"
+fi
+
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -X
# accept local traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
-
$IP6TABLES -A INPUT -i lo -j ACCEPT
# accept ICMP
$IPTABLES -A INPUT -p icmp -j ACCEPT
-
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
# drop source-route rh0 headery things
# accept things we set up
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
$IP6TABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# accept ipv6 link-local traffic
$IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
done
-create_set allowed_udp bitmap:port range 0-65535
-create_set allowed_tcp bitmap:port range 0-65535
+# accept ESP for IPSec
+$IPTABLES -A INPUT -p esp -j ACCEPT
+$IP6TABLES -A INPUT -p esp -j ACCEPT
-for sfx in '' ".$(hostname -s)"
-do
- if [ -e "services${sfx}" ]
- then
-
- for l in $(decommentcat "services${sfx}")
- do
- allow_services "${l}"
- done
- fi
-done
+# accept all IPSec traffic
+$IPTABLES -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
+$IP6TABLES -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
+
+if [ $is_router -gt 0 ]
+then
+ $IPTABLES -t nat -A POSTROUTING -o ${EXT_IF} -j SNAT --to ${EXT_ADDR}
+fi
-$IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
-$IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
-$IP6TABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
-$IP6TABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
+./services.sh ${EXT_IF}
create_drop_chain xenophobe
projects / firewall-squeep / blobdiff