fancier services

[firewall-squeep] / firewall.sh

diff --git a/firewall.sh b/firewall.sh
index 34184eefcdaa2091b669dcca60a0c6e2cfda0697..eab2cb3404574a08d4f8b914022ee7c3d7ef9786 100755 (executable)
--- a/firewall.sh
+++ b/firewall.sh
@@ -2,9 +2,7 @@
 
 set -e
 
-IPTABLES=$(which iptables)
-IP6TABLES=$(which ip6tables)
-IPSET=$(which ipset)
+. ./common.sh
 
 debug=0
 
@@ -54,7 +52,7 @@ $IPTABLES -A INPUT -p icmp -j ACCEPT
 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
 
 # drop source-route rh0 headery things
-$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
+$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2
 
 # accept things we set up
 $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -73,16 +71,18 @@ do
        $IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
 done
 
-$IPSET -exist create allowed_udp bitmap:port range 0-65535
-$IPSET -exist create allowed_tcp bitmap:port range 0-65535
-for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
-do
-       $IPSET -exist add allowed_tcp ${p}
-done
-for p in 53 123 1194 64738
-do
-       $IPSET -exist add allowed_udp ${p}
-done
+create_set allowed_udp bitmap:port range 0-65535
+create_set allowed_tcp bitmap:port range 0-65535
+
+# common services
+allow_services ssh smtp submission domain ntp
+
+# per-host services
+srv_file="services.$(hostname -s)"
+if [ -e "${srv_file}" ]
+then
+       . "${srv_file}"
+fi
 
 $IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
 $IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT