X-Git-Url: http://git.squeep.com/?p=firewall-squeep;a=blobdiff_plain;f=firewall.sh;h=c55762f75a0db702c9efe4a1ef5ebe935c21d606;hp=eab2cb3404574a08d4f8b914022ee7c3d7ef9786;hb=HEAD;hpb=26febd7376e8c1679d5d088d71d73bc64585ec1e
diff --git a/firewall.sh b/firewall.sh
index eab2cb3..c55762f 100755
--- a/firewall.sh
+++ b/firewall.sh
@@ -15,7 +15,7 @@ fi
 
 if [ $# -lt 1 ]
 then
- echo "Usage: $(basename "$0") external_interface" 1>&2
+ echo "Usage: $(basename "$0") external_interface [external_addr]" 1>&2
 exit 64
 fi
 
@@ -26,6 +26,13 @@ then
 exit 1
 fi
 
+is_router=0
+if [ $# -gt 1 ]
+then
+ is_router=1
+ EXT_ADDR="$2"
+fi
+
 $IPTABLES -F
 $IPTABLES -F INPUT
 $IPTABLES -X
@@ -43,12 +50,10 @@ $IP6TABLES -P OUTPUT ACCEPT
 
 # accept local traffic
 $IPTABLES -A INPUT -i lo -j ACCEPT
-
 $IP6TABLES -A INPUT -i lo -j ACCEPT
 
 # accept ICMP
 $IPTABLES -A INPUT -p icmp -j ACCEPT
-
 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
 
 # drop source-route rh0 headery things
@@ -56,7 +61,6 @@ $IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2
 
 # accept things we set up
 $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
 $IP6TABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # accept ipv6 link-local traffic
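Review bot: `EXT_ADDR="$2"` in the new router block is stored without any check that the second argument is an address, and nothing in these hunks rejects an empty or malformed value before it reaches the SNAT rule added further down the file. A bad value makes that iptables call fail after the rest of the firewall has already been loaded; whether the script then stops depends on an error mode (`set -e` or explicit status checks) that is not visible in this diff. A minimal guard after the assignment would be `[ -n "${EXT_ADDR}" ] || { echo "external_addr must not be empty" 1>&2; exit 64; }`, reusing the exit code the usage path already uses. A one-line comment above `is_router=0` stating that a second argument is what switches the host into router mode would also help the next reader.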
@@ -71,23 +75,25 @@ do
 $IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
 done
 
-create_set allowed_udp bitmap:port range 0-65535
-create_set allowed_tcp bitmap:port range 0-65535
+# accept ESP for IPSec
+$IPTABLES -A INPUT -p esp -j ACCEPT
+$IP6TABLES -A INPUT -p esp -j ACCEPT
 
-# common services
-allow_services ssh smtp submission domain ntp
+# accept all IPSec traffic
+$IPTABLES -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
+$IP6TABLES -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
 
-# per-host services
-srv_file="services.$(hostname -s)"
-if [ -e "${srv_file}" ]
+if [ $is_router -gt 0 ]
 then
- . "${srv_file}"
+ $IPTABLES -t nat -A POSTROUTING -o ${EXT_IF} -j SNAT --to ${EXT_ADDR}
 fi
 
-$IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
-$IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
-$IP6TABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
-$IP6TABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
+./services.sh ${EXT_IF}
+
+create_drop_chain xenophobe
+
+# insert asia blocker
+./sinokorea.sh
 
 # insert persistent-pest-blocker
 ./xenophobe.sh
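Review bot: The new SNAT line and `./services.sh ${EXT_IF}` expand `${EXT_IF}` and `${EXT_ADDR}` unquoted, while the rules this hunk removes wrote `"${EXT_IF}"`; keeping the quotes avoids word-splitting of an interface name or address taken from argv, i.e. `$IPTABLES -t nat -A POSTROUTING -o "${EXT_IF}" -j SNAT --to "${EXT_ADDR}"` and `./services.sh "${EXT_IF}"`. The `-m policy --dir in --pol ipsec -j ACCEPT` rules accept every packet that arrived through an IPsec SA regardless of port, ahead of any service filtering, so the comment "accept all IPSec traffic" should say that this is intended and which peers are expected; if only tunnel-mode peers are meant, `--mode tunnel` or a `-s` source network would narrow it. `./services.sh` and `./sinokorea.sh` are resolved against the current directory like the existing `./xenophobe.sh`, so running the script from another directory fails those calls and, unless something outside the hunk stops on error, continues without the service rules; `"$(dirname "$0")/services.sh"` would make the path independent of cwd. The `for` loop that `done` closes at the top of the hunk starts outside it.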