fancier services

diff --git a/common.sh b/common.sh
index 781df4abe4a1471b86381ea7b79c4ab9fc54cedb..f8860fcb1adf50868d549a147cfeb5f57ef23ea9 100644 (file)
--- a/common.sh
+++ b/common.sh
@@ -21,11 +21,21 @@ function create_set(){
 }
 
 function insert_setmatch_rules(){
 }
 
 function insert_setmatch_rules(){

+       local single=0
+       if [ "x$1" = "x-single-set" ]
+       then
+               single=1
+               shift
+       fi

        local ipt set_name="$1"
        shift
        for v in '' '6'
        do
                eval ipt="\$IP${v}TABLES"
        local ipt set_name="$1"
        shift
        for v in '' '6'
        do
                eval ipt="\$IP${v}TABLES"

+               if [ $single -eq 1 ]
+               then
+                       v=''
+               fi

                if ! $ipt -C INPUT -m set --match-set "${set_name}${v}" src "$@" >/dev/null 2>&1
                then
                        echo "initializing rule '${set_name}${v}'"
                if ! $ipt -C INPUT -m set --match-set "${set_name}${v}" src "$@" >/dev/null 2>&1
                then
                        echo "initializing rule '${set_name}${v}'"


@@ -74,3 +84,26 @@ function reload_cidr_sets(){
        done
 }
 
        done
 }
 

+function add_service_entry(){
+       local port/proto
+       port=$(echo "${s}" | cut -d/ -f1)
+       proto=$(echo "${s}" | cut -d/ -f2)
+       $IPSET -exist add allowed_${proto} ${port}
+}
+
+function allow_services(){
+       local s proto port
+       for s in "$@"
+       do
+               case "${s}" in
+               */*)    add_service_entry "${s}"
+                       ;;
+               *)      for svc in $(getent services "${s}" | awk '{print $2}')
+                       do
+                               add_service_entry "${svc}"
+                       done
+                       ;;
+               esac
+       done
+}
+

diff --git a/firewall.sh b/firewall.sh
index 4106807247651f4dfa3ae9fdbcf3dd93bd4aec66..eab2cb3404574a08d4f8b914022ee7c3d7ef9786 100755 (executable)
--- a/firewall.sh
+++ b/firewall.sh
@@ -52,7 +52,7 @@ $IPTABLES -A INPUT -p icmp -j ACCEPT
 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
 
 # drop source-route rh0 headery things
 $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
 
 # drop source-route rh0 headery things

-$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
+$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2

 
 # accept things we set up
 $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 # accept things we set up
 $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT


@@ -74,14 +74,15 @@ done
 create_set allowed_udp bitmap:port range 0-65535
 create_set allowed_tcp bitmap:port range 0-65535
 
 create_set allowed_udp bitmap:port range 0-65535
 create_set allowed_tcp bitmap:port range 0-65535
 

-for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
-do
-       $IPSET -exist add allowed_tcp ${p}
-done
-for p in 53 123 1194 64738
-do
-       $IPSET -exist add allowed_udp ${p}
-done
+# common services
+allow_services ssh smtp submission domain ntp
+
+# per-host services
+srv_file="services.$(hostname -s)"
+if [ -e "${srv_file}" ]
+then
+       . "${srv_file}"
+fi

 
 $IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
 $IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
 
 $IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
 $IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT