create xenophobe chain in main firewall script

diff --git a/common.sh b/common.sh
index f2a7f549dfaf4122dfacbdcb7ce489ef7ae31e71..1309518af3bce28ffed72d4eb3c72be87ba6d3da 100644 (file)
--- a/common.sh
+++ b/common.sh
@@ -20,6 +20,28 @@ function create_set(){
        fi
 }
 
+function create_drop_chain(){
+       local chain="$1"
+
+       if ! $IPTABLES -L "${chain}" >/dev/null 2>&1
+       then
+               echo "initializing chain '${chain}'"
+               $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
+               $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+               $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
+               $IPTABLES -v -L "${chain}"
+       fi
+
+       if ! $IP6TABLES -L "${chain}" >/dev/null 2>&1
+       then
+               echo "initializing chain '${chain}' ipv6"
+               $IP6TABLES -N "${chain}" || $IP6TABLES -F "${chain}"
+               $IP6TABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+               $IP6TABLES -A "${chain}" -j REJECT --reject-with icmp6-port-unreachable
+               $IP6TABLES -v -L "${chain}"
+       fi
+}
+
 function insert_setmatch_rules(){
        local single=0
        if [ "x$1" = "x-single-set" ]

diff --git a/firewall.sh b/firewall.sh
index f880eafad6986950ea39bb344663ab4d74fbd70a..356075c424f98eb5d40a071a543455ba17a018a1 100755 (executable)
--- a/firewall.sh
+++ b/firewall.sh
@@ -91,6 +91,8 @@ $IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j A
 $IP6TABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
 $IP6TABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
 
+create_drop_chain xenophobe
+
 # insert asia blocker
 ./sinokorea.sh