streamlined more common functionality

author Justin Wind <justin.wind+git@gmail.com>

Tue, 24 Jan 2017 20:41:04 +0000 (12:41 -0800)

committer Justin Wind <justin.wind+git@gmail.com>

Tue, 24 Jan 2017 20:41:04 +0000 (12:41 -0800)
author Justin Wind <justin.wind+git@gmail.com>
Tue, 24 Jan 2017 20:41:04 +0000 (12:41 -0800)
committer Justin Wind <justin.wind+git@gmail.com>
Tue, 24 Jan 2017 20:41:04 +0000 (12:41 -0800)
diff --git a/common.sh b/common.sh

index 4bb66ff664b0a8be18b419a9eda030f0abc78680..781df4abe4a1471b86381ea7b79c4ab9fc54cedb 100644 (file)
--- a/common.sh
+++ b/common.sh
@@ -20,3 +20,57 @@ function create_set(){
         fi
  }
  
         fi
  }
  
+function insert_setmatch_rules(){
+       local ipt set_name="$1"
+       shift
+       for v in '' '6'
+       do
+               eval ipt="\$IP${v}TABLES"
+               if ! $ipt -C INPUT -m set --match-set "${set_name}${v}" src "$@" >/dev/null 2>&1
+               then
+                       echo "initializing rule '${set_name}${v}'"
+                       $ipt -I INPUT -m set --match-set "${set_name}${v}" src "$@"
+               fi
+       done
+}
+
+function reload_cidr_sets(){
+       local set_name="$1"
+
+       # init new temporary sets
+       echo "updating set '${set_name}'"
+
+       create_set "${set_name}-tmp" hash:net
+       create_set "${set_name}6-tmp" hash:net family inet6
+
+       # populate them
+       for sfx in '' .$(hostname -s)
+       do
+               cidrfile="${set_name}.cidr${sfx}"
+               if [ -e "${cidrfile}" ]
+               then
+                       for s in $(decommentcat "${cidrfile}")
+                       do
+                               case "${s}" in
+                                       *.*) table="${set_name}-tmp" ;;
+                                       *:*) table="${set_name}6-tmp" ;;
+                                       *)
+                                               echo "unknown entry '${s}' in '${cidrfile}'" 1>&2
+                                               continue
+                                       ;;
+                               esac
+                               $IPSET add "${table}" "${s}"
+                       done
+               fi
+       done
+
+       # take new sets live
+       for v in '' 6
+       do
+               n="${set_name}${v}"
+               $IPSET swap "${n}-tmp" "${n}"
+               $IPSET destroy "${n}-tmp"
+               $IPSET list -t "${n}"
+       done
+}
+
diff --git a/firewall.sh b/firewall.sh

index 34184eefcdaa2091b669dcca60a0c6e2cfda0697..4106807247651f4dfa3ae9fdbcf3dd93bd4aec66 100755 (executable)
--- a/firewall.sh
+++ b/firewall.sh
@@ -2,9 +2,7 @@
  
  set -e
  
  
  set -e
  
-IPTABLES=$(which iptables)
-IP6TABLES=$(which ip6tables)
-IPSET=$(which ipset)
+. ./common.sh
  
  debug=0
  
  
  debug=0
  
@@ -73,8 +71,9 @@ do
         $IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
  done
  
         $IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
  done
  
-$IPSET -exist create allowed_udp bitmap:port range 0-65535
-$IPSET -exist create allowed_tcp bitmap:port range 0-65535
+create_set allowed_udp bitmap:port range 0-65535
+create_set allowed_tcp bitmap:port range 0-65535
+
  for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
  do
         $IPSET -exist add allowed_tcp ${p}
  for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
  do
         $IPSET -exist add allowed_tcp ${p}
diff --git a/trusted.sh b/trusted.sh

index 9d15eaa802b4ddafd2e737163906384ef20b7361..5dec74fd685f6557d8b094408d4bb19f1e405415 100755 (executable)
--- a/trusted.sh
+++ b/trusted.sh
@@ -18,39 +18,7 @@ fi
  create_set "${set_name}" hash:net
  create_set "${set_name}" hash:net family inet6
  
  create_set "${set_name}" hash:net
  create_set "${set_name}" hash:net family inet6
  
+insert_setmatch_rules "${set_name}" -j ACCEPT
  
  
-if ! $IPTABLES -C INPUT -m set --match-set "${set_name}" src -j ACCEPT >/dev/null 2>&1
-then
-       echo "initializing rule '${set_name}'"
-       $IPTABLES -I INPUT -m set --match-set "${set_name}" src -j ACCEPT
-fi
-
-
-if ! $IP6TABLES -C INPUT -m set --match-set "${set_name}6" src -j ACCEPT >/dev/null 2>&1
-then
-       echo "initializing rule '${set_name}6'"
-       $IP6TABLES -I INPUT -m set --match-set "${set_name}6" src -j ACCEPT
-fi
+reload_cidr_sets "${set_name}"
  
  
-if [ -e "${set_name}.cidr" ]
-then
-       echo "updating set '${set_name}'"
-       $IPSET create "${set_name}-tmp" hash:net
-       for s in $(decommentcat "${set_name}.cidr" | grep '\.')
-       do
-               $IPSET add "${set_name}-tmp" "${s}"
-       done
-       $IPSET swap "${set_name}-tmp" "${set_name}"
-       $IPSET destroy "${set_name}-tmp"
-       $IPSET list -t "${set_name}"
-
-       echo "updating set '${set_name}6'"
-       $IPSET create "${set_name}6-tmp" hash:net family inet6
-       for s in $(decommentcat "${set_name}.cidr" | grep '\:')
-       do
-               $IPSET add "${set_name}6-tmp" "${s}"
-       done
-       $IPSET swap "${set_name}6-tmp" "${set_name}6"
-       $IPSET destroy "${set_name}6-tmp"
-       $IPSET list -t "${set_name}6"
-fi
diff --git a/xenophobe.sh b/xenophobe.sh

index 631c49275aa69dae4c945189f934c820aeaac59b..91d250a3eb3e6748ecd5075e750ed39a5c3c998c 100755 (executable)
--- a/xenophobe.sh
+++ b/xenophobe.sh
@@ -38,39 +38,7 @@ then
         $IP6TABLES -v -L "${chain}"
  fi
  
         $IP6TABLES -v -L "${chain}"
  fi
  
-if ! $IPTABLES -C INPUT -m set --match-set "${set_name}" src -j "${chain}" >/dev/null 2>&1
-then
-       echo "initializing rule '${set_name}'"
-       $IPTABLES -I INPUT -m set --match-set "${set_name}" src -j "${chain}"
-fi
-
-if ! $IP6TABLES -C INPUT -m set --match-set "${set_name}6" src -j "${chain}" >/dev/null 2>&1
-then
-       echo "initializing rule '${set_name}6'"
-       $IP6TABLES -I INPUT -m set --match-set "${set_name}6" src -j "${chain}"
-fi
-
-# init new temporary set
-if [ -e "${set_name}.cidr" ]
-then
-       echo "updating set '${set_name}'"
-       $IPSET create "${set_name}-tmp" hash:net
-       for s in $(decommentcat "${set_name}.cidr" | grep '\.')
-       do
-               $IPSET add "${set_name}-tmp" "${s}"
-       done
-       $IPSET swap "${set_name}-tmp" "${set_name}"
-       $IPSET destroy "${set_name}-tmp"
-       $IPSET list -t "${set_name}"
+insert_setmatch_rules "${set_name}" -j "${chain}"
  
  
-       echo "updating set '${set_name}'"
-       $IPSET create "${set_name}6-tmp" hash:net family inet6
-       for s in $(decommentcat "${set_name}.cidr" | grep '\:')
-       do
-               $IPSET add "${set_name}6-tmp" "${s}"
-       done
-       $IPSET swap "${set_name}6-tmp" "${set_name}6"
-       $IPSET destroy "${set_name}6-tmp"
-       $IPSET list -t "${set_name}6"
-fi
+reload_cidr_sets "${set_name}"
author	Justin Wind <justin.wind+git@gmail.com>
	Tue, 24 Jan 2017 20:41:04 +0000 (12:41 -0800)
committer	Justin Wind <justin.wind+git@gmail.com>
	Tue, 24 Jan 2017 20:41:04 +0000 (12:41 -0800)
common.sh		patch \| blob \| history
firewall.sh		patch \| blob \| history
trusted.sh		patch \| blob \| history
xenophobe.sh		patch \| blob \| history