From: Justin Wind Date: Sun, 1 Oct 2017 22:11:42 +0000 (-0700) Subject: separate services.sh X-Git-Url: http://git.squeep.com/?p=firewall-squeep;a=commitdiff_plain;h=3d7987337f881e38e8537233959c78054147e737 separate services.sh --- diff --git a/router.sh b/router.sh index b45d988..7b2c5ad 100755 --- a/router.sh +++ b/router.sh @@ -201,11 +201,7 @@ $IPTABLES -t nat -A POSTROUTING -o ${EXT_IF} -j SNAT --to ${EXT} # accept internal network traffic $IPTABLES -A INPUT -i ${INT_IF} -j ACCEPT -# accept list of external ports -$IPTABLES -A INPUT -i ${EXT_IF} -p tcp -m set --match-set allowed_tcp dst -j ACCEPT -$IPTABLES -A INPUT -i ${EXT_IF} -p udp -m set --match-set allowed_udp dst -j ACCEPT -$IP6TABLES -A INPUT -i ${EXT6_IF} -p tcp -m set --match-set allowed_tcp dst -j ACCEPT -$IP6TABLES -A INPUT -i ${EXT6_IF} -p udp -m set --match-set allowed_udp dst -j ACCEPT +./services ${EXT_IF} ${EXT6_IF} # load rules # inserts, so stack order matters diff --git a/services.sh b/services.sh new file mode 100755 index 0000000..32d7576 --- /dev/null +++ b/services.sh @@ -0,0 +1,42 @@ +#!/bin/bash + +set -e + +. ./common.sh + +IFOPT="" +IF6OPT="" +if [[ $# -eq 1 ]] +then + IFOPT="-i $1" + IF6OPT="-i $1" +fi +if [[ $# -eq 2 ]] +then + IFOPT="-i $1" + IF6OPT="-i $2" +fi + +for p in udp tcp +do + create_set allowed_${p} bitmap:port range 0-65535 + if ! $IPTABLES -C INPUT ${IFOPT} -p ${p} -m set --match-set allowed_${p} dst -j ACCEPT + then + $IPTABLES -A INPUT ${IFOPT} -p ${p} -m set --match-set allowed_${p} dst -j ACCEPT + fi + if ! $IP6TABLES -C INPUT ${IF6OPT} -p ${p} -m set --match-set allowed_${p} dst -j ACCEPT + then + $IP6TABLES -A INPUT ${IF6OPT} -p ${p} -m set --match-set allowed_${p} dst -j ACCEPT + fi +done + +for sfx in '' ".$(hostname -s)" +do + if [ -e "services${sfx}" ] + then + for l in $(decommentcat "services${sfx}") + do + allow_services "${l}" + done + fi +done