From 8f282d43f66a96150c9edef5b8ce39f3f6fc3b4d Mon Sep 17 00:00:00 2001
From: Justin Wind
Date: Sat, 28 Jan 2017 12:55:47 -0800
Subject: [PATCH] create xenophobe chain in main firewall script

---
 common.sh | 22 ++++++++++++++++++++++
 firewall.sh | 2 ++
 2 files changed, 24 insertions(+)

diff --git a/common.sh b/common.sh
index f2a7f54..1309518 100644
--- a/common.sh
+++ b/common.sh
@@ -20,6 +20,28 @@ function create_set(){
 fi
 }
 
+function create_drop_chain(){
+local chain="$1"
+
+if ! $IPTABLES -L "${chain}" >/dev/null 2>&1
+then
+echo "initializing chain '${chain}'"
+$IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
+$IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+$IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
+$IPTABLES -v -L "${chain}"
+fi
+
+if ! $IP6TABLES -L "${chain}" >/dev/null 2>&1
+then
+echo "initializing chain '${chain}' ipv6"
+$IP6TABLES -N "${chain}" || $IP6TABLES -F "${chain}"
+$IP6TABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
+$IP6TABLES -A "${chain}" -j REJECT --reject-with icmp6-port-unreachable
+$IP6TABLES -v -L "${chain}"
+fi
+}
+
 function insert_setmatch_rules(){
 local single=0
 if [ "x$1" = "x-single-set" ]
diff --git a/firewall.sh b/firewall.sh
index f880eaf..356075c 100755
--- a/firewall.sh
+++ b/firewall.sh
@@ -91,6 +91,8 @@ $IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j A
 $IP6TABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
 $IP6TABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
 
+create_drop_chain xenophobe
+
 # insert asia blocker
 ./sinokorea.sh
 
-- 
2.43.2
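Review bot: In create_drop_chain a failed `-A` (for example the conntrack match not being available) leaves the chain created but empty, and on every later run the `-L` guard skips re-initialization, so traffic jumped to `xenophobe` would silently RETURN to the caller instead of being rejected; each `-A` line should fail the function, e.g. `$IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable || return 1`, and likewise in the IPv6 branch. The `-N ... || -F` fallback is doubtful for the same reason: the `-L` guard already excludes "chain exists", so a failing `-N` (no privilege, no iptables binary) is not something a flush repairs, and continuing hides the error unless the callers run under `set -e`, which is not visible here. A header comment would also help, since the name says drop while the chain rejects: `# create_drop_chain CHAIN: create CHAIN (IPv4 and IPv6) that RETURNs established/related traffic and REJECTs everything else with port-unreachable`. create_drop_chain lies entirely within the hunk.
```shell
        echo "initializing chain '${chain}'"
        $IPTABLES -N "${chain}" || { echo "cannot create chain '${chain}'" >&2; return 1; }
        $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN || return 1
        $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable || return 1
        # … unchanged: -v -L listing, fi …
    # … unchanged: IPv6 branch, with the same "|| return 1" checks on its -N and -A lines …
```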
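Review bot: The new `create_drop_chain xenophobe` call in firewall.sh ignores the function's exit status, so if chain creation fails the script still proceeds to `./sinokorea.sh`, and any rule that jumps to `xenophobe` will either fail to load or, if the chain exists but is empty, hand traffic back unrejected; `create_drop_chain xenophobe || exit 1` would stop at the fault (whether firewall.sh runs under `set -e` is not visible in this hunk). Nothing in the hunk references the chain, so presumably `sinokorea.sh` adds the jump to it; a comment recording that dependency would make the placement before the geo-blocker deliberate, e.g. `# target chain for the blocker rules inserted by sinokorea.sh below` (confirm that is the consumer).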