# Dry-run mode: prefix both firewall binaries with "echo" so every rule in
# this script is printed instead of applied. ${IPTABLES}/${IP6TABLES} are
# expected to already hold the real command names; the branch that enables
# this mode is outside this excerpt. Every call site keeps $IPTABLES
# unquoted on purpose so the "echo iptables" pair splits back into two words.
IPTABLES="echo $IPTABLES"
IP6TABLES="echo $IP6TABLES"
# Exactly one argument is required: the name of the external interface the
# service rules further down are bound to. The usage text goes to stderr
# like any other diagnostic; the argument check around it is not shown here.
printf '%s\n' "Usage: $(basename "$0") external_interface" >&2
# Refuse to continue unless the interface named on the command line exists.
# The service rules below are bound to it with -i, and iptables accepts any
# interface name without checking it, so a typo here would otherwise yield a
# DROP-policy firewall with no reachable ports.
# NOTE(review): unlike the usage message this error goes to stdout, not
# stderr. The then/fi and the exit belong to lines outside this excerpt.
if ! ip link show "${EXT_IF}" >/dev/null 2>&1
echo "'${EXT_IF}' does not seem to be a valid interface"
# Default policies for both address families: drop anything no INPUT rule
# below accepts, let all locally generated traffic out.
# NOTE(review): the DROP policy is installed before the accept rules that
# follow. Until the RELATED,ESTABLISHED rule lands, packets of an existing
# SSH session are dropped (TCP retransmits normally bridge that gap), and
# if any later rule fails to install the host keeps the DROP policy without
# that exception -- a remote lockout risk. Setting the policies last, or an
# EXIT trap that restores ACCEPT on error, limits the blast radius.
# The FORWARD policy is not set in the lines visible here; confirm it is
# DROP on a host that does not route.
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT ACCEPT
$IP6TABLES --policy INPUT DROP
$IP6TABLES --policy OUTPUT ACCEPT
# Loopback: anything a local process sends to this host over lo is trusted
# unconditionally, for IPv4 and IPv6 alike.
$IPTABLES --append INPUT --in-interface lo --jump ACCEPT
$IP6TABLES --append INPUT --in-interface lo --jump ACCEPT
# ICMP is accepted unconditionally for both families. ICMPv6 must stay open
# (at minimum neighbour discovery, types 133-137, and Packet Too Big, type 2)
# or IPv6 connectivity and path-MTU discovery break. For IPv4 this also
# admits echo-request from anywhere on every interface; add a hashlimit on
# icmp type 8 if ping floods are a concern.
$IPTABLES --append INPUT --protocol icmp --jump ACCEPT
$IP6TABLES --append INPUT --protocol ipv6-icmp --jump ACCEPT
# Drop IPv6 packets carrying a type-0 routing header (RH0 source routing,
# deprecated by RFC 5095 because it enables traffic amplification). The rt
# match lives in a separate xtables module; when it is absent the rule
# fails, we warn on stderr and carry on rather than stop half-way through
# a DROP-policy configuration. Modern Linux kernels refuse RH0 on their
# own, so this is defence in depth rather than the only control.
$IP6TABLES --append INPUT --match rt --rt-type 0 --jump DROP \
  || printf '%s\n' "MISSING RT MATCH" >&2
# Let replies and related flows of connections this host opened, or has
# already accepted, back in. Everything after this only has to classify
# new flows.
# NOTE(review): no "--ctstate INVALID --jump DROP" is visible in this
# excerpt; placing one before the service rules stops stray segments that
# cannot be attributed to any tracked connection.
$IPTABLES --append INPUT --match conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT
$IP6TABLES --append INPUT --match conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT
# Accept everything sourced from the IPv6 link-local range, on any interface.
# NOTE(review): this is far broader than neighbour discovery, which the
# ICMPv6 rule above already covers. Any neighbour on the same L2 segment can
# reach every listening IPv6 service through its fe80:: address, bypassing
# the per-port allow-list applied on ${EXT_IF} further down. On shared
# segments (cloud VPCs, hosting LANs) narrow this to what is actually
# needed, e.g. DHCPv6 client traffic (udp dport 546).
$IP6TABLES --append INPUT --source fe80::/10 --jump ACCEPT
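# Accept IPv6 traffic addressed to a multicast group (mDNS on ff02::fb,
# DHCPv6 on ff02::1:2, and similar group-addressed services).
# The original rule matched "-s ff00::/8". Multicast addresses are never
# valid source addresses (RFC 4291 section 2.7) and the kernel's IPv6 input
# path discards such packets before netfilter runs, so that rule could
# never match and real multicast traffic fell through to the DROP policy.
# The stated intent -- accept IPv6 multicast -- needs a destination match.
# NOTE(review): this now admits any protocol sent to any multicast group on
# any interface; if the host must not answer mDNS/LLMNR-style discovery
# over IPv6, restrict it to the specific groups and ports required.
$IP6TABLES --append INPUT --destination ff00::/8 --jump ACCEPT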
# Drop IPv4 TCP segments whose flag combinations never occur in a legitimate
# handshake (Xmas, null, SYN+FIN and SYN+RST style scans). ${flags} is left
# unquoted on purpose: each list entry is "MASK COMP" and must split into the
# two arguments --tcp-flags expects.
# NOTE(review): the original comment says "log and drop", but only a DROP
# rule is visible here; the loop's do/done and any LOG rule are outside
# this excerpt. No ip6tables counterpart is visible either, although the same
# probes arrive over IPv6.
for flags in 'ALL FIN,URG,PSH' 'ALL ALL' 'ALL SYN,RST,ACK,FIN,URG' 'ALL NONE' 'SYN,RST SYN,RST' 'SYN,FIN SYN,FIN'
$IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
# One bitmap:port ipset per protocol holding the externally reachable ports;
# the service rules below match destination ports against them.
# create_set is not defined in this excerpt.
create_set allowed_tcp 'bitmap:port' range 0-65535
create_set allowed_udp 'bitmap:port' range 0-65535
# Read the allow-listed services from plain-text files: a shared "services"
# file plus an optional per-host "services.<short hostname>" file. Both are
# resolved relative to the current working directory.
# NOTE(review): $(decommentcat ...) is unquoted on purpose so each entry
# becomes one loop word, but that also applies pathname expansion -- an
# entry containing * or ? would be globbed against the cwd. A "while read -r"
# loop, or "set -f" around this block, avoids that. Because the paths are
# relative, running the script from another directory silently loads a
# different (or no) policy; anchor them to the script's directory or make
# them absolute. The then/fi, do/done and the loop body are outside this
# excerpt.
for sfx in '' ".$(hostname -s)"
if [ -e "services${sfx}" ]
for l in $(decommentcat "services${sfx}")
# Open the allow-listed ports, but only on the external interface named on
# the command line; the same port sets serve IPv4 and IPv6. "dst" tells the
# set match to compare the packet's destination port against the bitmap.
# Traffic arriving on any other interface never reaches these rules and is
# left to the policies above.
# NOTE(review): --match set needs the ipset kernel module. If it is missing
# these four rules fail and, since this excerpt shows no set -e, the script
# continues with a DROP policy and no open service ports -- fail-closed, but
# a remote lockout.
$IPTABLES --append INPUT --in-interface "${EXT_IF}" --protocol tcp \
  --match set --match-set allowed_tcp dst --jump ACCEPT
$IPTABLES --append INPUT --in-interface "${EXT_IF}" --protocol udp \
  --match set --match-set allowed_udp dst --jump ACCEPT
$IP6TABLES --append INPUT --in-interface "${EXT_IF}" --protocol tcp \
  --match set --match-set allowed_tcp dst --jump ACCEPT
$IP6TABLES --append INPUT --in-interface "${EXT_IF}" --protocol udp \
  --match set --match-set allowed_udp dst --jump ACCEPT
94 # insert persistent-pest-blocker
97 # insert trusted passes