firewall uses services
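#!/bin/sh
#
# xenophobe.sh - reject inbound traffic from the address ranges held in the
# "xenophobe" ipsets (IPv4 set "xenophobe", IPv6 set "xenophobe6").
#
# Usage:
#   xenophobe.sh          create the sets and chains if missing, hook the
#                         set-match rules into INPUT and (re)load the CIDRs
#   xenophobe.sh remove   detach the INPUT rules, then destroy the sets and
#                         the chains
#
# Requires ./common.sh to provide IPTABLES, IP6TABLES, IPSET and the helpers
# create_set, insert_setmatch_rules and reload_cidr_sets.

set -e

# shellcheck source=./common.sh
. ./common.sh

set_name='xenophobe'
chain="${set_name}"

# Teardown. Order matters: the set-match rules must go before the sets,
# because ipset refuses to destroy a set that a rule still references.
# Every step is best-effort so a partial earlier teardown does not abort
# the rest under `set -e`.
if [ "$#" -eq 1 ] && [ "$1" = "remove" ]
then
  $IPTABLES -D INPUT -m set --match-set "${set_name}" src -j "${chain}" || echo "no rule '${set_name}' to remove"
  $IP6TABLES -D INPUT -m set --match-set "${set_name}6" src -j "${chain}" || echo "no rule '${set_name}6' to remove"
  $IPSET destroy "${set_name}" || echo "no set '${set_name}' to remove"
  $IPSET destroy "${set_name}6" || echo "no set '${set_name}6' to remove"
  # Flush and delete the user chains as well; -X fails (and is only
  # reported) while some other rule still jumps to the chain.
  { $IPTABLES -F "${chain}" && $IPTABLES -X "${chain}"; } || echo "no chain '${chain}' to remove"
  { $IP6TABLES -F "${chain}" && $IP6TABLES -X "${chain}"; } || echo "no chain '${chain}' ipv6 to remove"
  exit 0
fi

create_set "${set_name}" hash:net counters
create_set "${set_name}6" hash:net counters family inet6

# Create the user chains. A chain that already exists (the -L probe
# succeeds) is left exactly as it is; only a missing chain gets populated.
# Inside the chain, packets belonging to an already-tracked connection
# RETURN to the caller, so only new connections from listed sources are
# rejected.
if ! $IPTABLES -L "${chain}" >/dev/null 2>&1
then
  echo "initializing chain '${chain}'"
  $IPTABLES -N "${chain}" || $IPTABLES -F "${chain}"
  $IPTABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  $IPTABLES -A "${chain}" -j REJECT --reject-with icmp-port-unreachable
  $IPTABLES -v -L "${chain}"
fi

if ! $IP6TABLES -L "${chain}" >/dev/null 2>&1
then
  echo "initializing chain '${chain}' ipv6"
  $IP6TABLES -N "${chain}" || $IP6TABLES -F "${chain}"
  $IP6TABLES -A "${chain}" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  $IP6TABLES -A "${chain}" -j REJECT --reject-with icmp6-port-unreachable
  $IP6TABLES -v -L "${chain}"
fi

# Hook the set-match rules into INPUT (helper from common.sh; presumably
# handles both the IPv4 set and the "6"-suffixed IPv6 set).
insert_setmatch_rules "${set_name}" -j "${chain}"

# Populate/refresh the set contents from the CIDR lists (helper from common.sh).
reload_cidr_sets "${set_name}" counters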