if [ $# -lt 1 ]
then
- echo "Usage: $(basename "$0") external_interface" 1>&2
+ echo "Usage: $(basename "$0") external_interface [external_addr]" 1>&2
exit 64
fi
exit 1
fi
+is_router=0
+if [ $# -gt 1 ]
+then
+ is_router=1
+ EXT_ADDR="$2"
+fi
+
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -X
# accept local traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
-
$IP6TABLES -A INPUT -i lo -j ACCEPT
# accept ICMP
$IPTABLES -A INPUT -p icmp -j ACCEPT
-
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
# drop source-route rh0 headery things
# accept things we set up
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-
$IP6TABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# accept ipv6 link-local traffic
$IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
done
-create_set allowed_udp bitmap:port range 0-65535
-create_set allowed_tcp bitmap:port range 0-65535
+# accept ESP for IPSec
+$IPTABLES -A INPUT -p esp -j ACCEPT
+$IP6TABLES -A INPUT -p esp -j ACCEPT
-# common services
-allow_services ssh smtp submission domain ntp
+# accept all IPSec traffic
+$IPTABLES -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
+$IP6TABLES -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
-# per-host services
-srv_file="services.$(hostname -s)"
-if [ -e "${srv_file}" ]
+if [ $is_router -gt 0 ]
then
- . "${srv_file}"
+ $IPTABLES -t nat -A POSTROUTING -o ${EXT_IF} -j SNAT --to ${EXT_ADDR}
fi
-$IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
-$IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
-$IP6TABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
-$IP6TABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
+./services.sh ${EXT_IF}
+
+create_drop_chain xenophobe
+
+# insert asia blocker
+./sinokorea.sh
# insert persistent-pest-blocker
./xenophobe.sh