}
function insert_setmatch_rules(){
+ local single=0
+ if [ "x$1" = "x-single-set" ]
+ then
+ single=1
+ shift
+ fi
local ipt set_name="$1"
shift
for v in '' '6'
do
eval ipt="\$IP${v}TABLES"
+ if [ $single -eq 1 ]
+ then
+ v=''
+ fi
if ! $ipt -C INPUT -m set --match-set "${set_name}${v}" src "$@" >/dev/null 2>&1
then
echo "initializing rule '${set_name}${v}'"
done
}
+function add_service_entry(){
+ local port/proto
+ port=$(echo "${s}" | cut -d/ -f1)
+ proto=$(echo "${s}" | cut -d/ -f2)
+ $IPSET -exist add allowed_${proto} ${port}
+}
+
+function allow_services(){
+ local s proto port
+ for s in "$@"
+ do
+ case "${s}" in
+ */*) add_service_entry "${s}"
+ ;;
+ *) for svc in $(getent services "${s}" | awk '{print $2}')
+ do
+ add_service_entry "${svc}"
+ done
+ ;;
+ esac
+ done
+}
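Review bot: add_service_entry never reads its argument — it splits the caller's `${s}` instead of `$1`, so for the `*)` branch it is handed `22/tcp` but parses `ssh`, yielding port=ssh, proto=ssh and a failing `ipset add allowed_ssh ssh`; and `local port/proto` is not a valid identifier, so that declaration itself errors (fatal if the script runs under `set -e`, which is not visible here). The effect is that none of the common services reach the sets, and since the INPUT chain only accepts ports present in allowed_tcp/allowed_udp, this fails closed and locks ssh out on the external interface. In allow_services, `svc` should be declared `local s svc` (the declared `proto port` are unused there), and note that `getent services` returns a single entry per name, so `domain` gives only 53/tcp on a typical /etc/services and the 53/udp the removed loop allowed is lost — add `53/udp` to the common list or look it up per protocol. Proposed add_service_entry:
```shell
function add_service_entry(){
  # $1 is a "port/proto" pair; add it to the matching allowed_<proto> set
  local entry="$1" port proto
  port="${entry%%/*}"
  proto="${entry#*/}"
  $IPSET -exist add "allowed_${proto}" "${port}"
}
```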
+
$IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT
# drop source-route rh0 headery things
-$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
+$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2
# accept things we set up
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
create_set allowed_udp bitmap:port range 0-65535
create_set allowed_tcp bitmap:port range 0-65535
-for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
-do
- $IPSET -exist add allowed_tcp ${p}
-done
-for p in 53 123 1194 64738
-do
- $IPSET -exist add allowed_udp ${p}
-done
+# common services
+allow_services ssh smtp submission domain ntp
+
+# per-host services
+srv_file="services.$(hostname -s)"
+if [ -e "${srv_file}" ]
+then
+ . "${srv_file}"
+fi
$IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
$IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT
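Review bot: `srv_file="services.$(hostname -s)"` is a relative path, so the file that gets sourced — and thereby executed with the firewall script's privileges, normally root — is whatever `services.<host>` happens to exist in the caller's current working directory, not a file the script controls. Anchor it to the script's own directory or a fixed configuration directory and refuse it unless it is root-owned and not group/world-writable, e.g. `srv_file="$(dirname "$0")/services.$(hostname -s)"` guarded by `[ "$(stat -c %U "${srv_file}")" = root ]` before the `. "${srv_file}"`. A short comment above the block stating that the file is arbitrary shell (not a data file) and is expected to call allow_services would also help the next maintainer. The hunk appears to continue beyond the lines shown.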