# accept internal network traffic
$IPTABLES -A INPUT -i ${INT_IF} -j ACCEPT
-# accept list of external ports
-$IPTABLES -A INPUT -i ${EXT_IF} -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
-$IPTABLES -A INPUT -i ${EXT_IF} -p udp -m set --match-set allowed_udp dst -j ACCEPT
-$IP6TABLES -A INPUT -i ${EXT6_IF} -p tcp -m set --match-set allowed_tcp dst -j ACCEPT
-$IP6TABLES -A INPUT -i ${EXT6_IF} -p udp -m set --match-set allowed_udp dst -j ACCEPT
+./services ${EXT_IF} ${EXT6_IF}
# load rules
# inserts, so stack order matters
--- /dev/null
+#!/bin/bash
+
+set -e
+
+. ./common.sh
+
+IFOPT=""
+IF6OPT=""
+if [[ $# -eq 1 ]]
+then
+ IFOPT="-i $1"
+ IF6OPT="-i $1"
+fi
+if [[ $# -eq 2 ]]
+then
+ IFOPT="-i $1"
+ IF6OPT="-i $2"
+fi
+
+for p in udp tcp
+do
+ create_set allowed_${p} bitmap:port range 0-65535
+ if ! $IPTABLES -C INPUT ${IFOPT} -p ${p} -m set --match-set allowed_${p} dst -j ACCEPT
+ then
+ $IPTABLES -A INPUT ${IFOPT} -p ${p} -m set --match-set allowed_${p} dst -j ACCEPT
+ fi
+ if ! $IP6TABLES -C INPUT ${IF6OPT} -p ${p} -m set --match-set allowed_${p} dst -j ACCEPT
+ then
+ $IP6TABLES -A INPUT ${IF6OPT} -p ${p} -m set --match-set allowed_${p} dst -j ACCEPT
+ fi
+done
+
+for sfx in '' ".$(hostname -s)"
+do
+ if [ -e "services${sfx}" ]
+ then
+ for l in $(decommentcat "services${sfx}")
+ do
+ allow_services "${l}"
+ done
+ fi
+done
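Review bot: With no interface argument, `IFOPT` and `IF6OPT` stay empty and the ACCEPT rules appended at lines 36 and 40 match on every interface, including the internal one, which silently widens the port allowlist beyond the external interfaces the caller passes; the script itself never enforces that contract. A guard before the option assignment such as `[[ $# -ge 1 && $# -le 2 && -n $1 ]] || { printf 'usage: %s EXT_IF [EXT6_IF]\n' "${0##*/}" >&2; exit 2; }` makes the required arguments explicit and also rejects an empty `$1`, which would otherwise yield a bare `-i` and an iptables error under `set -e`. The `-C` probes at lines 34 and 38 appear to write a diagnostic to stderr whenever the rule is absent, i.e. on every first run; `2>/dev/null` on the probe alone keeps that noise out of the log. The lookup at line 46 resolves `services` relative to the working directory, so the script assumes it is started from its own directory — a header comment stating that, and what `common.sh` is expected to provide (`create_set`, `decommentcat`, `allow_services`, `IPTABLES`, `IP6TABLES`), would help the next maintainer.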