fi
}
+function insert_setmatch_rules(){
+ local ipt set_name="$1"
+ shift
+ for v in '' '6'
+ do
+ eval ipt="\$IP${v}TABLES"
+ if ! $ipt -C INPUT -m set --match-set "${set_name}${v}" src "$@" >/dev/null 2>&1
+ then
+ echo "initializing rule '${set_name}${v}'"
+ $ipt -I INPUT -m set --match-set "${set_name}${v}" src "$@"
+ fi
+ done
+}
+
+function reload_cidr_sets(){
+ local set_name="$1"
+
+ # init new temporary sets
+ echo "updating set '${set_name}'"
+
+ create_set "${set_name}-tmp" hash:net
+ create_set "${set_name}6-tmp" hash:net family inet6
+
+ # populate them
+ for sfx in '' .$(hostname -s)
+ do
+ cidrfile="${set_name}.cidr${sfx}"
+ if [ -e "${cidrfile}" ]
+ then
+ for s in $(decommentcat "${cidrfile}")
+ do
+ case "${s}" in
+ *.*) table="${set_name}-tmp" ;;
+ *:*) table="${set_name}6-tmp" ;;
+ *)
+ echo "unknown entry '${s}' in '${cidrfile}'" 1>&2
+ continue
+ ;;
+ esac
+ $IPSET add "${table}" "${s}"
+ done
+ fi
+ done
+
+ # take new sets live
+ for v in '' 6
+ do
+ n="${set_name}${v}"
+ $IPSET swap "${n}-tmp" "${n}"
+ $IPSET destroy "${n}-tmp"
+ $IPSET list -t "${n}"
+ done
+}
+
set -e
-IPTABLES=$(which iptables)
-IP6TABLES=$(which ip6tables)
-IPSET=$(which ipset)
+. ./common.sh
debug=0
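Review bot: `. ./common.sh` resolves against the caller's working directory rather than the script's location, so running the script from cron or any other directory fails to find the helpers (with `set -e` one line above, the script at least aborts before touching any rules, so it fails closed). Anchor the path to the script itself, e.g. `. "${0%/*}/common.sh"` or `. "$(dirname -- "$0")/common.sh"`. The `which` lookups for IPTABLES/IP6TABLES/IPSET removed here presumably moved into common.sh; if one of them comes back empty there, `$IPTABLES` on the following lines expands to nothing, so a `: "${IPTABLES:?}" "${IP6TABLES:?}" "${IPSET:?}"` right after the source line would catch that before any rule is changed.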
$IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
done
-$IPSET -exist create allowed_udp bitmap:port range 0-65535
-$IPSET -exist create allowed_tcp bitmap:port range 0-65535
+create_set allowed_udp bitmap:port range 0-65535
+create_set allowed_tcp bitmap:port range 0-65535
+
for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
do
$IPSET -exist add allowed_tcp ${p}
create_set "${set_name}" hash:net
create_set "${set_name}" hash:net family inet6
+insert_setmatch_rules "${set_name}" -j ACCEPT
-if ! $IPTABLES -C INPUT -m set --match-set "${set_name}" src -j ACCEPT >/dev/null 2>&1
-then
- echo "initializing rule '${set_name}'"
- $IPTABLES -I INPUT -m set --match-set "${set_name}" src -j ACCEPT
-fi
-
-
-if ! $IP6TABLES -C INPUT -m set --match-set "${set_name}6" src -j ACCEPT >/dev/null 2>&1
-then
- echo "initializing rule '${set_name}6'"
- $IP6TABLES -I INPUT -m set --match-set "${set_name}6" src -j ACCEPT
-fi
+reload_cidr_sets "${set_name}"
-if [ -e "${set_name}.cidr" ]
-then
- echo "updating set '${set_name}'"
- $IPSET create "${set_name}-tmp" hash:net
- for s in $(decommentcat "${set_name}.cidr" | grep '\.')
- do
- $IPSET add "${set_name}-tmp" "${s}"
- done
- $IPSET swap "${set_name}-tmp" "${set_name}"
- $IPSET destroy "${set_name}-tmp"
- $IPSET list -t "${set_name}"
-
- echo "updating set '${set_name}6'"
- $IPSET create "${set_name}6-tmp" hash:net family inet6
- for s in $(decommentcat "${set_name}.cidr" | grep '\:')
- do
- $IPSET add "${set_name}6-tmp" "${s}"
- done
- $IPSET swap "${set_name}6-tmp" "${set_name}6"
- $IPSET destroy "${set_name}6-tmp"
- $IPSET list -t "${set_name}6"
-fi
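Review bot: Replacing the `if [ -e "${set_name}.cidr" ]` guard with `reload_cidr_sets "${set_name}"` changes what happens when no cidr file is present: the old code left the live sets untouched, whereas reload_cidr_sets (added earlier in this diff) always creates the `-tmp` sets, populates them only from the files that exist, and then swaps them live unconditionally, so a missing or misnamed `.cidr` file now silently empties the set. For this whitelist that drops the allow entries; the identical call at the end of the `${chain}` script (the last hunk of this diff) would empty the blacklist and lift every block. In reload_cidr_sets, record whether any file was read (`found=1` inside the `[ -e "${cidrfile}" ]` branch) and, before the "take new sets live" loop, stop when nothing was found, e.g. `if [ "${found:-0}" -eq 0 ]; then echo "no cidr file for '${set_name}'" 1>&2; return 1; fi`, destroying the `-tmp` sets first so a rerun does not trip over them. If swapping in an empty set is the intended way to clear a list, a comment on the call saying so would spare the next reader the same question.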
$IP6TABLES -v -L "${chain}"
fi
-if ! $IPTABLES -C INPUT -m set --match-set "${set_name}" src -j "${chain}" >/dev/null 2>&1
-then
- echo "initializing rule '${set_name}'"
- $IPTABLES -I INPUT -m set --match-set "${set_name}" src -j "${chain}"
-fi
-
-if ! $IP6TABLES -C INPUT -m set --match-set "${set_name}6" src -j "${chain}" >/dev/null 2>&1
-then
- echo "initializing rule '${set_name}6'"
- $IP6TABLES -I INPUT -m set --match-set "${set_name}6" src -j "${chain}"
-fi
-
-# init new temporary set
-if [ -e "${set_name}.cidr" ]
-then
- echo "updating set '${set_name}'"
- $IPSET create "${set_name}-tmp" hash:net
- for s in $(decommentcat "${set_name}.cidr" | grep '\.')
- do
- $IPSET add "${set_name}-tmp" "${s}"
- done
- $IPSET swap "${set_name}-tmp" "${set_name}"
- $IPSET destroy "${set_name}-tmp"
- $IPSET list -t "${set_name}"
+insert_setmatch_rules "${set_name}" -j "${chain}"
- echo "updating set '${set_name}'"
- $IPSET create "${set_name}6-tmp" hash:net family inet6
- for s in $(decommentcat "${set_name}.cidr" | grep '\:')
- do
- $IPSET add "${set_name}6-tmp" "${s}"
- done
- $IPSET swap "${set_name}6-tmp" "${set_name}6"
- $IPSET destroy "${set_name}6-tmp"
- $IPSET list -t "${set_name}6"
-fi
+reload_cidr_sets "${set_name}"
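Review bot: `insert_setmatch_rules "${set_name}" -j "${chain}"` (and the whitelist call earlier in this diff) depends on the helper choosing its binary with `eval ipt="\$IP${v}TABLES"`; bash's indirect expansion does the same job without eval, `local var="IP${v}TABLES"; ipt="${!var}"`, and the `-C`/`-I` lines should refuse to proceed when that expands empty (`[ -n "$ipt" ] || return 1`), since an unset IP6TABLES would otherwise run `-C` as the command name. Both helpers also leave `v`, `sfx`, `cidrfile`, `table` and `n` as globals because only `set_name` and `ipt` are declared local; a `local v sfx cidrfile table n` at the top of each function keeps them from leaking into the calling script. This hunk may not be the end of the script; if more lines follow, the same observations apply there.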