From 26febd7376e8c1679d5d088d71d73bc64585ec1e Mon Sep 17 00:00:00 2001 From: Justin Wind Date: Tue, 24 Jan 2017 15:20:47 -0800 Subject: [PATCH] fancier services --- common.sh | 33 +++++++++++++++++++++++++++++++++ firewall.sh | 19 ++++++++++--------- 2 files changed, 43 insertions(+), 9 deletions(-) diff --git a/common.sh b/common.sh index 781df4a..f8860fc 100644 --- a/common.sh +++ b/common.sh @@ -21,11 +21,21 @@ function create_set(){ } function insert_setmatch_rules(){ + local single=0 + if [ "x$1" = "x-single-set" ] + then + single=1 + shift + fi local ipt set_name="$1" shift for v in '' '6' do eval ipt="\$IP${v}TABLES" + if [ $single -eq 1 ] + then + v='' + fi if ! $ipt -C INPUT -m set --match-set "${set_name}${v}" src "$@" >/dev/null 2>&1 then echo "initializing rule '${set_name}${v}'" @@ -74,3 +84,26 @@ function reload_cidr_sets(){ done } +function add_service_entry(){ + local port/proto + port=$(echo "${s}" | cut -d/ -f1) + proto=$(echo "${s}" | cut -d/ -f2) + $IPSET -exist add allowed_${proto} ${port} +} + +function allow_services(){ + local s proto port + for s in "$@" + do + case "${s}" in + */*) add_service_entry "${s}" + ;; + *) for svc in $(getent services "${s}" | awk '{print $2}') + do + add_service_entry "${svc}" + done + ;; + esac + done +} + diff --git a/firewall.sh b/firewall.sh index 4106807..eab2cb3 100755 --- a/firewall.sh +++ b/firewall.sh @@ -52,7 +52,7 @@ $IPTABLES -A INPUT -p icmp -j ACCEPT $IP6TABLES -A INPUT -p ipv6-icmp -j ACCEPT # drop source-route rh0 headery things -$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP +$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP || echo "MISSING RT MATCH" 1>&2 # accept things we set up $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT @@ -74,14 +74,15 @@ done create_set allowed_udp bitmap:port range 0-65535 create_set allowed_tcp bitmap:port range 0-65535 -for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738 -do - $IPSET -exist add allowed_tcp ${p} -done -for p in 53 123 1194 64738 -do - $IPSET -exist add allowed_udp ${p} -done +# common services +allow_services ssh smtp submission domain ntp + +# per-host services +srv_file="services.$(hostname -s)" +if [ -e "${srv_file}" ] +then + . "${srv_file}" +fi $IPTABLES -A INPUT -i "${EXT_IF}" -p tcp -m set --match-set allowed_tcp dst -j ACCEPT $IPTABLES -A INPUT -i "${EXT_IF}" -p udp -m set --match-set allowed_udp dst -j ACCEPT -- 2.45.2