From cfde4971df11b411615d4e133a372a6d51d7ad97 Mon Sep 17 00:00:00 2001
From: Justin Wind
Date: Tue, 24 Jan 2017 12:41:04 -0800
Subject: [PATCH] streamlined more common functionality

---
 common.sh | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 firewall.sh | 9 ++++-----
 trusted.sh | 36 ++---------------------------------
 xenophobe.sh | 36 ++---------------------------------
 4 files changed, 62 insertions(+), 73 deletions(-)

diff --git a/common.sh b/common.sh
index 4bb66ff..781df4a 100644
--- a/common.sh
+++ b/common.sh
@@ -20,3 +20,57 @@ function create_set(){
 fi
 }
+function insert_setmatch_rules(){
+ local ipt set_name="$1"
+ shift
+ for v in '' '6'
+ do
+ eval ipt="\$IP${v}TABLES"
+ if ! $ipt -C INPUT -m set --match-set "${set_name}${v}" src "$@" >/dev/null 2>&1
+ then
+ echo "initializing rule '${set_name}${v}'"
+ $ipt -I INPUT -m set --match-set "${set_name}${v}" src "$@"
+ fi
+ done
+}
+
+function reload_cidr_sets(){
+ local set_name="$1"
+
+ # init new temporary sets
+ echo "updating set '${set_name}'"
+
+ create_set "${set_name}-tmp" hash:net
+ create_set "${set_name}6-tmp" hash:net family inet6
+
+ # populate them
+ for sfx in '' .$(hostname -s)
+ do
+ cidrfile="${set_name}.cidr${sfx}"
+ if [ -e "${cidrfile}" ]
+ then
+ for s in $(decommentcat "${cidrfile}")
+ do
+ case "${s}" in
+ *.*) table="${set_name}-tmp" ;;
+ *:*) table="${set_name}6-tmp" ;;
+ *)
+ echo "unknown entry '${s}' in '${cidrfile}'" 1>&2
+ continue
+ ;;
+ esac
+ $IPSET add "${table}" "${s}"
+ done
+ fi
+ done
+
+ # take new sets live
+ for v in '' 6
+ do
+ n="${set_name}${v}"
+ $IPSET swap "${n}-tmp" "${n}"
+ $IPSET destroy "${n}-tmp"
+ $IPSET list -t "${n}"
+ done
+}
+
diff --git a/firewall.sh b/firewall.sh
index 34184ee..4106807 100755
--- a/firewall.sh
+++ b/firewall.sh
@@ -2,9 +2,7 @@
 set -e
-IPTABLES=$(which iptables)
-IP6TABLES=$(which ip6tables)
-IPSET=$(which ipset)
+. ./common.sh
 debug=0
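Review bot: reload_cidr_sets swaps the freshly built `-tmp` sets into the live sets unconditionally, whereas the blocks it replaces in trusted.sh and xenophobe.sh only touched the live sets when `${set_name}.cidr` existed; on a host with neither `${set_name}.cidr` nor the `.$(hostname -s)` variant the live sets are now replaced by empty ones, which for xenophobe.sh's block set means its chain no longer matches anything. Unless emptying the set on a missing file is intended, record whether any file was read and leave the live sets alone otherwise, as sketched below. Secondary points in the same two functions: `v`, `sfx`, `cidrfile`, `s`, `table` and `n` are not declared `local` and leak into the calling script, `.$(hostname -s)` should be quoted, and `eval ipt="\$IP${v}TABLES"` can be the eval-free `local var="IP${v}TABLES"; ipt="${!var}"`. Presumably IPTABLES, IP6TABLES and IPSET are defined earlier in common.sh outside this hunk — worth confirming, since firewall.sh drops its own `which` lookups in this same commit.
```shell
function reload_cidr_sets(){
  local set_name="$1"
  local v sfx cidrfile s table n found=0
  # … unchanged: create "${set_name}-tmp" and "${set_name}6-tmp" …
  for sfx in '' ".$(hostname -s)"
  do
    cidrfile="${set_name}.cidr${sfx}"
    if [ -e "${cidrfile}" ]
    then
      found=1
      # … unchanged: add each entry to the matching -tmp set …
    fi
  done
  if [ "${found}" -eq 0 ]
  then
    echo "no cidr file for '${set_name}', live sets left unchanged" 1>&2
    $IPSET destroy "${set_name}-tmp"
    $IPSET destroy "${set_name}6-tmp"
    return 0
  fi
  # … unchanged: swap/destroy/list loop …
}
```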
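Review bot: `. ./common.sh` resolves against the caller's working directory rather than the script's location, so running firewall.sh from any other directory fails at the source line and, with the `set -e` two lines above it, aborts before a single rule is loaded. Anchor the path to the script instead: `. "$(dirname "$0")/common.sh"`. The trailing context of this hunk appears cut off in the listing after `debug=0`, so I cannot see what follows it.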
@@ -73,8 +71,9 @@ do
 $IPTABLES -A INPUT -p tcp --tcp-flags ${flags} -j DROP
 done
-$IPSET -exist create allowed_udp bitmap:port range 0-65535
-$IPSET -exist create allowed_tcp bitmap:port range 0-65535
+create_set allowed_udp bitmap:port range 0-65535
+create_set allowed_tcp bitmap:port range 0-65535
+
 for p in 22 25 53 80 143 443 587 993 1194 5000 5222 5269 22556 64738
 do
 $IPSET -exist add allowed_tcp ${p}
diff --git a/trusted.sh b/trusted.sh
index 9d15eaa..5dec74f 100755
--- a/trusted.sh
+++ b/trusted.sh
@@ -18,39 +18,7 @@ fi
 create_set "${set_name}" hash:net
 create_set "${set_name}" hash:net family inet6
+insert_setmatch_rules "${set_name}" -j ACCEPT
-if ! $IPTABLES -C INPUT -m set --match-set "${set_name}" src -j ACCEPT >/dev/null 2>&1
-then
- echo "initializing rule '${set_name}'"
- $IPTABLES -I INPUT -m set --match-set "${set_name}" src -j ACCEPT
-fi
-
-
-if ! $IP6TABLES -C INPUT -m set --match-set "${set_name}6" src -j ACCEPT >/dev/null 2>&1
-then
- echo "initializing rule '${set_name}6'"
- $IP6TABLES -I INPUT -m set --match-set "${set_name}6" src -j ACCEPT
-fi
+reload_cidr_sets "${set_name}"
-if [ -e "${set_name}.cidr" ]
-then
- echo "updating set '${set_name}'"
- $IPSET create "${set_name}-tmp" hash:net
- for s in $(decommentcat "${set_name}.cidr" | grep '\.')
- do
- $IPSET add "${set_name}-tmp" "${s}"
- done
- $IPSET swap "${set_name}-tmp" "${set_name}"
- $IPSET destroy "${set_name}-tmp"
- $IPSET list -t "${set_name}"
-
- echo "updating set '${set_name}6'"
- $IPSET create "${set_name}6-tmp" hash:net family inet6
- for s in $(decommentcat "${set_name}.cidr" | grep '\:')
- do
- $IPSET add "${set_name}6-tmp" "${s}"
- done
- $IPSET swap "${set_name}6-tmp" "${set_name}6"
- $IPSET destroy "${set_name}6-tmp"
- $IPSET list -t "${set_name}6"
-fi
diff --git a/xenophobe.sh b/xenophobe.sh
index 631c492..91d250a 100755
--- a/xenophobe.sh
+++ b/xenophobe.sh
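Review bot: In trusted.sh, the context line directly above the new `insert_setmatch_rules` call reads `create_set "${set_name}" hash:net family inet6`, which names the IPv4 set a second time with an inet6 family, while both new helpers operate on `"${set_name}6"`: insert_setmatch_rules matches `--match-set "${set_name}6"` and reload_cidr_sets swaps `"${set_name}6-tmp"` into `"${set_name}6"`, which cannot succeed if that live set was never created. The removed code likewise swapped into `"${set_name}6"`, so this looks like a pre-existing typo the refactor now depends on rather than something create_set compensates for; the fix is `create_set "${set_name}6" hash:net family inet6`. Both new calls are top-level script statements, not inside a function, so a non-zero status from either is only caught if trusted.sh runs under `set -e`, which this hunk does not show.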
@@ -38,39 +38,7 @@ then
 $IP6TABLES -v -L "${chain}"
 fi
-if ! $IPTABLES -C INPUT -m set --match-set "${set_name}" src -j "${chain}" >/dev/null 2>&1
-then
- echo "initializing rule '${set_name}'"
- $IPTABLES -I INPUT -m set --match-set "${set_name}" src -j "${chain}"
-fi
-
-if ! $IP6TABLES -C INPUT -m set --match-set "${set_name}6" src -j "${chain}" >/dev/null 2>&1
-then
- echo "initializing rule '${set_name}6'"
- $IP6TABLES -I INPUT -m set --match-set "${set_name}6" src -j "${chain}"
-fi
-
-# init new temporary set
-if [ -e "${set_name}.cidr" ]
-then
- echo "updating set '${set_name}'"
- $IPSET create "${set_name}-tmp" hash:net
- for s in $(decommentcat "${set_name}.cidr" | grep '\.')
- do
- $IPSET add "${set_name}-tmp" "${s}"
- done
- $IPSET swap "${set_name}-tmp" "${set_name}"
- $IPSET destroy "${set_name}-tmp"
- $IPSET list -t "${set_name}"
+insert_setmatch_rules "${set_name}" -j "${chain}"
- echo "updating set '${set_name}'"
- $IPSET create "${set_name}6-tmp" hash:net family inet6
- for s in $(decommentcat "${set_name}.cidr" | grep '\:')
- do
- $IPSET add "${set_name}6-tmp" "${s}"
- done
- $IPSET swap "${set_name}6-tmp" "${set_name}6"
- $IPSET destroy "${set_name}6-tmp"
- $IPSET list -t "${set_name}6"
-fi
+reload_cidr_sets "${set_name}"
-- 
2.45.2