1 | #! /bin/bash |
2 | ||
3 | set -e | |
4 | ||
5 | PATH="/sbin:$PATH" | |
6 | ||
41a64b8b | 7 | DIR_CFG="$HOME/etc/mypeetables" |
3489664e SK |
8 | FILE_HOSTS_BLACKLIST="$DIR_CFG/hosts_blacklist" |
9 | FILE_PORTS_OPEN="$DIR_CFG/ports_open" | |
10 | ||
set_policy__accept() {
  # Reset the default policy of the three filter chains to ACCEPT: any
  # packet not matched by an explicit rule is let through.
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" ACCEPT
  done
}

set_policy__drop() {
  # Set the default policy of the three filter chains to DROP: any
  # packet not matched by an explicit rule is silently discarded.
  local chain
  for chain in INPUT OUTPUT FORWARD; do
    iptables -P "$chain" DROP
  done
}

flush() {
  # Remove every rule and user-defined chain from the filter, nat and
  # mangle tables, then fall back to an ACCEPT policy.  Afterwards the
  # host is completely unfiltered (IPv4): that is the end state of "off"
  # and the starting point of "on" before its own rules are installed.
  local table
  iptables -F
  iptables -X
  for table in nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done

  set_policy__accept
}

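drop_offenders() {
  # Append an INPUT DROP rule for every source address listed in
  # $FILE_HOSTS_BLACKLIST.  Blank/whitespace-only lines and lines whose
  # first non-blank character is '#' are skipped; anything else is handed
  # to iptables unchanged, so an entry must be a single address or CIDR
  # with no trailing comment.
  #
  # A missing or unreadable blacklist is reported and skipped rather than
  # aborting: the policy is DROP anyway, and aborting here would leave
  # the tables half-built.
  #
  # NOTE(review): rules are appended, so these DROPs only take effect if
  # they are installed before the matching ACCEPT rules (see command_on).
  local addr
  if [[ ! -r "$FILE_HOSTS_BLACKLIST" ]]; then
    printf 'warning: %s not readable; no blacklist rules installed\n' \
      "$FILE_HOSTS_BLACKLIST" >&2
    return 0
  fi
  # -r keeps backslashes literal; the || clause processes a last line
  # that has no trailing newline.  read still trims surrounding blanks.
  while read -r addr || [[ -n "$addr" ]]; do
    case "$addr" in
      ''|'#'*) continue ;;
    esac
    iptables -A INPUT -s "$addr" -j DROP
  done < "$FILE_HOSTS_BLACKLIST"
}
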
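accept() {
  # Install the ACCEPT rules for an "on" run.  Meant to run after
  # set_policy__drop, so anything not matched here ends up dropped.
  local hostaddr port protocol extra

  # Keep replies to connections we (or an accepted peer) already opened.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Accept all traffic on the loopback interface.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # Accept outgoing connections.
  # NOTE(review): the INPUT rule accepts any NEW connection whose source
  # is whatever $(hostname) resolves to.  Source addresses are chosen by
  # the sender, so this effectively whitelists packets spoofed with this
  # host's own address unless rp_filter or an upstream filter rejects
  # them.  It also aborts the run if the hostname does not resolve.
  hostaddr="$(hostname)"
  iptables -A INPUT -s "$hostaddr" -m state --state NEW -j ACCEPT
  iptables -A OUTPUT -m state --state NEW -j ACCEPT

  # accept icmp (disabled: ping and other inbound ICMP are dropped)
  #iptables -A INPUT -p icmp -j ACCEPT

  # Services: one "<port> <protocol>" per line in $FILE_PORTS_OPEN.
  # A missing file means no service ports are opened; report it so the
  # resulting lock-out is at least explained.
  if [[ ! -r "$FILE_PORTS_OPEN" ]]; then
    printf 'warning: %s not readable; no service ports opened\n' \
      "$FILE_PORTS_OPEN" >&2
    return 0
  fi
  # -r keeps backslashes literal; the || clause processes a last line
  # that has no trailing newline.
  while read -r port protocol extra || [[ -n "$port" ]]; do
    case "$port" in
      ''|'#'*) continue ;;
    esac
    # Malformed entries are skipped (fail closed: that port stays shut)
    # instead of feeding iptables an empty -p/-m and aborting the run.
    if [[ -z "$protocol" || -n "$extra" ]]; then
      printf 'warning: skipping malformed %s entry "%s" (expected "<port> <protocol>")\n' \
        "$FILE_PORTS_OPEN" "$port $protocol $extra" >&2
      continue
    fi
    # -m "$protocol" loads the per-protocol match module so --dport is
    # understood; this only works for protocols that have one (tcp, udp).
    iptables \
      -A INPUT \
      -m state \
      --state NEW \
      -p "$protocol" \
      -m "$protocol" \
      --dport "$port" \
      -j ACCEPT
  done < "$FILE_PORTS_OPEN"
}
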
reject() {
  # Final rules of INPUT and FORWARD: every packet that gets this far is
  # handed to the NFLOG target (userspace logging) and then falls through
  # to the chain policy, which is DROP in an "on" run.  The explicit
  # REJECT variants are kept below but disabled.
  #
  # NOTE(review): there is no "-m limit" in front of NFLOG, so unsolicited
  # traffic can generate an unbounded volume of log events; consider
  # rate-limiting these rules.
  local chain
  for chain in INPUT FORWARD; do
    iptables -A "$chain" -j NFLOG
  done
  #iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
  #iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}

command_off() {
  # "off": remove every rule and leave all policies at ACCEPT, i.e. the
  # host's IPv4 traffic is completely unfiltered afterwards.
  flush
}

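command_on() {
  # "on": rebuild the IPv4 filter from scratch.
  #
  # Order matters because every rule is appended: the blacklist DROPs go
  # in before the ACCEPT rules, otherwise a blacklisted host that targets
  # an open port (or that already holds an ESTABLISHED connection) is
  # accepted by an earlier rule and its DROP rule is never reached.
  #
  # There is a short window after flush (policy ACCEPT) and before
  # set_policy__drop in which the host is unfiltered, and one between
  # set_policy__drop and accept in which even established traffic is
  # dropped.
  flush
  set_policy__drop
  drop_offenders
  accept
  reject
}
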
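failwith() {
  # Print an error message to stderr and terminate the script with
  # status 1.
  #   $1 - the message
  local error_msg="$1"
  # printf instead of echo so a message that looks like an echo option
  # (e.g. "-n") or contains backslashes is printed verbatim.
  printf '%s\n' "$error_msg" >&2
  exit 1
}
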
main() {
  # Dispatch on the single command-line argument: "on" or "off".
  # Anything else, including no argument at all, is a usage error.
  local command="$1"
  case "$command" in
    on)  command_on ;;
    off) command_off ;;
    *)   failwith "Error: Unknown command: \"$command\". Known: on, off." ;;
  esac
}

# Entry point: hand the script's arguments to main().
main "$@"