Switch experiment README to .md
[khome.git] / home / bin / mypeetables
CommitLineData
3489664e
SK
1#! /bin/bash
2
3set -e
4
5PATH="/sbin:$PATH"
6
41a64b8b 7DIR_CFG="$HOME/etc/mypeetables"
3489664e
SK
8FILE_HOSTS_BLACKLIST="$DIR_CFG/hosts_blacklist"
9FILE_PORTS_OPEN="$DIR_CFG/ports_open"
10
11set_policy__accept() {
12 iptables -P INPUT ACCEPT
13 iptables -P OUTPUT ACCEPT
14 iptables -P FORWARD ACCEPT
15}
16
17set_policy__drop() {
18 iptables -P INPUT DROP
19 iptables -P OUTPUT DROP
20 iptables -P FORWARD DROP
21}
22
23flush() {
24 iptables -F
25 iptables -X
26 iptables -t nat -F
27 iptables -t nat -X
28 iptables -t mangle -F
29 iptables -t mangle -X
30
31 set_policy__accept
32}
33
34drop_offenders() {
35 cat "$FILE_HOSTS_BLACKLIST" \
36 | grep -v '^#' \
37 | grep -v '^ *$' \
38 | while read addr; do
39 iptables -A INPUT -s "$addr" -j DROP
40 done
41}
42
43accept() {
44 # accept established connections
45 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
46 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
47 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
48
49 # accept all traffic on loopback inteface
50 iptables -A INPUT -i lo -j ACCEPT
51 iptables -A OUTPUT -o lo -j ACCEPT
52
53 # accept outgoing connections
54 iptables -A INPUT -s $(hostname) -m state --state NEW -j ACCEPT
55 iptables -A OUTPUT -m state --state NEW -j ACCEPT
56
57 # accept icmp
58 #iptables -A INPUT -p icmp -j ACCEPT
59
60 # Services
61 cat "$FILE_PORTS_OPEN" \
62 | grep -v '^#' \
63 | grep -v '^ *$' \
64 | while read port protocol; do
65 iptables \
66 -A INPUT \
67 -m state \
68 --state NEW \
69 -p "$protocol" \
70 -m "$protocol" \
71 --dport "$port" \
72 -j ACCEPT
73 done
74
75
76}
77
78reject() {
79 iptables -A INPUT -j NFLOG
80 iptables -A FORWARD -j NFLOG
81 #iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
82 #iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
83}
84
85command_off() {
86 flush
87}
88
89command_on() {
90 flush
91 set_policy__drop
92 accept
93 drop_offenders
94 reject
95}
96
97failwith() {
98 error_msg="$1"
99 echo "$error_msg" >&2
100 exit 1
101}
102
103main() {
104 command="$1"
105 case "$command"
106 in 'on' ) command_on
107 ;; 'off' ) command_off
108 ;; * ) failwith "Error: Unknown command: \"$command\". Known: on, off."
109 esac
110}
111
112main "$@"
This page took 0.111232 seconds and 4 git commands to generate.