home/bin/mypeetables

   1 #! /bin/bash
   2
   3 set -e
   4
   5 PATH="/sbin:$PATH"
   6
   7 DIR_CFG="$HOME/etc/mypeetables"
   8 FILE_HOSTS_BLACKLIST="$DIR_CFG/hosts_blacklist"
   9 FILE_PORTS_OPEN="$DIR_CFG/ports_open"
  10
  11 set_policy__accept() {
  12     iptables -P INPUT   ACCEPT
  13     iptables -P OUTPUT  ACCEPT
  14     iptables -P FORWARD ACCEPT
  15 }
  16
  17 set_policy__drop() {
  18     iptables -P INPUT   DROP
  19     iptables -P OUTPUT  DROP
  20     iptables -P FORWARD DROP
  21 }
  22
  23 flush() {
  24     iptables -F
  25     iptables -X
  26     iptables -t nat -F
  27     iptables -t nat -X
  28     iptables -t mangle -F
  29     iptables -t mangle -X
  30
  31     set_policy__accept
  32 }
  33
  34 drop_offenders() {
  35     cat "$FILE_HOSTS_BLACKLIST" \
  36     | grep -v '^#' \
  37     | grep -v '^ *$' \
  38     | while read addr; do
  39         iptables -A INPUT -s "$addr" -j DROP
  40     done
  41 }
  42
  43 accept() {
  44     # accept established connections
  45     iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
  46     iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
  47     iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  48
  49     # accept all traffic on loopback inteface
  50     iptables -A INPUT  -i lo -j ACCEPT
  51     iptables -A OUTPUT -o lo -j ACCEPT
  52
  53     # accept outgoing connections
  54     iptables -A INPUT  -s $(hostname) -m state --state NEW -j ACCEPT
  55     iptables -A OUTPUT                -m state --state NEW -j ACCEPT
  56
  57     # accept icmp
  58     #iptables -A INPUT -p icmp -j ACCEPT
  59
  60     # Services
  61     cat "$FILE_PORTS_OPEN" \
  62     | grep -v '^#' \
  63     | grep -v '^ *$' \
  64     | while read port protocol; do
  65         iptables \
  66             -A INPUT \
  67             -m state \
  68             --state NEW \
  69             -p "$protocol" \
  70             -m "$protocol" \
  71             --dport "$port" \
  72             -j ACCEPT
  73     done
  74
  75
  76 }
  77
  78 reject() {
  79     iptables -A INPUT   -j NFLOG
  80     iptables -A FORWARD -j NFLOG
  81     #iptables -A INPUT   -j REJECT --reject-with icmp-host-prohibited
  82     #iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  83 }
  84
  85 command_off() {
  86     flush
  87 }
  88
  89 command_on() {
  90     flush
  91     set_policy__drop
  92     accept
  93     drop_offenders
  94     reject
  95 }
  96
  97 failwith() {
  98     error_msg="$1"
  99     echo "$error_msg" >&2
 100     exit 1
 101 }
 102
 103 main() {
 104     command="$1"
 105     case "$command"
 106     in  'on'  ) command_on
 107     ;;  'off' ) command_off
 108     ;;  *     ) failwith "Error: Unknown command: \"$command\". Known: on, off."
 109     esac
 110 }
 111
 112 main "$@"