iptables.rules.functions.sh
# ------------------------------------------------------------------------------------------
# -- local loopback :
# ------------------------------------------------------------------------------------------
# -- let the local interface roam wild and free, except for packets from someone
# trying to spoof it :
#
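local_interface_rules() {
  # Usage: local_interface_rules [LOG_PREFIX]
  #   Builds the loopback-interface rules in the filter table.
  #   $1 - prefix for the LOG target on spoofed-loopback packets. Quoted and
  #        defaulted to " LO_SPOOF " so --log-prefix never ends up without an
  #        argument (or split into several) as the old unquoted $1 could.
  # Globals: IPT (iptables binary, required), EXTIP (external address, may be empty).
  # Outputs: one progress line on stdout; rules are appended through $IPT.
  local log_prefix=${1:-" LO_SPOOF "}
  local loipaddress
  : "${IPT:?iptables binary path (IPT) is not set}"
  echo "Function: local_interface_rules"
  #
  # -- allow what we expect through local interface!
  #
  $IPT -t filter -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
  $IPT -t filter -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
  #
  # -- block those spoofing the local interface: a 127/8 source arriving on
  # -- anything other than lo. Rate-limited log first, then unconditional drop.
  # -- NOTE(review): "-i ! lo" is the intrapositioned negation; newer iptables
  # -- prefers "! -i lo" and warns about this form -- kept as-is because the
  # -- iptables version in use is not known from this file.
  #
  $IPT -t filter -A INPUT -i ! lo -s 127.0.0.1/8 -d 0.0.0.0/0 -m limit --limit 2/m --limit-burst 8 -j LOG --log-level warn --log-prefix "$log_prefix"
  $IPT -t filter -A INPUT -i ! lo -s 127.0.0.1/8 -d 0.0.0.0/0 -j DROP
  # ...allow packets with source and destination IP address of each interface
  # through local loopback interface. $EXTIP is deliberately unquoted: when it
  # is empty the loop just covers the three fixed addresses.
  # NOTE(review): 192.169.1.254 is not an RFC1918 address -- confirm it is not
  # a typo for 192.168.x.
  for loipaddress in 192.168.1.254 192.169.1.254 10.0.0.2 $EXTIP
  do
    $IPT -t filter -A INPUT -i lo -s "$loipaddress" -d "$loipaddress" -j ACCEPT
    $IPT -t filter -A OUTPUT -o lo -s "$loipaddress" -d "$loipaddress" -j ACCEPT
  done
  #
  # -- log all other traffic through local interface :
  #
  $IPT -t filter -A INPUT -i lo -j LOG --log-prefix " LOCAL_IN "
  $IPT -t filter -A OUTPUT -o lo -j LOG --log-prefix " LOCAL_OUT "
}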
# ------------------------------------------------------------------------------------------
# ------------------------------------------------------------------------------------------
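restart_chain_ssh_service() {
  # Usage: restart_chain_ssh_service [RULES_FILE]
  #   Rebuilds the SSH_SERVICE pinhole chain for the service on low-numbered
  #   port 22 from a list of allowed hosts: one or more whitespace-separated
  #   tokens per line, '#' starting a comment (same format the old
  #   cat|sed|egrep pipeline accepted).
  #   $1 - hosts file; defaults to /root/etc/iptables.rules.ssh_service.
  #   The chain ends with default-log-and-drop, so there should be no other
  #   traffic to/from our port 22.
  # Globals: IPT (iptables binary, required).
  # Outputs: progress on stdout; a warning on stderr when the file is unreadable.
  # NOTE(review): tokens are passed to iptables verbatim, so a hostname is
  # resolved by iptables at load time -- confirm that is acceptable here.
  local rules_file=${1:-/root/etc/iptables.rules.ssh_service}
  local line host noglob_was_set
  : "${IPT:?iptables binary path (IPT) is not set}"
  echo "Function: restart_chain_ssh_service..."
  $IPT -t filter -F SSH_SERVICE
  if [ -r "$rules_file" ]; then
    # Turn off pathname expansion while splitting lines into host tokens so a
    # stray '*' or '?' in the file cannot expand into file names (the old
    # backtick form did expand them); restore the previous setting afterwards.
    case $- in *f*) noglob_was_set=1 ;; *) noglob_was_set=0 ;; esac
    set -f
    # '|| [ -n "$line" ]' keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
      line=${line%%#*}          # drop the comment part
      for host in $line; do     # deliberate word-splitting: tokens per line
        $IPT -t filter -A SSH_SERVICE -s "$host" -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -t filter -A SSH_SERVICE -d "$host" -m state --state ESTABLISHED -j ACCEPT
      done
    done < "$rules_file"
    [ "$noglob_was_set" -eq 1 ] || set +f
  else
    # Without the file the chain below becomes log-and-drop for everything,
    # which locks remote SSH out; say so instead of failing silently.
    echo "restart_chain_ssh_service: cannot read $rules_file; SSH_SERVICE will drop all traffic" >&2
  fi
  $IPT -t filter -A SSH_SERVICE -j LOG --log-prefix " **SSH_SERVICE DROP** "
  $IPT -t filter -A SSH_SERVICE -j DROP
}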
# ------------------------------------------------------------------------------------------
# ------------------------------------------------------------------------------------------
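allow_tcp_in() {
  # Usage: allow_tcp_in CHAIN HOST...
  #   For every HOST, appends to CHAIN a rule accepting new and established
  #   TCP from HOST and one accepting established TCP back to HOST.
  #   $1   - chain name (required)
  #   $2.. - source addresses/networks; processing stops at the first empty
  #          argument, as the old 'until [ -z "$1" ]' loop did.
  #   Only TCP is matched: the previous rules carried no '-p' and so admitted
  #   every protocol from HOST, unlike allow_tcp_out which already had '-p tcp'.
  # Globals: IPT (iptables binary, required). Chain name is kept local instead
  #   of leaking through the global CHAIN.
  local chain=$1
  local host
  : "${IPT:?iptables binary path (IPT) is not set}"
  if [ -z "$chain" ]; then
    echo "allow_tcp_in: chain name required" >&2
    return 1
  fi
  echo "Function: allow_tcp_in" "$chain"
  shift
  for host in "$@"; do
    [ -n "$host" ] || break
    $IPT -t filter -A "$chain" -s "$host" -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -t filter -A "$chain" -d "$host" -p tcp -m state --state ESTABLISHED -j ACCEPT
  done
}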
# ------------------------------------------------------------------------------------------
# ------------------------------------------------------------------------------------------
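allow_udp_in() {
  # Usage: allow_udp_in CHAIN HOST...
  #   For every HOST, appends to CHAIN a rule accepting new and established
  #   UDP from HOST and one accepting established UDP back to HOST.
  #   $1   - chain name (required)
  #   $2.. - source addresses/networks; processing stops at the first empty
  #          argument, as the old 'until [ -z "$1" ]' loop did.
  #   Only UDP is matched: the previous rules carried no '-p' and were
  #   byte-for-byte the same as allow_tcp_in, admitting every protocol.
  # Globals: IPT (iptables binary, required). Chain name is kept local instead
  #   of leaking through the global CHAIN.
  local chain=$1
  local host
  : "${IPT:?iptables binary path (IPT) is not set}"
  if [ -z "$chain" ]; then
    echo "allow_udp_in: chain name required" >&2
    return 1
  fi
  echo "Function: allow_udp_in" "$chain"
  shift
  for host in "$@"; do
    [ -n "$host" ] || break
    $IPT -t filter -A "$chain" -s "$host" -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -t filter -A "$chain" -d "$host" -p udp -m state --state ESTABLISHED -j ACCEPT
  done
}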
# ------------------------------------------------------------------------------------------
# ------------------------------------------------------------------------------------------
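allow_tcp_out() {
  # Usage: allow_tcp_out CHAIN HOST...
  #   For every HOST, appends to CHAIN a rule accepting new and established
  #   TCP to HOST and one accepting established TCP back from HOST.
  #   $1   - chain name (required)
  #   $2.. - destination addresses/networks; processing stops at the first
  #          empty argument, as the old 'until [ -z "$1" ]' loop did.
  # Globals: IPT (iptables binary, required). Chain name is kept local instead
  #   of leaking through the global CHAIN; all expansions are quoted.
  local chain=$1
  local host
  : "${IPT:?iptables binary path (IPT) is not set}"
  if [ -z "$chain" ]; then
    echo "allow_tcp_out: chain name required" >&2
    return 1
  fi
  echo "Function: allow_tcp_out" "$chain"
  shift
  for host in "$@"; do
    [ -n "$host" ] || break
    $IPT -t filter -A "$chain" -d "$host" -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -t filter -A "$chain" -s "$host" -p tcp -m state --state ESTABLISHED -j ACCEPT
  done
}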
# ------------------------------------------------------------------------------------------
# ------------------------------------------------------------------------------------------
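allow_udp_out() {
  # Usage: allow_udp_out CHAIN HOST...
  #   For every HOST, appends to CHAIN a rule accepting new and established
  #   UDP to HOST and one accepting established UDP back from HOST.
  #   $1   - chain name (required)
  #   $2.. - destination addresses/networks; processing stops at the first
  #          empty argument, as the old 'until [ -z "$1" ]' loop did.
  #   Only UDP is matched: the previous rules carried no '-p' and so admitted
  #   every protocol to HOST, unlike allow_tcp_out which already had '-p tcp'.
  # Globals: IPT (iptables binary, required). Chain name is kept local instead
  #   of leaking through the global CHAIN.
  local chain=$1
  local host
  : "${IPT:?iptables binary path (IPT) is not set}"
  if [ -z "$chain" ]; then
    echo "allow_udp_out: chain name required" >&2
    return 1
  fi
  echo "Function: allow_udp_out" "$chain"
  shift
  for host in "$@"; do
    [ -n "$host" ] || break
    $IPT -t filter -A "$chain" -d "$host" -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -t filter -A "$chain" -s "$host" -p udp -m state --state ESTABLISHED -j ACCEPT
  done
}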
# ------------------------------------------------------------------------------------------
# ------------------------------------------------------------------------------------------