authortoni <matzeton@googlemail.com>2013-04-15 15:04:30 +0200
committertoni <matzeton@googlemail.com>2013-04-15 15:04:30 +0200
commite33b5930923a439f4c73b6dd64253578c4131420 (patch)
treef3d9d1c359603174bb75fb2394ddb33a315dcd88 /iptables
initial commit
Diffstat (limited to 'iptables')
-rw-r--r--iptables/iptables-if.sh191
-rw-r--r--iptables/iptables.conf14
2 files changed, 205 insertions, 0 deletions
diff --git a/iptables/iptables-if.sh b/iptables/iptables-if.sh
new file mode 100644
index 0000000..2f99070
--- /dev/null
+++ b/iptables/iptables-if.sh
@@ -0,0 +1,191 @@
+#!/bin/sh
+
+# CONFIG FILE
+[ -z "$CONF" ] && CONF=/etc/iptables.conf
+# IPTABKES BINARY
+[ -z "$IPT" ] && export IPT=/usr/sbin/iptables
+
+[ "`whoami`" != 'root' ] && echo "$0: must be run as root" && exit 2
+[ -x $IPT ] || exit 0
+
+[ $# -ge 1 ] && export MODE="$1"
+[ $# -ge 2 ] && export IFACE="$2"
+
+[ -r ${CONF} ] && . ${CONF}
+
+
+flush_all() {
+ # flush/delete chains
+ $IPT -F
+ $IPT -t nat -F
+ $IPT -X
+ $IPT --delete-chain
+ $IPT --table nat --delete-chain
+}
+
+ipt() {
+ # internal iptables call
+ rule="$*"
+ [ $# -eq 1 ] && rule="$1"
+
+ $IPT -D $rule 2>/dev/null
+ $IPT -A $rule 2>/dev/null
+}
+
+default_pol() {
+ # default policies
+ $IPT -P INPUT DROP
+ $IPT -P OUTPUT ACCEPT
+ $IPT -P FORWARD DROP
+}
+
+check_ip() {
+ local ip
+ ip="$1"
+ echo "$ip" | grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
+ return $?
+}
+
+get_conf_opt() {
+ local var arg ret
+ var="$1"
+ arg="$2"
+
+ eval "ret=\${${var}_${arg}}"
+ [ -z "$ret" ] && return 1
+ echo "$ret"
+ return 0
+}
+
+get_conf_opts() {
+ local i var arg ret
+ var="$1"
+ arg="$2"
+ i=0
+
+ while `true`; do
+ ret="`get_conf_opt ${var} ${arg}_${i}`"
+ [ $? -eq 0 ] || break
+ echo "$ret"
+
+ i=`expr $i + 1`
+ done
+}
+
+_ipforward() {
+ [ -f /proc/sys/net/ipv4/conf/$1/forwarding ] && \
+ echo 1 > /proc/sys/net/ipv4/conf/$1/forwarding
+}
+
+do_ipforward() {
+ local if ret
+ [ -z "$INTERFACES" ] && return 1
+ if [ -z "$1" ]; then
+ _ipforward "$1"
+ return 0
+ fi
+
+ for if in $INTERFACES; do
+ ret=`get_conf_opt $if KERN_FORWARD`
+ [ $? -eq 0 ] && _ipforward "$if"
+ done
+}
+
+start_if() {
+ [ -z "$INTERFACES" ] && return 1
+ iface="$1"
+
+ ipt "INPUT -i lo -j ACCEPT"
+ ipt "INPUT -p icmp -j ACCEPT"
+
+ for if in $INTERFACES; do
+ [ -f /var/lock/$if.ipt.lock -a "$iface" != "$if" ] && continue
+
+ $IPT -N $if 2>/dev/null
+ $IPT -F $if
+ ipt "INPUT -i $if -j $if"
+ ipt "OUTPUT -o $if -j $if"
+
+ do_ipforward $if
+ ret=`get_conf_opt $if FORWARD`
+ [ $? -eq 0 ] && ipt "FORWARD -i $if -j ACCEPT"
+
+ ret=`get_conf_opt $if POSTROUTING`
+ if [ $? -eq 0 ]; then
+ $IPT -t nat -D POSTROUTING -o $if -j MASQUERADE 2>/dev/null
+ $IPT -t nat -A POSTROUTING -o $if -j MASQUERADE
+ fi
+
+ ret=`get_conf_opt $if TCP_PORTS`
+ if [ $? -eq 0 ]; then
+ for port in $ret; do
+ ipt "$if -p tcp --dport $port -i $if -j ACCEPT"
+ done
+ fi
+
+ ret=`get_conf_opt $if UDP_PORTS`
+ if [ $? -eq 0 ]; then
+ for port in $ret; do
+ ipt "$if -p udp --dport $port -i $if -j ACCEPT"
+ done
+ fi
+
+ ipt "INPUT -j REJECT --reject-with icmp-host-prohibit"
+
+ touch /var/lock/$IFACE.ipt.lock 2>/dev/null
+ [ "$if" == "$iface" ] && break
+ done
+
+ return 0
+}
+
+print_usage() {
+cat << EOF
+$0: start [if]
+$0: stop [if]
+$0: reload|restart [if]
+$0: flush
+$0: ipforward
+EOF
+
+return 0
+}
+
+
+
+case "$MODE" in
+
+ start)
+ [ -z "$MODE" -o -z "$IFACE" ] && print_usage && exit 1
+ start_if "$IFACE"
+ default_pol
+ ;;
+
+ stop)
+ [ -z "$MODE" -o -z "$IFACE" ] && print_usage && exit 1
+ $IPT -F "$IFACE" 2>/dev/null
+ rm -f /var/lock/$IFACE.ipt.lock 2>/dev/null
+ ;;
+
+ reload|restart)
+ $0 stop $IFACE
+ $0 start $IFACE
+ ;;
+
+ flush)
+ flush_all
+ echo 0 > /proc/sys/net/ipv4/conf/all/forwarding
+ # SSH fallback (dont lock yourself out!)
+ $IPT -P INPUT ACCEPT
+ ;;
+
+ ipforward)
+ do_ipforward
+ return 0
+ ;;
+
+ *)
+ print_usage
+ ;;
+
+esac
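Review bot: In `ipt()` the line `$IPT -A $rule 2>/dev/null` discards both the error output and the exit status of the append, so a rule iptables rejects (unknown target, missing module, bad port value) is silently dropped and `start` still exits 0 — for an ACCEPT rule that is a lockout, for the final REJECT it leaves INPUT relying on the chain policy alone. Keep `2>/dev/null` only on the `-D` (its failure is expected) and let the append report, e.g. `$IPT -A $rule || echo "$0: failed to add rule: $rule" >&2`; the same silent-success pattern is `[ -x $IPT ] || exit 0`, where a missing iptables binary should exit non-zero rather than pretend the firewall was applied. Separately, `do_ipforward` tests `[ -z "$1" ]` where `-n` is clearly intended, so the `ipforward` mode calls `_ipforward ""` and never reaches the per-interface KERN_FORWARD loop. Finally, `[ "$if" == "$iface" ]` in `start_if` is a bashism that dash's `[` rejects under `#!/bin/sh` ("unexpected operator"), so the `break` never fires; use `=`.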
diff --git a/iptables/iptables.conf b/iptables/iptables.conf
new file mode 100644
index 0000000..ecdf4b9
--- /dev/null
+++ b/iptables/iptables.conf
@@ -0,0 +1,14 @@
+INTERFACES="eth0 eth1 ppp0"
+
+ICMP=1
+
+eth0_FORWARD=1
+eth0_KERN_FORWARD=1
+eth1_KERN_FORWARD=1
+ppp0_FORWARD=1
+ppp0_KERN_FORWARD=1
+ppp0_POSTROUTING=1
+
+eth0_TCP_PORTS="22"
+eth0_UDP_PORTS="53 67"
+ppp0_TCP_PORTS="22"
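Review bot: `ICMP=1` is defined here but nothing in iptables-if.sh reads it; the script adds `ipt "INPUT -p icmp -j ACCEPT"` unconditionally, so the knob suggests a control that does not exist. Either drop the line or gate the rule on it in `start_if`, e.g. `[ "$ICMP" = 1 ] && ipt "INPUT -p icmp -j ACCEPT"`. Since this file is sourced as shell code by `. ${CONF}`, it is effectively part of the script and must be root-owned and not group/world-writable; a short header comment stating that would help whoever deploys it.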