56 lines
936 B
Bash
56 lines
936 B
Bash
|
#!/bin/sh
|
||
|
|
#
|
||
|
|
# set up the firewall of the cryptobox
|
||
|
|
#
|
||
|
|
# called by:
|
||
|
|
# - cbox-manage.sh during network-up
|
||
|
|
#
|
||
|
|
|
||
|
|
set -u
|
||
|
|
|
||
|
|
# parse config file
|
||
|
|
. /etc/cryptobox/cryptobox.conf
|
||
|
|
|
||
|
|
|
||
|
|
ACTION="help"
|
||
|
|
[ $# -gt 0 ] && ACTION=$1
|
||
|
|
|
||
|
|
case "$ACTION" in
|
||
|
|
start)
|
||
|
|
iptables -P INPUT DROP
|
||
|
|
iptables -P FORWARD DROP
|
||
|
|
iptables -P OUTPUT ACCEPT
|
||
|
|
|
||
|
|
OFILE=/proc/sys/net/ipv4/tcp_syncookies
|
||
|
|
[ -e "$OFILE" ] && echo 1 >"$OFILE"
|
||
|
|
|
||
|
|
iptables -F
|
||
|
|
iptables -X
|
||
|
|
iptables -Z
|
||
|
|
|
||
|
|
iptables -A INPUT -i lo -j ACCEPT
|
||
|
|
|
||
|
|
for a in $ALLOW_TCP_PORTS
|
||
|
|
do iptables -A INPUT -i $NET_IFACE -p tcp --dport $a -j ACCEPT
|
||
|
|
done
|
||
|
|
|
||
|
|
for a in $ALLOW_UDP_PORTS
|
||
|
|
do iptables -A INPUT -i $NET_IFACE -p udp --dport $a -j ACCEPT
|
||
|
|
done
|
||
|
|
|
||
|
|
iptables -A INPUT -i $NET_IFACE -p icmp -j ACCEPT
|
||
|
|
;;
|
||
|
|
stop)
|
||
|
|
iptables -P INPUT ACCEPT
|
||
|
|
iptables -P FORWARD ACCEPT
|
||
|
|
iptables -P OUTPUT ACCEPT
|
||
|
|
iptables -F
|
||
|
|
iptables -X
|
||
|
|
iptables -Z
|
||
|
|
;;
|
||
|
|
*)
|
||
|
|
echo "usage $0 start | stop"
|
||
|
|
;;
|
||
|
|
esac
|
||
|
|
|