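#!/bin/sh
# Firewall script for cbridge, to avoid having the world access your Chaosnet over UDP
#
# Usage: firewall.sh [stop]
#   (no args)  read cbridge.conf, (re)build the CHUDP filter chain, hook it into INPUT
#   stop       unhook, flush and delete the chain
#
# Reads cbridge.conf from the current directory (override with CBRIDGE_CONF=/path):
#   chudp <port>               local CHUDP listen port (default 42042)
#   link chudp <host[:port]>   peer allowed to send to us (port defaults to 42042)
# Lines containing ';' are treated as comments and ignored entirely.
#
# Only IPv4 rules are managed (iptables); ip6tables is not touched.
# Needs privileges to modify the filter table; iptables errors abort the script.
set -eu

# Name of the iptables input chain to use (don't use INPUT, more work to clean up)
CHAIN=Cbridge_INPUT
# Port assumed when cbridge.conf or a link entry does not name one
DEFAULT_PORT=42042
# Configuration file to parse
CONF=${CBRIDGE_CONF:-cbridge.conf}

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# True if chain $1 exists in the filter table (-n avoids DNS lookups while listing).
chain_exists() {
  iptables -n -L "$1" >/dev/null 2>&1
}

# Print field $2 of every non-comment line of $CONF whose text matches regex $1.
# A line containing ';' anywhere is dropped (same rule as before).
conf_field() {
  awk -v re="$1" -v f="$2" '!/;/ && $0 ~ re { print $f }' "$CONF"
}

# Remove every INPUT -> $CHAIN jump, then flush and delete the chain.
# Safe to run when the chain was never created (e.g. "stop" twice in a row).
stop_firewall() {
  if [ "$CHAIN" = INPUT ]; then
    printf 'CHAIN is INPUT; nothing to clean up\n' >&2
    return 0
  fi
  # a re-run of the script may have inserted the jump more than once; drop them all
  while iptables -D INPUT -j "$CHAIN" 2>/dev/null; do :; done
  if chain_exists "$CHAIN"; then
    # flush all the rules in the chain, then remove the chain
    iptables -F "$CHAIN"
    iptables -X "$CHAIN"
  fi
}

main() {
  if [ "${1-}" = stop ]; then
    stop_firewall
    exit 0
  fi

  # running from the wrong directory used to silently install nothing
  [ -r "$CONF" ] || die "cannot read $CONF"

  chudp_port=$(conf_field '^chudp' 2)
  [ -n "$chudp_port" ] || chudp_port=$DEFAULT_PORT
  chudp_sources=$(conf_field 'link chudp' 3)
  if [ -z "$chudp_sources" ]; then
    # No chudp links, done
    exit 0
  fi
  printf 'Using CHUDP port %s\n' "$chudp_port"

  if [ "$CHAIN" != INPUT ]; then
    # create the chain if missing, then flush it so a re-run starts from a clean slate
    chain_exists "$CHAIN" || iptables -N "$CHAIN"
    iptables -F "$CHAIN"
  fi

  # $chudp_sources is newline-separated; the unquoted word-splitting is intentional
  for src in $chudp_sources; do
    # host is everything before the first ':', port everything after it (empty if none)
    host=${src%%:*}
    case $src in
      *:*) port=${src#*:} ;;
      *) port= ;;
    esac
    [ -n "$port" ] || port=$DEFAULT_PORT
    printf 'Accept from %s on port %s\n' "$host" "$port"
    # a hostname is resolved by iptables once, at insert time; re-run if a peer's address changes
    iptables -A "$CHAIN" -s "$host" -p udp -m udp --sport "$port" --dport "$chudp_port" -j ACCEPT
  done

  # Log and drop all else
  # NOTE: an unthrottled LOG rule can flood the kernel log during a packet flood;
  # consider adding '-m limit --limit 5/min' in front of -j LOG.
  iptables -A "$CHAIN" -p udp -m udp --dport "$chudp_port" -j LOG --log-prefix '[Unknown_CHUDP]'
  iptables -A "$CHAIN" -p udp -m udp --dport "$chudp_port" -j DROP

  # Finally enable the use of the chain (insert the jump only once, even on re-runs)
  if [ "$CHAIN" != INPUT ]; then
    iptables -C INPUT -j "$CHAIN" 2>/dev/null || iptables -I INPUT -j "$CHAIN"
  fi
}

main "$@"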