iptables.rules.functions.sh





# ------------------------------------------------------------------------------------------
# -- local loopback :
# ------------------------------------------------------------------------------------------


# -- rules for the loopback interface: accept the traffic we expect on lo,
#    and log-and-drop packets arriving on any other interface that claim a
#    loopback source address (loopback spoofing) :
#
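local_interface_rules() {

    # Purpose: install the loopback (lo) rules in the filter table.
    #   - accept 127.0.0.1 <-> 127.0.0.1 on lo;
    #   - log (rate-limited) and drop packets arriving on any interface other
    #     than lo that carry a 127.0.0.0/8 source or destination address
    #     (loopback spoofing);
    #   - accept each configured interface address talking to itself on lo;
    #   - log (rate-limited) whatever else crosses lo; the chain policy, set
    #     elsewhere in the ruleset, decides what happens to it.
    # Arguments:
    #   $1 - log prefix for the spoof rules (optional; defaults to " LO_SPOOF ").
    #        Previously an empty $1 made iptables reject the LOG rule, so the
    #        spoof traffic was dropped silently.
    # Globals read:
    #   IPT   - iptables command (may carry options, so it is left unquoted).
    #   EXTIP - external address; skipped when unset or empty.
    # Returns: status of the last $IPT call.
    # NOTE(review): only 127.0.0.1 itself is accepted on lo; traffic to other
    #   127/8 addresses (e.g. a stub resolver on 127.0.0.53) is logged and
    #   left to the chain policy. Widen deliberately if that is needed.
    # NOTE(review): 192.169.1.254 is not in RFC1918 space (192.168/16 is);
    #   confirm it is not a typo before relying on it.
    local log_prefix="${1:- LO_SPOOF }"
    local addr

    echo "Function: local_interface_rules"

    #
    # -- allow what we expect through local interface!
    #
    $IPT -t filter -A INPUT  -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    $IPT -t filter -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

    #
    # -- block those spoofing the local interface :
    #    '! -i lo' is the supported negation form ('-i ! lo' is deprecated).
    #    127.0.0.0/8 is the same network iptables derives from 127.0.0.1/8.
    #    The prefix is quoted so an empty or space-containing value cannot
    #    swallow the next option.
    #
    $IPT -t filter -A INPUT ! -i lo -s 127.0.0.0/8 -d 0.0.0.0/0 -m limit --limit 2/m --limit-burst 8 -j LOG --log-level warn --log-prefix "$log_prefix"
    $IPT -t filter -A INPUT ! -i lo -s 127.0.0.0/8 -d 0.0.0.0/0 -j DROP
    #
    # -- mirror case: something from another interface addressed *to* 127/8.
    #    The kernel already treats these as martians unless
    #    net.ipv4.conf.*.route_localnet is enabled; this is belt-and-braces.
    #
    $IPT -t filter -A INPUT ! -i lo -d 127.0.0.0/8 -m limit --limit 2/m --limit-burst 8 -j LOG --log-level warn --log-prefix "$log_prefix"
    $IPT -t filter -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

    # ...allow packets with source and destination IP address of each interface
    #    through local loopback interface...
    for addr in 192.168.1.254 192.169.1.254 10.0.0.2 "${EXTIP:-}"; do
        [ -n "$addr" ] || continue      # EXTIP unset: nothing to add for it
        $IPT -t filter -A INPUT  -i lo -s "$addr" -d "$addr" -j ACCEPT
        $IPT -t filter -A OUTPUT -o lo -s "$addr" -d "$addr" -j ACCEPT
    done

    #
    # -- log all other traffic through local interface :
    #    rate-limited, so a local process cannot flood the log by sending
    #    unexpected traffic over lo. No DROP here: the chain policy applies.
    #
    $IPT -t filter -A INPUT  -i lo -m limit --limit 2/m --limit-burst 8 -j LOG --log-prefix " LOCAL_IN "
    $IPT -t filter -A OUTPUT -o lo -m limit --limit 2/m --limit-burst 8 -j LOG --log-prefix " LOCAL_OUT "
  }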



# ------------------------------------------------------------------------------------------
# ------------------------------------------------------------------------------------------


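restart_chain_ssh_service() {

    # Purpose: rebuild the SSH_SERVICE pinhole chain from an allow-list file.
    #   File format: whitespace-separated host entries; '#' to end of line is
    #   a comment. Each entry gets NEW,ESTABLISHED accepted from it and
    #   ESTABLISHED accepted back to it; the chain then ends in log-and-drop.
    # Globals read:
    #   IPT               - iptables command (may carry options; left unquoted).
    #   SSH_SERVICE_HOSTS - optional override of the allow-list path
    #                       (default: /root/etc/iptables.rules.ssh_service).
    # Returns: status of the last $IPT call.
    # Security notes:
    #   - No -p/--dport here: the chain is assumed to be reached only from a
    #     port-22 jump rule elsewhere in the ruleset (see the comment at the
    #     bottom). Confirm that jump when auditing.
    #   - Entries are handed to iptables as-is. A hostname is resolved by
    #     iptables at load time (one rule per address returned, so a DNS
    #     answer controls the pinhole) and "0.0.0.0/0" opens SSH to everyone.
    #     Prefer literal addresses / CIDRs.
    #   - Lines containing characters outside [A-Za-z0-9.:/-] and whitespace,
    #     and entries beginning with '-', are skipped with a warning rather
    #     than passed on, so a stray token cannot act as an option or a glob.
    #   - If the list cannot be read, only the log-and-drop tail is installed
    #     (fail closed) and a warning goes to stderr.
    local hosts_file="${SSH_SERVICE_HOSTS:-/root/etc/iptables.rules.ssh_service}"
    local line entry

    echo "Function: restart_chain_ssh_service..."

    $IPT -t filter -F SSH_SERVICE

    if [ -r "$hosts_file" ]; then
        # '|| [ -n "$line" ]' keeps a final line that lacks a trailing newline.
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line%%#*}                           # drop comments
            case $line in
                *[![:alnum:][:space:].:/-]*)
                    printf 'restart_chain_ssh_service: skipping malformed line: %s\n' "$line" >&2
                    continue ;;
            esac
            # word-splitting is intended; the line is already known to hold
            # no glob characters.
            for entry in $line; do
                case $entry in
                    -*) printf 'restart_chain_ssh_service: skipping entry %s\n' "$entry" >&2
                        continue ;;
                esac
                $IPT -t filter -A SSH_SERVICE -s "$entry" -m state --state NEW,ESTABLISHED -j ACCEPT
                $IPT -t filter -A SSH_SERVICE -d "$entry" -m state --state ESTABLISHED -j ACCEPT
            done
        done < "$hosts_file"
    else
        printf 'restart_chain_ssh_service: cannot read %s; allowing no hosts\n' "$hosts_file" >&2
    fi

    #
    # -- Pinhole chain for service on low-numbered port:
    #     -- default-log-and-drop:
    #         -- should be no other traffic to/from our port 22;
    #     -- the LOG is rate-limited so a scanner or brute-forcer cannot
    #        flood the log; the DROP itself is unconditional.
    #
    $IPT -t filter -A SSH_SERVICE -m limit --limit 2/m --limit-burst 8 -j LOG --log-prefix " **SSH_SERVICE DROP** "
    $IPT -t filter -A SSH_SERVICE -j DROP
  }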


# ------------------------------------------------------------------------------------------
# ------------------------------------------------------------------------------------------


allow_tcp_in() {

    CHAIN=$1
    echo "Function: allow_tcp_in" $CHAIN
    shift

    until [ -z "$1" ]
    do
        $IPT -t filter -A $CHAIN  -s $1  -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -t filter -A $CHAIN  -d $1  -m state --state ESTABLISHED     -j ACCEPT

        shift
    done
  }


# ------------------------------------------------------------------------------------------
# ------------------------------------------------------------------------------------------


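allow_udp_in() {

    # Purpose: pinhole a list of peers into a chain for an inbound UDP service.
    #   For each peer: accept NEW,ESTABLISHED from it and ESTABLISHED back to it
    #   (conntrack tracks UDP flows, so the ESTABLISHED reply rule still applies).
    # Arguments:
    #   $1    - chain to append to (also stored in the global CHAIN, as before,
    #           in case a caller reads it).
    #   $2... - peer addresses / networks, in any form iptables -s/-d accepts.
    #           As before, the list stops at the first empty argument.
    # Globals read: IPT (may carry options; left unquoted).
    # Returns: 1 with nothing appended when no chain name is given; otherwise
    #   the status of the last $IPT call.
    # Fix: this helper carried no '-p udp', so it was byte-for-byte identical
    #   to allow_tcp_in and matched every protocol from the peer. It now sets
    #   -p udp, mirroring the '-p tcp' that allow_tcp_out already has.
    CHAIN=$1
    local peer
    echo "Function: allow_udp_in${CHAIN:+ $CHAIN}"
    if [ -z "$CHAIN" ]; then
        printf 'allow_udp_in: missing chain name\n' >&2
        return 1
    fi
    shift

    for peer in "$@"; do
        [ -n "$peer" ] || break
        $IPT -t filter -A "$CHAIN" -s "$peer" -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -t filter -A "$CHAIN" -d "$peer" -p udp -m state --state ESTABLISHED -j ACCEPT
    done
  }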


# ------------------------------------------------------------------------------------------
# ------------------------------------------------------------------------------------------


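allow_tcp_out() {

    # Purpose: allow outbound TCP from this host to a list of peers via a chain.
    #   For each peer: accept NEW,ESTABLISHED to it and ESTABLISHED back from it.
    # Arguments:
    #   $1    - chain to append to (also stored in the global CHAIN, as before,
    #           in case a caller reads it).
    #   $2... - peer addresses / networks, in any form iptables -s/-d accepts.
    #           As before, the list stops at the first empty argument.
    # Globals read: IPT (may carry options; left unquoted).
    # Returns: 1 with nothing appended when no chain name is given (previously
    #   each $IPT call failed with an empty '-A' argument); otherwise the
    #   status of the last $IPT call.
    CHAIN=$1
    local peer
    echo "Function: allow_tcp_out${CHAIN:+ $CHAIN}"
    if [ -z "$CHAIN" ]; then
        printf 'allow_tcp_out: missing chain name\n' >&2
        return 1
    fi
    shift

    for peer in "$@"; do
        [ -n "$peer" ] || break
        $IPT -t filter -A "$CHAIN" -d "$peer" -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -t filter -A "$CHAIN" -s "$peer" -p tcp -m state --state ESTABLISHED -j ACCEPT
    done
  }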


# ------------------------------------------------------------------------------------------
# ------------------------------------------------------------------------------------------


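allow_udp_out() {

    # Purpose: allow outbound UDP from this host to a list of peers via a chain.
    #   For each peer: accept NEW,ESTABLISHED to it and ESTABLISHED back from it
    #   (conntrack tracks UDP flows, so the ESTABLISHED reply rule still applies).
    # Arguments:
    #   $1    - chain to append to (also stored in the global CHAIN, as before,
    #           in case a caller reads it).
    #   $2... - peer addresses / networks, in any form iptables -s/-d accepts.
    #           As before, the list stops at the first empty argument.
    # Globals read: IPT (may carry options; left unquoted).
    # Returns: 1 with nothing appended when no chain name is given; otherwise
    #   the status of the last $IPT call.
    # Fix: this helper carried no '-p udp', so an "udp" allowance let any
    #   protocol out to the peer. It now sets -p udp, mirroring the '-p tcp'
    #   that allow_tcp_out already has.
    CHAIN=$1
    local peer
    echo "Function: allow_udp_out${CHAIN:+ $CHAIN}"
    if [ -z "$CHAIN" ]; then
        printf 'allow_udp_out: missing chain name\n' >&2
        return 1
    fi
    shift

    for peer in "$@"; do
        [ -n "$peer" ] || break
        $IPT -t filter -A "$CHAIN" -d "$peer" -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -t filter -A "$CHAIN" -s "$peer" -p udp -m state --state ESTABLISHED -j ACCEPT
    done
  }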


# ------------------------------------------------------------------------------------------
# ------------------------------------------------------------------------------------------