compact syntax for loops
This commit is contained in:
parent
a3ab1a4f2e
commit
8eb0180b51
222
minifirewall
222
minifirewall
|
@ -159,19 +159,17 @@ start() {
|
||||||
# Trusted ip addresses
|
# Trusted ip addresses
|
||||||
${IPT} -N ONLYTRUSTED
|
${IPT} -N ONLYTRUSTED
|
||||||
${IPT} -A ONLYTRUSTED -j LOG_DROP
|
${IPT} -A ONLYTRUSTED -j LOG_DROP
|
||||||
for x in ${TRUSTEDIPS}
|
for ip in ${TRUSTEDIPS}; do
|
||||||
do
|
${IPT} -I ONLYTRUSTED -s ${ip} -j ACCEPT
|
||||||
${IPT} -I ONLYTRUSTED -s ${x} -j ACCEPT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# Privilegied ip addresses
|
# Privilegied ip addresses
|
||||||
# (trusted ip addresses *are* privilegied)
|
# (trusted ip addresses *are* privilegied)
|
||||||
${IPT} -N ONLYPRIVILEGIED
|
${IPT} -N ONLYPRIVILEGIED
|
||||||
${IPT} -A ONLYPRIVILEGIED -j ONLYTRUSTED
|
${IPT} -A ONLYPRIVILEGIED -j ONLYTRUSTED
|
||||||
for x in ${PRIVILEGIEDIPS}
|
for ip in ${PRIVILEGIEDIPS}; do
|
||||||
do
|
${IPT} -I ONLYPRIVILEGIED -s ${ip} -j ACCEPT
|
||||||
${IPT} -I ONLYPRIVILEGIED -s ${x} -j ACCEPT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# Chain for restrictions (blacklist IPs/ranges)
|
# Chain for restrictions (blacklist IPs/ranges)
|
||||||
${IPT} -N NEEDRESTRICT
|
${IPT} -N NEEDRESTRICT
|
||||||
|
@ -223,170 +221,142 @@ start() {
|
||||||
${IPT} -A INPUT -s ${INTLAN} -j ACCEPT
|
${IPT} -A INPUT -s ${INTLAN} -j ACCEPT
|
||||||
|
|
||||||
# Enable protection chain for sensible services
|
# Enable protection chain for sensible services
|
||||||
for port in ${SERVICESTCP1p}
|
for port in ${SERVICESTCP1p}; do
|
||||||
do
|
${IPT} -A INPUT -p tcp --dport ${port} -j NEEDRESTRICT
|
||||||
${IPT} -A INPUT -p tcp --dport ${port} -j NEEDRESTRICT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
for port in ${SERVICESUDP1p}
|
for port in ${SERVICESUDP1p}; do
|
||||||
do
|
${IPT} -A INPUT -p udp --dport ${port} -j NEEDRESTRICT
|
||||||
${IPT} -A INPUT -p udp --dport ${port} -j NEEDRESTRICT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# Public service
|
# Public service
|
||||||
for port in ${SERVICESTCP1}
|
for port in ${SERVICESTCP1}; do
|
||||||
do
|
${IPT} -A INPUT -p tcp --dport ${port} -j ACCEPT
|
||||||
${IPT} -A INPUT -p tcp --dport ${port} -j ACCEPT
|
[ "${IPV6}" != "off" ] && ${IPT6} -A INPUT -p tcp --dport ${port} -j ACCEPT
|
||||||
[ "${IPV6}" != "off" ] && ${IPT6} -A INPUT -p tcp --dport ${port} -j ACCEPT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
for port in ${SERVICESUDP1}
|
for port in ${SERVICESUDP1}; do
|
||||||
do
|
${IPT} -A INPUT -p udp --dport ${port} -j ACCEPT
|
||||||
${IPT} -A INPUT -p udp --dport ${port} -j ACCEPT
|
[ "${IPV6}" != "off" ] && ${IPT6} -A INPUT -p udp --dport ${port} -j ACCEPT
|
||||||
[ "${IPV6}" != "off" ] && ${IPT6} -A INPUT -p udp --dport ${port} -j ACCEPT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# Privilegied services
|
# Privilegied services
|
||||||
for port in ${SERVICESTCP2}
|
for port in ${SERVICESTCP2}; do
|
||||||
do
|
${IPT} -A INPUT -p tcp --dport ${port} -j ONLYPRIVILEGIED
|
||||||
${IPT} -A INPUT -p tcp --dport ${port} -j ONLYPRIVILEGIED
|
done
|
||||||
done
|
|
||||||
|
|
||||||
for port in ${SERVICESUDP2}
|
for port in ${SERVICESUDP2}; do
|
||||||
do
|
${IPT} -A INPUT -p udp --dport ${port} -j ONLYPRIVILEGIED
|
||||||
${IPT} -A INPUT -p udp --dport ${port} -j ONLYPRIVILEGIED
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# Private services
|
# Private services
|
||||||
for port in ${SERVICESTCP3}
|
for port in ${SERVICESTCP3}; do
|
||||||
do
|
${IPT} -A INPUT -p tcp --dport ${port} -j ONLYTRUSTED
|
||||||
${IPT} -A INPUT -p tcp --dport ${port} -j ONLYTRUSTED
|
done
|
||||||
done
|
|
||||||
|
|
||||||
for port in ${SERVICESUDP3}
|
for port in ${SERVICESUDP3}; do
|
||||||
do
|
${IPT} -A INPUT -p udp --dport ${port} -j ONLYTRUSTED
|
||||||
${IPT} -A INPUT -p udp --dport ${port} -j ONLYTRUSTED
|
done
|
||||||
done
|
|
||||||
|
|
||||||
|
|
||||||
if [ "${DOCKER}" = "on" ]; then
|
if [ "${DOCKER}" = "on" ]; then
|
||||||
|
|
||||||
# Public services defined in SERVICESTCP1 & SERVICESUDP1
|
# Public services defined in SERVICESTCP1 & SERVICESUDP1
|
||||||
for dstport in ${SERVICESTCP1}
|
for dstport in ${SERVICESTCP1}; do
|
||||||
do
|
${IPT} -I MINIFW-DOCKER-PUB -p tcp --dport "${dstport}" -j RETURN
|
||||||
${IPT} -I MINIFW-DOCKER-PUB -p tcp --dport "${dstport}" -j RETURN
|
done
|
||||||
done
|
|
||||||
|
|
||||||
for dstport in ${SERVICESUDP1}
|
for dstport in ${SERVICESUDP1}; do
|
||||||
do
|
${IPT} -I MINIFW-DOCKER-PUB -p udp --dport "${dstport}" -j RETURN
|
||||||
${IPT} -I MINIFW-DOCKER-PUB -p udp --dport "${dstport}" -j RETURN
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# Privileged services (accessible from privileged & trusted IPs)
|
# Privileged services (accessible from privileged & trusted IPs)
|
||||||
for dstport in ${SERVICESTCP2}
|
for dstport in ${SERVICESTCP2}; do
|
||||||
do
|
for srcip in ${PRIVILEGIEDIPS}; do
|
||||||
for srcip in ${PRIVILEGIEDIPS}
|
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||||
do
|
|
||||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
|
||||||
done
|
|
||||||
|
|
||||||
for srcip in ${TRUSTEDIPS}
|
|
||||||
do
|
|
||||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
|
||||||
done
|
|
||||||
done
|
done
|
||||||
|
|
||||||
for dstport in ${SERVICESUDP2}
|
for srcip in ${TRUSTEDIPS}; do
|
||||||
do
|
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||||
for srcip in ${PRIVILEGIEDIPS}
|
|
||||||
do
|
|
||||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
|
||||||
done
|
|
||||||
|
|
||||||
for srcip in ${TRUSTEDIPS}
|
|
||||||
do
|
|
||||||
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
|
||||||
done
|
|
||||||
done
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
for dstport in ${SERVICESUDP2}; do
|
||||||
|
for srcip in ${PRIVILEGIEDIPS}; do
|
||||||
|
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
for srcip in ${TRUSTEDIPS}; do
|
||||||
|
${IPT} -I MINIFW-DOCKER-PRIVILEGED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
# Trusted services (accessible from trusted IPs)
|
# Trusted services (accessible from trusted IPs)
|
||||||
for dstport in ${SERVICESTCP3}
|
for dstport in ${SERVICESTCP3}; do
|
||||||
do
|
for srcip in ${TRUSTEDIPS}; do
|
||||||
for srcip in ${TRUSTEDIPS}
|
${IPT} -I MINIFW-DOCKER-TRUSTED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||||
do
|
|
||||||
${IPT} -I MINIFW-DOCKER-TRUSTED -p tcp -s "${srcip}" --dport "${dstport}" -j RETURN
|
|
||||||
done
|
|
||||||
done
|
done
|
||||||
|
done
|
||||||
|
|
||||||
for dstport in ${SERVICESUDP3}
|
for dstport in ${SERVICESUDP3}; do
|
||||||
do
|
for srcip in ${TRUSTEDIPS}; do
|
||||||
for srcip in ${TRUSTEDIPS}
|
${IPT} -I MINIFW-DOCKER-TRUSTED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
||||||
do
|
|
||||||
${IPT} -I MINIFW-DOCKER-TRUSTED -p udp -s "${srcip}" --dport "${dstport}" -j RETURN
|
|
||||||
done
|
|
||||||
done
|
done
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# External services
|
# External services
|
||||||
###################
|
###################
|
||||||
|
|
||||||
# DNS authorizations
|
# DNS authorizations
|
||||||
for x in ${DNSSERVEURS}
|
for x in ${DNSSERVEURS}; do
|
||||||
do
|
${IPT} -A INPUT -p tcp ! --syn --sport 53 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
||||||
${IPT} -A INPUT -p tcp ! --syn --sport 53 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
${IPT} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${x} -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
${IPT} -A INPUT -p udp --sport 53 --dport ${PORTSUSER} -s ${x} -m state --state ESTABLISHED,RELATED -j ACCEPT
|
${IPT} -A OUTPUT -o ${INT} -p udp -d ${x} --dport 53 --match state --state NEW -j ACCEPT
|
||||||
${IPT} -A OUTPUT -o ${INT} -p udp -d ${x} --dport 53 --match state --state NEW -j ACCEPT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# HTTP (TCP/80) authorizations
|
# HTTP (TCP/80) authorizations
|
||||||
for x in ${HTTPSITES}
|
for x in ${HTTPSITES}; do
|
||||||
do
|
${IPT} -A INPUT -p tcp ! --syn --sport 80 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
||||||
${IPT} -A INPUT -p tcp ! --syn --sport 80 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# HTTPS (TCP/443) authorizations
|
# HTTPS (TCP/443) authorizations
|
||||||
for x in ${HTTPSSITES}
|
for x in ${HTTPSSITES}; do
|
||||||
do
|
${IPT} -A INPUT -p tcp ! --syn --sport 443 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
||||||
${IPT} -A INPUT -p tcp ! --syn --sport 443 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# FTP (so complex protocol...) authorizations
|
# FTP (so complex protocol...) authorizations
|
||||||
for x in ${FTPSITES}
|
for x in ${FTPSITES}; do
|
||||||
do
|
# requests on Control connection
|
||||||
# requests on Control connection
|
${IPT} -A INPUT -p tcp ! --syn --sport 21 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
||||||
${IPT} -A INPUT -p tcp ! --syn --sport 21 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
# FTP port-mode on Data Connection
|
||||||
# FTP port-mode on Data Connection
|
${IPT} -A INPUT -p tcp --sport 20 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
||||||
${IPT} -A INPUT -p tcp --sport 20 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
# FTP passive-mode on Data Connection
|
||||||
# FTP passive-mode on Data Connection
|
# WARNING, this allow all connections on TCP ports > 1024
|
||||||
# WARNING, this allow all connections on TCP ports > 1024
|
${IPT} -A INPUT -p tcp ! --syn --sport ${PORTSUSER} --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
||||||
${IPT} -A INPUT -p tcp ! --syn --sport ${PORTSUSER} --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# SSH authorizations
|
# SSH authorizations
|
||||||
for x in ${SSHOK}
|
for x in ${SSHOK}; do
|
||||||
do
|
${IPT} -A INPUT -p tcp ! --syn --sport 22 -s ${x} -j ACCEPT
|
||||||
${IPT} -A INPUT -p tcp ! --syn --sport 22 -s ${x} -j ACCEPT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# SMTP authorizations
|
# SMTP authorizations
|
||||||
for x in ${SMTPOK}
|
for x in ${SMTPOK}; do
|
||||||
do
|
${IPT} -A INPUT -p tcp ! --syn --sport 25 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
||||||
${IPT} -A INPUT -p tcp ! --syn --sport 25 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# secure SMTP (TCP/465 et TCP/587) authorizations
|
# secure SMTP (TCP/465 et TCP/587) authorizations
|
||||||
for x in ${SMTPSECUREOK}
|
for x in ${SMTPSECUREOK}; do
|
||||||
do
|
${IPT} -A INPUT -p tcp ! --syn --sport 465 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
||||||
${IPT} -A INPUT -p tcp ! --syn --sport 465 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
${IPT} -A INPUT -p tcp ! --syn --sport 587 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
||||||
${IPT} -A INPUT -p tcp ! --syn --sport 587 --dport ${PORTSUSER} -s ${x} -j ACCEPT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# NTP authorizations
|
# NTP authorizations
|
||||||
for x in ${NTPOK}
|
for x in ${NTPOK}; do
|
||||||
do
|
${IPT} -A INPUT -p udp --sport 123 -s ${x} -j ACCEPT
|
||||||
${IPT} -A INPUT -p udp --sport 123 -s ${x} -j ACCEPT
|
${IPT} -A OUTPUT -o ${INT} -p udp -d ${x} --dport 123 --match state --state NEW -j ACCEPT
|
||||||
${IPT} -A OUTPUT -o ${INT} -p udp -d ${x} --dport 123 --match state --state NEW -j ACCEPT
|
done
|
||||||
done
|
|
||||||
|
|
||||||
# Always allow ICMP
|
# Always allow ICMP
|
||||||
${IPT} -A INPUT -p icmp -j ACCEPT
|
${IPT} -A INPUT -p icmp -j ACCEPT
|
||||||
|
|
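Review bot: The loop-variable rename from `x` to `ip` reaches only the ONLYTRUSTED and ONLYPRIVILEGIED loops; the external-service loops further down (DNSSERVEURS, HTTPSITES, HTTPSSITES, FTPSITES, SSHOK, SMTPOK, SMTPSECUREOK, NTPOK) keep `for x in …; do` with `-s ${x}`, so the same commit now reads two ways. Renaming those as well, e.g. `for ip in ${DNSSERVEURS}; do` and `-s ${ip}`, would make the compaction consistent. The Docker block already quotes its expansions (`-s "${srcip}"`, `--dport "${dstport}"`) while the rewritten loops leave `${ip}` and `${port}` unquoted; since the list variables are deliberately word-split by the `for`, an element cannot contain whitespace, but quoting the inner uses would keep the style uniform and satisfy ShellCheck. The enclosing `start()` function begins and ends outside this section.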