#!/bin/bash if [ "$1" == 'debug' ]; then set -x; shift; fi if [ "$1" == 'debug2' ]; then set -xvT; shift; fi # # - FillFW - (IPSETs) # Have a loadfile created by each module or dynloader # and load the firewall from this information # #------------------------ REALPATH=`realpath $0` WHERE=`dirname $REALPATH` ME=`basename $REALPATH` cd $WHERE . system.conf . common.conf . common.bashlib #------------------------ logger "$ME[$$]: Started (re)loading firewall ..." # # Request load information from dynloaders & modules # . loader.conf # # Establish link with internal ipset DROP lists # Modules & Dynloaders do this 'on the fly' # NOTE: mk-ipset always creates DROP set # Don't use for whitelist !!! mk-ipset blacklist 'hash:net' 'comment counters' mk-ipset tarpit 'hash:ip' 'comment timeout 60 counters' mk-ipset custody 'hash:net' 'comment counters' mk-ipset hijackers 'hash:net' 'comment counters' # Load local blacklist file Blacklist # Load the local whitelist file # Establish link with ipset 'whitelist' # THIS MUST COME LAST to go on top in iptables as 'ACCEPT'!!!) # ipset -exist create whitelist 'hash:net' 'comment' if ! $IPTABLES -nL INPUT | grep "match-set whitelist" | grep -q ACCEPT then $IPTABLES -t filter -I INPUT -m set --match-set whitelist src -j ACCEPT $IPTABLES -t filter -I FORWARD -m set --match-set whitelist src -j ACCEPT fi Whitelist # A dummy IPSET for validation of IP addresses (needed for DEBIAN/UBUNTU) # Establish a dummy ipset just for ip addr validation # --- DON'T CONNECT THIS WITH IPTABLES! --- # Just 'add' and verify the return code ipset -exist create validate 'hash:net' comment timeout 1 logger "$ME[$$]: Finished - Firewall (re)loaded"