path: root/roles/vm/network/templates/firewall.sh_public.j2
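#!/bin/sh
#
# Public-interface firewall for one IP family.
#
# This file is a Jinja2 template rendered twice by the Ansible role, once with
# item == 4 (iptables, icmp) and once with item == 6 (ip6tables, icmpv6); every
# {% ... %} / {{ ... }} below is resolved before the script lands on the host.
#
# Usage: firewall.sh (start|stop) <public-interface>
#
#   start  Append ACCEPT rules for ICMP, related/established traffic and the
#          configured TCP/UDP ports on each listed public address, then a
#          final DROP for everything else arriving on the public interface.
#   stop   Delete the same rules, in reverse order.
#
# Deliberately no `set -e`: on `stop` a rule that is already gone must not
# abort removal of the remaining ones. On `start` the DROP rule is still
# appended if an earlier ACCEPT failed, i.e. the interface fails closed.
# Running `start` twice appends a second copy of every rule; `stop` removes
# only one copy per call.

PUBLIC_IPS="{% if item == 4 %}{{ srv_network_public_firewall_ipv4 | join(' ') }}{% else %}{{ srv_network_public_firewall_ipv6 | join(' ') }}{% endif %}"
# The interface comes from argv and is validated before any rule is touched.
PUBLIC_IF="${2:-}"
TCP_PORTS="{{ srv_network.public.firewall.tcp_ports | default([]) | join(' ') }}"
UDP_PORTS="{{ srv_network.public.firewall.udp_ports | default([]) | join(' ') }}"

#####
IPTABLES="/sbin/ip{% if item == 6 %}6{% endif %}tables"
ICMP="icmp{% if item == 6 %}v6{% endif %}"

# Print usage on stderr and exit non-zero.
usage() {
  echo "Usage: $0 (start|stop) <public-interface>" >&2
  exit 1
}

# port_rules ACTION PROTO PORTS
#   Apply ACTION (-A or -D) to one ACCEPT rule per (port, address) pair for
#   PROTO (tcp or udp), where PORTS is a space-separated list. The unquoted
#   expansions of PORTS and PUBLIC_IPS are intentional word-splitting of
#   template-rendered lists; the per-item values are quoted when passed on.
port_rules() {
  for port in $3; do
    for ip in $PUBLIC_IPS; do
      "$IPTABLES" "$1" INPUT -i "$PUBLIC_IF" -d "$ip" -p "$2" --dport "$port" -j ACCEPT
    done
  done
}

case "$1" in
  start)
    [ -n "$PUBLIC_IF" ] || usage
    "$IPTABLES" -A INPUT -i "$PUBLIC_IF" -p "$ICMP" -j ACCEPT
    "$IPTABLES" -A INPUT -i "$PUBLIC_IF" -m state --state related,established -j ACCEPT
    port_rules -A tcp "$TCP_PORTS"
    port_rules -A udp "$UDP_PORTS"
    # Appended last: anything on the public interface not matched above is
    # dropped. Rules already present earlier in INPUT are evaluated first.
    "$IPTABLES" -A INPUT -i "$PUBLIC_IF" -j DROP
  ;;
  stop)
    [ -n "$PUBLIC_IF" ] || usage
    "$IPTABLES" -D INPUT -i "$PUBLIC_IF" -j DROP
    port_rules -D udp "$UDP_PORTS"
    port_rules -D tcp "$TCP_PORTS"
    "$IPTABLES" -D INPUT -i "$PUBLIC_IF" -m state --state related,established -j ACCEPT
    "$IPTABLES" -D INPUT -i "$PUBLIC_IF" -p "$ICMP" -j ACCEPT
  ;;
  *)
    usage
  ;;
esac

exit 0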