[chuug] Firewall script

[Max]

On 11/3/06, David Clymer <david at zettazebra.com> wrote:
> That's ok, I guess, but it's kind of annoying. Is there any other way I
> could allow the use of variables in rule definitions, or is the best I
> can do? Simpler is better, of course.

How about this?

#! /bin/bash

### Rule Variables

DAVID_NET=192.168.11.0/24
DAVID2_NET=192.168.10.0/24

# -- hosts -- #

GATEWAY=192.168.11.1
DAVID_PC=192.168.10.97

######
while true; do break
######

### Start Rules
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
-A INPUT -s $DAVID_PC -d $DAVID_NET -i eth1 -p tcp -m tcp --dport 25
-j LOG --log-prefix "david is sending mail: "
-A FORWARD -s $DAVID_PC -d $DAVID_NET -i eth1 -p tcp -m tcp --dport 25
-j ACCEPT
COMMIT
### End Rules

######
done
######

### Control logic
handler=cat
if [ "_$1" == "_start" ]; then
  handler=iptables-restore
elif [ "_$1" == "_show" ]; then
  handler=cat
elif [ "_$1" == "_stop" ]; then
  for chain in INPUT OUTPUT FORWARD; do iptables --policy $chain ACCEPT; done
  for table in nat filter mangle; do iptables -t $table --flush; done
  for chain in `iptables --list |grep Chain |cut -d ' ' -f2 |grep -vE
'(INPUT|OUTPUT|FORWARD)'`; do iptables -X $chain; done
  exit
fi

[[ $EUID != 0 ]] && {
    echo "You must be root to run this script."
    exit 1
}

#  Need to use space meta character to make sure the perl script doesn't
#  print itself out too :).

perl -n -e 'next unless (/Start\s+Rules/ ... /End\s+Rules/);
            s#([()"])#\\$1#g; print'  $0 | $handler