author | Mike Crute <mcrute@gmail.com> | 2010-07-29 21:54:52 -0400 |
---|---|---|
committer | Mike Crute <mcrute@gmail.com> | 2010-07-29 21:54:52 -0400 |
commit | 347eb1547fa3831998162f5c0c203eacd7a2b6aa (patch) | |
tree | 27579c4b37319ff3f88411961ffb41d2f1833f75 | |
parent | 5440e44cdad939887a3ef351f8d8d83f2791ae44 (diff) | |
Allow blocking of funny business.
-rw-r--r-- | firewall | 14 |
1 files changed, 13 insertions, 1 deletions
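--- a/firewall
+++ b/firewall
@@ -20,6 +20,7 @@ WHITE='\033[0m'
 RED='\033[0;31m'
 
 ALLOW_PING=0
+FUNNY_BUSINESS=0
 
 function do_log
 {
@@ -51,6 +52,16 @@ function flush_all
 do_log "All chains flushed" $?
 }
 
+function block_shenanigans
+{
+iptables -A INPUT -f -j DROP
+do_log "Blocking packet fragments" $?
+iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+do_log "Blocking null packets" $?
+iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+do_log "Blocking christmas-tree packets" $?
+}
+
 function set_ping
 {
 policy="ACCEPT"
@@ -74,7 +85,7 @@ function load_policy
 LOADFILE="/etc/firewall/iptables-$policy"
 
 if [ -r $LOADFILE ]; then
-. $LOADFILE
+source $LOADFILE
 flush_all
 do_log "Loading ruleset $LOADFILE" $?
 else
@@ -138,6 +149,7 @@ function lockdown
 function build_firewall
 {
 load_policy $1
+[[ $FUNNY_BUSINESS == 0 ]] && block_shenanigans
 set_defaults
 set_ping $ALLOW_PING
 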
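Review bot: The guard `[[ $FUNNY_BUSINESS == 0 ]] && block_shenanigans` in build_firewall reads backwards next to `ALLOW_PING=0`: for the existing switch 0 means "off", but here 0 is what turns the drop rules on, so a policy file sourced by load_policy that sets `FUNNY_BUSINESS=1` silently removes the protection while looking like it enables something. Renaming the flag to `ALLOW_FUNNY_BUSINESS=0` and testing `[[ $ALLOW_FUNNY_BUSINESS == 0 ]] && block_shenanigans` keeps the same default and makes the two switches read alike; failing that, a comment above the definition such as `# 0 = drop fragments, NULL and XMAS packets in block_shenanigans; 1 = leave them alone` would do. The `-f` rule in block_shenanigans also deserves a comment: it matches only second and later fragments, it may never match when connection tracking reassembles packets before the filter table sees them, and where it does match it can drop legitimate fragmented UDP/ICMP traffic, which is worth noting for whoever flips the flag. build_firewall continues past the end of the hunk.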