authorMike Crute <mcrute@gmail.com>2010-07-29 21:54:52 -0400
committerMike Crute <mcrute@gmail.com>2010-07-29 21:54:52 -0400
commit347eb1547fa3831998162f5c0c203eacd7a2b6aa (patch)
tree27579c4b37319ff3f88411961ffb41d2f1833f75
parent5440e44cdad939887a3ef351f8d8d83f2791ae44 (diff)
Allow blocking of funny business.
-rw-r--r--firewall14
1 files changed, 13 insertions, 1 deletions
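--- a/firewall
+++ b/firewall
@@ -20,6 +20,7 @@ WHITE='\033[0m'
 RED='\033[0;31m'
 
 ALLOW_PING=0
+FUNNY_BUSINESS=0
 
 function do_log
 {
@@ -51,6 +52,16 @@ function flush_all
  do_log "All chains flushed" $?
 }
 
+function block_shenanigans
+{
+ iptables -A INPUT -f -j DROP
+ do_log "Blocking packet fragments" $?
+ iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+ do_log "Blocking null packets" $?
+ iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+ do_log "Blocking christmas-tree packets" $?
+}
+
 function set_ping
 {
  policy="ACCEPT"
@@ -74,7 +85,7 @@ function load_policy
  LOADFILE="/etc/firewall/iptables-$policy"
 
  if [ -r $LOADFILE ]; then
- . $LOADFILE
+ source $LOADFILE
  flush_all
  do_log "Loading ruleset $LOADFILE" $?
  else
@@ -138,6 +149,7 @@ function lockdown
 function build_firewall
 {
  load_policy $1
+ [[ $FUNNY_BUSINESS == 0 ]] && block_shenanigans
  set_defaults
  set_ping $ALLOW_PING
 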
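Review bot: `iptables -A INPUT -f -j DROP` in block_shenanigans drops every non-initial fragment, which also discards legitimate fragmented traffic such as large UDP replies, and on kernels where connection tracking is loaded fragments are reassembled before the filter table is consulted, so the rule is unlikely to ever match; either document that limitation next to the rule or use `-m conntrack --ctstate INVALID -j DROP`, which catches malformed reassembly as well. The three rules are placed in INPUT only, so if this host forwards traffic the same packets pass through FORWARD untouched. `FUNNY_BUSINESS=0` enabling the blocking is the inverse of the `ALLOW_PING` convention and the name gives no hint, so the new variable deserves a comment such as `# 0 = drop fragments, NULL and XMAS scans; a policy file sourced by load_policy may set 1 to disable` — note that load_policy sources the policy file before the check in build_firewall runs, so a policy can override the default. Since the drops are silent, a rate-limited `-m limit --limit 5/min -j LOG --log-prefix "shenanigans: "` ahead of each DROP would give the do_log output a counterpart for the packets actually discarded. build_firewall continues past the hunk, so whether set_defaults later flushes or reorders INPUT cannot be seen here.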