if [ $dry_run = on ]; then
IPT="echo iptables"
elif [ $dry_run = off ]; then
IPT="iptables"
fi
pass_out=" $IPT -A OUTPUT -j ACCEPT"
block_out="$IPT -A OUTPUT -j DROP"
pass_in=" $IPT -A INPUT -j ACCEPT"
block_in="$IPT -A INPUT -j DROP"
block_log="$IPT -A LOGGING -j DROP"
match_out_log="$IPT -A LOGGING -j LOG --log-level 4 --log-uid"
match_in_log=" $IPT -A LOGGING -j LOG --log-level 4"
match_out_label="$IPT -A OUTPUT -j CONNMARK --set-mark"
label="-m connmark --mark"
on_o="-o"
on_i="-i"
log_label="--log-prefix"
proto="-p"
from="-s"
from_not="! -s"
to="-d"
to_not="! -d"
st_port="-m tcp --sport"
dt_port="-m tcp --dport"
su_port="-m udp --sport"
du_port="-m udp --dport"
to_ipset="dst,dst"
from_ipset="src,src"
for_ipset="-m set --match-set"
ipt_module="-m"
user="-m owner --uid-owner"
user_not="-m owner ! --uid-owner"
keep_state="-m state --state ESTABLISHED"
state_invalid="-m state --state INVALID"
socket_exists="-m owner --socket-exists"
clear_all(){
$IPT -F
$IPT -X LOGGING
}
block_all(){
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
}
block_bug(){
local intf=$1
local srcIP=$2 local dstIP=$3 local dstPORT=$4
$block_out $on_o $intf $proto tcp $from $srcIP $to $dstIP $dt_port $dstPORT
$block_out $on_o $intf $proto tcp $from $dstIP $st_port $dstPORT $to $srcIP
}
block_bug_mports(){
local intf=$1
local srcIP=$2
local dstIP=$3
for i in $(seq 4 $local dstPORT=$(eval echo "\$$i")
block_bug $intf $srcIP $dstIP $dstPORT
done
}
allow_out(){
local intf=$1
local our_proto=$2
local srcIP=$3 local dstIP=$4 local dstPORT=$5 local our_user=$6
if [ $dstIP = all ]; then
if [ $our_proto = tcp ]; then
$pass_out $on_o $intf $proto tcp $from $srcIP \
$to_not $srcIP/24 $dt_port $dstPORT $user $our_user
$pass_in $on_i $intf $proto tcp $from_not $srcIP/24 $st_port $dstPORT \
$to $srcIP $keep_state
elif [ $our_proto = udp ]; then
$pass_out $on_o $intf $proto udp $from $srcIP \
$to_not $srcIP/24 $du_port $dstPORT $user $our_user
$pass_in $on_i $intf $proto udp $from_not $srcIP/24 $su_port $dstPORT \
$to $srcIP $keep_state
fi
else
if [ $our_proto = tcp ]; then
$pass_out $on_o $intf $proto tcp $from $srcIP \
$to $dstIP $dt_port $dstPORT $user $our_user
$pass_in $on_i $intf $proto tcp $from $dstIP $st_port $dstPORT \
$to $srcIP $keep_state
elif [ $our_proto = udp ]; then
$pass_out $on_o $intf $proto udp $from $srcIP \
$to $dstIP $du_port $dstPORT $user $our_user
$pass_in $on_i $intf $proto udp $from $dstIP $su_port $dstPORT \
$to $srcIP $keep_state
fi
fi
}
allow_out_ipset(){
local intf=$1
local our_proto=$2
local srcIP=$3 local ipset_list=$4
local our_user=$5
$pass_out $on_o $intf $proto $our_proto $from $srcIP \
$for_ipset $ipset_list $to_ipset $ipt_module $our_proto $user $our_user
$pass_in $on_i $intf $proto $our_proto $to $srcIP \
$for_ipset $ipset_list $from_ipset $ipt_module $our_proto $keep_state
}
multi_allow_out(){
local intf=$1
local our_proto=$2
local srcIP=$3 local dstIPandPORT_list=$4 local our_user=$5
old_IFS=$IFS
cat $dstIPandPORT_list | sed 's/#.*//;/^[[:space:]]*$/d' \
| while IFS=: read dstIP dstPORT; do
allow_out $intf $our_proto $srcIP $dstIP $dstPORT $our_user
done
IFS=$old_IFS
}
allow_out_tor(){
local intf=$1
local srcIP=$2
local dstIP=$3
local our_user=$(eval echo "\$$#")
for i in $(seq 4 $(($local dstPORT=$(eval echo "\$$i")
allow_out $intf tcp $srcIP $dstIP $dstPORT $our_user
done
}
allow_in(){
local intf=$1
local our_proto=$2
local srcIP=$3 local dstIP=$4 local dstPORT=$5 local our_user=$6
if [ $our_proto = tcp ]; then
$pass_in $on_i $intf $proto tcp $from $srcIP \
$to $dstIP $dt_port $dstPORT
$pass_out $on_o $intf $proto tcp $from $dstIP $st_port $dstPORT \
$to $srcIP $user $our_user $keep_state
elif [ $our_proto = udp ]; then
$pass_in $on_i $intf $proto udp $from $srcIP \
$to $dstIP $du_port $dstPORT
$pass_out $on_o $intf $proto udp $from $dstIP $su_port $dstPORT \
$to $srcIP $user $our_user $keep_state
fi
}
allow_in_tor(){
local intf=$1
local srcIP=$2
local dstIP=$3
local our_user=$(eval echo "\$$#")
for i in $(seq 4 $(($local dstPORT=$(eval echo "\$$i")
$pass_in $on_i $intf $proto tcp $from $srcIP \
$to $dstIP $dt_port $dstPORT
$pass_out $on_o $intf $proto tcp $from $dstIP $st_port $dstPORT \
$to $srcIP $user $our_user $keep_state
$pass_out $on_o $intf $proto tcp $from $dstIP $st_port $dstPORT \
$to $srcIP $user root $keep_state
done
}
lh_filter(){
local dstPORT=$1
local our_user=$2
allow_out lo tcp $lh $lh $dstPORT $our_user
allow_in lo tcp $lh $lh $dstPORT $our_user
}
tor_lh_filter(){
local dstPORT=$1
local our_user=$2
$match_out_label 1 $on_o lo $proto tcp $from $lh \
$to $lh $dt_port $dstPORT $user $our_user
$pass_out $on_o lo $proto tcp $from $lh \
$to $lh $dt_port $dstPORT $user $our_user
$pass_in $on_i lo $proto tcp $from $lh $st_port $dstPORT \
$to $lh $keep_state
$pass_in $on_i lo $proto tcp $from $lh $st_port $dstPORT \
$to $lh $label 1
$pass_in $on_i lo $proto tcp $from $lh \
$to $lh $dt_port $dstPORT
$pass_out $on_o lo $proto tcp $from $lh $st_port $dstPORT \
$to $lh $user $our_user $keep_state
$pass_out $on_o lo $proto tcp $from $lh $st_port $dstPORT \
$to $lh $keep_state $label 1
$pass_out $on_o lo $proto tcp $from $lh $st_port $dstPORT \
$to $lh $label 1
}
allow_dns(){
local our_user=$1
for DNS_server in $DNS_inet_1 $DNS_inet_2; do
allow_out $oIF udp $oIP $DNS_server 53 $our_user
done
}
allow_dhcp(){
local dhcp_server=$1
$pass_out $on_o $oIF $proto udp $from $az $su_port 68 \
$to $a255 $du_port 67 $user root
$pass_in $on_i $oIF $proto udp $from $dhcp_server $su_port 67 \
$to $az $du_port 68 $keep_state
}
bug_workaround(){
$pass_out $on_o lo $proto tcp $from $lh $st_port 9150:9151 \
$to $lh $socket_exists $user_not 0-2000 $keep_state
$pass_out $on_o lo $proto tcp $from $lh $st_port 9150:9151 \
$to $lh $user_not 0-2000 $keep_state
}
start_logging(){
$IPT -N LOGGING
$IPT -A OUTPUT -j LOGGING
$IPT -A INPUT -j LOGGING
}
log_out(){
local our_log_label=$1
local intf=$2
local our_proto=$3
if [ $
$match_out_log $log_label ${our_log_label} $on_o $intf $proto $our_proto
$block_log $on_o $intf $proto $our_proto
elif [ $
$match_out_log $log_label ${our_log_label} $on_o $intf
$block_log $on_o $intf
else
echo Wrong number of arguments in function log_out
exit 8
fi
}
log_in(){
local our_log_label=$1
local intf=$2
local our_proto=$3
local dstIP=$4
if [ $
$match_in_log $log_label ${our_log_label} $on_i $intf $proto $our_proto \
$to $dstIP
$block_log $on_i $intf $proto $our_proto $to $dstIP
elif [ $local dstIP=$3
$match_in_log $log_label ${our_log_label} $on_i $intf $to $dstIP
$block_log $on_i $intf $to $dstIP
elif [ $local intf=$1
$block_log $on_i $intf
else
echo Wrong number of arguments in function log_in
exit 7
fi
}