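#!/bin/bash
# Copyright 2003 William Stearns
# Released under the GPL.
#
# firebricks "address" brick: one iptables chain that catches packets whose
# source or destination address should never appear on a real interface
# (loopback, multicast as a source or as a non-UDP destination, class E,
# and the limited broadcast address as a source).
#
# Usage: run by the firebricks framework, which sets $Tasks to a
# space-separated list of actions (link unlink create destroy status
# version help) before invoking this file.
#
# Globals read (provided by the conf files / firebrickslib):
#   FBLibDir, FBLibVer, Tasks, IptablesBin, AppIn, Ipt, Tail
# Library functions used: FlushOrNewChain, DestroyChain, DefaultHelp
# Globals written: Me, MyVersion, LogAs (set per rule for $Ipt's logging)

Me='address'      # brick name; also the name of its iptables chain
MyVersion='0.3'

# Load the framework. These files are executed as shell code with this
# script's privileges, so they must be owned by root and not writable by
# anyone else.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

# firebrickslib sets FBLibVer; without it none of the helpers below exist.
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# $Tasks, $AppIn and $Tail are left unquoted on purpose: the framework
# passes several words in them (action list, insert/append flag, rule tail).
# shellcheck disable=SC2086
for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      # Create the chain if it does not exist yet (errors from "already
      # exists" are ignored), then hook it into the built-in chains.
      # Loopback is exempted on INPUT/OUTPUT so 127/8 traffic on lo is
      # not caught. "-i \! lo" is the old iptables negation syntax; newer
      # releases accept it with a warning and prefer "! -i lo" — confirm
      # against the installed version.
      $IptablesBin -N "$Me" >/dev/null 2>&1
      $IptablesBin $AppIn INPUT -i \! lo -j "$Me"
      $IptablesBin $AppIn FORWARD -j "$Me"
      $IptablesBin $AppIn OUTPUT -o \! lo -j "$Me"
      ;;
    unlink)
      # Remove the jump rules (must match the link rules exactly), then
      # drop the chain; failure to delete a non-empty chain is ignored.
      $IptablesBin -D INPUT -i \! lo -j "$Me"
      $IptablesBin -D FORWARD -j "$Me"
      $IptablesBin -D OUTPUT -o \! lo -j "$Me"
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me"
      FlushOrNewChain "$Me"
      # Each rule sets LogAs for $Ipt (a framework wrapper around iptables)
      # so matches are tagged with a readable label; $Tail supplies the
      # target.
      LogAs='Addr-127-src' $Ipt -A "$Me" -s 127.0.0.0/8 $Tail
      LogAs='Addr-127-dst' $Ipt -A "$Me" -d 127.0.0.0/8 $Tail
      # 224-239: only a problem as a source or as a non-UDP destination.
      # Note that IGMP, OSPF and VRRP to 224.0.0.0/24 are not UDP and will
      # match the second rule; relax it in $Me.conf if those are in use.
      LogAs='Addr-mc-src' $Ipt -A "$Me" -s 224.0.0.0/4 $Tail
      LogAs='Addr-mc-not-udp' $Ipt -A "$Me" -p \! udp -d 224.0.0.0/4 $Tail
      # 240-255 (class E / reserved) is never valid in either direction.
      LogAs='Addr-240-src' $Ipt -A "$Me" -s 240.0.0.0/4 $Tail
      LogAs='Addr-240-dst' $Ipt -A "$Me" -d 240.0.0.0/4 $Tail
      # Limited broadcast is valid as a destination (e.g. DHCP discover),
      # never as a source.
      LogAs='Addr-bc-src' $Ipt -A "$Me" -s 255.255.255.255/32 $Tail
      ;;
    destroy)
      echo "Stopping $Me"
      DestroyChain "$Me"
      ;;
    status)
      # Listing the chain succeeds only if it exists.
      if $IptablesBin -L "$Me" >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      # Unquoted delimiter so $Me expands in the text.
      cat <<EOTEXT >&2
The $Me module checks for _invalid_ source and destination addresses, such as loopback, multicast, and broadcast address usage. These rules should be safe to use on any network.
EOTEXT
      DefaultHelp
      ;;
    *)
      # The loop variable is OneTask; the original message referenced an
      # undefined $Action and printed an empty action name.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done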