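#!/bin/bash
# autoreject -- firebricks module providing a protocol-aware REJECT chain.
#
# Copyright 2003 William Stearns
# Released under the GPL.
#
# Driven by firebrickslib: the tasks to perform arrive in $Tasks
# (whitespace-separated) and are dispatched one at a time below.
# Globals read:  Tasks, IptablesBin, FBLibVer, FBLibDir
#                (all supplied by the sourced config / library files)
# Globals set:   Me, MyVersion; LogAs is set per rule for the
#                $IptablesBin wrapper (its meaning is defined in firebrickslib)

Me='autoreject'
MyVersion='0.3.3'
#DefaultActions=''

# The config files and the library are executed in this shell with this
# script's privileges; they must be readable only after being trusted
# (root-owned, not group/world-writable).
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"

# firebrickslib sets FBLibVer; without it FlushOrNewChain, DestroyChain and
# DefaultHelp below do not exist, so stop here.
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

# $Tasks is deliberately unquoted: it is a whitespace-separated list that the
# shell word-splits into individual task names.
for OneTask in $Tasks ; do
  case "$OneTask" in
    link)
      # Only the chain is created; nothing jumps to it automatically because
      # autoreject is called on demand (-j autoreject) from other rules.
      $IptablesBin -N "$Me" >/dev/null 2>&1
      #$IptablesBin $AppIn INPUT -i \! lo -j $Me
      #$IptablesBin $AppIn FORWARD -j $Me
      #$IptablesBin $AppIn OUTPUT -j $Me
      ;;
    unlink)
      #$IptablesBin -D INPUT -i \! lo -j $Me
      #$IptablesBin -D FORWARD -j $Me
      #$IptablesBin -D OUTPUT -j $Me
      $IptablesBin -X "$Me" >/dev/null 2>&1
      ;;
    create)
      echo "Starting $Me" >&2
      FlushOrNewChain "$Me"
      # Rule order matters: the DROP rules for tcp RST and the ICMP error
      # types must precede the generic tcp/icmp REJECTs so that no reject
      # message is ever generated in response to an error packet.
      LogAs='autorejectRst' $IptablesBin -A "$Me" -p tcp --tcp-flags RST RST -j DROP
      LogAs='autorejectTcp' $IptablesBin -A "$Me" -p tcp -j REJECT --reject-with tcp-reset
      LogAs='autorejectUdp' $IptablesBin -A "$Me" -p udp -j REJECT --reject-with port-unreach
      LogAs='autorejectUnrch' $IptablesBin -A "$Me" -p icmp --icmp-type destination-unreachable -j DROP
      LogAs='autorejectTimex' $IptablesBin -A "$Me" -p icmp --icmp-type time-exceeded -j DROP
      LogAs='autorejectParam' $IptablesBin -A "$Me" -p icmp --icmp-type parameter-problem -j DROP
      LogAs='autorejectIcmp' $IptablesBin -A "$Me" -p icmp -j REJECT --reject-with host-unreach
      # Catch-all for any other protocol.
      LogAs='autorejectOther' $IptablesBin -A "$Me" -j REJECT --reject-with proto-unreach
      ;;
    destroy)
      echo "Stopping $Me" >&2
      DestroyChain "$Me"
      ;;
    renamechain)
      # Not supported: the chain is never linked into INPUT/FORWARD/OUTPUT,
      # so there is nothing to swap.
      echo "Renamechain not available for $Me" >&2
      #TempChain="$Me-$RANDOM"
      #echo "Replacing existing rules in $Me with new rules" >&2
      #$IptablesBin -E $Me $TempChain
      ;;
    replacelinks)
      echo "Replacelinks not available for $Me" >&2
      #if [ -z "$TempChain" ]; then
      #  echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
      #elif ! $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
      #  echo "No $Me chain in $Me, replace operation incomplete." >&2
      #elif ! $IptablesBin -L $TempChain -n >/dev/null 2>&1 ; then
      #  echo "No $TempChain chain in $Me, replace operation incomplete." >&2
      #elif [ "`$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
      #  echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
      #elif [ "`$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
      #  echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
      #elif [ "`$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
      #  echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
      #else
      #  $IptablesBin -R INPUT `$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | awk '{print $1}'` -i \! lo -j $Me
      #  $IptablesBin -R FORWARD `$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | awk '{print $1}'` -j $Me
      #  $IptablesBin -R OUTPUT `$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | awk '{print $1}'` -j $Me
      #  DestroyChain $TempChain
      #  unset TempChain
      #fi
      ;;
    status)
      # Listing the chain succeeds only if it exists.
      if $IptablesBin -L "$Me" -n >/dev/null 2>&1 ; then
        echo "$Me created" >&2
      else
        echo "$Me destroyed" >&2
      fi
      ;;
    version)
      echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
      ;;
    help)
      DefaultHelp
      # Here-document to stderr; the delimiter was lost in the collapsed
      # original, which would have made the help text execute as commands.
      cat <<EOTEXT >&2
The $Me module sets up a chain that can be called from other firewall rules.
It detects what kind of traffic is going by and sets up the appropriate
reject for that traffic, as opposed to just calling -j REJECT which sends a
port unreachable, even if the traffic is not udp.  It specifically sends
_no_ reject message in response to the following: tcp rst packets, icmp
destination unreachables, icmp time exceededs, and icmp parameter problems
(to avoid rfc-violating loops).
EOTEXT
      ;;
    *)
      # Report the task actually being dispatched ($OneTask); $Action is not
      # set anywhere in this script.
      echo "Unknown action $OneTask in $Me, no action taken." >&2
      ;;
  esac
done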