#!/bin/sh
# firetables.sh: flush or load an nftables ruleset through the nft binary.
# Absolute tool paths. IP is declared here but is not referenced anywhere
# else in this file.
NFT=/usr/sbin/nft
IP=/usr/bin/ip
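#######################################
# Predicate: is the shell variable named by $1 set to exactly 1?
# Arguments: $1 - name of a shell variable (e.g. VERBOSE)
# Returns:   0 when the variable equals 1, non-zero otherwise (also when
#            the name is empty or not a valid identifier).
# Note: the original used ${!1}, a bash-only indirection that /bin/sh
# rejects with "Bad substitution"; eval is used instead, and the name is
# validated first so no shell syntax can be smuggled in through $1.
#######################################
pref() {
  case ${1-} in
    '' | *[!A-Za-z0-9_]* | [0-9]*) return 1 ;;
  esac
  eval "[ \"\${$1:-0}\" -eq 1 ]"
}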
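#######################################
# Print a message to stdout, prefixed with the bold script name, but only
# when the VERBOSE preference is enabled (see pref).
# Arguments: $@ - message words, joined by single spaces
# Returns:   pref's status when VERBOSE is not 1 (nothing is printed)
# Note: printf replaces `echo -e`, which is not portable under /bin/sh
# (dash prints a literal "-e"); the escape sequences are in the format
# string, never in user data.
#######################################
msg() {
  pref VERBOSE && printf '\n\033[1m%s\033[0m: %s\n' "${0##*/}" "$*"
}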
# ip validation
# see http://www.linuxjournal.com/content/validating-ip-address-bash-script
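#######################################
# Remove every nft table and chain on the host.
# Globals:   NFT (read) - path of the nft binary
# Outputs:   progress lines on stdout (fallback path only)
# Returns:   0 when `nft flush ruleset` succeeds, otherwise the status of
#            the last per-table delete in the fallback loop
# Note: the original used single quotes where command substitution was
# meant, `(print $2)` instead of `{print $2}`, dropped a pipe before grep
# and left a string unterminated, so it never ran. Field positions in the
# awk calls are kept from the original; confirm them against the nft
# version actually installed.
#######################################
flush_tables() {
  # nft >= 0.5 clears everything in one go; stderr is silenced because
  # older nft rejects the keyword and we fall through to the manual path.
  if "$NFT" flush ruleset 2>/dev/null; then
    return 0
  fi
  # Older nft: walk tables and chains by hand. The unquoted substitutions
  # are intentional word-splitting over names that contain no whitespace.
  for i in $("$NFT" list tables | awk '{print $2}'); do
    echo "Flushing ${i}"
    "$NFT" flush table "$i"
    for j in $("$NFT" list table "$i" | grep chain | awk '{print $2}'); do
      echo "... Deleting chain ${j} from table ${i}"
      "$NFT" delete chain "$i" "$j"
    done
    echo "Deleting ${i}"
    "$NFT" delete table "$i"
  done
}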
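# "stop" is handled before the main dispatch below. The original test was
# missing its operator (`[ "$1" stop ]` is a syntax error) and printed
# "disabled" without changing any rules; the ruleset is now actually
# flushed, and the message is only printed when that succeeded.
if [ "${1-}" = stop ]; then
  if flush_tables; then
    echo "Firewall disabled. WARNING: THIS HOST HAS NO FIREWALL RUNNING"
    exit 0
  fi
  echo "Could not flush the nft ruleset; firewall state unchanged" >&2
  exit 1
fi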
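#######################################
# Load the ruleset files in order, finishing with the default-drop policy.
# Globals:   NFT (read) - path of the nft binary
# Arguments: none; file names are resolved relative to the current
#            directory, exactly as in the original.
# Returns:   0 when every file loaded, otherwise nft's status for the first
#            file that failed. Stopping at the first failure keeps the
#            final default-drop policy from being applied on top of a
#            partially loaded ruleset.
#######################################
load_tables() {
  for policy in setup-tables localhost-policy connectionstate-policy \
      invalid-policy dns-policy tcp-client-policy tcp-server-policy \
      icmp-policy log-policy default-policy; do
    # `return` with no argument propagates the failing command's status.
    "$NFT" -f "$policy" || return
  done
}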
################
### cli parsing
################
# see how we're called
# NOTE(review): none of install, restore, help or show is defined in this
# file, so each arm falls through to whatever PATH provides under that name
# (coreutils ships an `install`, bash has a `help` builtin) or fails with
# "command not found". Confirm the intended functions exist — the only
# ruleset helpers defined here are flush_tables and load_tables, and this
# dispatch never calls either. "stop" is handled by the if-block above and
# never reaches this case.
case $1 in
install )
install
;;
restore )
restore
;;
-h|--help )
help
;;
# default arm: also taken when no argument is given
* )
show
;;
esac