Added global block ipset tables. Bumped to version 0.0.18

Mon, 13 Apr 2015 17:22:53 +0200

author
Michiel Broek <mbroek@mbse.eu>
date
Mon, 13 Apr 2015 17:22:53 +0200
changeset 7
c846ebedfff3
parent 6
be2d7c142726
child 8
c8e957eb1b36

Added global block ipset tables. Bumped to version 0.0.18

--- a/etc/firewall.conf	Fri Dec 19 09:45:21 2014 +0100
+++ b/etc/firewall.conf	Mon Apr 13 17:22:53 2015 +0200
@@ -1,7 +1,7 @@
 # /etc/mbse-firewall/firewall.conf
 
 # ---------------------------------------------------------------------------
-# Copyright (C) 2013-2014 by Michiel Broek.
+# Copyright (C) 2013-2015 by Michiel Broek.
 # Homepage                   http://www.mbse.eu
 # Email                      mbse At mbse dOt eu
 #
@@ -49,6 +49,11 @@
 # These hosts are blocked using ipset for one hour.
 #IF_EXT_AUTO_BLOCK="1"
 
+# Use global blocking table. This just inserts rules to block hosts that
+# are found in the sets global-blk4 or global-blk6. Other programs like
+# ossec, fail2ban etc need to put the bad hosts in these tables.
+#IF_EXT_GLOBAL_BLOCK="1"
+
 # Block time in seconds when a host is blocked. Default is 3600.
 #IF_EXT_AUTO_TO=172800
 
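Review bot: The new `IF_EXT_GLOBAL_BLOCK` comment tells the reader which programs fill the sets but not what the sets must look like, and the script side only adds match rules for them, so an operator who points fail2ban or ossec at this option has to guess the set names' family and that the sets must exist before the firewall starts. I would extend the comment with the requirements the script actually relies on: `# The sets must exist before mbse-firewall starts (create them with ipset or let` / `# the other program do it); global-blk4 must be an IPv4 (family inet) set and` / `# global-blk6 an IPv6 (family inet6) set.` Whether a fixed set type (hash:ip vs hash:net) is expected cannot be told from this change, so I would not state one unless the script enforces it.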
--- a/sbin/mbse-firewall	Fri Dec 19 09:45:21 2014 +0100
+++ b/sbin/mbse-firewall	Mon Apr 13 17:22:53 2015 +0200
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # ---------------------------------------------------------------------------
-# Copyright (C) 2013-2014 by Michiel Broek.
+# Copyright (C) 2013-2015 by Michiel Broek.
 # Homepage                   http://www.mbse.eu
 # Email                      mbse At mbse dOt eu
 #
@@ -22,7 +22,7 @@
 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
 # ---------------------------------------------------------------------------
 
-MBSEFW_VERSION="0.0.17"
+MBSEFW_VERSION="0.0.18"
 
 # Sanity checks
 if [ "$(id -u)" != "0" ]; then
@@ -276,6 +276,26 @@
     echo -n "."
   fi
 
+  # If we use the global blocktables.
+  if [ "$IF_EXT_GLOBAL_BLOCK" == "1" ]; then
+    $IPTABLES -A INPUT -i $IF_EXT -m state --state NEW -m set --match-set global-blk4 src -j DROP
+    if [ "$FW_FORWARD" = "1" ]; then
+      $IPTABLES -A FORWARD -i $IF_EXT -m state --state NEW -m set --match-set global-blk4 src -j DROP
+    fi
+    if [ "$USE_IPV6" == "1" ]; then
+      if [ -n "$IF_EXT6" ]; then
+        IF6=$IF_EXT6
+      else
+        IF6=$IF_EXT
+      fi
+      $IP6TABLES -A INPUT -i $IF6 -m state --state NEW -m set --match-set global-blk6 src -j DROP
+      if [ "$FW_FORWARD" = "1" ]; then
+        $IP6TABLES -A FORWARD -i $IF6 -m state --state NEW -m set --match-set global-blk6 src -j DROP
+      fi
+    fi
+    echo -n "."
+  fi
+
   fw_init_nfacct
   echo -n "."
 
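Review bot: The `-m set --match-set global-blk4 src` and `global-blk6` rules assume the sets already exist, but nothing in the block creates or checks them; iptables rejects a rule that names a missing set, and since the exit status is not checked the script prints an error and carries on (unless `set -e` is active earlier in the file, which is not visible here), so on a host where fail2ban/ossec has not yet created the sets the option quietly does nothing. Create them idempotently before the rules, e.g. `ipset -exist create global-blk4 hash:ip` and `ipset -exist create global-blk6 hash:ip family inet6`, or if a fixed type could clash with what those tools create, guard with `ipset list -n global-blk4 >/dev/null 2>&1 || { echo "global-blk4 missing" >&2; exit 1; }`. Note also that `--state NEW` means a host added to a set keeps its already-established connections until they expire, which may be intended but deserves a one-line comment above the rules. As a matter of style the tests mix `==` with `=` and `$IF_EXT`/`$IF6` are unquoted; follow whichever convention the rest of the script uses. The enclosing function begins before this hunk.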
