Make sure ipset tables exist.

Sun, 26 Feb 2023 15:23:19 +0100

author
Michiel Broek <mbroek@mbse.eu>
date
Sun, 26 Feb 2023 15:23:19 +0100
changeset 12
8aaa305805df
parent 11
c5697bee6884
child 13
06b03eeae540

Make sure ipset tables exist.

--- a/etc/firewall.conf	Wed Jul 12 22:21:28 2017 +0200
+++ b/etc/firewall.conf	Sun Feb 26 15:23:19 2023 +0100
@@ -1,7 +1,7 @@
 # /etc/mbse-firewall/firewall.conf
 
 # ---------------------------------------------------------------------------
-# Copyright (C) 2013-2015 by Michiel Broek.
+# Copyright (C) 2013-2023 by Michiel Broek.
 # Homepage                   http://www.mbse.eu
 # Email                      mbse At mbse dOt eu
 #
--- a/sbin/mbse-firewall	Wed Jul 12 22:21:28 2017 +0200
+++ b/sbin/mbse-firewall	Sun Feb 26 15:23:19 2023 +0100
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # ---------------------------------------------------------------------------
-# Copyright (C) 2013-2017 by Michiel Broek.
+# Copyright (C) 2013-2023 by Michiel Broek.
 # Homepage                   http://www.mbse.eu
 # Email                      mbse At mbse dOt eu
 #
@@ -22,7 +22,7 @@
 # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
 # ---------------------------------------------------------------------------
 
-MBSEFW_VERSION="0.0.23"
+MBSEFW_VERSION="0.0.25"
 
 # Sanity checks
 if [ "$(id -u)" != "0" ]; then
@@ -278,6 +278,7 @@
 
   # If we use the global blocktables.
   if [ "$IF_EXT_GLOBAL_BLOCK" == "1" ]; then
+    $IPSET create global-blk4 hash:ip counters -exist
     $IPTABLES -A INPUT -i $IF_EXT -m set --match-set global-blk4 src -j DROP
     if [ "$FW_FORWARD" = "1" ]; then
       $IPTABLES -A FORWARD -i $IF_EXT -m set --match-set global-blk4 src -j DROP
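Review bot: The IPv4 set is created as `hash:ip` while the IPv6 set created in the next hunk is `hash:net`, so global-blk4 can only hold single addresses and a prefix added to it is rejected; if the asymmetry is deliberate it deserves a comment, otherwise `hash:net` on both keeps the two lists symmetric. `-exist` only silences the error when a set with exactly the same type and parameters already exists, so a pre-existing global-blk4 of a different type makes this `create` fail, and neither this line nor the IPv6 one in the next hunk checks the status or logs, so such a mismatch goes unnoticed. A comment such as `# create the set up front so the --match-set rule below cannot fail on a fresh boot; -exist keeps a live set and its entries intact` would record the intent. The enclosing function starts outside the hunk.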
@@ -288,6 +289,7 @@
       else
         IF6=$IF_EXT
       fi
+      $IPSET create global-blk6 hash:net family inet6 counters -exist
       $IP6TABLES -A INPUT -i $IF6 -m set --match-set global-blk6 src -j DROP
       if [ "$FW_FORWARD" = "1" ]; then
         $IP6TABLES -A FORWARD -i $IF6 -m set --match-set global-blk6 src -j DROP
@@ -330,8 +332,9 @@
 
   # Anti spoofing on the external interface. Methods since the 3.3 kernel!
   if [ -n "$IF_EXT" ]; then
+    # was 1, now 2 for IPTV.
     for f in $(ls /proc/sys/net/ipv4/conf/*/rp_filter); do
-      echo 1 > $f
+      echo 2 > $f
     done 
     $IPTABLES  -A PREROUTING -t raw -i $IF_EXT -m rpfilter --invert -j DROP
     if [ "$USE_IPV6" == "1" ]; then
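Review bot: Writing 2 to every `/proc/sys/net/ipv4/conf/*/rp_filter` relaxes reverse-path validation to loose mode on all interfaces, not only the one carrying IPTV, which weakens the anti-spoofing this block is commented as providing on the external interface. The kernel applies max(conf/all, conf/iface), so strict mode on the outside survives only if `all`, `default` and `$IF_EXT` stay at 1 and the 2 is written to the IPTV interface's entry alone; the raw-table `-m rpfilter --invert -j DROP` rule on the next line appears to still apply a strict check on $IF_EXT, so the practical exposure is probably on the other interfaces, but the sysctl and the rule should agree. The comment `# was 1, now 2 for IPTV.` would also read better as `# rp_filter: 1=strict, 2=loose; IPTV needs loose on its interface, everything else stays strict`. The enclosing function starts outside the hunk.
```shell
    # rp_filter: 1 = strict, 2 = loose. The kernel uses max(all, <iface>), so
    # keep 'all' and the external interface strict and relax only the IPTV
    # interface. IF_IPTV is a placeholder: substitute the script's own variable.
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > "$f"
    done
    echo 2 > "/proc/sys/net/ipv4/conf/${IF_IPTV:?IPTV interface not set}/rp_filter"
    # … unchanged: raw-table rpfilter rule …
```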
@@ -745,7 +748,7 @@
     reset_iptables DROP
     echo -n "."
     fw_init_sysctl
-    $IPSET restore < /etc/mbse-firewall/data/firewall-ipset.data
+    $IPSET restore -exist < /etc/mbse-firewall/data/firewall-ipset.data
     echo " Restored /etc/mbse-firewall/data/firewall-ipset.data" | $LOGGER
     echo -n "."
     $IPTABLES_RESTORE  < /etc/mbse-firewall/data/firewall-ipv4.data
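Review bot: With `-exist`, `ipset restore` no longer replaces a live set: `create` lines for sets that already exist are skipped and entries already present are kept, so an entry removed from the data file survives a reload until the set is flushed, and a saved set whose type differs from the live one still makes the restore fail. The restore's exit status is not checked before the `Restored ...` line is logged, so that message can be written after a failed restore; `$IPSET restore -exist < /etc/mbse-firewall/data/firewall-ipset.data || echo " ipset restore FAILED" | $LOGGER` would at least record it. The enclosing function starts outside the hunk.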
@@ -794,6 +797,12 @@
 
   rm -f /etc/mbse-firewall/data/firewall-ipset.data
   touch /etc/mbse-firewall/data/firewall-ipset.data
+  if [ "$IF_EXT_GLOBAL_BLOCK" == "1" ]; then
+    $IPSET save global-blk4 -t >> /etc/mbse-firewall/data/firewall-ipset.data
+    if [ "$USE_IPV6" == "1" ]; then
+      $IPSET save global-blk6 -t >> /etc/mbse-firewall/data/firewall-ipset.data
+    fi
+  fi
   HOST="$(hostname)"
   SETS="$($IPSET list -n | grep ${HOST})"
   for set in $SETS ; do
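Review bot: `$IPSET save global-blk4 -t` appears to write only the set header (the `create` line), so the data file persists the type and options of the two global block sets but none of their entries; if that is intended because the lists are rebuilt at runtime, a comment on the block such as `# header only (-t): the block lists are runtime state, only the set definitions are persisted` would stop a later reader from expecting the entries back after a reload. The `>>` redirections append without checking the status of `$IPSET save`, so a missing set leaves a partial data file that the `restore -exist` above then loads without complaint. The enclosing function starts outside the hunk.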
