
Yuya Nishihara committed d5d60fe

setup-iptables: add simple script to setup firewall of client pc

  • Parent commits 42c7b4f


Files changed (1)

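--- a/scripts/setup-iptables.sh
+++ b/scripts/setup-iptables.sh
@@ -0,0 +1,40 @@
+#!/bin/sh -e
+
+HOME_ADDRS=10.188.152.0/24,10.188.154.0/24
+
+flush_all () {
+    iptables -P INPUT ACCEPT  # temporarily
+    iptables -P OUTPUT ACCEPT
+    iptables -P FORWARD DROP
+    iptables -F
+    iptables -X
+}
+
+def_input () {
+    iptables -A INPUT -i lo -j ACCEPT
+    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+    iptables -A INPUT -p icmp -j ACCEPT
+
+    def_in_home
+    iptables -A INPUT -s "$HOME_ADDRS" -j in_home
+
+    iptables -P INPUT DROP
+}
+
+def_in_home () {
+    iptables -N in_home
+    iptables -A in_home -p udp --sport mdns --dport mdns -j ACCEPT
+    iptables -A in_home -p udp --sport ipp --dport ipp -j ACCEPT \
+        -m comment --comment 'CUPS browsing'
+}
+
+disallow_ipv6 () {
+    ip6tables -P INPUT DROP
+    ip6tables -P OUTPUT DROP
+    ip6tables -P FORWARD DROP
+    ip6tables -A INPUT -i lo -j ACCEPT
+}
+
+flush_all
+def_input
+disallow_ipv6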
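Review bot: Between `flush_all` (which sets the INPUT policy to ACCEPT and empties the table) and the final `iptables -P INPUT DROP` at the end of `def_input`, the host accepts all inbound traffic, and because the script runs under `sh -e` any command failing in that window (e.g. a missing conntrack match module, or `iptables -N in_home` failing) exits with the firewall left fail-open. Moving `iptables -P INPUT DROP` to the top of `def_input`, before the first `-A INPUT` rule, makes the script fail closed; established flows are only affected until the conntrack rule is re-added a few commands later. In `disallow_ipv6`, the `-A INPUT -i lo` accept is ineffective on its own because the OUTPUT policy is DROP, so IPv6 loopback (::1) traffic is still blocked; add `ip6tables -A OUTPUT -o lo -j ACCEPT` next to it. The IPv6 table is also never flushed, so re-running the script appends a duplicate `lo` rule each time; an `ip6tables -F` in `flush_all` (or at the start of `disallow_ipv6`) keeps reruns idempotent.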