
Ticket #3817: squeezecenter.fw

File squeezecenter.fw, 6.6 KB (added by dimitris, 15 years ago)

Guest's iptables firewall script

1#!/bin/sh
2#
3# This is automatically generated file. DO NOT MODIFY !
4#
5# Firewall Builder fwb_ipt v3.0.2-676
6#
7# Generated Wed Apr 22 14:06:45 2009 PDT by d
8#
9# files: * squeezecenter.fw
10#
11#
12# Compiled for iptables 1.4.0
13#
14# squeezecenter's firewall.
15#
16#
17#
18
19
# Put the system directories first so the sbin tools below are found even
# from a minimal environment (init/cron); the caller's PATH is kept as a
# fallback.
export PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# Absolute paths of the external tools this script drives.
# IPTABLES_RESTORE, IP6TABLES and IP6TABLES_RESTORE are defined by the
# generator but never referenced anywhere in this script: every rule below
# is installed one by one through $IPTABLES, and no IPv6 rules exist.
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES="/sbin/ip6tables"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"
31
32
33#
34# Prolog script
35#
36
37#
38# End of prolog script
39#
40
# log MESSAGE
#   Print MESSAGE on stdout and, when $LOGGER is an executable, hand it to
#   syslog at priority "info" as well.  The exit status is that of the
#   final test/logger command, exactly as before.
log() {
  msg=$1
  printf '%s\n' "$msg"
  test -x "$LOGGER" && "$LOGGER" -p info "$msg"
}
45
# check_file OBJECT FILE
#   Abort the whole script (exit 1) with a diagnostic if FILE, referenced
#   by the AddressTable object OBJECT, is not readable.  Returns 0 when it
#   is.  This policy uses no address table files, so it is never called.
check_file() {
  if test -r "$2"; then
    return 0
  fi
  printf '%s\n' "Can not find file $2 referenced by AddressTable object $1"
  exit 1
}
52
# Counter used to label every address this script adds (DEV:FWB1, DEV:FWB2,
# ...) so they can be told apart from addresses configured elsewhere.
va_num=1
# add_addr ADDR NETMASK DEV
#   Configure ADDR (with NETMASK, for BROADCAST interfaces) on DEV unless
#   the kernel already has ADDR on that interface.  Nothing is added for
#   interface types other than POINTOPOINT and BROADCAST -- for lo, which
#   normally reports LOOPBACK, the call below is therefore a check only.
#   Parses `ip link`/`ip addr` output by splitting on IFS; `set $L` relies
#   on the line starting with the interface index, not a dash.
add_addr() {
 addr=$1
 nm=$2
 dev=$3

 type=""
 aadd=""

 # First line of "ip link ls DEV": "2: eth0: <BROADCAST,MULTICAST,...>".
 # With ':' and '<' both in IFS the adjacent delimiters leave an empty
 # field, which is why the first flag is $4 (and $5 after NO-CARRIER).
 L=`$IP -4 link ls $dev | head -n1`
 if test -n "$L"; then
 OIFS=$IFS
 IFS=" /:,<"
 set $L
 type=$4
 IFS=$OIFS
 if test "$type" = "NO-CARRIER"; then
 type=$5
 fi

 # Does DEV already carry ADDR?  "grep -v :" skips labelled aliases.
 L=`$IP -4 addr ls $dev to $addr | grep inet | grep -v :`
 if test -n "$L"; then
 OIFS=$IFS
 IFS=" /"
 set $L
 aadd=$2
 IFS=$OIFS
 fi
 fi
 # Not present yet: add it with a unique FWB<n> label.
 if test -z "$aadd"; then
 if test "$type" = "POINTOPOINT"; then
 $IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
 va_num=`expr $va_num + 1`
 fi
 if test "$type" = "BROADCAST"; then
 $IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
 va_num=`expr $va_num + 1`
 fi
 fi
}
93
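# getInterfaceVarName IFNAME
#   Print IFNAME with every '.' turned into '_' so the result is usable as
#   a shell variable name (e.g. VLAN interface eth0.100 -> eth0_100).
#   Fix: the substitution used to replace only the first dot, so a name
#   with more than one dot would still have produced an invalid variable
#   name for eval.  Not referenced elsewhere in this script.
getInterfaceVarName() {
  printf '%s\n' "$1" | sed 's/\./_/g'
}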
97
# getaddr DEV VARNAME
#   Store the first IPv4 address of DEV (as listed by `ip -4 addr show`)
#   in the variable named VARNAME, or '' if there is none.  Lines that
#   contain ':' are skipped so labelled aliases such as eth0:1 are
#   ignored.  Only the first matching line is used; any further address
#   on the interface is invisible to the rules that consume VARNAME.
getaddr() {
  dev=$1
  name=$2
  inet_line=$($IP -4 addr show dev $dev | grep inet | grep -v :)
  if test -n "$inet_line"; then
    # "    inet A.B.C.D/NN brd ..." -> split on blanks and '/': $2 = A.B.C.D
    OIFS=$IFS
    IFS=" /"
    set -- $inet_line
    IFS=$OIFS
    eval "$name=$2"
  else
    eval "$name=''"
  fi
}
112
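# getaddr6 DEV VARNAME
#   Store the first IPv6 address shown by `ip -6 addr show dev DEV` in the
#   variable named VARNAME, or '' when the interface has none.
#   Fix: the generated code filtered the listing with "grep -v :" the way
#   getaddr() does to skip labelled IPv4 aliases (eth0:1) -- but every
#   IPv6 address contains ':', so that filter discarded all lines and
#   VARNAME was always empty.  No scope preference is applied: the first
#   inet6 line wins (presumably the link-local fe80:: address -- confirm
#   before using the value in a rule; nothing in this script uses it).
getaddr6() {
  dev=$1
  name=$2
  L=$($IP -6 addr show dev $dev | grep inet6)
  test -z "$L" && {
    eval "$name=''"
    return
  }
  # "    inet6 ADDR/PLEN scope ..." -> split on blanks and '/': $2 = ADDR
  OIFS=$IFS
  IFS=" /"
  set -- $L
  eval "$name=$2"
  IFS=$OIFS
}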
127
128
# getinterfaces NAME
#   Print, one per line, the name of every interface whose `ip link show`
#   line contains ": NAME" -- that is NAME itself and anything starting
#   with it (getinterfaces eth0 also yields eth0.100).  NAME is used as a
#   grep pattern.  Not used by this policy.
getinterfaces() {
  ifname=$1
  $IP link show | grep ": $ifname" | while read line; do
    # "2: eth0: <...>" -> split on blanks and ':' -> $2 = eth0
    OIFS=$IFS
    IFS=" :"
    set -- $line
    IFS=$OIFS
    printf '%s\n' "$2"
  done
}
139
140
141# increment ip address
# incaddr N4 N3 N2 N1
#   Increment a dotted quad held in four shell variables, given their NAMES
#   most-significant first: N1 is bumped; at 255 it wraps to 0 and the
#   carry propagates into N2, then N3, then N4.  The literal "XX" passed on
#   recursion is a dummy name standing in for the octet already handled.
#   Indirection is done with eval; only meant for numeric octet values.
#   Not used by this policy.
incaddr()
{
  low=$4
  mid=$3
  high=$2
  top=$1

  eval "cur=\$$low"

  # expr prints 1 when the current octet is below 255
  below_max=$(expr $cur \< 255)
  if test "$below_max" = "1"; then
    eval "$low=$(expr $cur + 1)"
  else
    eval "$low=0"
    incaddr XX $top $high $mid
  fi
}
159
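# Abort early if iproute2 is unusable: every interface/address query in
# this script goes through $IP.  (The bare echo keeps the original blank
# line of output.)
if $IP link ls >/dev/null 2>&1; then
  echo
else
  echo "iproute not found"
  exit 1
fi

# Load every module below net/ whose file name contains "conntrack":
# nf_conntrack itself and the L3 trackers needed by "-m state", but also
# every protocol helper (ftp, irc, sip, ...) that happens to be installed.
# NOTE(review): no rule in this script needs a helper; each one loaded is
# extra kernel code parsing untrusted traffic.  Narrow the pattern if this
# policy is revisited.
MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
# Strip the directory and everything from the first '.' (".ko", ".ko.gz").
MODULES=$(find "$MODULES_DIR" -name '*conntrack*' | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
for module in $MODULES; do
  # Match the module-name column only: the previous unanchored grep also
  # hit the "Used by" column and longer names (nf_conntrack inside
  # nf_conntrack_ipv4), so a module could be reported loaded when it was
  # not.  A name that lsmod shows with '_' but the file spells with '-'
  # simply gets modprobed again, which is a no-op.
  if $LSMOD | grep -q "^${module}[[:space:]]"; then
    continue
  fi
  $MODPROBE "${module}" || exit 1
done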
175
176
177# Using 0 address table files
178
179
# Every interface the policy refers to must exist before any rule is
# installed; otherwise bail out now, leaving the current rule set and
# chain policies untouched.
INTERFACES="eth0 lo "
for i in $INTERFACES ; do
  if ! $IP link show "$i" >/dev/null 2>&1; then
    log "Interface $i does not exist"
    exit 1
  fi
done
187
188
189# Configure interfaces
190
191
# Make sure 127.0.0.1/8 is on lo and bring lo up.  add_addr only adds
# addresses on POINTOPOINT/BROADCAST interfaces, so for lo (normally
# LOOPBACK) this is effectively a check, not a change.
add_addr 127.0.0.1 8 lo
$IP link set lo up

# Pick up the first IPv4 / IPv6 address of eth0 into i_eth0 / i_eth0_v6.
# i_eth0 feeds the anti-spoofing rule (Rule 0), the OUTPUT part of Rule 2
# and the INPUT part of Rule 4; each of those is guarded by
# test -n "$i_eth0" and is silently skipped when no address was found.
# i_eth0_v6 is not consumed by any rule in this script.
getaddr eth0 i_eth0
getaddr6 eth0 i_eth0_v6

# Add virtual addresses for NAT rules
# (nothing to do: this policy contains no NAT rules)

log 'Activating firewall script generated Wed Apr 22 14:06:45 2009 by d'
202
203
204
205# ================ IPv4
206
207
208# ================ Table 'filter', automatic rules
# Fail closed first: set every built-in chain's policy to DROP *before*
# the old rules are flushed, so there is no window during a reload where
# the host is open with no rules at all.
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# Flush every chain of every table the kernel currently has (filter, nat,
# mangle, ...) and delete the user-defined chains, so the rules below are
# installed into a known-empty state.
# NOTE(review): only iptables (IPv4) is programmed anywhere in this
# script; ip6tables is never called, so IPv6 traffic is not filtered by it.
while read -r table; do
  $IPTABLES -t "$table" -L -n | while read -r kw chain _rest; do
    # listing lines look like "Chain INPUT (policy DROP)"
    if test "X$kw" = "XChain"; then
      $IPTABLES -t "$table" -F "$chain"
    fi
  done
  $IPTABLES -t "$table" -X
done < /proc/net/ip_tables_names

# Let replies and related packets (ICMP errors and, where a conntrack
# helper is involved, its data connections) through in all three chains;
# the per-rule matches below deal with NEW connections only.
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done
226
227# ================ Table 'mangle', automatic rules
228
229# ================ Table 'filter', rule set Policy
230# Policy compiler errors and warnings:
231#
232#
233# Rule 0 (eth0)
234#
echo "Rule 0 (eth0)"
#
# anti spoofing rule: new connections arriving on eth0 whose source is the
# host's own address are logged (rate limited) and dropped.  Only the
# first address getaddr() found is covered; when i_eth0 is empty the jump
# rules are not installed and the chain stays unreferenced.
# NOTE(review): nothing here rejects other bogus sources on eth0 (127/8,
# the LAN's broadcast address, ...) and this script does not set
# rp_filter; the kernel default is whatever the distribution ships.
#
$IPTABLES -N In_RULE_0
if test -n "$i_eth0"; then
  for chain in INPUT FORWARD; do
    $IPTABLES -A "$chain" -i eth0 -s "$i_eth0" -m state --state NEW -j In_RULE_0
  done
fi
$IPTABLES -A In_RULE_0 -m limit --limit 10/minute -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
$IPTABLES -A In_RULE_0 -j DROP
244#
245# Rule 1 (lo)
246#
echo "Rule 1 (lo)"
#
# loopback: accept new connections on lo in both directions (INPUT matched
# on the input interface, OUTPUT on the output interface).  Replies are
# already covered by the ESTABLISHED,RELATED rules installed above.
#
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
253#
254# Rule 2 (global)
255#
echo "Rule 2 (global)"
#
# SSH Access to the host; useful ICMP
# types; ping request
#
# ICMP types, in the generator's order: time-exceeded (11/0, 11/1),
# echo-reply (0/0), destination-unreachable (3, every code) and
# echo-request (8/0).
# NOTE(review): tcp/22 and these ICMP types are accepted from ANY source,
# unlike Rule 3 which limits SqueezeCenter to 192.168.11.0/24; add a
# matching -s if SSH is only ever used from the LAN.  Echo-reply and the
# error types are accepted here as NEW; those that belong to a flow this
# host started would normally already pass the ESTABLISHED,RELATED rules
# above, so what these lines add is unsolicited ICMP.
#
icmp_types="11/0 11/1 0/0 3 8/0"

# Same service set for locally generated traffic addressed to the host's
# own eth0 address; the jump is only installed when i_eth0 is known.
$IPTABLES -N Cid2260X13002.0
if test -n "$i_eth0"; then
  $IPTABLES -A OUTPUT -d "$i_eth0" -m state --state NEW -j Cid2260X13002.0
fi
for t in $icmp_types; do
  $IPTABLES -A Cid2260X13002.0 -p icmp -m icmp --icmp-type "$t" -j ACCEPT
done
$IPTABLES -A Cid2260X13002.0 -p tcp -m tcp --dport 22 -j ACCEPT

# Inbound from anywhere.
for t in $icmp_types; do
  $IPTABLES -A INPUT -p icmp -m icmp --icmp-type "$t" -m state --state NEW -j ACCEPT
done
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
275#
276# Rule 3 (global)
277#
echo "Rule 3 (global)"
#
# LAN hosts can access SqueezeCenter
#   tcp 3483 and 9000 (presumably the player-control and web ports), plus
#   udp 3483 -- which is only accepted when the source port is 3483 too,
#   i.e. the datagram form the players use, not arbitrary UDP to 3483.
#   This is the only rule that restricts by source network.
#
lan_net=192.168.11.0/24
$IPTABLES -A INPUT -p tcp -m tcp -m multiport -s "$lan_net" --dports 3483,9000 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp -s "$lan_net" --sport 3483 --dport 3483 -m state --state NEW -j ACCEPT
284#
285# Rule 4 (global)
286#
echo "Rule 4 (global)"
#
# Accept any new connection whose source is the host's own eth0 address
# (Rule 0 already drops such packets when they arrive *on eth0*, so what
# reaches this line is presumably locally originated traffic), and allow
# every new outbound connection.
# NOTE(review): egress is unrestricted -- nothing limits where a process
# on this host may connect to.
#
if test -n "$i_eth0"; then
  $IPTABLES -A INPUT -s "$i_eth0" -m state --state NEW -j ACCEPT
fi
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
293#
294# Rule 5 (global)
295#
echo "Rule 5 (global)"
#
# Catch-all: every NEW connection not accepted above is logged (at most
# 10 per minute; the burst size is -m limit's default) and dropped.  The
# chain policies are already DROP, so this rule mainly adds the log line;
# packets that are neither NEW nor ESTABLISHED/RELATED (conntrack INVALID)
# never reach it and fall to the policy unlogged.
#
$IPTABLES -N RULE_5
for chain in OUTPUT INPUT FORWARD; do
  $IPTABLES -A "$chain" -m state --state NEW -j RULE_5
done
$IPTABLES -A RULE_5 -m limit --limit 10/minute -j LOG --log-level info --log-prefix "RULE 5 -- DENY "
$IPTABLES -A RULE_5 -j DROP
306
307#
308#
# Enable IPv4 forwarding.
# NOTE(review): the FORWARD chain's policy is DROP and its only accept
# rule is for ESTABLISHED,RELATED, so this rule set admits no new
# forwarded flow anyway; if this guest is not meant to route, the sysctl
# could be left at 0 to avoid relying on the rules alone.
echo 1 > /proc/sys/net/ipv4/ip_forward
310
311
312#
313# Epilog script
314#
315
316
317# End of epilog script
318#
319
320
