Found at: gopher.r-36.net:70/scm/bfw/file/bin/bfw.gph
tbfw - bfw - simple Bridge FireWall
---
tbfw (2477B)
---
1 #!/bin/sh
2 #
3 # Bridge Firewall to restrict a malicious device.
4 #
5
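PATH=/sbin:/bin

# Interface facing the restricted ("malicious") device.
INIF="in0"
# Interface facing the outside network.
OUTIF="out0"
# The bridge joining the two.
BRIF="br0"
# NOTE(review): INIF appears only in log prefixes and OUTIF/BRIF are not
# referenced by any rule in this script; the filter applies to every
# forwarded packet regardless of interface.

# Per-host policy files: one host (or anything iptables accepts for -s/-d)
# per line; '#' comments and blank lines are skipped.  Blocked entries are
# installed before allowed ones, so a host in both files is blocked.
ALLOWEDHOSTS="/etc/bfw.allowed.conf"
BLOCKEDHOSTS="/etc/bfw.blocked.conf"
# Marked read-only so a later typo cannot silently rebind a policy path.
readonly INIF OUTIF BRIF ALLOWEDHOSTS BLOCKEDHOSTS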
16
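# bfw_host_rules NET HOST TARGET [EXTRA...]
# Append the symmetric pair of FORWARD rules NET->HOST and HOST->NET that
# jump to TARGET; EXTRA is passed through (e.g. --log-prefix ...).
# Returns non-zero if either iptables call fails so the caller can report
# a config entry that iptables refused.
bfw_host_rules() {
	local net host target
	net=$1
	host=$2
	target=$3
	shift 3
	iptables -A FORWARD -s "$net" -d "$host" -j "$target" "$@" &&
		iptables -A FORWARD -s "$host" -d "$net" -j "$target" "$@"
}

# Build the FORWARD chain.  iptables evaluates FORWARD top to bottom, so
# the broad ACCEPTs installed first (conntrack, ICMP, DNS, local network)
# take precedence over the per-host blocks appended after them.
#
# Reads: BLOCKEDHOSTS and ALLOWEDHOSTS (one host or network per line,
# '#' comments and blank lines skipped), INIF (log prefix only) and the
# optional LOCALNET override (default 192.168.0.0/16).
#
# NOTE(review): no rule matches on an interface (no -i/-o, no physdev);
# INIF/OUTIF/BRIF are names only.  Every rule applies to all forwarded
# traffic on this host, in both directions.
do_start() {
	local lnet line
	lnet="${LOCALNET:-192.168.0.0/255.255.0.0}"

	# Fail closed: set the default policy before flushing, so the chain
	# is never momentarily empty with an ACCEPT policy.
	iptables -P FORWARD DROP
	iptables -F FORWARD

	# Connection tracking.  Both rules are inserted at the top, so the
	# second -I lands above the first: ESTABLISHED/RELATED is accepted
	# before INVALID is dropped.
	iptables -I FORWARD -m state --state INVALID -j DROP
	iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

	# Disabled experiments kept from the original script.
	# iptables -A FORWARD -p icmp -m limit --limit 4/s -j ACCEPT
	# iptables -I FORWARD -j DROP -p tcp -s 0.0.0.0/0 \
	#	-m string --string "cmd.exe"

	# ICMP and UDP/53 are accepted to any destination.  NOTE(review):
	# these precede the blocked-host rules, so a blocked host still gets
	# ping and DNS traffic from the restricted device, and unrestricted
	# UDP/53 to arbitrary hosts is an easy tunnelling channel for a
	# hostile device.
	iptables -A FORWARD -p icmp -j ACCEPT
	iptables -A FORWARD -p udp --dport 53 -j ACCEPT

	# Traffic staying inside the local network is always accepted.  This
	# also precedes the blocked list, so a blocked entry inside LOCALNET
	# has no effect.
	iptables -A FORWARD -s "$lnet" -d "$lnet" -j ACCEPT

	# Blocked hosts: log, then drop, in both directions.  "$line" is
	# quoted so a stray token or glob character in the file cannot turn
	# into extra iptables arguments; read with the default IFS has
	# already trimmed surrounding whitespace.  The || clause picks up a
	# final line that lacks a trailing newline.
	if [ -e "$BLOCKEDHOSTS" ]; then
		while read -r line || [ -n "$line" ]; do
			case "$line" in
			''|\#*) continue ;;
			esac
			bfw_host_rules "$lnet" "$line" LOG \
				--log-prefix "FORWARD(${INIF}) rule blocked:"
			# A refused DROP means the host is NOT blocked; say so
			# instead of failing silently.
			if ! bfw_host_rules "$lnet" "$line" DROP; then
				printf 'bfw: iptables rejected blocked entry %s\n' \
					"$line" >&2
			fi
		done < "$BLOCKEDHOSTS"
	fi

	# Allowed hosts: accept both directions.  Appended after the blocked
	# list, so a host listed in both files stays blocked.
	if [ -e "$ALLOWEDHOSTS" ]; then
		while read -r line || [ -n "$line" ]; do
			case "$line" in
			''|\#*) continue ;;
			esac
			if ! bfw_host_rules "$lnet" "$line" ACCEPT; then
				printf 'bfw: iptables rejected allowed entry %s\n' \
					"$line" >&2
			fi
		done < "$ALLOWEDHOSTS"
	fi

	# Everything else is logged and rejected.  NOTE(review): the LOG
	# rules carry no -m limit, so a hostile device can flood the kernel
	# log at line rate.
	iptables -A FORWARD -j LOG --log-prefix "FORWARD(${INIF}) blocked:"
	iptables -A FORWARD -j REJECT
}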
109
# Remove every rule from the FORWARD chain and fall back to forwarding
# everything.  NOTE(review): this is fail-open by design of "stop" — after
# it runs the bridge passes all traffic from the restricted device
# unfiltered until "start" is issued again.
do_unload() {
	local chain
	chain=FORWARD
	iptables -F "$chain"
	iptables -P "$chain" ACCEPT
}
114
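# Print the synopsis to stderr and exit 1.
# $1 - the path the script was invoked as (callers pass "$0").
# Lists every command the dispatcher below accepts; the original message
# omitted the "restart" alias of reload.
usage() {
	local prog
	prog=$(basename "$1")
	printf 'usage: %s [start|stop|reload|restart]\n' "$prog" >&2
	exit 1
}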
119
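# Dispatch on the single command argument; anything else prints usage.
# "$0" is quoted so an install path containing whitespace still yields a
# sane usage line.
# NOTE(review): the script always exits 0 after dispatch; iptables
# failures (e.g. when run without privilege) are not reflected in the
# exit status.
if [ $# -lt 1 ]; then
	usage "$0"
fi

cmd="$1"
case "$cmd" in
start)
	do_start
	;;
reload|restart)
	# do_unload sets the policy to ACCEPT before do_start closes it
	# again, so forwarding is briefly unrestricted during a reload.
	do_unload
	do_start
	;;
stop)
	do_unload
	;;
*)
	usage "$0"
	;;
esac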