add bridge script

2006-07-27 12:02:52 +02:00 · 2006-07-27 12:02:52 +02:00 · af78c47910
commit af78c47910
parent 47933cdde2
1 changed files with 73 additions and 0 deletions
--- a/bridge.sh
+++ b/bridge.sh
@ -0,0 +1,73 @@
+#!/bin/bash
+
+# internal interfaces
+INT_DEV="eth0 ath0 tap0 tap5"
+
+# allowed protos on internal interfaces
+INT_PROTO="ARP IPv4 IPv6"
+
+# allowed protos on external interfaces
+EXT_PROTO="ARP IPv4"
+
+# blocked v4 IPs
+BLOCKED_IP="10.10.0.1 10.10.0.2 10.10.250.250"
+
+# blocked v4 udp
+BLOCKED_UDP="67:68"
+
+# ---
+
+ebt=`which ebtables`
+#ebt="echo ebtables"
+
+# ---
+
+$ebt -F
+$ebt -X
+$ebt -N tapblock
+$ebt -N protoblock
+
+
+for dev in $INT_DEV; do
+    $ebt -A INPUT -i $dev -j ACCEPT
+    for dev2 in $INT_DEV; do
+        if [ "$dev" != "$dev2" ]; then
+            $ebt -A FORWARD -i $dev -o $dev2 -j ACCEPT
+        fi
+    done
+    $ebt -A OUTPUT -o $dev -j ACCEPT
+done
+
+
+for prot in $INT_PROTO; do
+    $ebt -A INPUT -p $prot -j tapblock
+    $ebt -A OUTPUT -p $prot -j tapblock
+done
+$ebt -A INPUT -j DROP
+$ebt -A OUTPUT -j DROP
+
+
+for dev in $INT_DEV; do
+    $ebt -A FORWARD -i $dev -j protoblock
+    $ebt -A FORWARD -o $dev -j protoblock
+done
+$ebt -A FORWARD -j DROP
+
+
+for prot in $EXT_PROTO; do
+    $ebt -A protoblock -p $prot -j tapblock
+done
+$ebt -A protoblock -j DROP
+
+for ip in $BLOCKED_IP; do
+    $ebt -A tapblock -p ARP --arp-ip-src $ip -j DROP
+    $ebt -A tapblock -p ARP --arp-ip-dst $ip -j DROP
+    $ebt -A tapblock -p IPv4 --ip-src $ip -j DROP
+    $ebt -A tapblock -p IPv4 --ip-dst $ip -j DROP
+done
+
+for port in $BLOCKED_UDP; do
+    $ebt -A tapblock -p IPv4 --ip-proto UDP --ip-sport $port -j DROP
+    $ebt -A tapblock -p IPv4 --ip-proto UDP --ip-dport $port -j DROP
+done
+$ebt -A tapblock -j ACCEPT