From af78c47910cd619859a2bab82afede7f32e2b369 Mon Sep 17 00:00:00 2001
From: Olaf Rempel
Date: Thu, 27 Jul 2006 12:02:52 +0200
Subject: [PATCH] add bridge script
---
 bridge.sh | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 bridge.sh
diff --git a/bridge.sh b/bridge.sh
new file mode 100644
index 0000000..bfa2c91
--- /dev/null
+++ b/bridge.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+# internal interfaces
+INT_DEV="eth0 ath0 tap0 tap5"
+
+# allowed protos on internal interfaces
+INT_PROTO="ARP IPv4 IPv6"
+
+# allowed protos on external interfaces
+EXT_PROTO="ARP IPv4"
+
+# blocked v4 IPs
+BLOCKED_IP="10.10.0.1 10.10.0.2 10.10.250.250"
+
+# blocked v4 udp
+BLOCKED_UDP="67:68"
+
+# ---
+
+ebt=`which ebtables`
+#ebt="echo ebtables"
+
+# ---
+
+$ebt -F
+$ebt -X
+$ebt -N tapblock
+$ebt -N protoblock
+
+
+for dev in $INT_DEV; do
+ $ebt -A INPUT -i $dev -j ACCEPT
+ for dev2 in $INT_DEV; do
+ if [ "$dev" != "$dev2" ]; then
+ $ebt -A FORWARD -i $dev -o $dev2 -j ACCEPT
+ fi
+ done
+ $ebt -A OUTPUT -o $dev -j ACCEPT
+done
+
+
+for prot in $INT_PROTO; do
+ $ebt -A INPUT -p $prot -j tapblock
+ $ebt -A OUTPUT -p $prot -j tapblock
+done
+$ebt -A INPUT -j DROP
+$ebt -A OUTPUT -j DROP
+
+
+for dev in $INT_DEV; do
+ $ebt -A FORWARD -i $dev -j protoblock
+ $ebt -A FORWARD -o $dev -j protoblock
+done
+$ebt -A FORWARD -j DROP
+
+
+for prot in $EXT_PROTO; do
+ $ebt -A protoblock -p $prot -j tapblock
+done
+$ebt -A protoblock -j DROP
+
+for ip in $BLOCKED_IP; do
+ $ebt -A tapblock -p ARP --arp-ip-src $ip -j DROP
+ $ebt -A tapblock -p ARP --arp-ip-dst $ip -j DROP
+ $ebt -A tapblock -p IPv4 --ip-src $ip -j DROP
+ $ebt -A tapblock -p IPv4 --ip-dst $ip -j DROP
+done
+
+for port in $BLOCKED_UDP; do
+ $ebt -A tapblock -p IPv4 --ip-proto UDP --ip-sport $port -j DROP
+ $ebt -A tapblock -p IPv4 --ip-proto UDP --ip-dport $port -j DROP
+done
+$ebt -A tapblock -j ACCEPT
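Review bot: The `ebt=` assignment from `which ebtables` near the top of the hunk is never checked and the script has no `set -e`, so when the binary is missing (or `which` is absent) `$ebt` is empty, every following `$ebt -F` / `$ebt -A …` line degrades to a bare `-F` / `-A …` command that fails, and the script runs to completion having applied no filtering at all; `ebt=$(command -v ebtables) || { echo 'ebtables not found' >&2; exit 1; }` plus `set -e` at the top makes it stop instead. The same fail-open behaviour exists while the rules are being built: `-F` removes the old rules while the built-in chains keep their default ACCEPT policy, and traffic is only blocked once the trailing `-A INPUT -j DROP` / `-A OUTPUT -j DROP` / `-A FORWARD -j DROP` lines are appended, so adding `$ebt -P INPUT DROP`, `$ebt -P OUTPUT DROP` and `$ebt -P FORWARD DROP` directly after `$ebt -X` makes the bridge fail closed if any later `-A` errors out (the final explicit DROP rules can stay for readability). The unquoted `$dev`, `$prot`, `$ip` and `$port` expansions are deliberate here because the configuration strings are meant to be word-split; a one-line comment above `INT_DEV=` saying so would spare the next reader a ShellCheck detour.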