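#!/usr/bin/env bash
#
# Load the ebtables (bridge) filter rule set for this host.
#
# Chain layout built below (filter table):
#   INPUT      frames delivered to the host itself: anything arriving on an
#              interface in INT_DEV is accepted; frames from any other
#              interface are allowed only for the protocols in INT_PROTO and
#              are then checked by "tapblock"; everything else is dropped.
#   OUTPUT     frames sent by the host: mirror of INPUT (matched on -o).
#   FORWARD    bridged frames: INT_DEV -> (different) INT_DEV is accepted;
#              frames entering or leaving an INT_DEV interface go through
#              "protoblock"; anything else (external -> external) is dropped.
#   protoblock allows only the protocols in EXT_PROTO and hands them to
#              "tapblock"; all other protocols are dropped.
#   tapblock   drops frames whose ARP or IPv4 source/destination is in
#              BLOCKED_IP and IPv4/UDP frames with a port in BLOCKED_UDP;
#              everything else is accepted.
#
# Runs as root (ebtables needs CAP_NET_ADMIN). Every ebtables command is
# checked: the first failure aborts the script. Because the built-in chains
# are switched to policy DROP before the old rules are flushed, an aborted
# or half-loaded run leaves the bridge closed instead of open.
#
# Dry run: DRY_RUN=1 ./this-script prints the commands instead of running them.
set -euo pipefail

# --- configuration -----------------------------------------------------------

# internal interfaces
INT_DEV=(eth0 ath0 tap0 tap5)
# allowed protos on internal interfaces (applied in INPUT/OUTPUT, see below)
INT_PROTO=(ARP IPv4 IPv6)
# allowed protos on external interfaces (applied in FORWARD via protoblock)
EXT_PROTO=(ARP IPv4)
# blocked v4 IPs (matched as ARP and as IPv4, source and destination)
BLOCKED_IP=(10.10.0.1 10.10.0.2 10.10.250.250)
# blocked v4 udp ports; "lo:hi" is an ebtables port range
BLOCKED_UDP=(67:68)

# --- helpers -----------------------------------------------------------------

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

# Command prefix used for every rule. With DRY_RUN=1 the prefix is
# "echo ebtables", so the rule set is only printed (the original script
# toggled this by editing the ebt= line).
if [[ "${DRY_RUN:-0}" == 1 ]]; then
  ebt=(echo ebtables)
else
  ebt_path=$(command -v ebtables) || die "ebtables not found in PATH"
  ebt=("$ebt_path")
fi

#######################################
# Run one ebtables command and abort with the exact command on failure.
# Globals:   ebt (read)
# Arguments: ebtables arguments
#######################################
rule() {
  "${ebt[@]}" "$@" || die "command failed: ${ebt[*]} $*"
}

# --- load rules --------------------------------------------------------------

# Fail closed: default-drop on the built-in chains before the old rule set is
# flushed, so neither the reload window nor a failed run leaves the bridge
# open. The explicit trailing "-j DROP" rules below keep the final rule set
# identical to what the chains contained before this change.
for chain in INPUT OUTPUT FORWARD; do
  rule -P "$chain" DROP
done

rule -F
rule -X
rule -N tapblock
rule -N protoblock

# Leaf chains are filled before anything jumps to them; the resulting rule
# set is the same as filling them last, it just never references an empty
# chain while loading.

# tapblock: blocked addresses (as ARP and IPv4 src/dst) and UDP ports.
for ip in "${BLOCKED_IP[@]}"; do
  rule -A tapblock -p ARP --arp-ip-src "$ip" -j DROP
  rule -A tapblock -p ARP --arp-ip-dst "$ip" -j DROP
  rule -A tapblock -p IPv4 --ip-src "$ip" -j DROP
  rule -A tapblock -p IPv4 --ip-dst "$ip" -j DROP
done
for port in "${BLOCKED_UDP[@]}"; do
  rule -A tapblock -p IPv4 --ip-proto UDP --ip-sport "$port" -j DROP
  rule -A tapblock -p IPv4 --ip-proto UDP --ip-dport "$port" -j DROP
done
rule -A tapblock -j ACCEPT

# protoblock: only EXT_PROTO protocols continue into tapblock.
for prot in "${EXT_PROTO[@]}"; do
  rule -A protoblock -p "$prot" -j tapblock
done
rule -A protoblock -j DROP

# INPUT/OUTPUT: internal interfaces are accepted outright.
# FORWARD: every internal -> (other) internal pair is accepted.
for dev in "${INT_DEV[@]}"; do
  rule -A INPUT -i "$dev" -j ACCEPT
  for dev2 in "${INT_DEV[@]}"; do
    if [[ "$dev" != "$dev2" ]]; then
      rule -A FORWARD -i "$dev" -o "$dev2" -j ACCEPT
    fi
  done
  rule -A OUTPUT -o "$dev" -j ACCEPT
done

# INPUT/OUTPUT: frames on any other interface must use an INT_PROTO protocol
# and pass tapblock; everything else is dropped.
for prot in "${INT_PROTO[@]}"; do
  rule -A INPUT -p "$prot" -j tapblock
  rule -A OUTPUT -p "$prot" -j tapblock
done
rule -A INPUT -j DROP
rule -A OUTPUT -j DROP

# FORWARD: frames entering or leaving an internal interface that were not
# accepted above go through protoblock; the remainder (external -> external)
# is dropped.
for dev in "${INT_DEV[@]}"; do
  rule -A FORWARD -i "$dev" -j protoblock
  rule -A FORWARD -o "$dev" -j protoblock
done
rule -A FORWARD -j DROP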