74 lines
1.5 KiB
Bash
74 lines
1.5 KiB
Bash
#!/bin/bash
|
|
|
|
# internal interfaces
|
|
INT_DEV="eth0 ath0 tap0 tap5"
|
|
|
|
# allowed protos on internal interfaces
|
|
INT_PROTO="ARP IPv4 IPv6"
|
|
|
|
# allowed protos on external interfaces
|
|
EXT_PROTO="ARP IPv4"
|
|
|
|
# blocked v4 IPs
|
|
BLOCKED_IP="10.10.0.1 10.10.0.2 10.10.250.250"
|
|
|
|
# blocked v4 udp
|
|
BLOCKED_UDP="67:68"
|
|
|
|
# ---
|
|
|
|
ebt=`which ebtables`
|
|
#ebt="echo ebtables"
|
|
|
|
# ---
|
|
|
|
$ebt -F
|
|
$ebt -X
|
|
$ebt -N tapblock
|
|
$ebt -N protoblock
|
|
|
|
|
|
for dev in $INT_DEV; do
|
|
$ebt -A INPUT -i $dev -j ACCEPT
|
|
for dev2 in $INT_DEV; do
|
|
if [ "$dev" != "$dev2" ]; then
|
|
$ebt -A FORWARD -i $dev -o $dev2 -j ACCEPT
|
|
fi
|
|
done
|
|
$ebt -A OUTPUT -o $dev -j ACCEPT
|
|
done
|
|
|
|
|
|
for prot in $INT_PROTO; do
|
|
$ebt -A INPUT -p $prot -j tapblock
|
|
$ebt -A OUTPUT -p $prot -j tapblock
|
|
done
|
|
$ebt -A INPUT -j DROP
|
|
$ebt -A OUTPUT -j DROP
|
|
|
|
|
|
for dev in $INT_DEV; do
|
|
$ebt -A FORWARD -i $dev -j protoblock
|
|
$ebt -A FORWARD -o $dev -j protoblock
|
|
done
|
|
$ebt -A FORWARD -j DROP
|
|
|
|
|
|
for prot in $EXT_PROTO; do
|
|
$ebt -A protoblock -p $prot -j tapblock
|
|
done
|
|
$ebt -A protoblock -j DROP
|
|
|
|
for ip in $BLOCKED_IP; do
|
|
$ebt -A tapblock -p ARP --arp-ip-src $ip -j DROP
|
|
$ebt -A tapblock -p ARP --arp-ip-dst $ip -j DROP
|
|
$ebt -A tapblock -p IPv4 --ip-src $ip -j DROP
|
|
$ebt -A tapblock -p IPv4 --ip-dst $ip -j DROP
|
|
done
|
|
|
|
for port in $BLOCKED_UDP; do
|
|
$ebt -A tapblock -p IPv4 --ip-proto UDP --ip-sport $port -j DROP
|
|
$ebt -A tapblock -p IPv4 --ip-proto UDP --ip-dport $port -j DROP
|
|
done
|
|
$ebt -A tapblock -j ACCEPT
|