Style: `ip -o` -> `ip --oneline`

[ansible.git] / playbooks / roles / redhat / firewall / files / etc / network / functions.phd

IPTABLES=/sbin/iptables
PATH=/sbin:/bin:/usr/sbin:/usr/bin

my_ip() {
   MYIP=$1

   # Allow everything from this host
   $IPTABLES -A INPUT -s $MYIP -j ACCEPT

   # Allow ICMP
   $IPTABLES -A INPUT -d $MYIP -p icmp -j ACCEPT

   # Allow ports >1024
   $IPTABLES -A INPUT -d $MYIP -p tcp --dport 1024: ! --syn -j ACCEPT
   $IPTABLES -A INPUT -d $MYIP -p udp --dport 1024: -j ACCEPT
}

start_firewall() {
   # Allow everything from localhost
   $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT

   # Specifically block access to NFS and XWindows. Neccessary because these are ports >1024
   $IPTABLES -A INPUT -p tcp --dport 2049 -j DROP
   $IPTABLES -A INPUT -p udp --dport 2049 -j DROP
   $IPTABLES -A INPUT -p tcp --dport 6000:6063 -j DROP
   $IPTABLES -A INPUT -p udp --dport 6000:6063 -j DROP

   # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
   $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
   $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
   $IPTABLES -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT
   $IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT
   $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT
   $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT

   # FTP
   $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
   # Allow ftp-data for active connections
   #$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT

   # Track FTP connections to allow active and passive mode FTP
   $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
   $IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
   $IPTABLES -A INPUT -p tcp --sport 1024:65535  -m state --state ESTABLISHED,RELATED -j ACCEPT
   $IPTABLES -A INPUT -p tcp --dport 1024:65535  -m state --state ESTABLISHED,RELATED -j ACCEPT

   MY_IP=$(ip --oneline -4 address show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
   for ip in $MY_IP; do my_ip "$ip"; done
}