[buug] another stupid hack

Ian Zimmerman itz at speakeasy.org
Thu Mar 13 14:46:33 PST 2003


Just finished a dumb preprocessor for ipchains scripts.  I am not sure
if it's worth uploading to CPAN, your opinion is welcome.  It can be
found at

http://www.speakeasy.net/~itz/hacks/Gen.pm

and you use it like this (real addresses obliterated):

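#! /usr/bin/perl -w
#
# Example ipchains policy for the IPChains::Gen preprocessor: each chain is
# described as a Perl hash (policy, label, ordered rule list), and
# canonicalize_chain() / print_chain() from IPChains::Gen turn it into
# ipchains invocations.  Addresses such as "x.y.z.w", "a.b.c.d", "ns1" are
# placeholders the reader replaces with real ones.

use strict;
use warnings;

use IPChains::Gen;

# Source ranges that should never arrive on the outside interface.
my $private_10_0_0_0_8     = '10.0.0.0/8';
my $private_172_16_0_0_12  = '172.16.0.0/12';
my $private_192_168_0_0_16 = '192.168.0.0/16';
# A /3 fixes only three bits, so 224.0.0.0/3 spans 224.0.0.0-255.255.255.255:
# the IANA multicast block (224.0.0.0/4) plus the reserved 240.0.0.0/4, and
# it already contains the 255.0.0.0/8 entry below.  Both entries are kept so
# the generated rule list is unchanged.
my $multicast = '224.0.0.0/3';
my $broadcast = '255.0.0.0/8';

my @reserved = (
    $private_10_0_0_0_8,
    $private_172_16_0_0_12,
    $private_192_168_0_0_16,
    $multicast,
    $broadcast,
);

# Individual hosts to be dropped and logged on sight.
my @scanners = (
    'x.y.z.w/32',
    'a.b.c.d/32',
);

# Network and directed-broadcast addresses of the local subnet.
my $local_net_broadcast = 'x.y.z.0/32';
my $local_broadcast     = 'x.y.z.255/32';

my @broadcast = ( $local_net_broadcast, $local_broadcast );

my @dns = ( 'ns1', 'ns2' );
my @ntp = ( 'ntp1', 'ntp2', 'ntp3' );

# Unprivileged port range: where replies to our own DNS queries land.
my $unpriv_port = '1024:65535';

# Upstream network allowed to deliver mail to us.
my $speakeasy = 'a.b.c.d/26';

# Input chain.  Default policy DENY; rules are listed in match order.
my %input = (
    policy => 'DENY',
    label  => 'input',
    rules  => [
        # Inside interface is trusted outright.
        { interface => 'eth1', target => 'ACCEPT' },

        { interface => 'eth0', dest => 'kronstadt', label => 'scanners',
          sources => \@scanners, log => 1, target => 'DENY' },

        # Private/reserved sources on the outside interface are spoofed.
        { interface => 'eth0', label => 'reserved',
          sources => \@reserved, log => 1, target => 'DENY' },

        { source => 'localhost', target => 'ACCEPT' },
        { source => 'kronstadt', target => 'ACCEPT' },

        # Nested chain for ICMP arriving on eth0 from elsewhere: log and
        # deny broadcast pings, redirects and fragments; the rest of ICMP
        # is accepted by the rule that follows.
        { interface => 'eth0', not_source => 'kronstadt', proto => 'icmp',
          label => 'icmp', rules => [
              { type => 'echo-request', dests => \@broadcast, log => 1, target => 'DENY' },
              { type => 'redirect', dest => 'kronstadt', log => 1, target => 'DENY' },
              { frag => 1, log => 1, target => 'DENY' },
          ] },
        { proto => 'icmp', target => 'ACCEPT' },

        { sources => \@dns, sport => 'domain', dport => $unpriv_port,
          proto => 'udp', target => 'ACCEPT' },
        { sources => \@ntp, sport => 'ntp', dport => 'ntp', proto => 'udp',
          label => 'ntp', target => 'ACCEPT' },
        { dports => [ 'talk', 'ntalk' ], proto => 'udp', target => 'ACCEPT' },

        # TCP: connection attempts (SYN) are logged first -- the 'NONE'
        # target presumably means "log only, keep matching" in
        # IPChains::Gen; confirm in Gen.pm.  All non-SYN segments are then
        # accepted: ipchains does no connection tracking, so this leans on
        # the host's TCP stack to discard segments that belong to no
        # connection.  Finally the listed services are opened.
        { proto => 'tcp', syn => 1, log => 1, target => 'NONE' },
        { proto => 'tcp', syn => 0, target => 'ACCEPT' },
        { source => $speakeasy, proto => 'tcp', dport => 'smtp', target => 'ACCEPT' },
        { proto => 'tcp', dport => 'ssh', target => 'ACCEPT' },
        { proto => 'tcp', dport => 'auth', target => 'ACCEPT' },
    ],
);

# Output chain.  Default policy ACCEPT; the single rule is egress
# anti-spoofing: nothing leaves eth0 with a source other than 'kronstadt'
# (presumably this host).
my %output = (
    policy => 'ACCEPT',
    label  => 'output',
    rules  => [
        { not_source => 'kronstadt', interface => 'eth0', target => 'REJECT' },
    ],
);

# Emit the chains in order, input first.  Plain calls replace the old
# &name(...) form, whose only effect is to bypass prototypes.
for my $chain ( \%input, \%output ) {
    canonicalize_chain($chain);
    print_chain($chain);
}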


-- 
Ian Zimmerman, Oakland, California, U.S.A. 
if (sizeof(signed) > sizeof(unsigned) + 4) { delete this; }
GPG: 433BA087  9C0F 194F 203A 63F7 B1B8  6E5A 8CA3 27DB 433B A087


