[buug] another stupid hack
Ian Zimmerman
itz at speakeasy.org
Thu Mar 13 14:46:33 PST 2003
Just finished a dumb preprocessor for ipchains scripts. I am not sure
if it's worth uploading to CPAN, your opinion is welcome. It can be
found at
http://www.speakeasy.net/~itz/hacks/Gen.pm
and you use it like this (real addresses obliterated):
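#!/usr/bin/perl
# Example driver for IPChains::Gen: the two chains are declared as nested
# Perl data structures (a chain is a hash with a policy, a label and a list
# of rule hashes; a rule carrying its own 'rules' key is a sub-chain), then
# each chain is canonicalized and printed as ipchains commands.  The
# x.y.z.w / a.b.c.d addresses are placeholders standing in for real ones.
use strict;
use warnings;

use IPChains::Gen;

# Address blocks that must never appear as a source on the external
# interface (eth0): the RFC 1918 private ranges, multicast and broadcast.
# Note that 224.0.0.0/3 spans 224.0.0.0-255.255.255.255 and so already
# contains 255.0.0.0/8; both are listed anyway for readability.
my $private_10_0_0_0_8     = '10.0.0.0/8';
my $private_172_16_0_0_12  = '172.16.0.0/12';
my $private_192_168_0_0_16 = '192.168.0.0/16';
my $multicast              = '224.0.0.0/3';
my $broadcast              = '255.0.0.0/8';
my @reserved = (
    $private_10_0_0_0_8,
    $private_172_16_0_0_12,
    $private_192_168_0_0_16,
    $multicast,
    $broadcast,
);

# Presumably hosts that were seen scanning; they are denied and logged
# before any other eth0 rule is consulted.
my @scanners = ( 'x.y.z.w/32', 'a.b.c.d/32', );

# Network and directed-broadcast addresses of the local subnet.  ICMP echo
# requests aimed at them are denied below (smurf amplification vector).
my $local_net_broadcast = 'x.y.z.0/32';
my $local_broadcast     = 'x.y.z.255/32';
my @broadcast = ( $local_net_broadcast, $local_broadcast );

# NOTE(review): these, and 'kronstadt' below, are names rather than
# addresses, so the generated rules depend on whatever resolves them when
# ipchains loads them -- confirm they are pinned locally (e.g. /etc/hosts)
# rather than looked up over the network at rule-load time.
my @dns = ( 'ns1', 'ns2' );
my @ntp = ( 'ntp1', 'ntp2', 'ntp3' );
my $unpriv_port = '1024:65535';
my $speakeasy   = 'a.b.c.d/26';

# Input chain: default policy DENY; rules are evaluated in order.
my %input = (
    policy => 'DENY',
    label  => 'input',
    rules  => [
        # The internal interface is fully trusted.
        { interface => 'eth1', target => 'ACCEPT' },
        # Scanners and reserved (spoofed) sources arriving on eth0: log and deny.
        { interface => 'eth0', dest => 'kronstadt', label => 'scanners',
          sources => \@scanners, log => 1, target => 'DENY' },
        { interface => 'eth0', label => 'reserved',
          sources => \@reserved, log => 1, target => 'DENY' },
        { source => 'localhost', target => 'ACCEPT' },
        { source => 'kronstadt', target => 'ACCEPT' },
        # ICMP from outside: no echo requests to broadcast addresses, no
        # redirects, no fragments; any other ICMP is accepted.
        { interface => 'eth0', not_source => 'kronstadt', proto => 'icmp',
          label => 'icmp', rules => [
              { type => 'echo-request', dests => \@broadcast, log => 1, target => 'DENY' },
              { type => 'redirect', dest => 'kronstadt', log => 1, target => 'DENY' },
              { frag => 1, log => 1, target => 'DENY' },
          ] },
        { proto => 'icmp', target => 'ACCEPT' },
        # UDP: replies from our resolvers and time servers, plus talk/ntalk.
        { sources => \@dns, sport => 'domain', dport => $unpriv_port,
          proto => 'udp', target => 'ACCEPT' },
        { sources => \@ntp, sport => 'ntp', dport => 'ntp', proto => 'udp',
          label => 'ntp', target => 'ACCEPT' },
        { dports => [ 'talk', 'ntalk' ], proto => 'udp', target => 'ACCEPT' },
        # TCP: ipchains has no connection tracking, so non-SYN segments are
        # treated as belonging to established connections and accepted; new
        # connections (SYN) are logged, then only the listed services are
        # accepted.  'NONE' presumably means "no jump", i.e. log only --
        # confirm against IPChains::Gen.
        { proto => 'tcp', syn => 1, log => 1, target => 'NONE' },
        { proto => 'tcp', syn => 0, target => 'ACCEPT' },
        { source => $speakeasy, proto => 'tcp', dport => 'smtp', target => 'ACCEPT' },
        { proto => 'tcp', dport => 'ssh', target => 'ACCEPT' },
        { proto => 'tcp', dport => 'auth', target => 'ACCEPT' },
    ],
);

# Output chain: default policy ACCEPT, but nothing leaves eth0 with a source
# address other than our own (egress anti-spoofing).
my %output = (
    policy => 'ACCEPT',
    label  => 'output',
    rules  => [
        { not_source => 'kronstadt', interface => 'eth0', target => 'REJECT' },
    ],
);

# Same order as before: input is canonicalized and printed, then output.
for my $chain ( \%input, \%output ) {
    canonicalize_chain($chain);
    print_chain($chain);
}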
--
Ian Zimmerman, Oakland, California, U.S.A.
if (sizeof(signed) > sizeof(unsigned) + 4) { delete this; }
GPG: 433BA087 9C0F 194F 203A 63F7 B1B8 6E5A 8CA3 27DB 433B A087