template_iptables.sh: added rules to block countries netblocks via ipset

2019-03-04 22:59:39 +01:00 · 2019-03-04 22:59:39 +01:00 · 22c3c138ec
commit 22c3c138ec
parent 91e840746a
1 changed files with 21 additions and 8 deletions
--- a/template_iptables.sh
+++ b/template_iptables.sh
@ -22,20 +22,33 @@ check_error()
 trap check_error EXIT
 # Flush rules and set default rules
-$IPT -F
+${IPT} -F
-$IPT -P INPUT DROP
+${IPT} -P INPUT DROP
-$IPT -P FORWARD DROP
+${IPT} -P FORWARD DROP
-$IPT -P OUTPUT ACCEPT
+${IPT} -P OUTPUT ACCEPT
 # Set host sepcific rules
 ### Accept all data from "lo" interface
-$IPT -A INPUT -i lo -j ACCEPT
+${IPT} -A INPUT -i lo -j ACCEPT
 ### Accept all connections after the three-way handshake
-$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+${IPT} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 ### Block country zones
 if [ "${IPSET}" == "" ]; then
        echo "No ipset command found. Skipping"
 else
    for chain in $(${IPSET} list -name);
    do if [ "${chain}" == "" ]; then
 	   echo "No ipset chain found. Skipping"
       else
 	   ${IPT} -A INPUT -p tcp -m set --match-set ${chain} src -j DROP;
       fi
    done
 fi
 ### Services rules
 ##### Allow connections to the server main ip for SSH, MOSH and psyBNC
 ##### Use multiports extension to set more ports in a oneline rule
-$IPT -A INPUT -p tcp -d $MAINIP -m multiport --dports $DPORTSIN -j ACCEPT
+${IPT} -A INPUT -p tcp -d ${MAINIP} -m multiport --dports ${DPORTSIN} -j ACCEPT
-$IPT -A INPUT -p udp -d $MAINIP -m multiport --dports $MOSHIN -j ACCEPT
+${IPT} -A INPUT -p udp -d ${MAINIP} -m multiport --dports ${MOSHIN} -j ACCEPT