#!/bin/sh # set -x set -e ipset=${IPSET_BIN:-../src/ipset} # We play with the following networks: # inet: 10.255.255.0/24 # 10.255.255.0-31 in ip1 # 10.255.255.32-63 in ip2 # rest in ipport # inet6: 1002:1002:1002:1002::/64 # 1002:1002:1002:1002::1 in ip1 # 1002:1002:1002:1002::32 in ip2 # rest in ipport case "$1" in inet) cmd=iptables family= NET=10.255.255.0/24 IP1=10.255.255.1 IP2=10.255.255.32 ;; inet6) cmd=ip6tables family="family inet6" NET=1002:1002:1002:1002::/64 IP1=1002:1002:1002:1002::1 IP2=1002:1002:1002:1002::32 ;; *) echo "Usage: $0 inet|inet6 start|stop" exit 1 ;; esac case "$2" in start) $ipset n ip1 hash:ip $family 2>/dev/null $ipset a ip1 $IP1 2>/dev/null $ipset n ip2 hash:ip $family 2>/dev/null $ipset a ip2 $IP2 2>/dev/null $ipset n ipport hash:ip,port $family 2>/dev/null $ipset n list list:set 2>/dev/null $ipset a list ipport 2>/dev/null $ipset a list ip1 2>/dev/null $cmd -A INPUT ! -s $NET -j ACCEPT $cmd -A INPUT -m set ! --match-set ip1 src \ -m set ! --match-set ip2 src \ -j SET --add-set ipport src,src $cmd -A INPUT -m set --match-set ip1 src \ -j LOG --log-prefix "in set ip1: " $cmd -A INPUT -m set --match-set ip2 src \ -j LOG --log-prefix "in set ip2: " $cmd -A INPUT -m set --match-set ipport src,src \ -j LOG --log-prefix "in set ipport: " $cmd -A INPUT -m set --match-set list src,src \ -j LOG --log-prefix "in set list: " $cmd -A OUTPUT -d $NET -j DROP cat /dev/null > .foo.err cat /dev/null > /var/log/kern.log ;; start_flags) $ipset n test hash:net $family 2>/dev/null $ipset a test 10.0.0.0/16 2>/dev/null $ipset a test 10.0.0.0/24 nomatch 2>/dev/null $ipset a test 10.0.0.1 2>/dev/null $cmd -A INPUT ! -s 10.0.0.0/16 -j ACCEPT $cmd -A INPUT -m set --match-set test src \ -j LOG --log-prefix "in set test: " $cmd -A INPUT -m set --match-set test src --return-nomatch \ -j LOG --log-prefix "in set test-nomatch: " $cmd -A INPUT -s 10.0.0.0/16 -j DROP cat /dev/null > .foo.err cat /dev/null > /var/log/kern.log ;; start_flags_reversed) $ipset n test hash:net $family 2>/dev/null $ipset a test 10.0.0.0/16 2>/dev/null $ipset a test 10.0.0.0/24 nomatch 2>/dev/null $ipset a test 10.0.0.1 2>/dev/null $cmd -A INPUT ! -s 10.0.0.0/16 -j ACCEPT $cmd -A INPUT -m set --match-set test src --return-nomatch \ -j LOG --log-prefix "in set test-nomatch: " $cmd -A INPUT -m set --match-set test src \ -j LOG --log-prefix "in set test: " $cmd -A INPUT -s 10.0.0.0/16 -j DROP cat /dev/null > .foo.err cat /dev/null > /var/log/kern.log ;; del) $cmd -F INPUT $cmd -A INPUT -j SET --del-set ipport src,src ;; timeout) $ipset n test hash:ip,port timeout 2 $cmd -A INPUT -j SET --add-set test src,src --timeout 10 --exist ;; mangle) $ipset n test hash:net $family skbinfo 2>/dev/null $ipset a test 10.255.0.0/16 skbmark 0x1234 2>/dev/null $cmd -t mangle -A INPUT -j SET --map-set test src --map-mark $cmd -t mangle -A INPUT -m mark --mark 0x1234 -j LOG --log-prefix "in set mark: " $cmd -t mangle -A INPUT -s 10.255.0.0/16 -j DROP ;; stop) $cmd -F $cmd -X $cmd -F -t mangle $cmd -X -t mangle $ipset -F 2>/dev/null $ipset -X 2>/dev/null ;; *) echo "Usage: $0 start|stop" exit 1 ;; esac