QueuingKoala · December 29, 2014 05:49
diff --git a/v4-features.sh b/v4-features.sh
 #!/bin/sh

 # Extremely-basic Netfilter conditional rule loading example.
 # This uses a pipeline to iptables-restore(8) for atomic loading.

 # In particular, only the filter table is adjusted.

 # Available under the BSD 3-clause license in the hopes this may be a useful
 # example or template.
 # http://opensource.org/licenses/BSD-3-Clause


 # Start a compound shell statement that will feed output to the
 # iptables-restore(8) command at the bottom of this script:
 {

 # First, set up some "operational" switches. 0=OFF, 1=ON
 SVR_HTTP=0
 SVR_HTTPS=0
 SVR_DNS=0
 ALLOW_PING=1

 ##
 ## Set up the filter table

 # Table + default policies:
 echo '*filter'
 echo ':INPUT DROP'
 echo ':FORWARD DROP'
 echo ':OUTPUT ACCEPT'

 # Act as a stateful firewall, allowing traffic that is established or related
 # to things we've already accepted to pass:
 echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

 # Then, conditionally allow more based on program-settings:
 [ "$SVR_HTTP" -eq 1 ] && echo '-A INPUT -p tcp --dport 80 -j ACCEPT'
 [ "$SVR_HTTPS" -eq 1 ] && echo '-A INPUT -p tcp --dport 443 -j ACCEPT'
 if [ "$SVR_DNS" -eq 1 ]; then
 	echo '-A INPUT -p udp --dport 53 -j ACCEPT'
 	echo '-A INPUT -p tcp --dport 53 -j ACCEPT'
 fi
 [ "$ALLOW_PING" -eq 1 ] && echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'

 # End the filter table definition:
 echo 'COMMIT'

 # Finally, close the compound statement and feed the pipeline into
 # iptables-restore(8) for atomic processing.
 } | iptables-restore
	#!/bin/sh

	# Extremely-basic Netfilter conditional rule loading example.
	# This uses a pipeline to iptables-restore(8) for atomic loading.

	# In particular, only the filter table is adjusted.

	# Available under the BSD 3-clause license in the hopes this may be a useful
	# example or template.
	# http://opensource.org/licenses/BSD-3-Clause


	# Start a compound shell statement that will feed output to the
	# iptables-restore(8) command at the bottom of this script:
	{

	# First, set up some "operational" switches. 0=OFF, 1=ON
	SVR_HTTP=0
	SVR_HTTPS=0
	SVR_DNS=0
	ALLOW_PING=1

	##
	## Set up the filter table

	# Table + default policies:
	echo '*filter'
	echo ':INPUT DROP'
	echo ':FORWARD DROP'
	echo ':OUTPUT ACCEPT'

	# Act as a stateful firewall, allowing traffic that is established or related
	# to things we've already accepted to pass:
	echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

	# Then, conditionally allow more based on program-settings:
	[ "$SVR_HTTP" -eq 1 ] && echo '-A INPUT -p tcp --dport 80 -j ACCEPT'
	[ "$SVR_HTTPS" -eq 1 ] && echo '-A INPUT -p tcp --dport 443 -j ACCEPT'
	if [ "$SVR_DNS" -eq 1 ]; then
	echo '-A INPUT -p udp --dport 53 -j ACCEPT'
	echo '-A INPUT -p tcp --dport 53 -j ACCEPT'
	fi
	[ "$ALLOW_PING" -eq 1 ] && echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'

	# End the filter table definition:
	echo 'COMMIT'

	# Finally, close the compound statement and feed the pipeline into
	# iptables-restore(8) for atomic processing.
	} \| iptables-restore