Exceptions can be specified at /etc/glocker/allowed_hosts
BANNED_HOSTS=$(curl -s https://www.friedersdorff.com/.banned |
grep -o -E '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}/[[:digit:]]{1,2}')
BANNED_HOSTS=$(curl -s https://www.friedersdorff.com/.banned |
grep -o -E '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}/[[:digit:]]{1,2}')
+ALLOWED_HOSTS=$(cat /etc/glocker/allowed_hosts)
ipset create glocker-tmp hash:net --hashsize 64
for host in $(echo $BANNED_HOSTS); do
ipset create glocker-tmp hash:net --hashsize 64
for host in $(echo $BANNED_HOSTS); do
ipset swap glocker-tmp glocker
ipset destroy glocker-tmp
echo "IPSet: glocker updated"
ipset swap glocker-tmp glocker
ipset destroy glocker-tmp
echo "IPSet: glocker updated"
+
+# Use local list of explicitly allowed IP addresses from the local machine
+ipset create glocker-tmp hash:net --hashsize 64
+for host in $(echo $ALLOWED_HOSTS); do
+ ip=$(nslookup $host | tail -n2 | head -n1 | sed 's/Address: //')
+ ipset add glocker-tmp $host
+done
+
+ipset create -exist glocker-except hash:net --hashsize 64
+ipset swap glocker-tmp glocker-except
+ipset destroy glocker-tmp
+echo "IPSet: glocker-except updated"
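Review bot: The `ip` computed on the nslookup line is never used — the following line adds `$host` itself, so the DNS lookup is dead code, and unlike the banned list (which is filtered through the CIDR regex above) the local allowlist reaches ipset unvalidated, with both `$(echo $ALLOWED_HOSTS)` and `$host` unquoted, so a comment or stray word in /etc/glocker/allowed_hosts ends up as an ipset argument. Because glocker-except grants an ACCEPT that overrides the DROP set, I would restrict it to literal IP/CIDR entries read line by line and drop the nslookup: an allow entry that depends on whatever DNS answered at update time is harder to audit than the address itself. If hostnames are intended to be supported after all, the add should use `"$ip"` and check that nslookup actually returned an address, since the `tail|head|sed` chain yields an empty or unrelated field when the lookup fails or the output format differs. Sketch of the stricter loop below; the surrounding set creation and swap are unchanged.
```shell
# … unchanged: BANNED_HOSTS download and glocker set update …
# Use local list of explicitly allowed IP addresses from the local machine.
# Only IP/CIDR entries are accepted (same filter as the banned list);
# blank lines, comments and hostnames are ignored rather than resolved.
ipset create glocker-tmp hash:net --hashsize 64
grep -o -E '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}(/[[:digit:]]{1,2})?' /etc/glocker/allowed_hosts |
while IFS= read -r net; do
  ipset add glocker-tmp "$net"
done
# … unchanged: create -exist glocker-except, swap, destroy, echo …
```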
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+# Explicitly allow outgoing traffic to the following IP addresses. This is
+# for things like Google cloud addresses which are owned by but not operated
+# by google.
+-A OUTPUT -m set --match-set glocker-except dst -j ACCEPT
# Prevent all outgoing traffic to banned IP addresses also
-A OUTPUT -m set --match-set glocker dst -j DROP
# Prevent all outgoing traffic to banned IP addresses also
-A OUTPUT -m set --match-set glocker dst -j DROP