From 33000b5d4d6b367235ef101c51ce622bdb01b89c Mon Sep 17 00:00:00 2001
From: Maximilian Friedersdorff
Date: Wed, 12 Sep 2018 09:11:58 +0100
Subject: [PATCH] Allow admin to specify exceptions to blocklist
Exceptions can be specified at /etc/glocker/allowed_hosts
---
 glocker.sh | 13 +++++++++++++
 iptables.rules | 4 ++++
 2 files changed, 17 insertions(+)
diff --git a/glocker.sh b/glocker.sh
index f397ebb..2ee2da4 100755
--- a/glocker.sh
+++ b/glocker.sh
@@ -4,6 +4,7 @@
 BANNED_HOSTS=$(curl -s https://www.friedersdorff.com/.banned | grep -o -E '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}/[[:digit:]]{1,2}')
+ALLOWED_HOSTS=$(cat /etc/glocker/allowed_hosts)
 ipset create glocker-tmp hash:net --hashsize 64
 for host in $(echo $BANNED_HOSTS); do
@@ -14,3 +15,15 @@ ipset create -exist glocker hash:net --hashsize 64
 ipset swap glocker-tmp glocker
 ipset destroy glocker-tmp
 echo "IPSet: glocker updated"
+
+# Use local list of explicitly allowed IP addresses from the local machine
+ipset create glocker-tmp hash:net --hashsize 64
+for host in $(echo $ALLOWED_HOSTS); do
+ ip=$(nslookup $host | tail -n2 | head -n1 | sed 's/Address: //')
+ ipset add glocker-tmp $host
+done
+
+ipset create -exist glocker-except hash:net --hashsize 64
+ipset swap glocker-tmp glocker-except
+ipset destroy glocker-tmp
+echo "IPSet: glocker-except updated"
diff --git a/iptables.rules b/iptables.rules
index a884c60..bdeb1b9 100644
--- a/iptables.rules
+++ b/iptables.rules
@@ -33,6 +33,10 @@ COMMIT
 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
+# Explicitly allow outgoing traffic to the following IP addresses. This is
+# for things like Google cloud addresses which are owned by but not operated
+# by google.
+-A OUTPUT -m set --match-set glocker-except dst -j ACCEPT
 # Prevent all outgoing traffic to banned IP addresses also
 -A OUTPUT -m set --match-set glocker dst -j DROP
--
2.46.2
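Review bot: `ALLOWED_HOSTS=$(cat /etc/glocker/allowed_hosts)` reads the exception file verbatim and, unlike the BANNED_HOSTS line directly above it, applies no filter to its contents, so whatever the file holds goes into the exception set unchecked. A missing or unreadable file only prints cat's error and leaves ALLOWED_HOSTS empty, which the second loop later turns into an empty glocker-except set; if that is not intended, fail explicitly: `ALLOWED_HOSTS=$(cat /etc/glocker/allowed_hosts) || { echo "glocker: cannot read /etc/glocker/allowed_hosts" >&2; exit 1; }`. Since every entry in this file overrides the block list, a comment at the definition such as `# Entries here are exempted from the glocker block list; keep this file writable by root only` would make the trust placed in it visible. Whether the script runs under `set -e` is not visible in this hunk, so the exact failure behaviour is inferred.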
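Review bot: In the new loop `ip` is assigned from the nslookup pipeline but the following line adds `$host`, not `$ip`, so the lookup is dead code and each entry of /etc/glocker/allowed_hosts is handed to `ipset add` as written. If the intent is to resolve names, the add should use the resolved value and a failed add should at least be reported, because the set is swapped into glocker-except regardless of per-entry failures: `ipset add glocker-tmp "$ip" || echo "glocker: could not add $host ($ip) to glocker-except" >&2`; if names are not expected, drop the lookup line instead. The `tail -n2 | head -n1 | sed 's/Address: //'` parsing depends on nslookup's output layout and keeps a single address rather than every record a name resolves to, and on a failed lookup it presumably yields something that is not an address at all, so I would not rely on it without a format check. The unquoted `$host` and `$(echo ...)` expansions match the existing BANNED_HOSTS loop, so they are consistent with the file, but `"$host"` would be the safer form for values read from a file.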
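Review bot: The new `-A OUTPUT -m set --match-set glocker-except dst -j ACCEPT` terminates rule traversal, so an exempted destination skips not only the glocker DROP below it but every OUTPUT rule that follows, which is broader than the purpose stated in the new comment. If the goal is only to exempt these destinations from the block list, fold the exception into the DROP rule and drop the ACCEPT line: `-A OUTPUT -m set --match-set glocker dst -m set ! --match-set glocker-except dst -j DROP`. As with the existing glocker rule, iptables-restore will presumably reject this rule when the glocker-except set does not exist yet, so the load order between glocker.sh and these rules now matters for the new set too; a sentence in the comment noting that the set is created by glocker.sh would help the next admin.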