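#!/bin/bash
#
# Firewall hook for the libvirt bridge: traffic entering the host on the
# libvirt interface and addressed to a private, link-local, reserved or
# broadcast IPv4 range is rejected; everything else is left to the normal
# INPUT/FORWARD processing.
#
# The script only acts when $2 is "started"; for any other value (or no
# argument at all) it exits 0 without touching the firewall.  It looks
# like a libvirt hook script (libvirt passes the operation as $2) --
# confirm which hook (network/qemu) installs it.
#
# Scope: IPv4 only.  Nothing here configures ip6tables, so IPv6 traffic
# from guests is not filtered by this script.
#
# Requires: root and an iptables with -C (rule check) support.  Any
# iptables failure other than the expected "already exists / not found"
# cases aborts the script with a non-zero status instead of silently
# continuing with a half-built rule set.

set -eu

## CONFIG ##

# libvirt network interface whose ingress traffic is filtered
readonly libvirt_iface="virbr0"

# name of the user chain that holds the reject rules
readonly firewall_chain="LIBVIRT_FIREWALL"

# list of forbidden destination subnets (IPv4)
declare -ar forbidden_subnet_list=(
  "0.0.0.0/8"
  "10.0.0.0/8"
  "100.64.0.0/10"
  "127.0.0.0/8"
  "169.254.0.0/16"
  "172.16.0.0/12"
  "192.0.0.0/24"
  "192.0.2.0/24"
  "192.88.99.0/24"
  "192.168.0.0/16"
  "198.18.0.0/15"
  "198.51.100.0/24"
  "203.0.113.0/24"
  "233.252.0.0/24"
  "255.255.255.255/32"
)

#######################################
# Report whether a chain exists in the filter table.
# Arguments: $1 - chain name
# Returns:   0 if the chain exists, non-zero otherwise
#######################################
chain_exists() {
  iptables -S "$1" >/dev/null 2>&1
}

#######################################
# Make sure exactly one jump from a builtin chain into the firewall chain
# exists, and that it sits at position 1 so it runs before any other rule.
# Globals:   libvirt_iface, firewall_chain (read)
# Arguments: $1 - builtin chain to hook (INPUT or FORWARD)
# Returns:   0 on success, non-zero if a delete or insert fails
#######################################
hook_chain() {
  local parent=$1

  # delete old references -- all of them, so repeated runs cannot
  # accumulate duplicate jumps
  while iptables -C "$parent" -i "$libvirt_iface" -j "$firewall_chain" 2>/dev/null; do
    iptables -D "$parent" -i "$libvirt_iface" -j "$firewall_chain" || return 1
  done

  # inject the new reference at the top
  iptables -I "$parent" 1 -i "$libvirt_iface" -j "$firewall_chain"
}

#######################################
# Entry point: create/hook the firewall chain and (re)populate it.
# Globals:   libvirt_iface, firewall_chain, forbidden_subnet_list (read)
# Arguments: hook arguments; only $2 == "started" triggers any action
# Returns:   0 on success or when nothing needs doing
#######################################
main() {
  # "${2-}" rather than "$2" so a bare invocation is a no-op under set -u
  [[ "${2-}" == "started" ]] || exit 0

  ## MAKE SURE FIREWALL CHAIN IS ON TOP ##

  # create the firewall chain (only once; -N fails if it already exists)
  if ! chain_exists "$firewall_chain"; then
    iptables -N "$firewall_chain"
  fi

  # NOTE(review): the jump sits at position 1 of INPUT, i.e. ahead of any
  # rules libvirt itself installs for the bridge.  Guest traffic to the
  # bridge's own address (inside 192.168.0.0/16) and broadcasts to
  # 255.255.255.255 are therefore rejected before those rules are
  # consulted -- confirm that DHCP/DNS from guests still works as intended.
  hook_chain INPUT
  hook_chain FORWARD

  ## APPLY CONFIG ##

  # NOTE(review): between this flush and the last -A the chain is empty,
  # so for a short window forbidden destinations are reachable from
  # guests.  Populating a scratch chain and re-pointing the jumps would
  # close that window -- decide whether it matters for this deployment.
  iptables -F "$firewall_chain"

  # add the reject rules, one per forbidden subnet
  local forbidden_subnet
  for forbidden_subnet in "${forbidden_subnet_list[@]}"; do
    iptables -A "$firewall_chain" -d "$forbidden_subnet" \
      -j REJECT --reject-with icmp-host-unreachable
  done

  # rule for all other traffic: hand back to the calling chain
  iptables -A "$firewall_chain" -j RETURN
}

main "$@"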