X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/fc10e52bb75abaae6b8698d0e68aad207a0acf3a..6f0a7bc1a8dec07b7768a1b6d8f592190c7e63d4:/functions.m4?ds=sidebyside
diff --git a/functions.m4 b/functions.m4
index 80caf1d..85afc10 100644
--- a/functions.m4
+++ b/functions.m4
@@ -126,6 +126,20 @@ conntrack () {
   run iptables -A $chain -p tcp ! --syn -g bad-tcp
 }
 
+## commonrules CHAIN
+##
+## Add standard IP filtering rules to the CHAIN.
+commonrules () {
+  set -e
+  chain=$1
+
+  ## Pass fragments through, assuming that the eventual destination will sort
+  ## things out properly. Except for TCP, that is, which should never be
+  ## fragmented.
+  run iptables -A $chain -p tcp -f -g tcp-fragment
+  run iptables -A $chain -f -j ACCEPT
+}
+
 ## allowservices CHAIN PROTO SERVICE ...
 ##
 ## Add rules to allow the SERVICES on the CHAIN.
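Review bot: The `-f -j ACCEPT` rule in commonrules accepts every non-first fragment unconditionally, so any rule appended to CHAIN after commonrules (service checks, ICMP/UDP filtering) never sees those fragments; the inline comment says this is deliberate, but the function header does not, so a caller choosing where to place commonrules in a chain would not know it short-circuits later rules. Suggest extending the header to `## Add standard IP filtering rules to the CHAIN.  Non-first fragments are accepted here, so rules added to CHAIN afterwards only see unfragmented or first-fragment packets.` The `-g tcp-fragment` rule also requires the tcp-fragment chain to exist before commonrules is called (iptables rejects a goto to a missing chain), and the hunk does not show where it is created; a one-line note naming the function that sets it up would help. If connection tracking reassembles datagrams before this chain is reached, these two rules will rarely match at all — that is inferred from the conntrack function above the hunk, not visible here, so worth confirming. Note that `set -e` inside a shell function applies to the calling shell, which presumably matches the existing style of conntrack (its body starts outside the hunk).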