#!/bin/sh

## Adjust these to your own environment if needed
#
## The locations of the files containing the government and
## iran related networks, plus the list of listening ports
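## One entry per line in each list file.  All settings are marked
## readonly so nothing later in the script can reassign them by accident.
readonly IRAN_ALLOWED="/etc/iran/iran_allowed.txt"
readonly IRAN_DROPPED="/etc/iran/iran_dropped.txt"
readonly IRAN_PORTS="/etc/iran/iran_inbound_ports.txt"
#
## Name of the interface that connects to the internet
## (currently not referenced by the rules below)
readonly EXT_IF="eth1"
#
## Path to iptables (absolute, so the rule loading does not depend on PATH)
readonly IPTABLES="/sbin/iptables"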

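## Unset variables are a bug in a firewall script; fail loudly on them.
set -u

## --- helpers ---------------------------------------------------------------

## Print a message on stderr and exit 1.  Used while *loading* rules: a
## half-loaded rule set must never be reported as "done" with status 0.
die() {
	printf '%s\n' "$*" >&2
	exit 1
}

## Print a warning on stderr and keep going.  Used while *unloading*,
## where a rule that is already gone must not stop the rest of the cleanup.
warn() {
	printf 'warning: %s\n' "$*" >&2
}

## Run iptables with the given arguments; abort the script if it fails.
ipt() {
	"${IPTABLES}" "$@" || die "iptables $* failed"
}

## Run iptables with the given arguments; warn and continue if it fails.
ipt_try() {
	"${IPTABLES}" "$@" || warn "iptables $* failed"
}

## Abort unless the list file $1 is readable.  Called for all list files
## before the first iptables call, so a wrong path above fails cleanly
## instead of leaving a half-loaded rule set behind.
need_file() {
	[ -r "$1" ] || die "cannot read list file: $1"
}

## Print the entries of list file $1, one per line.  '#' comments,
## leading/trailing whitespace and blank lines are stripped, so the
## files may be annotated without feeding junk to iptables.
entries() {
	sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' < "$1"
}

## Abort unless $1 consists only of digits, dots and '/', i.e. looks like
## an IPv4 address or CIDR prefix.  Every entry becomes an iptables
## argument, so anything else is rejected before it gets there.
check_net() {
	case "$1" in
		''|*[!0-9./]*) die "invalid network entry: '$1'" ;;
	esac
}

## Abort unless $1 is a decimal TCP port number in 1..65535.
## The length test keeps the numeric comparisons within range.
check_port() {
	case "$1" in
		''|*[!0-9]*) die "invalid port entry: '$1'" ;;
	esac
	if [ "${#1}" -gt 5 ] || [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
		die "port out of range: '$1'"
	fi
}

## --- actions ---------------------------------------------------------------

## Load the rule set.  Any iptables failure (e.g. a chain that already
## exists from a previous start) aborts with status 1; run "stop" to clean
## up before retrying.  The INPUT hooks are not restricted to ${EXT_IF}
## and therefore apply to every interface.
fw_start() {
	need_file "${IRAN_DROPPED}"
	need_file "${IRAN_ALLOWED}"
	need_file "${IRAN_PORTS}"

	printf '%s' "Loading Iran related FW rules: "

	## Prepare statefull fw rules (fw_stop removes this rule again)
	ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	## Lock&block off the government ranges: log, then drop.
	ipt -N IRAN_DROPPED
	ipt -A IRAN_DROPPED -j LOG --log-prefix "IRAN-GOV-ACCESS:"
	ipt -A IRAN_DROPPED -j DROP
	## Each loop body runs in a pipeline subshell, so die() inside it only
	## ends that subshell; the '|| exit 1' propagates the failure.
	entries "${IRAN_DROPPED}" | while IFS= read -r net; do
		check_net "${net}"
		ipt -A INPUT -s "${net}" -j IRAN_DROPPED
	done || exit 1

	## Setup a chain of allowed iran netblocks and log&block the rest
	ipt -N IRAN_ACCESS
	entries "${IRAN_ALLOWED}" | while IFS= read -r net; do
		check_net "${net}"
		ipt -A IRAN_ACCESS -s "${net}" -j ACCEPT
	done || exit 1
	ipt -A IRAN_ACCESS -j LOG --log-prefix "ILLEGAL-PROXY-ACCESS:"
	ipt -A IRAN_ACCESS -j DROP

	## Hookup your listening ports to the chain
	entries "${IRAN_PORTS}" | while IFS= read -r port; do
		check_port "${port}"
		ipt -A INPUT -p tcp --dport "${port}" -m state --state NEW -j IRAN_ACCESS
	done || exit 1
	printf '%s\n' "done"
}

## Unload the rule set.  Every step is best effort: a rule or chain that
## is already gone is reported on stderr but does not stop the cleanup.
fw_stop() {
	printf '%s' "Unloading Iran related FW rules: "

	## Remove the chain from the listening ports
	if [ -r "${IRAN_PORTS}" ]; then
		entries "${IRAN_PORTS}" | while IFS= read -r port; do
			ipt_try -D INPUT -p tcp --dport "${port}" -m state --state NEW -j IRAN_ACCESS
		done
	else
		warn "cannot read ${IRAN_PORTS}; port hooks left in INPUT"
	fi

	## Flush & remove the chains
	ipt_try -F IRAN_ACCESS
	ipt_try -X IRAN_ACCESS

	## Remove government ip blocks
	if [ -r "${IRAN_DROPPED}" ]; then
		entries "${IRAN_DROPPED}" | while IFS= read -r net; do
			ipt_try -D INPUT -s "${net}" -j IRAN_DROPPED
		done
	else
		warn "cannot read ${IRAN_DROPPED}; source hooks left in INPUT"
	fi
	ipt_try -F IRAN_DROPPED
	ipt_try -X IRAN_DROPPED

	## Remove the stateful rule fw_start added; without this every restart
	## left one more ESTABLISHED,RELATED rule in INPUT.  -D removes the
	## first identical rule, which may be a pre-existing one, but the
	## number of such rules stays the same.
	ipt_try -D INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	printf '%s\n' "done"
}

## --- entry point -----------------------------------------------------------

## "restart" calls the functions directly instead of re-executing "$0",
## which fails when the script is run as "sh script" without exec bit.
case "${1:-}" in
	start)
		fw_start
		;;
	stop)
		fw_stop
		;;
	restart)
		fw_stop
		sleep 1
		fw_start
		;;
	*)
		printf 'Usage: %s <start|stop|restart>\n' "$(basename "$0")" >&2
		exit 1
		;;
esac
exit 0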
