
Parameterized INPUT/OUTPUT chains

Laurent HUBERT преди 3 години
родител
ревизия
38d7361bbc
променени са 1 файла, в които са добавени 38 реда и са изтрити 31 реда
  1. 38 31
      scripts/lfirewall

+ 38 - 31
scripts/lfirewall

@@ -53,6 +53,11 @@ fi
 
 eval set -- "$options"
 
+IT_INPUT=INPUT
+IT_INPUT_LOG=LOGINPUT
+IT_OUTPUT=OUTPUT
+IT_OUTPUT_LOG=LOGOUTPUT
+
 verbose=0
 logging=" "
 
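Review bot: Nothing in this diff creates the `LOGINPUT`/`LOGOUTPUT` chains or links the built-in `INPUT`/`OUTPUT` chains to them, so the `-l` mode depends on setup that is not visible here. If that setup lives elsewhere in the script, a comment next to these assignments should say so, e.g. `# LOGINPUT/LOGOUTPUT are user-defined chains: they must be created (-N) and jumped to from INPUT/OUTPUT before fw_start adds rules to them`. If it does not exist, every rule appended to `$IT_INPUT`/`$IT_OUTPUT` in logging mode fails with a no-chain error and the host runs without those rules. The four names never change after this point and could be declared `readonly`.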
@@ -80,6 +85,8 @@ do
 			;;
 		-l|--logging)
 			logging="-j LOG --log-prefix 'iptables-logging'"
+			IT_INPUT=${IT_INPUT_LOG}
+			IT_OUTPUT=${IT_OUTPUT_LOG}
 			;;
 		--)
 			shift
@@ -194,72 +201,72 @@ fw_start () {
 	#**************************************************************************#
 
 	### Keep existing connections
-	$do_action $IPTABLES_ADD INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+	$do_action $IPTABLES_ADD $IT_INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 	# Services
 	if [ -n "$TCP_SERVICES" ] ; then
 		for PORT in $TCP_SERVICES; do
-			$do_action $IPTABLES_ADD INPUT -p tcp --dport ${PORT} -j ACCEPT
+			$do_action $IPTABLES_ADD $IT_INPUT -p tcp --dport ${PORT} -j ACCEPT
 		done
 	fi
 	if [ -n "$UDP_SERVICES" ] ; then
 		for PORT in $UDP_SERVICES; do
-			$do_action $IPTABLES_ADD INPUT -p udp --dport ${PORT} -j ACCEPT
+			$do_action $IPTABLES_ADD $IT_INPUT -p udp --dport ${PORT} -j ACCEPT
 		done
 	fi
 	# Remote management
 	if [ "${NETWORK_MGMT:=UNBOUND_VARIABLE}" != "UNBOUND_VARIABLE" ] ; then
-		$do_action $IPTABLES_ADD INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
+		$do_action $IPTABLES_ADD $IT_INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
 	else
-		$do_action $IPTABLES_ADD INPUT -p tcp --dport ${SSH_PORT}  -j ACCEPT
+		$do_action $IPTABLES_ADD $IT_INPUT -p tcp --dport ${SSH_PORT}  -j ACCEPT
 	fi
 
 	#**************************************************************************#
 	# NGINX
 	#**************************************************************************#
-	$do_action $IPTABLES_ADD INPUT -i lo -s localhost -d localhost -j ACCEPT
-	$do_action $IPTABLES_ADD OUTPUT -o lo -s localhost -d localhost -j ACCEPT
-	$do_action $IPTABLES_ADD INPUT  -p tcp --dport http -j ACCEPT
-        $do_action $IPTABLES_ADD INPUT  -p tcp --dport https -j ACCEPT
+	$do_action $IPTABLES_ADD $IT_INPUT -i lo -s localhost -d localhost -j ACCEPT
+	$do_action $IPTABLES_ADD $IT_OUTPUT -o lo -s localhost -d localhost -j ACCEPT
+	$do_action $IPTABLES_ADD $IT_INPUT  -p tcp --dport http -j ACCEPT
+	$do_action $IPTABLES_ADD $IT_INPUT  -p tcp --dport https -j ACCEPT
 
 
 	# Remote testing
 	### Allows PING
-	$do_action $IPTABLES_ADD INPUT -p icmp -j ACCEPT
+	$do_action $IPTABLES_ADD $IT_INPUT -p icmp -j ACCEPT
 
 	### Allows LOOPBACK
-	$do_action $IPTABLES_ADD INPUT -i lo -j ACCEPT
+	$do_action $IPTABLES_ADD $IT_INPUT -i lo -j ACCEPT
 
-	$IP_TABLES -P INPUT DROP
-	$do_action $IPTABLES_ADD INPUT -j LOG
+	$IP_TABLES -P $IT_INPUT DROP
+	$do_action $IPTABLES_ADD $IT_INPUT -j LOG
 
 	#**************************************************************************#
 	# Output:
 	#**************************************************************************#
 	### Allows LOOPBACK
-	$do_action $IPTABLES_ADD OUTPUT -j ACCEPT -o lo
+	$do_action $IPTABLES_ADD $IT_OUTPUT -j ACCEPT -o lo
 
 	###
-	$do_action $IPTABLES_ADD OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+	$do_action $IPTABLES_ADD $IT_OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 	# ICMP is permitted:
 	### Allows ping:
-	$do_action $IPTABLES_ADD OUTPUT -p icmp -j ACCEPT
+	$do_action $IPTABLES_ADD $IT_OUTPUT -p icmp -j ACCEPT
 
 	# As well as the services we have defined:
 	if [ -n "$REMOTE_TCP_SERVICES" ] ; then
 		for PORT in $REMOTE_TCP_SERVICES; do
-			$do_action $IPTABLES_ADD OUTPUT -p tcp --dport ${PORT} -j ACCEPT
+			$do_action $IPTABLES_ADD $IT_OUTPUT -p tcp --dport ${PORT} -j ACCEPT
 		done
 	fi
 	if [ -n "$REMOTE_UDP_SERVICES" ] ; then
 		for PORT in $REMOTE_UDP_SERVICES; do
-			$do_action $IPTABLES_ADD OUTPUT -p udp --dport ${PORT} -j ACCEPT
+			$do_action $IPTABLES_ADD $IT_OUTPUT -p udp --dport ${PORT} -j ACCEPT
 		done
 	fi
 	# All other connections are registered in syslog
-	$do_action $IPTABLES_ADD OUTPUT -j LOG
-	$do_action $IPTABLES_ADD OUTPUT -j REJECT
-	$do_action $IPTABLES_SET_POLICY OUTPUT DROP
+	$do_action $IPTABLES_ADD $IT_OUTPUT -j LOG
+	$do_action $IPTABLES_ADD $IT_OUTPUT -j REJECT
+	$do_action $IPTABLES_SET_POLICY $IT_OUTPUT DROP
 
 	$do_action $IPTABLES_ADD FORWARD -j LOG
 
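Review bot: `$IP_TABLES -P $IT_INPUT DROP` and `$do_action $IPTABLES_SET_POLICY $IT_OUTPUT DROP` set a chain policy on whatever the variables expand to, but iptables only accepts `-P` on built-in chains, so with `-l` these become `-P LOGINPUT DROP` / `-P LOGOUTPUT DROP` and are rejected. The consequence is that in logging mode the real `INPUT` and `OUTPUT` chains keep whatever policy they already had, so the firewall is fail-open unless the part of the script not shown here sets them. The policy lines should keep the built-in names, `$IP_TABLES -P INPUT DROP` and `$do_action $IPTABLES_SET_POLICY OUTPUT DROP`, while only the `-A`/`-I` rule lines use `$IT_INPUT`/`$IT_OUTPUT`; the same applies to the `-P` lines in the fw_stop and fw_clear hunks below. The first policy line also bypasses `$do_action` while the second goes through it, which would be worth aligning. fw_start begins before this hunk.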
@@ -268,10 +275,10 @@ fw_start () {
 	#**************************************************************************#
 	# See http://rockdio.org/ayudatech/how-to-stop-small-ddos-attacks-some-basic-security-advice/
 	#
-	$IP_TABLES -I INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --set
-	$IP_TABLES -I INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
-	$IP_TABLES -I INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
-	$IP_TABLES -I INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
+	$IP_TABLES -I $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --set
+	$IP_TABLES -I $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
+	$IP_TABLES -I $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
+	$IP_TABLES -I $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
 
 	#**************************************************************************#
 	# Other network protections
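Review bot: The four rate-limit rules call `$IP_TABLES -I $IT_INPUT ...` directly, whereas the rest of fw_start goes through `$do_action $IPTABLES_ADD ...`, so whatever `$do_action` provides (defined outside this hunk, presumably verbose or dry-run handling) is skipped for exactly these rules. Since the lines are being rewritten anyway, routing them through the same wrapper and quoting the interface would keep behaviour uniform, e.g. `$do_action $IP_TABLES -I $IT_INPUT -p tcp --dport 80 -i "$NETWORK_IF" -m state --state NEW -m recent --set`. fw_start continues on both sides of this hunk.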
@@ -286,8 +293,8 @@ fw_start () {
 	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
 	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
 
-	iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
-	iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
+	iptables -t filter -A $IT_OUTPUT -p tcp --dport 22 -j ACCEPT
+	iptables -t filter -A $IT_INPUT -p tcp --dport 22 -j ACCEPT
 }
 
 do_this(){
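Review bot: `iptables -t filter -A $IT_INPUT -p tcp --dport 22 -j ACCEPT` accepts SSH on port 22 from any source, which bypasses the `--src ${NETWORK_MGMT}` restriction applied to `${SSH_PORT}` earlier in fw_start whenever SSH_PORT is 22. The two rules on these lines also use the literal `iptables` and a hard-coded port instead of `$IP_TABLES` and `${SSH_PORT}` like the rest of the function, so they escape the `$do_action` wrapper as well. If the intent is a guaranteed management path, it should carry the same source restriction, e.g. `$do_action $IPTABLES_ADD $IT_INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT` under the same NETWORK_MGMT test; otherwise it duplicates the earlier SSH rule. fw_start's opening is outside this hunk, and do_this is cut off after its first line.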
@@ -305,9 +312,9 @@ fw_stop () {
 	do_this $IP_TABLES -F
 	do_this $IP_TABLES -t nat -F
 	do_this $IP_TABLES -t mangle -F
-	do_this $IP_TABLES -P INPUT DROP
+	do_this $IP_TABLES -P $IT_INPUT DROP
 	do_this $IP_TABLES -P FORWARD DROP
-	do_this $IP_TABLES -P OUTPUT ACCEPT
+	do_this $IP_TABLES -P $IT_OUTPUT ACCEPT
 }
 
 ##########################
@@ -318,9 +325,9 @@ fw_clear () {
 	do_this $IP_TABLES -F
 	do_this $IP_TABLES -t nat -F
 	do_this $IP_TABLES -t mangle -F
-	do_this $IP_TABLES -P INPUT ACCEPT
+	do_this $IP_TABLES -P $IT_INPUT ACCEPT
 	do_this $IP_TABLES -P FORWARD ACCEPT
-	do_this $IP_TABLES -P OUTPUT ACCEPT
+	do_this $IP_TABLES -P $IT_OUTPUT ACCEPT
 }
 
 ##########################