On 18/08/20 12:11, Pablo Neira Ayuso wrote:
> On Tue, Aug 18, 2020 at 07:12:38AM +0200, Mario V Guenzi wrote:
>> On 17/08/20 10:56, Pablo Neira Ayuso wrote:
>>> Hi,
>>
>>> You can set default policy to drop when defining the chain (in the
>>> same go), no need to call it twice, my suggestion for your ruleset is
>>> to place this in ruleset.nft:
>>>
>>> add table inet firewall
>>> add table inet nat
>>> add table netdev noddos
>>>
>>> add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
>>> add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
>>> add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
>>> ...
>>>
>>> my rules
>>> my rules
>>> my rules
>>>
>>
>> First, many thanks.
>> Another question, given your kindness:
>> can I use bash only to define my variables, e.g.
>> EXTIF="eth0"
>> LAN="192.168.2.0/24"
>> etc.,
>> use the variables so defined when writing the rules.nft file as per your
>> example, and then write
>> nft -f /path/rules.nft in my bash script?
>
> You can define variables in nftables, e.g.
>
> define EXTIF = "eth0"
>
> add rule inet firewall INPUT iifname $EXTIF accept
>

Again, thank you. Yes, I have read about it, but for my convenience I take the IPs with a command, and I do not believe that nft can execute it.
These are my variables. You can see how I take the IP from the eth interfaces:

NFT="$(whereis -b nft | cut -d ' ' -f 2)"
EXTIF="eth0"              ## world interface
INTIF="eth1"              ## lan interface
VPNIF="eth0:0"
LO="lo"
LO_IP="127.0.0.1"
LAN="192.168.2.0/23"      # our lan
BCAST="192.168.3.255"
EXTIP="$(ifconfig "$EXTIF" | awk '$1 == "inet" { print $2 }')"
INTIP="$(ifconfig "$INTIF" | awk '$1 == "inet" { print $2 }')"
VPNIP="$(ifconfig "$VPNIF" | awk '$1 == "inet" { print $2 }')"
CHIMERA="192.168.2.224"
GRECALE="192.168.2.251"
PERSEO="192.168.2.240"
STROMBOLI="192.168.2.232"
RESERVED_NET="0.0.0.0/8, 1.0.0.0/8, 2.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/16, 169.254.0.0/16, 172.16.0.0/12, \
192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/5"
GOOD_BOYS="2.233.119.3, 88.149.179.177, 81.208.25.146, 82.85.80.100"

-- 
Mario Vittorio Guenzi
E-mail jclark@xxxxxxxxxx
Si vis pacem, para bellum
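The workflow asked about in this thread (look the addresses up with a command in the shell, then hand a rules.nft to nft -f), as an added example that is not code from the thread or from the nftables project: the shell computes the values and writes them into the file as nftables define statements, so nft itself never has to execute anything. EXTIF and LAN mirror the variables posted above; the other addresses, the fallback 198.51.100.10 and the iface_ip4/render_ruleset helper names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): compute values in the shell, write them
# into rules.nft as nftables 'define' lines, then load the file with nft -f.
# Names mirror the variables posted above; 198.51.100.10 (TEST-NET-2) is a
# constructed fallback for hosts where the interface does not exist.
EXTIF="eth0"
LAN="192.168.2.0/23"
RESERVED_NET="0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, \
192.168.0.0/16, 224.0.0.0/4"
GOOD_BOYS="203.0.113.1, 203.0.113.2"   # constructed sample admin hosts
# First IPv4 address of an interface via ip(8) one-line output; empty if none.
iface_ip4() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ sub("/.*", "", $4); print $4; exit }'
}
# "a, b, c" -> "{ a, b, c }" for an nft set; whitespace from \-continued lines is squeezed.
to_nft_set() {
    printf '{ %s }\n' "$(printf '%s' "$1" | tr '\n' ' ' | tr -s ' ' | sed 's/^ //; s/ $//')"
}
# Shell values become nft defines; the \$ in the rules is escaped so that nft,
# not the shell, expands those references.  args: extif extip lan reserved good
render_ruleset() {
    cat <<EOF
define EXTIF = "$1"
define EXTIP = $2
define LAN = $3
define RESERVED_NET = $(to_nft_set "$4")
define GOOD_BOYS = $(to_nft_set "$5")
flush ruleset
add table inet firewall
add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
add rule inet firewall INPUT iif lo accept
add rule inet firewall INPUT ct state established,related accept
add rule inet firewall INPUT iifname \$EXTIF ip saddr \$RESERVED_NET counter drop
add rule inet firewall INPUT iifname \$EXTIF ip daddr \$EXTIP ip saddr \$GOOD_BOYS tcp dport 22 accept
add rule inet firewall INPUT ip saddr \$LAN accept
EOF
}
# Syntax-check with nft -c before loading, so a typo never half-applies a ruleset.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    render_ruleset "$@" >"$tmp" && nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?; rm -f "$tmp"; return $rc
}
EXTIP=$(iface_ip4 "$EXTIF"); EXTIP=${EXTIP:-198.51.100.10}
if [ "${1:-}" = "--apply" ]; then
    apply_ruleset "$EXTIF" "$EXTIP" "$LAN" "$RESERVED_NET" "$GOOD_BOYS"
else
    render_ruleset "$EXTIF" "$EXTIP" "$LAN" "$RESERVED_NET" "$GOOD_BOYS"   # dry run
fi
```

Run without arguments to print the generated rules.nft for review; run with --apply (as root) to check and load it. Because the file begins with flush ruleset, re-running the script replaces the ruleset in one transaction instead of appending duplicate rules.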