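#!/bin/sh
# firewall
#
# Init script for the iptables NAT firewall between the LAN and the
# Internet.  Usage: firewall {start|stop|restart|status}
#
# Configuration comes from /etc/sysconfig/network/network-parameters:
#   FIREWALL_ENA  "yes"/"Yes"/"YES" enables the firewall; any other value
#                 makes this script exit with EXIT_CODE_WARNING.
#   FIREWALL_WWW  name of the external (Internet-facing) interface.
#   FIREWALL_LAN  name of the internal (LAN) interface.
# log_script_name, msg_log, cmd_run_log_box and the EXIT_CODE_* values
# are provided by /etc/rc.d/init.d/functions.

# Source functions library.  '.' rather than 'source': this script runs
# under #!/bin/sh and 'source' is a bash extension.
. /etc/rc.d/init.d/functions
log_script_name "$0 $*"

# Load global network parameters
. /etc/sysconfig/network/network-parameters

case "${FIREWALL_ENA}" in
  yes|Yes|YES)
    ;;
  *)
    # Firewall is not enabled
    msg_log "Firewall disabled in '/etc/sysconfig/network/network-parameters'"
    exit ${EXIT_CODE_WARNING}
    ;;
esac

# Setting the EXTERNAL and INTERNAL interfaces for the network
# from values in /etc/sysconfig/network/network-parameters:
INTERNET=${FIREWALL_WWW}
INTRANET=${FIREWALL_LAN}

#######################################
# Load the netfilter modules, install the rule set and tune the IPv4
# sysctls.  Each group of commands is chained with && and followed by
# "|| return 1", so the first failing command aborts the start.
# Globals:  INTERNET, INTRANET (read)
# Returns:  0 on success, 1 on the first failed command
#######################################
firewall_start() {
  # An empty interface name would turn the rules below into malformed
  # ("-i -j ...") or wildcard ("-o +", every interface) matches; refuse
  # to continue rather than install a rule set that was not intended.
  if [ -z "${INTERNET}" ] || [ -z "${INTRANET}" ]; then
    msg_log "FIREWALL_WWW and FIREWALL_LAN must be set in '/etc/sysconfig/network/network-parameters'"
    return 1
  fi

  # Insert iptables modules (not needed if built into the kernel).
  modprobe ip_tables &&
  modprobe iptable_filter &&
  modprobe ip_conntrack &&
  modprobe ip_conntrack_ftp &&
  modprobe ipt_state &&
  modprobe iptable_nat &&
  modprobe ip_nat_ftp &&
  modprobe ipt_MASQUERADE &&
  modprobe ipt_limit &&
  modprobe ipt_LOG &&
  modprobe ipt_REJECT || return 1

  # Clearing any previous configuration.
  # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT.
  # The default for FORWARD is REJECT.
  iptables -F INPUT &&
  iptables -F OUTPUT &&
  iptables -F FORWARD &&
  iptables -t nat -F || return 1

  # Allow local-only connections: loopback and the LAN side are trusted.
  # On the Internet side only replies to connections opened from this
  # host (or from the LAN through NAT) are accepted; new inbound
  # connections fall through to the LOG rule and the INPUT DROP policy
  # set further down.  The earlier unconditional "-i ${INTERNET} -j ACCEPT"
  # let every inbound packet in, so the DROP policy never applied to that
  # side.  Any service that must accept new connections from the Internet
  # side now needs its own explicit ACCEPT rule here.
  iptables -A INPUT -i lo -j ACCEPT &&
  iptables -A INPUT -i "${INTRANET}" -j ACCEPT &&
  iptables -A INPUT -i "${INTERNET}" -m state --state ESTABLISHED,RELATED -j ACCEPT &&
  iptables -A OUTPUT -o lo -j ACCEPT &&
  iptables -A OUTPUT -o "${INTRANET}" -j ACCEPT &&
  iptables -A OUTPUT -o "${INTERNET}" -j ACCEPT || return 1

  # Allow forwarding: established flows in both directions, new flows
  # only when they arrive on an interface other than the Internet one.
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT &&
  iptables -A FORWARD -m state --state NEW -i ! "${INTERNET}+" -j ACCEPT || return 1

  # Do masquerading
  iptables -t nat -A POSTROUTING -o "${INTERNET}+" -j MASQUERADE || return 1

  # Log everything for debugging (last of all rules, but before DROP/REJECT).
  # Rate-limited so a remote host cannot fill the system log simply by
  # sending traffic that ends up at the DROP policy.
  iptables -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "FIREWALL:INPUT " &&
  iptables -A FORWARD -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "FIREWALL:FORWARD" &&
  iptables -A OUTPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "FIREWALL:OUTPUT " || return 1

  # Set a sane policy
  iptables -P INPUT DROP &&
  iptables -P FORWARD DROP &&
  iptables -P OUTPUT DROP || return 1

  # Be verbose on dynamic ip-addresses
  # If you get your IP address dynamically from SLIP, PPP, or DHCP, enable
  # this following option. This enables dynamic-address hacking which
  # makes the life with Diald and similar programs much easier.
  echo 2 > /proc/sys/net/ipv4/ip_dynaddr || return 1

  # Disable ExplicitCongestionNotification
  echo 0 > /proc/sys/net/ipv4/tcp_ecn || return 1

  # Activate TCPsyncookies
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies || return 1

  # Activate Route-Verification = IP-Spoofing_protection
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f" || return 1
  done

  # Activate IP-Forwarding.  Done last on purpose: nothing is routed
  # between the interfaces until the rules above are in place.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  return $?
}

#######################################
# Stop forwarding and open netfilter up again: the filter table is
# flushed and its counters zeroed, the listed nat/mangle chains are
# flushed, user-defined filter chains are deleted and all filter
# policies are set to ACCEPT.
# Returns:  0 on success, non-zero from the first failed command
#######################################
firewall_stop() {
  # Deactivate IP-Forwarding first, so nothing is routed while the
  # policies are being opened.
  echo 0 > /proc/sys/net/ipv4/ip_forward &&
  iptables -Z &&
  iptables -F &&
  iptables -t nat -F PREROUTING &&
  iptables -t nat -F OUTPUT &&
  iptables -t nat -F POSTROUTING &&
  iptables -t mangle -F PREROUTING &&
  iptables -t mangle -F OUTPUT &&
  iptables -X &&
  iptables -P INPUT ACCEPT &&
  iptables -P FORWARD ACCEPT &&
  iptables -P OUTPUT ACCEPT
  return $?
}

#######################################
# Tear the rule set down and build it again.
# Returns:  status of firewall_stop if it fails, else of firewall_start
#######################################
firewall_restart() {
  firewall_stop && firewall_start
  return $?
}

#######################################
# Print the mangle, nat and filter tables with counters and rule numbers.
# Outputs:  table listings on stdout
# Returns:  status of the last iptables listing
#######################################
firewall_status() {
  echo "iptables.mangling:"
  iptables -t mangle -v -L -n --line-numbers
  echo
  echo "iptables.nat:"
  iptables -t nat -v -L -n --line-numbers
  echo
  echo "iptables.filter:"
  iptables -v -L -n --line-numbers
}

case "$1" in
  start)
    cmd_run_log_box "Starting Firewall" firewall_start
    ;;
  stop)
    cmd_run_log_box "Stopping Firewall" firewall_stop
    ;;
  restart)
    cmd_run_log_box "Restarting Firewall" firewall_restart
    ;;
  status)
    firewall_status
    ;;
  *)
    # Usage errors are diagnostics, so they go to stderr.
    echo "Usage: $0 {start|stop|restart|status}" >&2
    exit ${EXIT_CODE_FAILURE}
    ;;
esac
# Propagate the status of whichever branch ran above.
exit $?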