On Sat, Sep 27, 2003 at 07:39:20AM +0100, Adam Mercer wrote:
> I've attached my firewall script...

This time really attached

Cheers

Adam
#!/sbin/runscript
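# Absolute paths to the netfilter userland tools and to the file that
# save()/restore() read and write.
IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules

# Extra commands this init script accepts besides start/stop/restart.
# 'rules' is listed here as well, since showoptions() advertises it as a
# command; without it runscript would refuse '.../firewall rules'.
opts="${opts} showstatus panic save restore showoptions rules"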

# runscript dependency hook: the network has to be up before this
# service is started.
depend() {
    need net
}

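#######################################
# Install the built-in default rule set.
# Globals:   IPTABLES (read)
# Arguments: none
# Outputs:   iptables / modprobe diagnostics
# Returns:   via eend: 0 if every rule and sysctl write succeeded,
#            otherwise the exit status of the first failing command
#######################################
rules() {
    local rc=0

    # Start from a clean slate: stop() flushes all rules and sets the
    # policies back to ACCEPT.
    stop

    # insert connection tracking modules
    # (not checked: on kernels with these built in, modprobe fails harmlessly)
    modprobe ip_tables
    modprobe iptable_filter
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ipt_state
    modprobe ipt_LOG
    modprobe iptable_nat

    # Set the default policies to DROP *before* the accept rules are added.
    # stop() leaves every chain at ACCEPT, so setting the policies last (as
    # the original order did) opens a window in which all traffic is accepted
    # while the rules are being installed. Packets of existing sessions are
    # only delayed by this, not reset.
    ${IPTABLES} -P INPUT DROP || rc=$?
    ${IPTABLES} -P FORWARD DROP || rc=$?
    ${IPTABLES} -P OUTPUT DROP || rc=$?

    # allow local-only connections
    ${IPTABLES} -A INPUT -i lo -j ACCEPT || rc=$?

    # free output on any interface to any ip for any service
    ${IPTABLES} -A OUTPUT -j ACCEPT || rc=$?

    # permit answers on already established connections
    # and permit new connections related to established ones
    ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || rc=$?

    # allow incoming ssh connections (on every interface, from any source)
    ${IPTABLES} -A INPUT -p tcp --dport ssh -j ACCEPT || rc=$?

    # NAT
    # NOTE: the FORWARD policy is DROP and no FORWARD rules are added here,
    # so masqueraded hosts are not actually forwarded until such rules exist.
    ${IPTABLES} -t nat -A POSTROUTING -o eth0 -j MASQUERADE || rc=$?

    # log everything else
    # NOTE: this LOG rule is unbounded; a packet flood can fill the logs.
    # '-m limit' in front of '-j LOG' would cap the rate.
    ${IPTABLES} -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " || rc=$?

    # be verbose on dynamic ip-addresses
    echo 2 > /proc/sys/net/ipv4/ip_dynaddr || rc=$?

    # disable ExplicitCongestionNotification
    echo 0 > /proc/sys/net/ipv4/tcp_ecn || rc=$?

    # turn on IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward || rc=$?

    # Report the accumulated status instead of just the last echo's.
    eend ${rc}
}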

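#######################################
# Start the firewall: load the saved rule set if one exists, otherwise
# install the built-in default rules.
# Globals:   FIREWALL (read)
# Arguments: none
# Returns:   via eend: status of restore() or rules()
#######################################
start() {
    ebegin "Starting firewall"
    if [ -e "${FIREWALL}" ]; then
        restore
    else
        # message grammar fixed ("does not exists" -> "does not exist")
        einfo "${FIREWALL} does not exist. Using default rules."
        rules
    fi
    eend $?
}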

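#######################################
# Stop the firewall: flush the filter and nat tables, delete user chains
# and set every policy to ACCEPT (i.e. the host is left unfiltered).
# Globals:   IPTABLES (read)
# Arguments: none
# Returns:   via eend: 0 if every command succeeded, otherwise the exit
#            status of the first failing command (the original only
#            reported the last policy change)
#######################################
stop() {
    local rc=0
    ebegin "Stopping firewall"
    ${IPTABLES} -F || rc=$?
    ${IPTABLES} -t nat -F || rc=$?
    ${IPTABLES} -X || rc=$?
    ${IPTABLES} -P FORWARD ACCEPT || rc=$?
    ${IPTABLES} -P INPUT   ACCEPT || rc=$?
    ${IPTABLES} -P OUTPUT  ACCEPT || rc=$?
    eend ${rc}
}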

#######################################
# Print the current rules of the filter table, then of the nat table,
# with packet counters and line numbers.
# Globals:   IPTABLES (read)
# Arguments: none
# Outputs:   rule listings on stdout
# Returns:   via eend: status of the nat listing
#######################################
showstatus() {
    # same listing switches for both tables
    local -a list_args=(-L -n -v --line-numbers)
    ebegin "Status"
    ${IPTABLES} "${list_args[@]}"
    einfo "NAT status"
    ${IPTABLES} "${list_args[@]}" -t nat
    eend $?
}

#######################################
# Lock the host down: drop all traffic on every chain except loopback.
# Globals:   IPTABLES (read)
# Arguments: none
# Returns:   via eend: status of the last rule insertion
#######################################
panic() {
    local chain
    ebegin "Setting panic rules"
    # clear the filter table (rules and user chains) and the nat table
    ${IPTABLES} -F
    ${IPTABLES} -X
    ${IPTABLES} -t nat -F
    # default policy DROP on every built-in chain
    for chain in FORWARD INPUT OUTPUT; do
        ${IPTABLES} -P "${chain}" DROP
    done
    # loopback stays usable
    ${IPTABLES} -A INPUT -i lo -j ACCEPT
    ${IPTABLES} -A OUTPUT -o lo -j ACCEPT
    eend $?
}

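#######################################
# Persist the active rule set to ${FIREWALL} for restore()/start().
# Globals:   IPTABLESSAVE, FIREWALL (read)
# Arguments: none
# Returns:   via eend: 0 on success, otherwise the failing command's status
#######################################
save() {
    local tmp rc
    ebegin "Saving Firewall rules"
    # Write to a temporary file next to the target and rename it into
    # place only on success. Redirecting iptables-save straight into
    # ${FIREWALL} truncates the file first, so a failed save would leave
    # an empty rules file that start() would then "restore" without
    # complaint, leaving the host unfiltered.
    tmp=$(mktemp "${FIREWALL}.XXXXXX")
    rc=$?
    if [ ${rc} -eq 0 ]; then
        ${IPTABLESSAVE} > "${tmp}" && mv -f -- "${tmp}" "${FIREWALL}"
        rc=$?
        [ ${rc} -eq 0 ] || rm -f -- "${tmp}"
    fi
    eend ${rc}
}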

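#######################################
# Load the rule set saved in ${FIREWALL} (path now quoted so a path
# containing whitespace cannot break the redirection).
# Globals:   IPTABLESRESTORE, FIREWALL (read)
# Arguments: none
# Returns:   via eend: status of iptables-restore
#######################################
restore() {
    ebegin "Restoring Firewall rules"
    ${IPTABLESRESTORE} < "${FIREWALL}"
    eend $?
}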

# Restart through the runscript helpers so the regular stop/start
# handling (including its hooks) is used.
restart() {
    svc_stop
    svc_start
}

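#######################################
# Print the usage text. Every command the script offers is now listed
# and described (the original omitted rules/showoptions from the usage
# line and had no description for panic, restart and showoptions).
# Globals:   FIREWALL (read)
# Arguments: none
# Outputs:   help text on stdout
#######################################
showoptions() {
    echo "Usage: $0 {start|stop|restart|rules|save|restore|panic|showstatus|showoptions}"
    echo "start)       restore settings from ${FIREWALL} if it exists, else force rule settings"
    echo "stop)        delete all rules and set all policies to accept"
    echo "restart)     stop followed by start"
    echo "rules)       force settings of new rules"
    echo "save)        store settings in ${FIREWALL}"
    echo "restore)     restore settings from ${FIREWALL}"
    echo "panic)       drop all traffic except on the loopback interface"
    echo "showstatus)  show the current filter and nat rules"
    echo "showoptions) show this help"
}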

--
[EMAIL PROTECTED] mailing list
