On Sat, Sep 27, 2003 at 07:39:20AM +0100, Adam Mercer wrote: > I've attached my firewall script...
This time it is really attached. Cheers, Adam
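#!/sbin/runscript
# Gentoo init script for a small iptables firewall / NAT gateway.
#
# Commands: start stop restart rules save restore panic showstatus showoptions
# File:     ${FIREWALL} - rule set written by 'save', read by 'start'/'restore'
#
# 'start' restores the saved rule set when ${FIREWALL} exists and is not
# empty, otherwise it installs the built-in defaults from rules().  Kernel
# sysctls and the conntrack helper modules are applied on BOTH paths.
# Only IPv4 (iptables) is configured; ip6tables is not touched here.

IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules

# 'rules' is documented in showoptions() but was missing from opts, so
# runscript rejected it as an unknown command.
opts="${opts} rules showstatus panic save restore showoptions"

depend() {
	need net
}

# Load the netfilter modules the rule set depends on.
# Also needed on the restore path: iptables-restore does not load the
# ip_conntrack_ftp helper by itself, so after a reboot that restored from
# ${FIREWALL} FTP data connections would not match RELATED.
load_modules() {
	local mod
	for mod in ip_tables iptable_filter ip_conntrack ip_conntrack_ftp \
	           ipt_state ipt_LOG ipt_limit iptable_nat; do
		modprobe "${mod}"
	done
}

# Kernel settings for the gateway role.
# Separate from rules() because iptables-restore restores rules only; a
# boot that took the restore path would otherwise come up with
# ip_forward=0 and the MASQUERADE rule would never see any traffic.
set_sysctls() {
	# be verbose on dynamic ip-addresses
	echo 2 > /proc/sys/net/ipv4/ip_dynaddr
	# disable ExplicitCongestionNotification
	echo 0 > /proc/sys/net/ipv4/tcp_ecn
	# reject packets whose source address would not be routed back out
	# the interface they arrived on (basic anti-spoofing for a router)
	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
	# turn on IP forwarding
	echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Install the default rule set from scratch.
# The DROP policies are set BEFORE the chains are flushed so the host is
# never open while rules are being (re)installed.  The previous version
# called stop() first, which left every policy at ACCEPT until the very
# last lines of this function.
rules() {
	load_modules

	"${IPTABLES}" -P INPUT DROP
	"${IPTABLES}" -P FORWARD DROP
	"${IPTABLES}" -P OUTPUT DROP
	"${IPTABLES}" -F
	"${IPTABLES}" -t nat -F
	"${IPTABLES}" -X

	# allow local-only connections
	"${IPTABLES}" -A INPUT -i lo -j ACCEPT

	# free output on any interface to any ip for any service
	"${IPTABLES}" -A OUTPUT -j ACCEPT

	# permit answers on already established connections
	# and permit new connections related to established ones
	"${IPTABLES}" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	# packets conntrack cannot associate with any connection are never wanted
	"${IPTABLES}" -A INPUT -m state --state INVALID -j DROP

	# allow incoming ssh connections (new connections = TCP SYN only).
	# NOTE: this is reachable from every source address; add '-s <net>'
	# if the set of admin hosts is known.
	"${IPTABLES}" -A INPUT -p tcp --syn --dport ssh -j ACCEPT

	# NAT for hosts behind this box, leaving via eth0
	"${IPTABLES}" -t nat -A POSTROUTING -o eth0 -j MASQUERADE
	# FORWARD policy is DROP and nothing below accepts NEW connections from
	# the internal interface, so nothing is actually masqueraded until such
	# a rule is added (the internal interface name is not known to this
	# script).  Return traffic of forwarded connections is accepted here so
	# that rule only has to cover the NEW direction.
	"${IPTABLES}" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

	# log everything else, rate limited so a flood cannot fill the logs
	"${IPTABLES}" -A INPUT -m limit --limit 5/min --limit-burst 10 \
		-j LOG --log-prefix "FIREWALL:INPUT "
	# everything not accepted is dropped by the INPUT policy set above

	set_sysctls
	eend $?
}

start() {
	ebegin "Starting firewall"
	# -s: an empty rules file would otherwise "restore" nothing and leave
	# the kernel's default ACCEPT policies in place
	if [ -s "${FIREWALL}" ]; then
		if ! restore; then
			einfo "Restoring ${FIREWALL} failed. Using default rules."
			rules
		fi
	else
		einfo "${FIREWALL} missing or empty. Using default rules."
		rules
	fi
	eend $?
}

# Remove every rule and open all chains (policy ACCEPT).  This is the
# documented meaning of 'stop'; use 'panic' to close the host instead.
# Forwarding is switched off too: with ACCEPT policies and no NAT the box
# would otherwise route anything sent through it.
stop() {
	ebegin "Stopping firewall"
	"${IPTABLES}" -F
	"${IPTABLES}" -t nat -F
	"${IPTABLES}" -X
	"${IPTABLES}" -P FORWARD ACCEPT
	"${IPTABLES}" -P INPUT ACCEPT
	"${IPTABLES}" -P OUTPUT ACCEPT
	echo 0 > /proc/sys/net/ipv4/ip_forward
	eend $?
}

showstatus() {
	ebegin "Status"
	"${IPTABLES}" -L -n -v --line-numbers
	einfo "NAT status"
	"${IPTABLES}" -L -n -v --line-numbers -t nat
	eend $?
}

# Close the host completely: only loopback traffic passes.
# Policies are set before flushing so there is no window with open chains.
# Note that this also cuts the current ssh session (no ESTABLISHED rule).
panic() {
	ebegin "Setting panic rules"
	"${IPTABLES}" -P FORWARD DROP
	"${IPTABLES}" -P INPUT DROP
	"${IPTABLES}" -P OUTPUT DROP
	"${IPTABLES}" -F
	"${IPTABLES}" -X
	"${IPTABLES}" -t nat -F
	"${IPTABLES}" -A INPUT -i lo -j ACCEPT
	"${IPTABLES}" -A OUTPUT -o lo -j ACCEPT
	echo 0 > /proc/sys/net/ipv4/ip_forward
	eend $?
}

# Write the running rule set to ${FIREWALL}.
# The file is written root-only (it reveals the network layout) and moved
# into place only when iptables-save succeeded, so a failed save never
# leaves a truncated file for the next 'start' to restore.
save() {
	ebegin "Saving Firewall rules"
	local tmp="${FIREWALL}.tmp"
	local rv
	( umask 077 && "${IPTABLESSAVE}" > "${tmp}" ) && mv -f -- "${tmp}" "${FIREWALL}"
	rv=$?
	[ "${rv}" -eq 0 ] || rm -f -- "${tmp}"
	eend "${rv}"
}

restore() {
	ebegin "Restoring Firewall rules"
	local rv
	load_modules
	"${IPTABLESRESTORE}" < "${FIREWALL}"
	rv=$?
	# iptables-restore leaves the kernel settings alone; apply them so a
	# boot that restores from ${FIREWALL} forwards and NATs like rules()
	[ "${rv}" -eq 0 ] && set_sysctls
	eend "${rv}"
}

restart() {
	svc_stop; svc_start
}

showoptions() {
	echo "Usage: $0 {start|stop|restart|rules|save|restore|panic|showstatus|showoptions}"
	echo "start) will restore setting if exists else force rule settings"
	echo "stop) delete all rules and set all to accept"
	echo "rules) force settings of new rules"
	echo "save) will store settings in ${FIREWALL}"
	echo "restore) will restore settings from ${FIREWALL}"
	echo "panic) drop everything except loopback traffic"
	echo "showstatus) Shows the status"
}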