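#!/bin/bash
#
# firewall      IPv4/IPv6 firewalling
#
# (P) & (C) 2004-2007 by
#   AERAsec Network Services and Security GmbH, Peter Bieringer
#   and
#   Peter Bieringer
#
# description: This script sets various IPv4/IPv6 related firewall rules
#
# chkconfig: 2345 13 87
#
# processname: firewall
#
# Changes:
#  20070529/PB: add support for OpenWRT, minor rewrite
#
# Notes:
#  - $LIBFILE and $CONFIGFILE are *sourced* below, i.e. executed as root at
#    boot. Whoever can write them controls the firewall (and the host), so
#    keep both root-owned and not group/world-writable.
#  - Kept POSIX-sh compatible ([ ], no arrays): on OpenWRT the interpreter
#    may be busybox ash even though the shebang names bash.

# Print a fatal diagnostic to stderr and exit 1.
fail() {
  echo "$@" >&2
  exit 1
}

# Action depending on Linux release
if [ -f /etc/openwrt_version ]; then
  # OpenWRT
  # Location of firewall library file
  LIBFILE="/etc/init.d/firewall-lib"
  # Location of firewall config file
  CONFIGFILE="/etc/firewall"
  # Location of lock file
  LOCKFILE="/var/lock/firewall"
  # Workaround for missing function library
  STARTUP_OK=0
else
  # Default (Red Hat/CentOS/Fedora Linux)
  # Source function library.
  . /etc/rc.d/init.d/functions
  # Get config.
  . /etc/sysconfig/network
  # Check that networking is up. Quoted so that an unset NETWORKING gives
  # a plain string comparison instead of a test syntax error.
  if [ "${NETWORKING}" = "no" ]; then
    exit 0
  fi
  # Location of firewall library file
  LIBFILE="/etc/rc.d/init.d/firewall-lib"
  # Location of firewall config file
  CONFIGFILE="/etc/sysconfig/firewall"
  # Location of lock file
  LOCKFILE="/var/lock/subsys/firewall"
fi

# Source firewall library (must exist and must source cleanly)
[ -f "$LIBFILE" ] || fail "MAJOR PROBLEM: firewall library file missing: $LIBFILE"
. "$LIBFILE" || fail "MAJOR PROBLEM: firewall library file has problems, fix it: $LIBFILE"

# Source user configuration (must exist and must source cleanly)
[ -f "$CONFIGFILE" ] || fail "MAJOR PROBLEM: configuration file missing: $CONFIGFILE"
. "$CONFIGFILE" || fail "MAJOR PROBLEM: configuration file has problems, fix it: $CONFIGFILE"

#######################################
# Show info: list every loaded iptables/ip6tables table with counters.
# Reads the table names straight from /proc (no 'cat | while' subshell).
# The ip6 part is skipped when /proc/net/ip6_tables_names is absent so
# that a status call does not autoload the IPv6 module.
# Outputs: rule listings to stdout
#######################################
showinfo() {
  local table
  if [ -f /proc/net/ip_tables_names ]; then
    while read -r table; do
      echo "# Table: $table"
      /sbin/iptables -n -v -L -t "$table"
    done < /proc/net/ip_tables_names
  fi
  if [ -f /proc/net/ip6_tables_names ]; then
    # Only if IPv6 is active (prohibit autoload of IPv6 module)
    while read -r table; do
      echo "# Table: $table"
      /sbin/ip6tables -n -v -L -t "$table"
    done < /proc/net/ip6_tables_names
  fi
}

# Insert Firewall rules
fwrules_insert() {
  # firewall_rules is defined in the user configuration ($CONFIGFILE)
  firewall_rules
}

# Remove rulesets
fwrules_remove() {
  firewall_remove_rules
}

# Set ruleset to insecure (default policies ACCEPT)
fwrules_accept_all() {
  firewall_accept_all
}

case "$1" in
  'start')
    echo "firewall: starting..."
    if [ -f "$LOCKFILE" ]; then
      # Warning only, as before: refusing to start on a leftover lock file
      # would leave the host without a firewall, so rules are inserted anyway.
      printf '\a Already running, stop first!\n'
    fi
    fwrules_insert
    [ -n "$LOCKFILE" ] && touch "$LOCKFILE"
    # Start accounting (optional)
    if [ -x /usr/local/sbin/ipacc-get ]; then
      echo "Start accounting (ipacc-get)"
      /usr/local/sbin/ipacc-get start
    fi
    ;;
  'stop')
    # Interactive stop outside halt/reboot: give the operator 10 s to abort
    if [ "$2" != "fast" ] && [ -t 0 ]; then
      if [ "$RUNLEVEL" != "6" ] && [ "$RUNLEVEL" != "0" ]; then
        echo "WARNING: You really want to stop firewalling? You have 10 seconds for a break!"
        sleep 10
      fi
    fi
    # Stop accounting
    if [ -x /usr/local/sbin/ipacc-get ]; then
      echo "Stop accounting (ipacc-get)"
      /usr/local/sbin/ipacc-get stop
    fi
    echo "firewall: stop firewalling (this will normally block all traffic)..."
    fwrules_remove
    echo
    [ -n "$LOCKFILE" ] && rm -f "$LOCKFILE"
    ;;
  'insecure')
    # Pass "fast" through when given; pass nothing (not an empty word) otherwise
    "$0" stop ${2:+"$2"}
    echo "firewall: reset default policies to ACCEPT"
    fwrules_accept_all
    ;;
  'restart'|'reload')
    "$0" stop fast
    "$0" start
    exit $?
    ;;
  'status')
    showinfo
    exit 0
    ;;
  *)
    echo "firewall: usage: $0 {start|stop [fast]|restart|status|insecure [fast]}"
    exit 1
    ;;
esac
rc=$?
# OpenWRT sets STARTUP_OK=0 above; elsewhere it is unset and the status of
# the last command is returned, matching the former unquoted 'exit $STARTUP_OK'.
exit "${STARTUP_OK:-$rc}"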