#!/bin/bash
# ---------------------------------------------------------------------------
# Slackware init script for iptables firewall:
# /etc/rc.d/rc.firewall
# Written by Eric Hameleers <alien@slackware.com> for the liveslak project.
# ---------------------------------------------------------------------------
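# Specify path to the iptables binaries:
IPT_PATH="/usr/sbin"
# Save location for firewall rules (iptables-save output, one file per family):
FW_DIR="/etc/firewall"
# Create it readable by root only: the saved rulesets spell out exactly what
# this host exposes, which unprivileged local users have no need to read.
[ -d "$FW_DIR" ] || mkdir -p -m 700 -- "$FW_DIR"
# Is IPv6 usable on this computer?
# /proc/net/if_inet6 exists only once the kernel's IPv6 code is initialised,
# and the module parameter reads "1" when booted with ipv6.disable=1.  The
# parameter file is absent on kernels built without IPv6, so its read is
# guarded: an unreadable file must not be mistaken for "IPv6 enabled".
if [ -e /proc/net/if_inet6 ] \
   && [ "$(cat /sys/module/ipv6/parameters/disable 2>/dev/null)" != "1" ]; then
  HAVE_IPV6=1
else
  HAVE_IPV6=0
fi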
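fwflush() {
  # Reset one address family to "no filtering": default policies ACCEPT, every
  # rule flushed, every user-defined chain deleted and counters zeroed, across
  # the filter, nat (IPv4 only), mangle and raw tables.
  # $1 - binary name under IPT_PATH: "iptables" (default) or "ip6tables".
  # NOTE: on return the host is wide open.  fw_start is expected to follow
  # immediately unless an open host is the intent (stop/flush).
  local ipt_name=${1:-iptables}
  local ipt="${IPT_PATH}/${ipt_name}"
  local table
  # Policies first, so nothing below can leave a DROP policy with no rules.
  "$ipt" -P INPUT ACCEPT
  "$ipt" -P FORWARD ACCEPT
  "$ipt" -P OUTPUT ACCEPT
  # filter table: flush rules, delete user chains, zero counters.
  "$ipt" -F
  "$ipt" -X
  "$ipt" -Z
  # Remaining tables, in the same order as before: nat, mangle, raw.
  for table in nat mangle raw; do
    # The ip6tables nat table is deliberately left alone (older kernels have
    # none); if IPv6 NAT rules were ever added they survive this flush.
    if [ "$table" = nat ] && [ "$ipt_name" = ip6tables ]; then
      continue
    fi
    "$ipt" -t "$table" -F
    "$ipt" -t "$table" -X
  done
}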
basic_protection() {
  # Kernel-level hardening written to /proc/sys/net/ipv4 before any rules are
  # restored.  Each entry is "path-below-net/ipv4=value"; they are applied in
  # the order listed.  Only the conf/all/ knobs are set here; per-interface
  # conf/<if>/ values are left as the kernel defaults them.
  # NOTE(review): log_martians=0 switches off logging of spoofed/source-routed
  # packets, which costs visibility; a host that ships logs may prefer 1.
  local setting
  local -a settings=(
    "ip_forward=0"                          # this host does not route
    "tcp_syncookies=1"                      # survive SYN floods
    "conf/all/accept_redirects=0"           # ignore ICMP redirects
    "conf/all/secure_redirects=1"           # only matters if redirects are accepted: gateways from the default list only
    "conf/all/send_redirects=0"             # never emit redirects ourselves
    "icmp_ignore_bogus_error_responses=1"   # do not log bogus ICMP errors
    "icmp_echo_ignore_broadcasts=1"         # no smurf amplification
    "conf/all/accept_source_route=0"        # drop source-routed packets
    "conf/all/log_martians=0"               # see note above
  )
  for setting in "${settings[@]}"; do
    echo "${setting#*=}" > "/proc/sys/net/ipv4/${setting%%=*}"
  done
}
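fw_start() {
  # Apply the kernel sysctl hardening, then load the rulesets saved by fw_save.
  # Returns non-zero when a *-restore fails: after fw_flush the policies are
  # ACCEPT, so a failed restore would otherwise leave the host unfiltered with
  # nothing but iptables' own stderr to show for it.
  local dir=${FW_DIR:-/etc/firewall}
  local rc=0
  echo "Loading firewall rules..."
  # Apply basic protection in the kernel:
  basic_protection
  # Restore firewall rules:
  if [ -f "$dir/ipv4" ]; then
    if ! "${IPT_PATH}/iptables-restore" < "$dir/ipv4"; then
      echo "** Restoring $dir/ipv4 FAILED - IPv4 traffic is not filtered!" >&2
      rc=1
    fi
  else
    echo "** No saved ipv4 firewall rules found. Run 'myfwconf' first."
  fi
  # ip6tables is only touched when the kernel has IPv6 (HAVE_IPV6 is set at
  # the top of this script).
  if [ "$HAVE_IPV6" -eq 1 ]; then
    if [ -f "$dir/ipv6" ]; then
      if ! "${IPT_PATH}/ip6tables-restore" < "$dir/ipv6"; then
        echo "** Restoring $dir/ipv6 FAILED - IPv6 traffic is not filtered!" >&2
        rc=1
      fi
    else
      echo "** No saved ipv6 firewall rules found. Run 'myfwconf' first."
    fi
  fi
  return "$rc"
}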
fw_reload() {
  # Tear every rule down, then load the saved rulesets again.  Between the two
  # steps the default policies are ACCEPT, so there is a short window with no
  # filtering at all; if the restore step fails, the host stays in that state.
  local step
  for step in fw_flush fw_start; do
    "$step"
  done
}
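fw_save() {
  # Persist the live rulesets so fw_start can restore them at boot.
  # Each family is probed first with a silent listing, so a kernel without that
  # family neither prints a listing nor leaves an empty file behind.  The
  # *-save output goes to a 0600 temp file that is renamed into place only on
  # success: a failed or interrupted save never truncates the previous good
  # ruleset, and the rules (which describe the host's exposure) are not
  # world-readable.
  local dir=${FW_DIR:-/etc/firewall}
  local entry ipt out tmp
  echo "Saving firewall rules..."
  [ -d "$dir" ] || mkdir -p -- "$dir"
  for entry in iptables:ipv4 ip6tables:ipv6; do
    ipt=${entry%%:*}
    out="$dir/${entry#*:}"
    # Listing succeeds only when the kernel supports this family.
    "${IPT_PATH}/${ipt}" -L -n >/dev/null 2>&1 || continue
    # mktemp creates the file mode 0600; mv keeps that mode on the target.
    if ! tmp=$(mktemp -- "${out}.XXXXXX"); then
      echo "** Cannot create a temporary file in $dir; $out not saved" >&2
      continue
    fi
    if "${IPT_PATH}/${ipt}-save" > "$tmp"; then
      mv -f -- "$tmp" "$out"
    else
      echo "** ${ipt}-save failed; keeping the previous $out" >&2
      rm -f -- "$tmp"
    fi
  done
}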
fw_flush() {
  # Drop every rule and user-defined chain in both families, zero the counters
  # and reset the default policies to ACCEPT.  This is what "stop" runs, so
  # stopping the firewall leaves the host completely open, not isolated.
  local family
  echo "Flushing firewall rules..."
  for family in iptables ip6tables; do
    # IPv6 tables are only flushed when the kernel has IPv6 (HAVE_IPV6).
    if [ "$family" = ip6tables ]; then
      [ "$HAVE_IPV6" -eq 1 ] || continue
    fi
    fwflush "$family"
  done
}
fw_status() {
  # Print the live filter table of each family.  A failed listing is reported
  # as missing kernel support; HAVE_IPV6 is deliberately not consulted here so
  # that the output reflects what the kernel actually has.
  # The "! cmd && echo" form keeps the function's exit status the same as a
  # "[ $? -ne 0 ] && echo" chain would.
  ! "${IPT_PATH}/iptables" -L -n 2>/dev/null \
    && echo "** No ipv4 support in the kernel!"
  ! "${IPT_PATH}/ip6tables" -L -n 2>/dev/null \
    && echo "** No ipv6 support in the kernel!"
}
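# Dispatch on the init action.  start and reload exit non-zero when loading the
# rules failed, so the boot scripts (or an operator) can tell that the host is
# running without its filter; the usage text goes to stderr like any other
# diagnostic.  stop/flush/save/status keep the historical exit 0.
case "$1" in
  start)
    fw_start || exit 1
    ;;
  stop|flush)
    fw_flush
    ;;
  reload)
    fw_reload || exit 1
    ;;
  save)
    fw_save
    ;;
  status)
    fw_status
    ;;
  *)
    echo "Usage: $0 start|stop|reload|save|flush|status" >&2
    exit 1
    ;;
esac
exit 0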