#!/bin/bash
# ---------------------------------------------------------------------------
# Slackware init script for iptables firewall:
# /etc/rc.d/rc.firewall
# Written by Eric Hameleers <alien@slackware.com> for the liveslak project.
# ---------------------------------------------------------------------------
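# Specify path to the iptables binaries:
IPT_PATH="/usr/sbin"
# Save location for firewall rules.  The saved dumps describe exactly which
# ports and hosts this machine exposes, so the directory is created root-only
# (-m only applies on creation; an already existing directory is left as is):
[ -d /etc/firewall ] || mkdir -m 0700 /etc/firewall
# Is ipv6 supported on this computer?
# The sysfs knob is absent when the ipv6 module is not loaded at all; in that
# case the read is silenced and ipv6 is treated as available, and the
# ip6tables calls will report the problem themselves.
IPV6_DISABLED=$(cat /sys/module/ipv6/parameters/disable 2>/dev/null)
if [ "${IPV6_DISABLED:-0}" -eq 1 ]; then
  HAVE_IPV6=0
else
  HAVE_IPV6=1
fi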
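fwflush() {
  # Reset one firewall family to a fully open state: built-in policies set
  # to ACCEPT, every table flushed, user-defined chains deleted and counters
  # zeroed.  The host is unprotected until rules are restored again.
  # Arguments: $1 - binary name, "iptables" (default) or "ip6tables"
  # Globals:   IPT_PATH (read)
  local ipt="${1:-iptables}"
  local -r bin="${IPT_PATH}/${ipt}"
  # Open the policies first: flushing rules while a policy is DROP could
  # lock out the very session running this script.
  "$bin" -P INPUT ACCEPT
  "$bin" -P FORWARD ACCEPT
  "$bin" -P OUTPUT ACCEPT
  # filter table: flush rules, delete custom chains, zero counters:
  "$bin" -F
  "$bin" -X
  "$bin" -Z
  # The nat table is only handled for ipv4; ip6tables may not provide one on
  # every kernel and would just emit errors.
  if [ "$ipt" != "ip6tables" ]; then
    "$bin" -t nat -F
    "$bin" -t nat -X
  fi
  # mangle and raw tables exist for both families:
  "$bin" -t mangle -F
  "$bin" -t mangle -X
  "$bin" -t raw -F
  "$bin" -t raw -X
}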
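# Write one value into a /proc/sys knob.  A knob that does not exist on this
# kernel is reported and skipped, so one missing feature never aborts the
# rest of the hardening list.
# Arguments: $1 - /proc/sys path, $2 - value to write
_fw_sysctl() {
  if [ -e "$1" ]; then
    echo "$2" > "$1"
  else
    echo "** $1 not present on this kernel, skipped" >&2
  fi
}
basic_protection() {
  # Kernel-level hardening applied on every start, before any rules are
  # loaded.  All writes go to conf/all; interfaces that appear later may
  # also need conf/default (NOTE: confirm for hotplug setups).
  # Globals: HAVE_IPV6 (read) - when 1 the ipv6 counterparts are set too.
  # Turn off packet forwarding in the kernel (this is a host, not a router):
  _fw_sysctl /proc/sys/net/ipv4/ip_forward 0
  # Enable TCP SYN Cookie Protection:
  _fw_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
  # Disable ICMP Redirect Acceptance:
  _fw_sysctl /proc/sys/net/ipv4/conf/all/accept_redirects 0
  # Accept only from gateways in the default gateways list:
  _fw_sysctl /proc/sys/net/ipv4/conf/all/secure_redirects 1
  # Do not send Redirect Messages:
  _fw_sysctl /proc/sys/net/ipv4/conf/all/send_redirects 0
  # Enable bad error message protection:
  _fw_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  # Enable broadcast echo protection:
  _fw_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  # Disable source-routed packets:
  _fw_sysctl /proc/sys/net/ipv4/conf/all/accept_source_route 0
  # Martian (spoofed, source-routed, redirect) packets are NOT logged here;
  # set this to 1 if you want that signal in the kernel log.
  _fw_sysctl /proc/sys/net/ipv4/conf/all/log_martians 0
  # The same forwarding / redirect / source-route exposure exists for ipv6,
  # which this script also manages, so apply the counterparts when present:
  if [ "${HAVE_IPV6:-0}" -eq 1 ]; then
    _fw_sysctl /proc/sys/net/ipv6/conf/all/forwarding 0
    _fw_sysctl /proc/sys/net/ipv6/conf/all/accept_redirects 0
    _fw_sysctl /proc/sys/net/ipv6/conf/all/accept_source_route 0
  fi
}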
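fw_start() {
  # Harden the kernel and load the saved rule sets.  Note the failure mode:
  # when a saved file is missing or cannot be restored, nothing is loaded
  # and the host keeps whatever policies the kernel already has (ACCEPT by
  # default), i.e. the firewall fails open.  Run 'myfwconf' and then
  # 'rc.firewall save' to create the files.
  # Globals: IPT_PATH, HAVE_IPV6 (read)
  # Returns: 0 when every attempted restore succeeded, 1 otherwise
  local rc=0
  echo "Loading firewall rules..."
  # Apply basic protection in the kernel:
  basic_protection
  # Restore firewall rules.  iptables-restore applies each table at its
  # COMMIT line, so a broken file is reported rather than half-applied;
  # the failure is made visible instead of being silently ignored.
  if [ -f /etc/firewall/ipv4 ]; then
    if ! "${IPT_PATH}/iptables-restore" < /etc/firewall/ipv4; then
      echo "** Restoring ipv4 firewall rules failed." >&2
      rc=1
    fi
  else
    echo "** No saved ipv4 firewall rules found. Run 'myfwconf' first."
  fi
  if [ "${HAVE_IPV6:-0}" -eq 1 ]; then
    if [ -f /etc/firewall/ipv6 ]; then
      if ! "${IPT_PATH}/ip6tables-restore" < /etc/firewall/ipv6; then
        echo "** Restoring ipv6 firewall rules failed." >&2
        rc=1
      fi
    else
      echo "** No saved ipv6 firewall rules found. Run 'myfwconf' first."
    fi
  fi
  return "$rc"
}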
fw_reload() {
  # Drop the live rules, then load the saved ones again.  Between the two
  # steps all policies are ACCEPT with no rules loaded, so this is a brief
  # fail-open window.
  fw_flush
  fw_start
}
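fw_save() {
  # Dump the live ipv4 and ipv6 rule sets to /etc/firewall/{ipv4,ipv6} so
  # that 'start' can restore them.  A family whose tables cannot be listed
  # is skipped and its existing save file is left untouched.  The dumps are
  # written root-only (umask 077) because they describe the host's exposure.
  # Globals: IPT_PATH (read)
  local family ipt
  echo "Saving firewall rules..."
  for family in ipv4 ipv6; do
    ipt=iptables
    [ "$family" = ipv6 ] && ipt=ip6tables
    # -L and -n are passed as separate options: -L takes an optional chain
    # argument, so a joined "-Ln" can be read as "list chain n".  Both
    # stdout and stderr are discarded; only the exit status matters here.
    if "${IPT_PATH}/${ipt}" -L -n >/dev/null 2>&1; then
      if ! ( umask 077; "${IPT_PATH}/${ipt}-save" > "/etc/firewall/${family}" ); then
        echo "** Saving ${family} firewall rules failed." >&2
      fi
    else
      echo "** Cannot list ${family} tables, ${family} rules not saved." >&2
    fi
  done
}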
fw_flush() {
  # Reset every firewall family to wide open: ACCEPT policies, no rules,
  # no custom chains, zeroed counters.  ip6tables is only touched when the
  # ipv6 probe at the top of the script found it available.
  # Globals: HAVE_IPV6 (read)
  local ipt
  echo "Flushing firewall rules..."
  for ipt in iptables ip6tables; do
    if [ "$ipt" = ip6tables ]; then
      [ "$HAVE_IPV6" -eq 1 ] || continue
    fi
    fwflush "$ipt"
  done
}
fw_status() {
  # Print the live rules of both families (numeric output, no DNS lookups)
  # and flag a family whose tables cannot be listed.
  # Globals: IPT_PATH (read)
  if ! "${IPT_PATH}/iptables" -L -n 2>/dev/null; then
    echo "** No ipv4 support in the kernel!"
  fi
  if ! "${IPT_PATH}/ip6tables" -L -n 2>/dev/null; then
    echo "** No ipv6 support in the kernel!"
  fi
}
# Entry point: dispatch on the requested action.  Any unknown or missing
# action prints the usage line and exits non-zero; otherwise the script
# always exits 0, regardless of what the action itself reported.
case "$1" in
  start)      fw_start ;;
  stop|flush) fw_flush ;;
  reload)     fw_reload ;;
  save)       fw_save ;;
  status)     fw_status ;;
  *)
    echo "Usage: $0 start|stop|reload|save|flush|status"
    exit 1
    ;;
esac
exit 0