Diffstat (limited to '')
-rw-r--r-- | setup2hd/rc.firewall.tpl | 141 |
1 files changed, 141 insertions, 0 deletions
diff --git a/setup2hd/rc.firewall.tpl b/setup2hd/rc.firewall.tpl
new file mode 100644
index 0000000..4019b1a
--- /dev/null
+++ b/setup2hd/rc.firewall.tpl
@@ -0,0 +1,141 @@
+#!/bin/bash
+
+# ---------------------------------------------------------------------------
+# Slackware init script for iptables firewall:
+# /etc/rc.d/rc.firewall
+# Written by Eric Hameleers <alien@slackware.com> for the liveslak project.
+# ---------------------------------------------------------------------------
+
+# Specify path to the iptables binaries:
+IPT_PATH="/usr/sbin"
+
+# Save location for firewall rules:
+[ ! -d /etc/firewall ] && mkdir /etc/firewall
+
+# Is ipv6 supported on this computer?
+if [ $(cat /sys/module/ipv6/parameters/disable) -eq 1 ]; then
+ HAVE_IPV6=0
+else
+ HAVE_IPV6=1
+fi
+
+fwflush() {
+ local IPT=${1:-iptables}
+ # Accept all traffic first:
+ ${IPT_PATH}/${IPT} -P INPUT ACCEPT
+ ${IPT_PATH}/${IPT} -P FORWARD ACCEPT
+ ${IPT_PATH}/${IPT} -P OUTPUT ACCEPT
+ # Flush all iptables chains and rules:
+ ${IPT_PATH}/${IPT} -F
+ # Delete all iptables chains:
+ ${IPT_PATH}/${IPT} -X
+ # Flush all counters:
+ ${IPT_PATH}/${IPT} -Z
+ # Flush/delete all nat and mangle rules:
+ if [ "$IPT" != "ip6tables" ]; then
+ ${IPT_PATH}/${IPT} -t nat -F
+ ${IPT_PATH}/${IPT} -t nat -X
+ fi
+ ${IPT_PATH}/${IPT} -t mangle -F
+ ${IPT_PATH}/${IPT} -t mangle -X
+ ${IPT_PATH}/${IPT} -t raw -F
+ ${IPT_PATH}//${IPT} -t raw -X
+}
+
+basic_protection() {
+ # Basic measures to applied on first start:
+
+ # Turn off packet forwarding in the kernel
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+ # Enable TCP SYN Cookie Protection
+ echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+ # Disable ICMP Redirect Acceptance
+ echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+ # Accept only from gateways in the default gateways list
+ echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
+ # Do not send Redirect Messages
+ echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+ # Enable bad error message protection
+ echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+ # Enable broadcast echo protection
+ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+ # Disable source-routed packets
+ echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+ # Do not log spoofed packets, source-routed packets, and redirect packets
+ echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
+}
+
+fw_start() {
+ echo "Loading firewall rules..."
+ # Apply basic protection in the kernel:
+ basic_protection
+ # Restore firewall rules:
+ if [ -f /etc/firewall/ipv4 ]; then
+ ${IPT_PATH}/iptables-restore < /etc/firewall/ipv4
+ else
+ echo "** No saved ipv4 firewall rules found. Run 'myfwconf' first."
+ fi
+ if [ $HAVE_IPV6 -eq 1 ]; then
+ if [ -f /etc/firewall/ipv6 ]; then
+ ${IPT_PATH}/ip6tables-restore < /etc/firewall/ipv6
+ else
+ echo "** No saved ipv6 firewall rules found. Run 'myfwconf' first."
+ fi
+ fi
+}
+
+fw_reload() {
+ fw_flush
+ fw_start
+}
+
+fw_save() {
+ # Save firewall rules:
+ echo "Saving firewall rules..."
+ ${IPT_PATH}/iptables -Ln 2>/dev/null
+ [ $? -eq 0 ] && ${IPT_PATH}/iptables-save > /etc/firewall/ipv4
+ ${IPT_PATH}/ip6tables -Ln 2>/dev/null
+ [ $? -eq 0 ] && ${IPT_PATH}/ip6tables-save > /etc/firewall/ipv6
+}
+
+fw_flush() {
+ # Flush firewall rules, delete all custom chains and reset counters:
+ # also resetting all policies to ACCEPT:
+ echo "Flushing firewall rules..."
+ fwflush iptables
+ if [ $HAVE_IPV6 -eq 1 ]; then
+ fwflush ip6tables
+ fi
+}
+
+fw_status() {
+ ${IPT_PATH}/iptables -L -n 2>/dev/null
+ [ $? -ne 0 ] && echo "** No ipv4 support in the kernel!"
+ ${IPT_PATH}/ip6tables -L -n 2>/dev/null
+ [ $? -ne 0 ] && echo "** No ipv6 support in the kernel!"
+}
+
+case "$1" in
+ start)
+ fw_start
+ ;;
+ stop|flush)
+ fw_flush
+ ;;
+ reload)
+ fw_reload
+ ;;
+ save)
+ fw_save
+ ;;
+ status)
+ fw_status
+ ;;
+ *)
+ echo "Usage: $0 start|stop|reload|save|flush|status"
+ exit 1
+ ;;
+esac
+
+exit 0
+
|
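Review bot: In fw_start the exit status of `iptables-restore` and `ip6tables-restore` is never checked and the script ends with an unconditional `exit 0`, so a malformed or partially applied saved ruleset leaves the host with whatever policies were already in place while the init system sees success; consider `${IPT_PATH}/iptables-restore < /etc/firewall/ipv4 || { echo "** Failed to restore ipv4 firewall rules." >&2; return 1; }` (same for the ipv6 branch) together with `start) fw_start || exit 1 ;;` in the case at the bottom. The ipv6 probe `[ $(cat /sys/module/ipv6/parameters/disable) -eq 1 ]` is unquoted and turns into a test error when that sysfs file is absent (ipv6 not built in or not loaded), which falls through to HAVE_IPV6=1 and later ip6tables failures; `[ -r /sys/module/ipv6/parameters/disable ] && [ "$(cat /sys/module/ipv6/parameters/disable)" -eq 0 ]` as the HAVE_IPV6=1 condition is more robust. In fw_save the `-Ln` kernel-support probes redirect only stderr, so `rc.firewall save` prints the whole ruleset to stdout before writing it; `>/dev/null 2>&1` appears to be the intent. The last line of fwflush has a stray double slash, `${IPT_PATH}//${IPT} -t raw -X`, harmless but inconsistent with the other calls.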