Diffstat (limited to 'setup2hd/rc.firewall.tpl')
-rw-r--r--setup2hd/rc.firewall.tpl141
1 files changed, 141 insertions, 0 deletions
diff --git a/setup2hd/rc.firewall.tpl b/setup2hd/rc.firewall.tpl
new file mode 100644
index 0000000..4019b1a
--- /dev/null
+++ b/setup2hd/rc.firewall.tpl
@@ -0,0 +1,141 @@
+#!/bin/bash
+
+# ---------------------------------------------------------------------------
+# Slackware init script for iptables firewall:
+# /etc/rc.d/rc.firewall
+# Written by Eric Hameleers <alien@slackware.com> for the liveslak project.
+# ---------------------------------------------------------------------------
+
+# Specify path to the iptables binaries:
+IPT_PATH="/usr/sbin"
+
+# Save location for firewall rules:
+[ ! -d /etc/firewall ] && mkdir /etc/firewall
+
+# Is ipv6 supported on this computer?
+if [ $(cat /sys/module/ipv6/parameters/disable) -eq 1 ]; then
+ HAVE_IPV6=0
+else
+ HAVE_IPV6=1
+fi
+
+fwflush() {
+ local IPT=${1:-iptables}
+ # Accept all traffic first:
+ ${IPT_PATH}/${IPT} -P INPUT ACCEPT
+ ${IPT_PATH}/${IPT} -P FORWARD ACCEPT
+ ${IPT_PATH}/${IPT} -P OUTPUT ACCEPT
+ # Flush all iptables chains and rules:
+ ${IPT_PATH}/${IPT} -F
+ # Delete all iptables chains:
+ ${IPT_PATH}/${IPT} -X
+ # Flush all counters:
+ ${IPT_PATH}/${IPT} -Z
+ # Flush/delete all nat and mangle rules:
+ if [ "$IPT" != "ip6tables" ]; then
+ ${IPT_PATH}/${IPT} -t nat -F
+ ${IPT_PATH}/${IPT} -t nat -X
+ fi
+ ${IPT_PATH}/${IPT} -t mangle -F
+ ${IPT_PATH}/${IPT} -t mangle -X
+ ${IPT_PATH}/${IPT} -t raw -F
+ ${IPT_PATH}//${IPT} -t raw -X
+}
+
+basic_protection() {
+ # Basic measures to applied on first start:
+
+ # Turn off packet forwarding in the kernel
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+ # Enable TCP SYN Cookie Protection
+ echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+ # Disable ICMP Redirect Acceptance
+ echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+ # Accept only from gateways in the default gateways list
+ echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
+ # Do not send Redirect Messages
+ echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+ # Enable bad error message protection
+ echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+ # Enable broadcast echo protection
+ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+ # Disable source-routed packets
+ echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+ # Do not log spoofed packets, source-routed packets, and redirect packets
+ echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
+}
+
+fw_start() {
+ echo "Loading firewall rules..."
+ # Apply basic protection in the kernel:
+ basic_protection
+ # Restore firewall rules:
+ if [ -f /etc/firewall/ipv4 ]; then
+ ${IPT_PATH}/iptables-restore < /etc/firewall/ipv4
+ else
+ echo "** No saved ipv4 firewall rules found. Run 'myfwconf' first."
+ fi
+ if [ $HAVE_IPV6 -eq 1 ]; then
+ if [ -f /etc/firewall/ipv6 ]; then
+ ${IPT_PATH}/ip6tables-restore < /etc/firewall/ipv6
+ else
+ echo "** No saved ipv6 firewall rules found. Run 'myfwconf' first."
+ fi
+ fi
+}
+
+fw_reload() {
+ fw_flush
+ fw_start
+}
+
+fw_save() {
+ # Save firewall rules:
+ echo "Saving firewall rules..."
+ ${IPT_PATH}/iptables -Ln 2>/dev/null
+ [ $? -eq 0 ] && ${IPT_PATH}/iptables-save > /etc/firewall/ipv4
+ ${IPT_PATH}/ip6tables -Ln 2>/dev/null
+ [ $? -eq 0 ] && ${IPT_PATH}/ip6tables-save > /etc/firewall/ipv6
+}
+
+fw_flush() {
+ # Flush firewall rules, delete all custom chains and reset counters:
+ # also resetting all policies to ACCEPT:
+ echo "Flushing firewall rules..."
+ fwflush iptables
+ if [ $HAVE_IPV6 -eq 1 ]; then
+ fwflush ip6tables
+ fi
+}
+
+fw_status() {
+ ${IPT_PATH}/iptables -L -n 2>/dev/null
+ [ $? -ne 0 ] && echo "** No ipv4 support in the kernel!"
+ ${IPT_PATH}/ip6tables -L -n 2>/dev/null
+ [ $? -ne 0 ] && echo "** No ipv6 support in the kernel!"
+}
+
+case "$1" in
+ start)
+ fw_start
+ ;;
+ stop|flush)
+ fw_flush
+ ;;
+ reload)
+ fw_reload
+ ;;
+ save)
+ fw_save
+ ;;
+ status)
+ fw_status
+ ;;
+ *)
+ echo "Usage: $0 start|stop|reload|save|flush|status"
+ exit 1
+ ;;
+esac
+
+exit 0
+
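Review bot: `fw_reload` fails open: `fw_flush` first resets every policy to ACCEPT and deletes all rules, and if `iptables-restore` then fails or `/etc/firewall/ipv4` does not exist, `fw_start` only prints a message and the script still exits 0, leaving the host with no rules and all-ACCEPT policies. Since `iptables-restore` replaces the tables it contains in one step, the flush is not needed for a reload; at minimum check the restore's exit status, e.g. `${IPT_PATH}/iptables-restore < /etc/firewall/ipv4 || { echo "** Restoring ipv4 rules failed"; exit 1; }` (and the same for ip6tables-restore). Separately, `fw_save` probes with `iptables -Ln` while `fw_status` uses `-L -n`; iptables treats the argument of `-L` as an optional chain name, so `-Ln` is likely parsed as `-L n` and fails, meaning `save` would never write anything — use `-L -n` in both places. The `${IPT_PATH}//${IPT} -t raw -X` line in `fwflush` has a stray double slash; harmless, but worth fixing while here. Note also that `basic_protection` hardens only the ipv4 sysctls even though the script manages ip6tables rules; the ipv6 `accept_redirects`/`accept_source_route` counterparts under `/proc/sys/net/ipv6/conf/all/` are left at their defaults.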