From d17940bf4d2f7502d78b18eac380865c77e0444d Mon Sep 17 00:00:00 2001
From: Eric Hameleers
Date: Mon, 20 Dec 2021 14:56:53 +0100
Subject: Add an (optional) basic firewall configuration to setup2hd The firewall will be configured and installed only when you use setup2hd to install the Live OS to your hard drive. The scripts are not particular to Slackware Live; you can easily copy the resulting files /usr/sbin/myfwconfig, /etc/rc.d/rc.firewall and /var/lib/pkgtools/setup/setup.firewall out of the installed system and use them anywhere on a Slackware-compatible OS. - The 'myfwconfig' script will ask a few simple questions and generate the ipv4 and ipv6 configuration in /etc/firewall/. - The 'rc.firewall' script will load/save its iptables/ip6tables configuration from /etc/firewall/ files. - The 'setup.firewall' script is a convenient way to call the firewall configurator from pkgtools or during Slackware's installation to harddisk.
---
setup2hd/rc.firewall.tpl | 141 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 141 insertions(+)
create mode 100644 setup2hd/rc.firewall.tpl
(limited to 'setup2hd/rc.firewall.tpl')
diff --git a/setup2hd/rc.firewall.tpl b/setup2hd/rc.firewall.tpl
new file mode 100644
index 0000000..4019b1a
--- /dev/null
+++ b/setup2hd/rc.firewall.tpl
@@ -0,0 +1,141 @@
+#!/bin/bash
+
+# ---------------------------------------------------------------------------
+# Slackware init script for iptables firewall:
+# /etc/rc.d/rc.firewall
+# Written by Eric Hameleers for the liveslak project.
+# ---------------------------------------------------------------------------
+
+# Specify path to the iptables binaries:
+IPT_PATH="/usr/sbin"
+
+# Save location for firewall rules:
+[ ! -d /etc/firewall ] && mkdir /etc/firewall
+
+# Is ipv6 supported on this computer?
+if [ $(cat /sys/module/ipv6/parameters/disable) -eq 1 ]; then
+ HAVE_IPV6=0
+else
+ HAVE_IPV6=1
+fi
+
+fwflush() {
+ local IPT=${1:-iptables}
+ # Accept all traffic first:
+ ${IPT_PATH}/${IPT} -P INPUT ACCEPT
+ ${IPT_PATH}/${IPT} -P FORWARD ACCEPT
+ ${IPT_PATH}/${IPT} -P OUTPUT ACCEPT
+ # Flush all iptables chains and rules:
+ ${IPT_PATH}/${IPT} -F
+ # Delete all iptables chains:
+ ${IPT_PATH}/${IPT} -X
+ # Flush all counters:
+ ${IPT_PATH}/${IPT} -Z
+ # Flush/delete all nat and mangle rules:
+ if [ "$IPT" != "ip6tables" ]; then
+ ${IPT_PATH}/${IPT} -t nat -F
+ ${IPT_PATH}/${IPT} -t nat -X
+ fi
+ ${IPT_PATH}/${IPT} -t mangle -F
+ ${IPT_PATH}/${IPT} -t mangle -X
+ ${IPT_PATH}/${IPT} -t raw -F
+ ${IPT_PATH}//${IPT} -t raw -X
+}
+
+basic_protection() {
+ # Basic measures to applied on first start:
+
+ # Turn off packet forwarding in the kernel
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+ # Enable TCP SYN Cookie Protection
+ echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+ # Disable ICMP Redirect Acceptance
+ echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+ # Accept only from gateways in the default gateways list
+ echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
+ # Do not send Redirect Messages
+ echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+ # Enable bad error message protection
+ echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+ # Enable broadcast echo protection
+ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+ # Disable source-routed packets
+ echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+ # Do not log spoofed packets, source-routed packets, and redirect packets
+ echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
+}
+
+fw_start() {
+ echo "Loading firewall rules..."
+ # Apply basic protection in the kernel:
+ basic_protection
+ # Restore firewall rules:
+ if [ -f /etc/firewall/ipv4 ]; then
+ ${IPT_PATH}/iptables-restore < /etc/firewall/ipv4
+ else
+ echo "** No saved ipv4 firewall rules found. Run 'myfwconf' first."
+ fi
+ if [ $HAVE_IPV6 -eq 1 ]; then
+ if [ -f /etc/firewall/ipv6 ]; then
+ ${IPT_PATH}/ip6tables-restore < /etc/firewall/ipv6
+ else
+ echo "** No saved ipv6 firewall rules found. Run 'myfwconf' first."
+ fi
+ fi
+}
+
+fw_reload() {
+ fw_flush
+ fw_start
+}
+
+fw_save() {
+ # Save firewall rules:
+ echo "Saving firewall rules..."
+ ${IPT_PATH}/iptables -Ln 2>/dev/null
+ [ $? -eq 0 ] && ${IPT_PATH}/iptables-save > /etc/firewall/ipv4
+ ${IPT_PATH}/ip6tables -Ln 2>/dev/null
+ [ $? -eq 0 ] && ${IPT_PATH}/ip6tables-save > /etc/firewall/ipv6
+}
+
+fw_flush() {
+ # Flush firewall rules, delete all custom chains and reset counters:
+ # also resetting all policies to ACCEPT:
+ echo "Flushing firewall rules..."
+ fwflush iptables
+ if [ $HAVE_IPV6 -eq 1 ]; then
+ fwflush ip6tables
+ fi
+}
+
+fw_status() {
+ ${IPT_PATH}/iptables -L -n 2>/dev/null
+ [ $? -ne 0 ] && echo "** No ipv4 support in the kernel!"
+ ${IPT_PATH}/ip6tables -L -n 2>/dev/null
+ [ $? -ne 0 ] && echo "** No ipv6 support in the kernel!"
+}
+
+case "$1" in
+ start)
+ fw_start
+ ;;
+ stop|flush)
+ fw_flush
+ ;;
+ reload)
+ fw_reload
+ ;;
+ save)
+ fw_save
+ ;;
+ status)
+ fw_status
+ ;;
+ *)
+ echo "Usage: $0 start|stop|reload|save|flush|status"
+ exit 1
+ ;;
+esac
+
+exit 0
+
-- cgit v1.2.3
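Review bot: In fw_save the probe `${IPT_PATH}/iptables -Ln 2>/dev/null` most likely always fails, because `-L` takes an optional chain name and the attached `n` is read as a chain called "n" rather than as the `-n` flag; the `[ $? -eq 0 ] &&` guard then never lets `iptables-save` run, and `save` still ends in `exit 0` while writing nothing, so rule changes made at runtime are silently lost at the next boot. fw_status already uses the working form, and the same here with stdout silenced as well would be `${IPT_PATH}/iptables -L -n >/dev/null 2>&1 && ${IPT_PATH}/iptables-save > /etc/firewall/ipv4`, likewise for the ip6tables pair. A related fail-open path is fw_reload: it runs fw_flush (all policies ACCEPT, every rule removed) before fw_start, and fw_start only prints a message when /etc/firewall/ipv4 is missing or leaves the result of `iptables-restore` unchecked, so a reload without a usable saved file leaves the host unfiltered. Testing for the rules file before flushing, and reporting a non-zero exit when the restore fails, would close that window; iptables-restore already replaces the tables it loads, so the preceding flush should not be needed for a plain reload.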