#!/bin/bash

# ---------------------------------------------------------------------------
# Slackware init script for iptables firewall:
# /etc/rc.d/rc.firewall
# Written by Eric Hameleers <alien@slackware.com> for the liveslak project.
# ---------------------------------------------------------------------------

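# Specify path to the iptables binaries:
IPT_PATH="/usr/sbin"

# Save location for firewall rules (created if it does not exist yet):
[ -d /etc/firewall ] || mkdir -p /etc/firewall

# Is ipv6 supported on this computer?
# The module parameter reads "1" when ipv6 was disabled (ipv6.disable=1).
# When the file is missing or unreadable we keep assuming ipv6 is available,
# which is what the old unguarded test fell through to as well, but without
# the "unary operator expected" noise from an empty $(cat ...).
HAVE_IPV6=1
if [ -r /sys/module/ipv6/parameters/disable ] && \
   [ "$(cat /sys/module/ipv6/parameters/disable)" = "1" ]; then
  HAVE_IPV6=0
fi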

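#######################################
# Reset one iptables family to a wide-open state: every policy ACCEPT, all
# rules flushed, all user-defined chains deleted, all counters zeroed.
# NOTE: once this returns the host accepts ALL traffic until a ruleset is
# restored again (fw_start); "stop"/"flush" therefore fail open by design.
# Globals:   IPT_PATH (read)
# Arguments: $1 - tool name, "iptables" (default) or "ip6tables"
# Returns:   status of the last tool invocation
#######################################
fwflush() {
  local IPT=${1:-iptables}
  local ipt="${IPT_PATH}/${IPT}"
  local chain table
  # Accept all traffic first, so flushing the rules cannot lock anyone out:
  for chain in INPUT FORWARD OUTPUT; do
    "$ipt" -P "$chain" ACCEPT
  done
  # Flush all rules, delete all custom chains, zero all counters:
  "$ipt" -F
  "$ipt" -X
  "$ipt" -Z
  # Flush/delete the nat table (only handled for ipv4 here):
  if [ "$IPT" != "ip6tables" ]; then
    "$ipt" -t nat -F
    "$ipt" -t nat -X
  fi
  # Flush/delete the mangle and raw tables:
  for table in mangle raw; do
    "$ipt" -t "$table" -F
    "$ipt" -t "$table" -X
  done
}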

#######################################
# Kernel-level hardening applied every time the firewall is started.
# Each entry below is "<sysctl path under /proc/sys/net/ipv4/>=<value>" and
# is written in the listed order.
# Globals:   none
# Arguments: none
# Outputs:   nothing on success; the shell reports unwritable entries
#######################################
basic_protection() {
  local entry key value
  local -a settings=(
    # Turn off packet forwarding in the kernel
    "ip_forward=0"
    # Enable TCP SYN cookie protection
    "tcp_syncookies=1"
    # Disable ICMP redirect acceptance
    "conf/all/accept_redirects=0"
    # Accept redirects only from gateways in the default gateways list
    "conf/all/secure_redirects=1"
    # Do not send redirect messages
    "conf/all/send_redirects=0"
    # Enable bad error message protection
    "icmp_ignore_bogus_error_responses=1"
    # Enable broadcast echo protection
    "icmp_echo_ignore_broadcasts=1"
    # Disable source-routed packets
    "conf/all/accept_source_route=0"
    # Do not log spoofed, source-routed and redirect packets
    # (defenders who want these in the kernel log would set this to 1)
    "conf/all/log_martians=0"
  )
  for entry in "${settings[@]}"; do
    key=${entry%%=*}
    value=${entry#*=}
    printf '%s\n' "$value" > "/proc/sys/net/ipv4/${key}"
  done
}

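#######################################
# Apply the kernel hardening and restore the saved rulesets.
# NOTE: when no saved ruleset exists nothing is loaded, so the policies stay
# whatever they were before (ACCEPT right after a flush) - run 'myfwconf'.
# A failed *-restore used to pass silently; it is now reported on stderr.
# Globals:   IPT_PATH, HAVE_IPV6 (read)
# Arguments: none
# Outputs:   progress on stdout, restore failures on stderr
# Returns:   0 if every applicable restore succeeded or was skipped, else 1
#######################################
fw_start() {
  local rc=0
  echo "Loading firewall rules..."
  # Apply basic protection in the kernel:
  basic_protection
  # Restore firewall rules:
  if [ -f /etc/firewall/ipv4 ]; then
    if ! "${IPT_PATH}/iptables-restore" < /etc/firewall/ipv4; then
      echo "** Failed to restore ipv4 firewall rules from /etc/firewall/ipv4" >&2
      rc=1
    fi
  else
    echo "** No saved ipv4 firewall rules found. Run 'myfwconf' first."
  fi
  if [ "$HAVE_IPV6" -eq 1 ]; then
    if [ -f /etc/firewall/ipv6 ]; then
      if ! "${IPT_PATH}/ip6tables-restore" < /etc/firewall/ipv6; then
        echo "** Failed to restore ipv6 firewall rules from /etc/firewall/ipv6" >&2
        rc=1
      fi
    else
      echo "** No saved ipv6 firewall rules found. Run 'myfwconf' first."
    fi
  fi
  return "$rc"
}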

#######################################
# Flush everything, then load the saved rulesets again.
# Globals:   none directly (see fw_flush and fw_start)
# Arguments: none
# Returns:   status of fw_start
#######################################
fw_reload() {
  local step
  for step in fw_flush fw_start; do
    "$step"
  done
}

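#######################################
# Dump the live rulesets to /etc/firewall/ipv4 and /etc/firewall/ipv6, the
# files fw_start restores from. A family is skipped when its tool cannot list
# rules (no kernel support).
# Globals:   IPT_PATH (read)
# Arguments: none
# Outputs:   progress on stdout, save failures on stderr
#######################################
fw_save() {
  echo "Saving firewall rules..."
  _fw_save_family iptables  /etc/firewall/ipv4
  _fw_save_family ip6tables /etc/firewall/ipv6
}

#######################################
# Save one family's rules.
# The support probe's listing is fully discarded (it used to be printed on
# stdout). The dump goes to a temporary file first and only replaces the
# target on success, so a failing *-save can no longer truncate the rules
# that fw_start will load at next boot. mktemp creates the file 0600, so the
# saved ruleset ends up readable by root only.
# Arguments: $1 - tool name (iptables|ip6tables), $2 - target file
# Returns:   0 when saved or skipped, 1 on failure
#######################################
_fw_save_family() {
  local tool=$1 target=$2 tmp
  "${IPT_PATH}/${tool}" -L -n >/dev/null 2>&1 || return 0
  tmp=$(mktemp "${target}.XXXXXX") || return 1
  if "${IPT_PATH}/${tool}-save" > "$tmp"; then
    mv -f -- "$tmp" "$target"
  else
    echo "** Failed to save ${tool} rules" >&2
    rm -f -- "$tmp"
    return 1
  fi
}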

#######################################
# Drop every rule and custom chain of both families, zero the counters and
# reset all policies to ACCEPT (the host is wide open afterwards).
# Globals:   HAVE_IPV6 (read)
# Arguments: none
# Returns:   status of the last fwflush call
#######################################
fw_flush() {
  local family
  echo "Flushing firewall rules..."
  for family in iptables ip6tables; do
    # Only touch ip6tables when the kernel has ipv6 enabled:
    if [ "$family" = ip6tables ] && ! [ "$HAVE_IPV6" -eq 1 ]; then
      continue
    fi
    fwflush "$family"
  done
}

#######################################
# Print the live rulesets of both families (numeric output, no name lookups)
# and report a family whose tool fails to list, e.g. no kernel support.
# Globals:   IPT_PATH (read)
# Arguments: none
# Outputs:   listings and notices on stdout; tool errors are discarded
#######################################
fw_status() {
  local family tool rc
  for family in ipv4 ipv6; do
    tool=iptables
    [ "$family" = ipv6 ] && tool=ip6tables
    "${IPT_PATH}/${tool}" -L -n 2>/dev/null
    rc=$?
    [ "$rc" -ne 0 ] && echo "** No ${family} support in the kernel!"
  done
}

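# Entry point: dispatch on the rc-script action given as the first argument.
# The script always exits 0 for a known action, as Slackware rc scripts do;
# failures are reported by the individual functions on stderr.
case "$1" in
  start)
    fw_start
    ;;
  stop|flush)
    # NOTE: this leaves every policy at ACCEPT - it opens the host up rather
    # than blocking traffic.
    fw_flush
    ;;
  reload)
    fw_reload
    ;;
  save)
    fw_save
    ;;
  status)
    fw_status
    ;;
  *)
    # Usage errors belong on stderr, not mixed into normal output:
    echo "Usage: $0 start|stop|reload|save|flush|status" >&2
    exit 1
    ;;
esac

exit 0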