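#!/bin/sh
#
# Startup script to implement masquerading and firewalling
#
# chkconfig: 2345 48 67
#
# description: Automates a packet filtering firewall with iptables.
#
# by beroATredhat.com, based on the ipchains script:
#   Script Author: Joshua Jensen
#   -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov :
# modified by Nils Philippsen
# modified by alexeytATfreeshell.org
#
# customized for CHANGEME
#
# Assumes the Red Hat init environment: /bin/sh is bash (the $"..." locale
# strings and "echo -n" below are not POSIX) and /etc/init.d/functions
# provides success/failure.
#
# Security notes for whoever fills in the CHANGEME sections:
#   * Only FORWARD is default-deny.  INPUT and OUTPUT are left at ACCEPT and
#     the "input"/"output" sections are empty, so this script as shipped does
#     NOT protect the router itself -- every local service is reachable on
#     every interface until rules are added there.
#   * "stop" leaves the machine with no filter at all (all policies ACCEPT,
#     no rules); only IPv4 routing is switched off.
#   * "panic" is the emergency brake: every policy DROP, all rules gone,
#     routing off.  It does not return on its own; run "start" afterwards.

# Source 'em up
. /etc/init.d/functions

#### CONFIG ####
# Use the absolute path everywhere; the executability test below and the
# actual calls must refer to the same binary, not whatever PATH finds.
IPTABLES=/sbin/iptables
LOCKFILE=/var/lock/subsys/ipmagic
IP_FORWARD=/proc/sys/net/ipv4/ip_forward
#### END CONFIG ####

if [ ! -x "$IPTABLES" ]; then
    exit 0
fi

# Names of the iptables tables currently loaded in the kernel, one per line.
# Empty (and silent) when the ip_tables module is not loaded at all.
loaded_tables() {
    cat /proc/net/ip_tables_names 2>/dev/null
}

# Run "$@", bracketed by the message MSG and the OK/FAILED marker from
# /etc/init.d/functions.  Returns the status of "$@" so callers can chain on
# it.  Pass a command, not a redirection (use the small helpers below).
run_step() {
    local msg rc
    msg=$1
    shift
    echo -n "$msg"
    if "$@"; then
        success "$msg"
        rc=0
    else
        failure "$msg"
        rc=1
    fi
    echo
    return $rc
}

# Flush every rule in every loaded table.  Returns non-zero if ANY table
# failed -- the old "for ...; done && success" idiom reported only the status
# of the last iteration, so a failure in the filter table was masked by a
# successful flush of nat.
flush_all_tables() {
    local tbl rc
    rc=0
    # shellcheck disable=SC2046 -- table names never contain whitespace
    for tbl in $(loaded_tables); do
        "$IPTABLES" -t "$tbl" -F || rc=1
    done
    return $rc
}

# Delete every user-defined chain in every loaded table (same failure
# semantics as flush_all_tables).  Must run after flush_all_tables, since a
# chain that is still referenced cannot be deleted.
delete_user_chains() {
    local tbl rc
    rc=0
    # shellcheck disable=SC2046
    for tbl in $(loaded_tables); do
        "$IPTABLES" -t "$tbl" -X || rc=1
    done
    return $rc
}

# Zero the packet/byte counters of every loaded table.  Cosmetic; failures
# are ignored exactly as before.
zero_counters() {
    local tbl
    # shellcheck disable=SC2046
    for tbl in $(loaded_tables); do
        "$IPTABLES" -t "$tbl" -Z
    done
    return 0
}

enable_forwarding() {
    echo "1" > "$IP_FORWARD"
}

disable_forwarding() {
    echo "0" > "$IP_FORWARD"
}

# The ruleset proper.  Returns non-zero at the first command that fails, so
# the caller reports FAILED instead of only the status of the last rule.
apply_rules() {
    # set policies -- FORWARD is the only default-deny chain (see header)
    "$IPTABLES" -P INPUT ACCEPT &&
    "$IPTABLES" -P FORWARD DROP &&
    "$IPTABLES" -P OUTPUT ACCEPT &&
    "$IPTABLES" -t nat -P PREROUTING ACCEPT &&
    "$IPTABLES" -t nat -P POSTROUTING ACCEPT &&
    "$IPTABLES" -t nat -P OUTPUT ACCEPT || return 1

    # input
    #   (empty: the router itself is unprotected until rules go here)

    # output

    # forwarding rules
    # Replies and helper-tracked connections (e.g. FTP data, via the
    # modules loaded in start) are allowed through; everything else hits the
    # DROP policy.
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    # log everything else
    # Rate-limited so a flood cannot fill the logs; packets over the limit
    # are still dropped, just not logged.  The prefix makes these lines
    # greppable / matchable by log monitoring.
    "$IPTABLES" -A FORWARD -m limit --limit 30/hour -j LOG \
        --log-prefix "ipmagic FORWARD drop: " || return 1

    # nat prerouting

    # nat postrouting

    return 0
}

# Policies used by "stop": everything open.
reset_policies_accept() {
    "$IPTABLES" -P INPUT ACCEPT &&
    "$IPTABLES" -P OUTPUT ACCEPT &&
    "$IPTABLES" -P FORWARD ACCEPT &&
    "$IPTABLES" -t nat -P PREROUTING ACCEPT &&
    "$IPTABLES" -t nat -P POSTROUTING ACCEPT &&
    "$IPTABLES" -t nat -P OUTPUT ACCEPT
    # "$IPTABLES" -t mangle -P PREROUTING ACCEPT &&
    # "$IPTABLES" -t mangle -P OUTPUT ACCEPT
}

# Policies used by "panic": everything closed, including the host's own
# traffic (OUTPUT DROP) -- be sure you have console access.
set_policies_drop() {
    "$IPTABLES" -P INPUT DROP &&
    "$IPTABLES" -P FORWARD DROP &&
    "$IPTABLES" -P OUTPUT DROP &&
    "$IPTABLES" -t nat -P PREROUTING DROP &&
    "$IPTABLES" -t nat -P POSTROUTING DROP &&
    "$IPTABLES" -t nat -P OUTPUT DROP
    # "$IPTABLES" -t mangle -P PREROUTING DROP &&
    # "$IPTABLES" -t mangle -P OUTPUT DROP
}

start() {
    # Connection-tracking / NAT helpers.  These are what make the
    # "--state RELATED" rule admit FTP data connections; every helper loaded
    # widens what RELATED matches, so leave the irc ones disabled unless the
    # site actually needs them.  A failed modprobe is not fatal (as before):
    # the filter still works, only FTP through the router breaks.
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    # modprobe ip_conntrack_irc
    # modprobe ip_nat_irc

    # Routing off while the ruleset is torn down and rebuilt.  Between the
    # flush below and "-P FORWARD DROP" in apply_rules the FORWARD chain is
    # empty with whatever policy was there before (ACCEPT on a fresh boot);
    # with ip_forward already 1 from sysctl that window would route freely.
    # "restart" used to do this by hand; doing it here covers plain "start".
    disable_forwarding

    # If we don't clear these first, we might be adding to
    # pre-existing rules.
    run_step $"Flushing all chains:" flush_all_tables
    run_step $"Removing user defined chains:" delete_user_chains
    zero_counters

    run_step $"Applying iptables firewall rules:" apply_rules

    run_step "Enabling IPv4 forwarding:" enable_forwarding

    touch "$LOCKFILE"
}

stop() {
    # Routing off first, so nothing is forwarded through the empty chains
    # that the next two steps leave behind.
    run_step "Disabling IPv4 forwarding:" disable_forwarding

    run_step $"Flushing all chains:" flush_all_tables
    run_step $"Removing user defined chains:" delete_user_chains

    # From here on the host has no packet filter at all.
    run_step $"Resetting built-in chains to the default ACCEPT policy:" reset_policies_accept

    rm -f "$LOCKFILE"
}

status() {
    echo $"Table: filter"
    "$IPTABLES" -n -v --list
    echo $"Table: nat"
    "$IPTABLES" -t nat -n -v --list
    # echo $"Table: mangle"
    # "$IPTABLES" -t mangle -n -v --list
}

panic() {
    # Order matters: policies go to DROP *before* the rules are flushed, so
    # there is never a moment with neither rules nor a deny policy.
    run_step "Changing target policies to DROP:" set_policies_drop

    # Flush every loaded table, not just the hard-coded filter/nat chains of
    # the old version, so user chains in mangle/raw cannot survive a panic.
    run_step $"Flushing all chains:" flush_all_tables
    run_step $"Removing user defined chains:" delete_user_chains

    # The FORWARD DROP policy already blocks routing; turning ip_forward off
    # as well means a later accidental "-P FORWARD ACCEPT" does not reopen it.
    disable_forwarding
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        # "restart" is really just "start" as this isn't a daemon, and
        # "start" clears any pre-defined rules anyway.  start also switches
        # forwarding off before touching the chains (see the note there), so
        # there is no open firewall during resets --alexeyt
        start
        ;;
    status)
        status
        ;;
    panic)
        panic
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|status|panic}"
        exit 1
esac

exit 0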