slitaz-tools annotate rootfs/etc/init.d/firewall @ rev 435
improve firewall and iptables_rules (thanks gokhlayeh)
| author | Rohit Joshi <jozee@slitaz.org> |
|---|---|
| date | Fri Mar 12 12:01:54 2010 +0000 (2010-03-12) |
| parents | db0e82bebc70 |
| children |
| rev | line source |
|---|---|
| pankso@10 | 1 #!/bin/sh |
| MikeDSmith25@252 | 2 # /etc/init.d/firewall - SliTaz firewall daemon script using iptables. |
| pankso@10 | 3 # Config file is: /etc/firewall.conf |
| pankso@10 | 4 # |
| pankso@10 | 5 . /etc/init.d/rc.functions |
| pankso@10 | 6 . /etc/firewall.conf |
| pankso@10 | 7 |
| pankso@10 | 8 case $1 in |
| pankso@10 | 9 start) |
| pankso@10 | 10 # Kernel security. 0 = disable, 1 = enable. |
| pankso@10 | 11 # |
| pankso@10 | 12 if [ "$KERNEL_SECURITY" = "yes" ] ; then |
| pankso@10 | 13 echo -n "Setting up kernel security rules... " |
| pankso@10 | 14 # ICMP redirects acceptance. |
| pankso@10 | 15 for conf in /proc/sys/net/ipv4/conf/*/accept_redirects ; do |
| pankso@10 | 16 echo "0" > $conf |
| pankso@10 | 17 done |
| pankso@10 | 18 for conf in /proc/sys/net/ipv4/conf/*/secure_redirects ; do |
| pankso@10 | 19 echo "0" > $conf |
| pankso@10 | 20 done |
| pankso@10 | 21 # IP source routing. |
| pankso@10 | 22 for conf in /proc/sys/net/ipv4/conf/*/accept_source_route ; do |
| pankso@10 | 23 echo "0" > $conf |
| pankso@10 | 24 done |
| pankso@10 | 25 # Log impossible addresses. |
| pankso@10 | 26 for conf in /proc/sys/net/ipv4/conf/*/log_martians ; do |
| pankso@10 | 27 echo "1" > $conf |
| pankso@10 | 28 done |
| pankso@10 | 29 # Ip spoofing protection. |
| pankso@10 | 30 for conf in /proc/sys/net/ipv4/conf/*/rp_filter ; do |
| pankso@10 | 31 echo "1" > $conf |
| pankso@10 | 32 done |
| pankso@10 | 33 echo "1" > /proc/sys/net/ipv4/tcp_syncookies |
| pankso@10 | 34 status |
| pankso@10 | 35 else |
| pankso@10 | 36 echo "Kernel security rules are disabled in: /etc/firewall.conf... " |
| pankso@10 | 37 fi |
| pankso@10 | 38 # Netfilter/iptables rules. We get the rules from /etc/firewall.conf. |
| pankso@10 | 39 # |
| pankso@10 | 40 if [ "$IPTABLES_RULES" = "yes" ] ; then |
| pankso@10 | 41 echo -n "Setting up iptables rules defined in: /etc/firewall.conf... " |
| pankso@10 | 42 iptables_rules |
| pankso@10 | 43 status |
| pankso@10 | 44 else |
| pankso@10 | 45 echo "Iptables rules are disabled in: /etc/firewall.conf... " |
| pankso@10 | 46 exit 0 |
| pankso@10 | 47 fi |
| pankso@10 | 48 ;; |
| pankso@10 | 49 stop) |
| pankso@10 | 50 if [ "$IPTABLES_RULES" = "yes" ] ; then |
| pankso@10 | 51 echo -n "Stopping iptables firewall rules... " |
| pankso@10 | 52 iptables -P INPUT ACCEPT |
| pankso@10 | 53 iptables -P OUTPUT ACCEPT |
| jozee@435 | 54 iptables -P FORWARD ACCEPT |
| pankso@10 | 55 iptables -F |
| pankso@10 | 56 iptables -X |
| pankso@10 | 57 status |
| pankso@10 | 58 else |
| pankso@10 | 59 echo "Iptables rules are disabled in: /etc/firewall.conf... " |
| pankso@10 | 60 exit 0 |
| pankso@10 | 61 fi |
| pankso@10 | 62 ;; |
| pankso@10 | 63 restart) |
| pankso@10 | 64 $0 stop |
| pankso@10 | 65 sleep 2 |
| pankso@10 | 66 $0 start |
| pankso@10 | 67 ;; |
| pankso@10 | 68 status) |
| pankso@10 | 69 echo "" |
| pankso@10 | 70 echo -e "\033[1m===================== SliTaz firewall statistics =====================\033[0m" |
| pankso@10 | 71 echo "" |
| pankso@10 | 72 if [ "$KERNEL_SECURITY" = "yes" ] ; then |
| pankso@10 | 73 echo "Kernel security: enabled" |
| pankso@10 | 74 else |
| pankso@10 | 75 echo "Kernel security: disabled" |
| pankso@10 | 76 fi |
| pankso@10 | 77 echo "" |
| pankso@10 | 78 echo "Netfilter/iptables rules: " |
| pankso@10 | 79 echo "" |
| pankso@10 | 80 iptables -nL |
| pankso@10 | 81 echo "" |
| pankso@10 | 82 ;; |
| pankso@10 | 83 *) |
| pankso@10 | 84 echo "" |
| pankso@10 | 85 echo -e "\033[1mUsage:\033[0m /etc/init.d/`basename $0` [start|stop|restart|status]" |
| pankso@10 | 86 echo "" |
| pankso@10 | 87 exit 1 |
| pankso@10 | 88 ;; |
| pankso@10 | 89 esac |
| pankso@10 | 90 |