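#!/bin/bash
#
# Author: Arno, 2011
#
# /etc/init.d/firewall
# and its symbolic link
# /{not used}
#
# firewall      This shell script takes care of starting and stopping
#               the custom firewall script, i.e. the uploaded fwbuilder script.
#
# The script uses bash features (`let`-style arithmetic, $"..." locale
# strings, `echo -n`, `local`) and the Red Hat style /etc/init.d/functions
# library, so the interpreter is /bin/bash rather than /bin/sh.
#
# changes 20110128, created the script.
#         201112,   added custom script file.
#
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Starts and stops the firewall script
# Description:       Loads the generated firewall rule script and, when
#                    present, an additional custom rule script.
#                    We want it to be active in runlevels 2,3,4 and 5,
#                    as these are the runlevels with the network available.
### END INIT INFO

# Source function library (daemon, success and failure come from here).
if [ -f /etc/init.d/functions ] ; then
  . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
  . /etc/rc.d/init.d/functions
else
  exit 1
fi

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
# Quoted: an unset NETWORKING used to be a `[` syntax error instead of "not no".
[ "${NETWORKING}" = "no" ] && exit 0

RETVAL=0
prog="firewall"
fwpath="/etc/firewall"
fwname="firewall.sh"
fwcustom="custom.firewall.sh"
# Policy applied to every built-in chain by "stop". ACCEPT matches the
# original behaviour: once the firewall is stopped the host is unfiltered.
# Set to DROP for a fail-closed stop.
fwstoppolicy="ACCEPT"
# Kept for compatibility with earlier versions of this file; ALLOW is not a
# valid iptables policy and the variable is not used.
fwstoprule="ALLOW"

# set iptables vars
IPTABLES=iptables
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names

# Get active tables (empty when the module is not loaded)
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)

# Nothing to do when the generated rule script is not installed.
[ -f "$fwpath/$fwname" ] || exit 0

# Functions

#######################################
# Check that a rule script may be executed as root.
# The scripts are uploaded files that run as root at boot, so a missing,
# non-executable, foreign-owned or world-writable file is refused.
# Arguments: $1 - path of the rule script
# Outputs:   reason for refusal on stderr
# Returns:   0 if the script may be run, 1 otherwise
#######################################
script_ok() {
  local f=$1
  if [ ! -f "$f" ] || [ ! -x "$f" ]; then
    echo "$f: not an executable regular file" >&2
    return 1
  fi
  # -O: owned by the effective user (root when start/stop is run).
  if [ ! -O "$f" ]; then
    echo "$f: not owned by the invoking user, refusing to run it" >&2
    return 1
  fi
  # A world-writable rule script lets any local user inject rules.
  if [ -n "$(find "$f" -maxdepth 0 -perm -o=w 2>/dev/null)" ]; then
    echo "$f: is world-writable, refusing to run it" >&2
    return 1
  fi
  return 0
}

#######################################
# Flush rules, delete user chains and zero counters in every active table.
# Globals:   IPTABLES, PROC_IPTABLES_NAMES, NF_TABLES (read)
# Returns:   0 on success or when iptables is not loaded, 1 when no table
#            is active, otherwise the number of failed iptables calls
#######################################
flush_n_delete() {
  local i ret
  # Module not loaded: nothing to flush.
  [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
  # Check if firewall is configured (has tables)
  [ -z "$NF_TABLES" ] && return 1
  echo -n $"[ ${IPTABLES}: Flushing firewall rules: ]"
  ret=0
  # For all tables
  for i in $NF_TABLES; do
    # Flush firewall rules.
    $IPTABLES -t "$i" -F || ret=$((ret + 1))
    # Delete firewall chains.
    $IPTABLES -t "$i" -X || ret=$((ret + 1))
    # Set counter to zero.
    $IPTABLES -t "$i" -Z || ret=$((ret + 1))
  done
  if [ "$ret" -eq 0 ]; then
    success
  else
    failure
  fi
  echo
  return "$ret"
}

#######################################
# Set the policy of every built-in chain of every active table.
# Arguments: $1 - policy (ACCEPT or DROP)
# Globals:   IPTABLES, PROC_IPTABLES_NAMES (read)
# Returns:   0 on success or when iptables is not loaded, 1 when no table
#            is active, otherwise the number of tables that could not be set
#######################################
set_policy() {
  local policy=$1
  local tables i ret
  # Check if iptable module is loaded
  [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
  # Check if firewall is configured (has tables)
  tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
  [ -z "$tables" ] && return 1
  echo -n $"[ ${IPTABLES}: Setting chains to policy $policy: ] "
  ret=0
  for i in $tables; do
    echo -n "$i "
    case "$i" in
      raw)
        $IPTABLES -t raw -P PREROUTING "$policy" \
          && $IPTABLES -t raw -P OUTPUT "$policy" \
          || ret=$((ret + 1))
        ;;
      filter)
        $IPTABLES -t filter -P INPUT "$policy" \
          && $IPTABLES -t filter -P OUTPUT "$policy" \
          && $IPTABLES -t filter -P FORWARD "$policy" \
          || ret=$((ret + 1))
        ;;
      nat)
        $IPTABLES -t nat -P PREROUTING "$policy" \
          && $IPTABLES -t nat -P POSTROUTING "$policy" \
          && $IPTABLES -t nat -P OUTPUT "$policy" \
          || ret=$((ret + 1))
        ;;
      mangle)
        $IPTABLES -t mangle -P PREROUTING "$policy" \
          && $IPTABLES -t mangle -P POSTROUTING "$policy" \
          && $IPTABLES -t mangle -P INPUT "$policy" \
          && $IPTABLES -t mangle -P OUTPUT "$policy" \
          && $IPTABLES -t mangle -P FORWARD "$policy" \
          || ret=$((ret + 1))
        ;;
      security)
        # Present on newer kernels; previously fell into the failure branch.
        $IPTABLES -t security -P INPUT "$policy" \
          && $IPTABLES -t security -P OUTPUT "$policy" \
          && $IPTABLES -t security -P FORWARD "$policy" \
          || ret=$((ret + 1))
        ;;
      *)
        # Unknown table: say so instead of failing silently.
        echo -n "(unknown) "
        ret=$((ret + 1))
        ;;
    esac
  done
  if [ "$ret" -eq 0 ]; then
    success
  else
    failure
  fi
  echo
  return "$ret"
}

#######################################
# Load the generated rule script.
# Globals:   prog, fwpath, fwname (read); RETVAL (written)
# Returns:   exit status of the rule script, 1 if it was refused
#######################################
start() {
  echo -n $"[ Starting $prog: ]"
  if script_ok "$fwpath/$fwname"; then
    daemon "$fwpath/$fwname"
    RETVAL=$?
  else
    failure
    RETVAL=1
  fi
  echo
  [ "$RETVAL" -eq 0 ] && touch /var/lock/subsys/firewall
  return "$RETVAL"
}

#######################################
# Flush all rules and reset the built-in chains to the stop policy.
# Previously the status line always reported success because RETVAL was
# taken from the success/failure call, not from the flush or policy step.
# Globals:   prog, fwstoppolicy (read); RETVAL (written)
# Returns:   0 when flushing and the policy reset succeeded, 1 otherwise
#######################################
stop() {
  local rv=0
  echo $"[ Shutting down $prog: ]"
  flush_n_delete || rv=1
  # With the default ACCEPT policy the host is unfiltered from here on.
  set_policy "$fwstoppolicy" || rv=1
  echo -n $"[ Shutting down $prog: ]"
  if [ "$rv" -eq 0 ]; then
    success $"Resetting built-in chains to the default policy"
  else
    failure $"Resetting built-in chains to the default policy"
  fi
  RETVAL=$rv
  echo
  [ "$RETVAL" -eq 0 ] && rm -f /var/lock/subsys/firewall
  return "$RETVAL"
}

#######################################
# Load the optional custom rule script.
# Globals:   prog, fwpath, fwcustom (read); RETVAL (written)
# Returns:   0 when no custom script is installed, otherwise the exit status
#            of the script or 1 if it was refused
#######################################
custom() {
  local script="$fwpath/$fwcustom"
  # The custom script is an optional addition; a missing file is not an error.
  [ -e "$script" ] || return 0
  echo -n $"[ Starting custom rules $prog: ]"
  if script_ok "$script"; then
    daemon "$script"
    RETVAL=$?
  else
    failure
    RETVAL=1
  fi
  echo
  [ "$RETVAL" -eq 0 ] && touch /var/lock/subsys/firewall
  return "$RETVAL"
}

# Main, See how we were called.
# The custom script only runs when the main script loaded; condrestart now
# behaves like restart instead of skipping the custom rules.
case "$1" in
  start)
    start && custom
    RETVAL=$?
    ;;
  stop)
    stop
    ;;
  restart|reload)
    stop
    start && custom
    RETVAL=$?
    ;;
  condrestart)
    if [ -f /var/lock/subsys/firewall ]; then
      stop
      start && custom
      RETVAL=$?
    fi
    ;;
  status)
    # -n: no reverse DNS lookups, which otherwise stall status on a slow resolver.
    $IPTABLES -L -n
    RETVAL=$?
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|condrestart|status}"
    exit 1
    ;;
esac
exit $RETVAL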