mirror of
https://github.com/fwbuilder/fwbuilder
synced 2025-10-16 15:38:43 +02:00
630 lines
17 KiB
Bash
Executable File
630 lines
17 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# This is automatically generated file. DO NOT MODIFY !
|
|
#
|
|
# Firewall Builder fwb_ipt v4.2.0.3483
|
|
#
|
|
# Generated Sun Feb 20 20:08:47 2011 PST by vadim
|
|
#
|
|
# files: * test_fw.fw /etc/test_fw.fw
|
|
#
|
|
# Compiled for iptables (any version)
|
|
#
|
|
# This firewall has three interfaces. Eth0 faces outside and has a static routable address; eth1 faces inside; eth2 is connected to DMZ subnet.
|
|
# Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0, DMZ is 192.168.2.0/255.255.255.0. Since DMZ used private IP address, it needs NAT. There is a mail relay host located on DMZ (object 'server on dmz'). Policy rules permit SMTP connections to it from the Internet and allow this server to connect to a host on internal network 'internal server'. All other access from DMZ to internal net is denied. To provide access to the mail relay its private address is mapped to firewall's outside interface address by NAT rule #1.
|
|
|
|
|
|
|
|
|
|
FWBDEBUG=""
|
|
|
|
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
|
|
export PATH
|
|
|
|
|
|
|
|
LSMOD="/sbin/lsmod"
|
|
MODPROBE="/sbin/modprobe"
|
|
IPTABLES="/sbin/iptables"
|
|
IP6TABLES="/sbin/ip6tables"
|
|
IPTABLES_RESTORE="/sbin/iptables-restore"
|
|
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
|
|
IP="/sbin/ip"
|
|
IFCONFIG="/sbin/ifconfig"
|
|
VCONFIG="/sbin/vconfig"
|
|
BRCTL="/sbin/brctl"
|
|
IFENSLAVE="/sbin/ifenslave"
|
|
IPSET="/usr/sbin/ipset"
|
|
LOGGER="/usr/bin/logger"
|
|
|
|
log() {
|
|
echo "$1"
|
|
command -v "$LOGGER" &>/dev/null && $LOGGER -p info "$1"
|
|
}
|
|
|
|
getInterfaceVarName() {
|
|
echo $1 | sed 's/\./_/'
|
|
}
|
|
|
|
getaddr_internal() {
|
|
dev=$1
|
|
name=$2
|
|
af=$3
|
|
L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
|
|
test -z "$L" && {
|
|
eval "$name=''"
|
|
return
|
|
}
|
|
eval "${name}_list=\"$L\""
|
|
}
|
|
|
|
getaddr() {
|
|
getaddr_internal $1 $2 "-4"
|
|
}
|
|
|
|
getaddr6() {
|
|
getaddr_internal $1 $2 "-6"
|
|
}
|
|
|
|
# function getinterfaces is used to process wildcard interfaces
|
|
getinterfaces() {
|
|
NAME=$1
|
|
$IP link show | grep ": $NAME" | while read L; do
|
|
OIFS=$IFS
|
|
IFS=" :"
|
|
set $L
|
|
IFS=$OIFS
|
|
echo $2
|
|
done
|
|
}
|
|
|
|
diff_intf() {
|
|
func=$1
|
|
list1=$2
|
|
list2=$3
|
|
cmd=$4
|
|
for intf in $list1
|
|
do
|
|
echo $list2 | grep -q $intf || {
|
|
# $vlan is absent in list 2
|
|
$func $intf $cmd
|
|
}
|
|
done
|
|
}
|
|
|
|
find_program() {
|
|
PGM=$1
|
|
command -v $PGM &>/dev/null || {
|
|
echo "$PGM not found"
|
|
exit 1
|
|
}
|
|
}
|
|
check_tools() {
|
|
find_program $IPTABLES
|
|
find_program $MODPROBE
|
|
find_program $IP
|
|
}
|
|
reset_iptables_v4() {
|
|
$IPTABLES -P OUTPUT DROP
|
|
$IPTABLES -P INPUT DROP
|
|
$IPTABLES -P FORWARD DROP
|
|
|
|
cat /proc/net/ip_tables_names | while read table; do
|
|
$IPTABLES -t $table -L -n | while read c chain rest; do
|
|
if test "X$c" = "XChain" ; then
|
|
$IPTABLES -t $table -F $chain
|
|
fi
|
|
done
|
|
$IPTABLES -t $table -X
|
|
done
|
|
}
|
|
|
|
reset_iptables_v6() {
|
|
$IP6TABLES -P OUTPUT DROP
|
|
$IP6TABLES -P INPUT DROP
|
|
$IP6TABLES -P FORWARD DROP
|
|
|
|
cat /proc/net/ip6_tables_names | while read table; do
|
|
$IP6TABLES -t $table -L -n | while read c chain rest; do
|
|
if test "X$c" = "XChain" ; then
|
|
$IP6TABLES -t $table -F $chain
|
|
fi
|
|
done
|
|
$IP6TABLES -t $table -X
|
|
done
|
|
}
|
|
|
|
|
|
P2P_INTERFACE_WARNING=""
|
|
|
|
missing_address() {
|
|
address=$1
|
|
cmd=$2
|
|
|
|
oldIFS=$IFS
|
|
IFS="@"
|
|
set $address
|
|
addr=$1
|
|
interface=$2
|
|
IFS=$oldIFS
|
|
|
|
|
|
|
|
$IP addr show dev $interface | grep -q POINTOPOINT && {
|
|
test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
|
|
P2P_INTERFACE_WARNING="yes"
|
|
return
|
|
}
|
|
|
|
test "$cmd" = "add" && {
|
|
echo "# Adding ip address: $interface $addr"
|
|
echo $addr | grep -q ':' && {
|
|
$FWBDEBUG $IP addr $cmd $addr dev $interface
|
|
} || {
|
|
$FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
|
|
}
|
|
}
|
|
|
|
test "$cmd" = "del" && {
|
|
echo "# Removing ip address: $interface $addr"
|
|
$FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
|
|
}
|
|
|
|
$FWBDEBUG $IP link set $interface up
|
|
}
|
|
|
|
list_addresses_by_scope() {
|
|
interface=$1
|
|
scope=$2
|
|
ignore_list=$3
|
|
$IP addr ls dev $interface | \
|
|
awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
|
|
'BEGIN {
|
|
split(IGNORED,ignored_arr);
|
|
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
|
|
}
|
|
(/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
|
|
while read addr; do
|
|
echo "${addr}@$interface"
|
|
done | sort
|
|
}
|
|
|
|
|
|
update_addresses_of_interface() {
|
|
ignore_list=$2
|
|
set $1
|
|
interface=$1
|
|
shift
|
|
|
|
FWB_ADDRS=$(
|
|
for addr in $*; do
|
|
echo "${addr}@$interface"
|
|
done | sort
|
|
)
|
|
|
|
CURRENT_ADDRS_ALL_SCOPES=""
|
|
CURRENT_ADDRS_GLOBAL_SCOPE=""
|
|
|
|
$IP link show dev $interface >/dev/null 2>&1 && {
|
|
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
|
|
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
|
|
} || {
|
|
echo "# Interface $interface does not exist"
|
|
# Stop the script if we are not in test mode
|
|
test -z "$FWBDEBUG" && exit 1
|
|
}
|
|
|
|
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
|
|
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
|
|
}
|
|
|
|
clear_addresses_except_known_interfaces() {
|
|
$IP link show | sed 's/://g' | awk -v IGNORED="$*" \
|
|
'BEGIN {
|
|
split(IGNORED,ignored_arr);
|
|
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
|
|
}
|
|
(/state/ && !($2 in ignored_dict)) {print $2;}' | \
|
|
while read intf; do
|
|
echo "# Removing addresses not configured in fwbuilder from interface $intf"
|
|
$FWBDEBUG $IP addr flush dev $intf scope global
|
|
$FWBDEBUG $IP link set $intf down
|
|
done
|
|
}
|
|
|
|
check_file() {
|
|
test -r "$2" || {
|
|
echo "Can not find file $2 referenced by address table object $1"
|
|
exit 1
|
|
}
|
|
}
|
|
|
|
check_run_time_address_table_files() {
|
|
:
|
|
|
|
}
|
|
|
|
load_modules() {
|
|
:
|
|
OPTS=$1
|
|
MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
|
|
MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
|
|
echo $OPTS | grep -q nat && {
|
|
MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
|
|
}
|
|
echo $OPTS | grep -q ipv6 && {
|
|
MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
|
|
}
|
|
for module in $MODULES; do
|
|
if $LSMOD | grep ${module} >/dev/null; then continue; fi
|
|
$MODPROBE ${module} || exit 1
|
|
done
|
|
}
|
|
|
|
verify_interfaces() {
|
|
:
|
|
echo "Verifying interfaces: eth0 eth1 lo eth2"
|
|
for i in eth0 eth1 lo eth2 ; do
|
|
$IP link show "$i" > /dev/null 2>&1 || {
|
|
log "Interface $i does not exist"
|
|
exit 1
|
|
}
|
|
done
|
|
}
|
|
|
|
prolog_commands() {
|
|
echo "Running prolog script"
|
|
|
|
}
|
|
|
|
epilog_commands() {
|
|
echo "Running epilog script"
|
|
|
|
}
|
|
|
|
run_epilog_and_exit() {
|
|
epilog_commands
|
|
exit $1
|
|
}
|
|
|
|
configure_interfaces() {
|
|
:
|
|
# Configure interfaces
|
|
update_addresses_of_interface "eth0 192.0.2.1/24" ""
|
|
update_addresses_of_interface "eth1 fe80::20c:29ff:fed2:cca1/64 192.168.1.1/24" ""
|
|
update_addresses_of_interface "lo 127.0.0.1/8" ""
|
|
update_addresses_of_interface "eth2 192.168.2.1/24" ""
|
|
}
|
|
|
|
script_body() {
|
|
# ================ IPv4
|
|
|
|
|
|
# ================ Table 'filter', automatic rules
|
|
# accept established sessions
|
|
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
|
|
# ================ Table 'nat', rule set NAT
|
|
#
|
|
# Rule 0 (NAT)
|
|
#
|
|
echo "Rule 0 (NAT)"
|
|
#
|
|
# no need to translate
|
|
# between DMZ and
|
|
# internal net
|
|
$IPTABLES -t nat -A POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
|
|
$IPTABLES -t nat -A PREROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
|
|
#
|
|
# Rule 1 (NAT)
|
|
#
|
|
echo "Rule 1 (NAT)"
|
|
#
|
|
# Translate source address
|
|
# for outgoing connections
|
|
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 192.0.2.1
|
|
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -j SNAT --to-source 192.0.2.1
|
|
#
|
|
# Rule 2 (NAT)
|
|
#
|
|
echo "Rule 2 (NAT)"
|
|
#
|
|
$IPTABLES -t nat -A PREROUTING -d 192.0.2.1 -j DNAT --to-destination 192.168.2.10
|
|
|
|
|
|
|
|
# ================ Table 'filter', rule set Policy
|
|
#
|
|
# Rule 0 (eth0)
|
|
#
|
|
echo "Rule 0 (eth0)"
|
|
#
|
|
# anti spoofing rule
|
|
$IPTABLES -N In_RULE_0
|
|
$IPTABLES -A INPUT -i eth0 -s 192.0.2.1 -m state --state NEW -j In_RULE_0
|
|
$IPTABLES -A INPUT -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_0
|
|
$IPTABLES -A INPUT -i eth0 -s 192.168.2.1 -m state --state NEW -j In_RULE_0
|
|
$IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0
|
|
$IPTABLES -A INPUT -i eth0 -s 192.168.2.0/24 -m state --state NEW -j In_RULE_0
|
|
$IPTABLES -A FORWARD -i eth0 -s 192.0.2.1 -m state --state NEW -j In_RULE_0
|
|
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.1 -m state --state NEW -j In_RULE_0
|
|
$IPTABLES -A FORWARD -i eth0 -s 192.168.2.1 -m state --state NEW -j In_RULE_0
|
|
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0
|
|
$IPTABLES -A FORWARD -i eth0 -s 192.168.2.0/24 -m state --state NEW -j In_RULE_0
|
|
$IPTABLES -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY "
|
|
$IPTABLES -A In_RULE_0 -j DROP
|
|
#
|
|
# Rule 1 (lo)
|
|
#
|
|
echo "Rule 1 (lo)"
|
|
#
|
|
$IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
|
|
$IPTABLES -A OUTPUT -o lo -m state --state NEW -j ACCEPT
|
|
#
|
|
# Rule 2 (global)
|
|
#
|
|
echo "Rule 2 (global)"
|
|
#
|
|
# SSH Access to firewall is permitted
|
|
# only from internal network
|
|
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT
|
|
#
|
|
# Rule 3 (global)
|
|
#
|
|
echo "Rule 3 (global)"
|
|
#
|
|
# Firewall uses one of the machines
|
|
# on internal network for DNS
|
|
$IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT
|
|
$IPTABLES -A OUTPUT -p udp -m udp -d 192.168.1.10 --dport 53 -m state --state NEW -j ACCEPT
|
|
#
|
|
# Rule 4 (global)
|
|
#
|
|
echo "Rule 4 (global)"
|
|
#
|
|
# All other attempts to connect to
|
|
# the firewall are denied and logged
|
|
$IPTABLES -N RULE_4
|
|
$IPTABLES -A OUTPUT -d 192.0.2.1 -m state --state NEW -j RULE_4
|
|
$IPTABLES -A OUTPUT -d 192.168.1.1 -m state --state NEW -j RULE_4
|
|
$IPTABLES -A OUTPUT -d 192.168.2.1 -m state --state NEW -j RULE_4
|
|
$IPTABLES -A INPUT -m state --state NEW -j RULE_4
|
|
$IPTABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- DENY "
|
|
$IPTABLES -A RULE_4 -j DROP
|
|
#
|
|
# Rule 5 (global)
|
|
#
|
|
echo "Rule 5 (global)"
|
|
#
|
|
# Quickly reject attempts to connect
|
|
# to ident server to avoid SMTP delays
|
|
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 113 -j REJECT
|
|
$IPTABLES -A INPUT -p tcp -m tcp --dport 113 -j REJECT
|
|
$IPTABLES -A FORWARD -p tcp -m tcp --dport 113 -j REJECT
|
|
#
|
|
# Rule 6 (global)
|
|
#
|
|
echo "Rule 6 (global)"
|
|
#
|
|
# Mail relay on DMZ can accept
|
|
# connections from hosts on the
|
|
# Internet
|
|
$IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.2.10 --dport 25 -m state --state NEW -j ACCEPT
|
|
$IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.2.10 --dport 25 -m state --state NEW -j ACCEPT
|
|
#
|
|
# Rule 7 (global)
|
|
#
|
|
echo "Rule 7 (global)"
|
|
#
|
|
# this rule permits a mail relay
|
|
# located on DMZ to connect
|
|
# to internal mail server
|
|
$IPTABLES -A FORWARD -p tcp -m tcp -s 192.168.2.10 -d 192.168.1.10 --dport 25 -m state --state NEW -j ACCEPT
|
|
#
|
|
# Rule 8 (global)
|
|
#
|
|
echo "Rule 8 (global)"
|
|
#
|
|
# Mail relay needs DNS and can
|
|
# connect to mail servers on the
|
|
# Internet
|
|
$IPTABLES -A INPUT -p tcp -m tcp -m multiport -s 192.168.2.10 -d ! 192.168.1.0/24 --dports 53,25 -m state --state NEW -j ACCEPT
|
|
$IPTABLES -A INPUT -p udp -m udp -s 192.168.2.10 -d ! 192.168.1.0/24 --dport 53 -m state --state NEW -j ACCEPT
|
|
$IPTABLES -A FORWARD -p tcp -m tcp -m multiport -s 192.168.2.10 -d ! 192.168.1.0/24 --dports 53,25 -m state --state NEW -j ACCEPT
|
|
$IPTABLES -A FORWARD -p udp -m udp -s 192.168.2.10 -d ! 192.168.1.0/24 --dport 53 -m state --state NEW -j ACCEPT
|
|
#
|
|
# Rule 9 (global)
|
|
#
|
|
echo "Rule 9 (global)"
|
|
#
|
|
# All other access from DMZ to
|
|
# internal net is denied
|
|
$IPTABLES -N RULE_9
|
|
$IPTABLES -A OUTPUT -s 192.168.2.0/24 -d 192.168.1.0/24 -j RULE_9
|
|
$IPTABLES -A INPUT -s 192.168.2.0/24 -d 192.168.1.0/24 -j RULE_9
|
|
$IPTABLES -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j RULE_9
|
|
$IPTABLES -A RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- DENY "
|
|
$IPTABLES -A RULE_9 -j DROP
|
|
#
|
|
# Rule 10 (global)
|
|
#
|
|
echo "Rule 10 (global)"
|
|
#
|
|
# This permits access from internal net
|
|
# to the Internet and DMZ
|
|
$IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
|
|
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
|
|
$IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
|
|
#
|
|
# Rule 11 (global)
|
|
#
|
|
echo "Rule 11 (global)"
|
|
#
|
|
$IPTABLES -N RULE_11
|
|
$IPTABLES -A OUTPUT -j RULE_11
|
|
$IPTABLES -A INPUT -j RULE_11
|
|
$IPTABLES -A FORWARD -j RULE_11
|
|
$IPTABLES -A RULE_11 -j LOG --log-level info --log-prefix "RULE 11 -- DENY "
|
|
$IPTABLES -A RULE_11 -j DROP
|
|
|
|
|
|
# ================ IPv6
|
|
|
|
|
|
# ================ Table 'filter', automatic rules
|
|
# accept established sessions
|
|
$IP6TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
$IP6TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# ================ Table 'filter', rule set Policy_OSPF
|
|
#
|
|
# Rule Policy_OSPF 0 (eth1)
|
|
#
|
|
echo "Rule Policy_OSPF 0 (eth1)"
|
|
#
|
|
$IP6TABLES -N Policy_OSPF
|
|
$IP6TABLES -A Policy_OSPF -i eth1 -s fe80::/10 -d ff00::/8 -j ACCEPT
|
|
$IP6TABLES -A Policy_OSPF -i eth1 -s fe80::/10 -d fe80::/10 -j ACCEPT
|
|
$IP6TABLES -A Policy_OSPF -o eth1 -s fe80::/10 -d ff00::/8 -j ACCEPT
|
|
$IP6TABLES -A Policy_OSPF -o eth1 -s fe80::/10 -d fe80::/10 -j ACCEPT
|
|
# ================ Table 'filter', rule set Policy_v6
|
|
#
|
|
# Rule Policy_v6 0 (eth1)
|
|
#
|
|
echo "Rule Policy_v6 0 (eth1)"
|
|
#
|
|
$IP6TABLES -A OUTPUT -o eth1 -s fe80::/10 -d ff00::/8 -j ACCEPT
|
|
#
|
|
# Rule Policy_v6 1 (global)
|
|
#
|
|
echo "Rule Policy_v6 1 (global)"
|
|
#
|
|
$IP6TABLES -A OUTPUT -p 89 -j Policy_OSPF
|
|
$IP6TABLES -A INPUT -p 89 -j Policy_OSPF
|
|
$IP6TABLES -A FORWARD -p 89 -j Policy_OSPF
|
|
}
|
|
|
|
ip_forward() {
|
|
:
|
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
}
|
|
|
|
reset_all() {
|
|
:
|
|
reset_iptables_v4
|
|
reset_iptables_v6
|
|
}
|
|
|
|
block_action() {
|
|
reset_all
|
|
}
|
|
|
|
stop_action() {
|
|
reset_all
|
|
$IPTABLES -P OUTPUT ACCEPT
|
|
$IPTABLES -P INPUT ACCEPT
|
|
$IPTABLES -P FORWARD ACCEPT
|
|
$IP6TABLES -P OUTPUT ACCEPT
|
|
$IP6TABLES -P INPUT ACCEPT
|
|
$IP6TABLES -P FORWARD ACCEPT
|
|
}
|
|
|
|
check_iptables() {
|
|
IP_TABLES="$1"
|
|
[ ! -e $IP_TABLES ] && return 151
|
|
NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
|
|
[ -z "$NF_TABLES" ] && return 152
|
|
return 0
|
|
}
|
|
status_action() {
|
|
check_iptables "/proc/net/ip_tables_names"
|
|
ret_ipv4=$?
|
|
check_iptables "/proc/net/ip6_tables_names"
|
|
ret_ipv6=$?
|
|
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
|
|
[ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
|
|
echo "iptables modules are not loaded"
|
|
}
|
|
[ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
|
|
echo "Firewall is not configured"
|
|
}
|
|
exit 3
|
|
}
|
|
|
|
# See how we were called.
|
|
# For backwards compatibility missing argument is equivalent to 'start'
|
|
|
|
cmd=$1
|
|
test -z "$cmd" && {
|
|
cmd="start"
|
|
}
|
|
|
|
case "$cmd" in
|
|
start)
|
|
log "Activating firewall script generated Sun Feb 20 20:08:47 2011 by vadim"
|
|
check_tools
|
|
prolog_commands
|
|
check_run_time_address_table_files
|
|
|
|
load_modules "nat ipv6"
|
|
configure_interfaces
|
|
verify_interfaces
|
|
|
|
reset_all
|
|
|
|
script_body
|
|
ip_forward
|
|
epilog_commands
|
|
RETVAL=$?
|
|
;;
|
|
|
|
stop)
|
|
stop_action
|
|
RETVAL=$?
|
|
;;
|
|
|
|
status)
|
|
status_action
|
|
RETVAL=$?
|
|
;;
|
|
|
|
block)
|
|
block_action
|
|
RETVAL=$?
|
|
;;
|
|
|
|
reload)
|
|
$0 stop
|
|
$0 start
|
|
RETVAL=$?
|
|
;;
|
|
|
|
interfaces)
|
|
configure_interfaces
|
|
RETVAL=$?
|
|
;;
|
|
|
|
test_interfaces)
|
|
FWBDEBUG="echo"
|
|
configure_interfaces
|
|
RETVAL=$?
|
|
;;
|
|
|
|
|
|
|
|
*)
|
|
echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
|
|
;;
|
|
|
|
esac
|
|
|
|
exit $RETVAL |