#!/bin/bash
. /lib/lsb/init-functions
# Service name; only used to build the usage line at the bottom of this file.
NAME='eofirewall'
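#######################################
# Log a failure message and terminate the script with status 1.
# Nothing is cleaned up here: a caller that already changed the rule set is
# responsible for that (compare critical_return, which calls clean first).
# Arguments: $* - message text
# Outputs:   the message via log_failure_msg (lsb init-functions)
# Returns:   never; exits 1
#######################################
abort()
{
  # "$*" joins the arguments with single spaces; the old "$@" in an
  # assignment did the same but leaked a global named "message".
  local message="$*"
  log_failure_msg "$message"
  exit 1
}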
#######################################
# Test whether an iptables chain exists.
# Globals:   IPTABLES (read) - the iptables command
# Arguments: $1 - chain name
#            $2 - optional table (iptables itself defaults to filter)
# Outputs:   nothing; iptables' output is discarded
# Returns:   the status of "iptables --list", i.e. 0 when the chain exists
#######################################
chain_exists()
{
  local chain_name=$1
  shift
  local -a table_opt=()
  [[ $# -eq 1 ]] && table_opt=(--table "$1")
  # $IPTABLES is deliberately left unquoted, as everywhere in this script, so
  # a value that carries options still splits into separate words.
  $IPTABLES "${table_opt[@]}" -n --list "$chain_name" >/dev/null 2>&1
}
# The configuration file is sourced, i.e. executed as shell code with this
# script's privileges (root, given the iptables and /proc/sys writes below),
# so only root-controlled content belongs in it.  Without it there is
# nothing to configure and the script ends successfully.
if [[ -f /etc/firewall/firewall.conf ]]; then
  . /etc/firewall/firewall.conf
else
  log_warning_msg "No configuration file /etc/firewall/firewall.conf"
  exit 0
fi
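#######################################
# Reset the filter, nat and mangle tables to an empty, fully open state:
# every rule removed, every user chain deleted, every builtin policy ACCEPT.
# This is the "firewall off" state; nothing is filtered afterwards.
# The old version forgot the mangle OUTPUT and POSTROUTING policies.
# Globals:   IPTABLES (read) - iptables command, expanded unquoted on purpose
#            so a value carrying options still splits into words
# Arguments: none
# Returns:   status of the last iptables call
#######################################
flush()
{
  local table chain chains
  for table in filter nat mangle; do
    # Builtin chains whose policy is reset; nat INPUT is left out because it
    # does not exist on older kernels and the old code never touched it.
    case "$table" in
      filter) chains="INPUT FORWARD OUTPUT" ;;
      nat)    chains="PREROUTING OUTPUT POSTROUTING" ;;
      mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
    esac
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
    for chain in $chains; do
      $IPTABLES -t "$table" -P "$chain" ACCEPT
    done
  done
}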
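#######################################
# Remove everything this script installed and leave the host unfiltered:
# filter policies back to ACCEPT, nat and mangle emptied, the EO-* jumps
# detached from INPUT/OUTPUT/FORWARD and every EO-* user chain flushed and
# deleted.  critical_return() falls back to this on error, so an error
# during start() results in an open firewall rather than a half-built one.
# Globals:   IPTABLES (read), expanded unquoted so a value with options splits
# Arguments: none
# Returns:   status of the last iptables call
#######################################
clean()
{
  local chain
  local -a eo_chains=()

  $IPTABLES -t filter -P INPUT ACCEPT
  $IPTABLES -t filter -P FORWARD ACCEPT
  $IPTABLES -t filter -P OUTPUT ACCEPT
  $IPTABLES -t nat -F
  $IPTABLES -t nat -X
  $IPTABLES -t mangle -F
  $IPTABLES -t mangle -X

  # The jumps from the builtin chains must go before -X below, which refuses
  # to delete a chain that is still referenced.  EO-INPUT existing is taken
  # as the sign that a previous start() installed the whole set; if one of
  # the jumps is absent its -D just reports an error and the rest continue.
  if chain_exists EO-INPUT; then
    $IPTABLES -D INPUT -j EO-INPUT
    $IPTABLES -D OUTPUT -j EO-OUTPUT
    $IPTABLES -D FORWARD -j EO-FORWARD
    $IPTABLES -D INPUT -j EO-LOGDROP
    $IPTABLES -D OUTPUT -j EO-LOGDROP
    $IPTABLES -D FORWARD -j EO-LOGDROP
  fi

  # Collect the names first, flush them all, and only then delete: EO-INPUT
  # jumps to the EO-TOC* knocking chains, so flushing and deleting chain by
  # chain (as the old code did) failed whenever a still-unflushed chain
  # referenced the one being deleted.
  while IFS= read -r chain; do
    [[ -n "$chain" ]] && eo_chains+=("$chain")
  done < <($IPTABLES --list -n | awk '/^Chain EO/ { print $2 }')
  for chain in "${eo_chains[@]}"; do
    $IPTABLES -F "$chain"
  done
  for chain in "${eo_chains[@]}"; do
    $IPTABLES -X "$chain"
  done
}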
#######################################
# Prepare an empty rule set: tear down the previous one, validate the
# configuration, create the EO-* chains and switch the builtin filter
# policies to DROP.  Between clean() and the final -P DROP everything is
# accepted, and test_config() aborting leaves the host in that open state.
# Globals:   IPTABLES (read)
# Arguments: none
# Outputs:   one log line
# Returns:   status of the last iptables call; may exit 1 via test_config
#######################################
init()
{
  local chain

  clean
  test_config
  modprobe ip_conntrack

  # Per-direction user chains that start() fills, plus the rate-limited
  # log-and-drop tail it attaches last.
  for chain in EO-INPUT EO-OUTPUT EO-FORWARD EO-LOGDROP; do
    $IPTABLES -N "$chain"
  done

  # default policies
  log_action_msg "DROP Input, Forward and Output by default"
  for chain in INPUT FORWARD OUTPUT; do
    $IPTABLES -P "$chain" DROP
  done
}
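#######################################
# Minimal sanity check of the configuration: the WAN interface and the WAN
# address must be set, since both are interpolated into every WAN rule.
# Globals:   WAN_INT, IP (read)
# Arguments: none
# Returns:   0 when both are non-empty; otherwise exits 1 via abort
#######################################
test_config()
{
  # FIXME: test if the interface and the ip exist
  # [[ -z ]] replaces the old "[ ! "$x" -o ! "$y" ]", whose -o is deprecated
  # and which misparses values that look like test operators.
  if [[ -z "$WAN_INT" || -z "$IP" ]]; then
    abort "Bad configuration please check /etc/firewall/firewall.conf"
  fi
}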
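#######################################
# Abort the whole run if the command executed just before the call failed.
# Must be the very next statement after the command it guards, because it
# inspects $? on entry.  On failure the rule set is torn down with clean(),
# i.e. the host is left unfiltered rather than half-configured.
# Globals:   none
# Arguments: none
# Outputs:   a failure message via log_failure_msg on error
# Returns:   0 when the previous command succeeded; exits 1 otherwise
#######################################
critical_return()
{
  # Capture the caller's status first; the old "[ `echo $?` != 0 ]" only
  # worked because the subshell happened to inherit it.
  local rc=$?
  if [[ $rc -ne 0 ]]; then
    log_failure_msg "Error on the last command firewall will be stop"
    clean
    exit 1
  fi
}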
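#######################################
# Forward a port of the WAN address to an internal host (DNAT).
# Globals:   IPTABLES, WAN_INT, LAN_INT, IP (read)
# Arguments: $1 - allowed source (address or network, iptables -s syntax)
#            $2 - port on the WAN address ($IP) to forward
#            $3 - internal target as host:port
#            $4 - protocol (tcp/udp)
# Outputs:   a warning for bad arguments, one log line per forward
# Returns:   status of the last command (iptables failures are not checked)
#######################################
forward_port()
{
  if [[ $# -ne 4 ]]; then
    log_warning_msg "Bad syntax for port forward : $*"
    return
  fi

  local source=$1
  local port=$2
  local destination=$3
  local proto=$4
  local dest_ip dest_port

  # The target must be host:port; the old code silently did nothing for
  # anything else, which hid typos in the TRAFFICS entries.
  if [[ "$destination" != *:* ]]; then
    log_warning_msg "Bad syntax for port forward : $*"
    return
  fi
  dest_ip=${destination%%:*}
  dest_port=${destination##*:}

  if [[ -z "$LAN_INT" ]]; then
    log_warning_msg "You must add a LAN interface (LAN_INT) for a port forward"
    return
  fi

  log_action_msg "Forward $port to $destination for protocol $proto"
  # The FORWARD rule lets the translated packets through, the nat rule
  # rewrites their destination.  Both are restricted to $source, so an
  # entry with source 0.0.0.0/0 exposes the internal service to the WAN.
  $IPTABLES -A EO-FORWARD -i "$WAN_INT" -o "$LAN_INT" -p "$proto" -s "$source" -d "$dest_ip" --dport "$dest_port" -m state --state NEW -j ACCEPT
  $IPTABLES -t nat -A PREROUTING -i "$WAN_INT" -p "$proto" -s "$source" -d "$IP" --dport "$port" -j DNAT --to-destination "$destination"
}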
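#######################################
# Accept new inbound connections on the WAN interface to a set of ports.
# Globals:   IPTABLES, WAN_INT, IP (read)
# Arguments: 3 args: $1 - source, $2 - proto, $3 - ports (comma list); to $IP
#            4 args: $1 - source, $2 - destination, $3 - proto, $4 - ports
# Outputs:   a warning for bad syntax, one log line per rule
# Returns:   status of critical_return, which exits 1 if iptables failed
#######################################
open_input_port()
{
  local source=$1
  local destination proto ports

  if [[ $# -eq 4 ]]; then
    destination=$2
    proto=$3
    ports=$4
  elif [[ $# -eq 3 ]]; then
    destination=$IP
    proto=$2
    ports=$3
  else
    log_warning_msg "Open port bad syntax : $*"
    # Without this return the old code went on to build a rule from empty
    # variables, which iptables would reject and critical_return then treats
    # as fatal: one malformed entry tore the whole firewall down.
    return
  fi

  log_action_msg "Open port(s) $ports from $source to $destination for protocol $proto"
  $IPTABLES -A EO-INPUT -i "$WAN_INT" -p "$proto" -s "$source" -d "$destination" -m multiport --dports "$ports" -m state --state NEW -j ACCEPT
  critical_return
}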
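#######################################
# Accept new outbound connections on the WAN interface to a destination.
# Globals:   IPTABLES, WAN_INT, IP (read)
# Arguments: 3 args: $1 - destination, $2 - proto, $3 - ports; from $IP
#            4 args: $1 - destination, $2 - source, $3 - proto, $4 - ports
# Outputs:   a warning for bad syntax, one log line per rule
# Returns:   status of critical_return, which exits 1 if iptables failed
#######################################
open_output_port()
{
  local destination=$1
  local source proto ports

  if [[ $# -eq 4 ]]; then
    source=$2
    proto=$3
    ports=$4
  elif [[ $# -eq 3 ]]; then
    source=$IP
    proto=$2
    ports=$3
  else
    log_warning_msg "Open output port bad syntax : $*"
    # Without this return the old code went on to build a rule from empty
    # variables, which iptables would reject and critical_return then treats
    # as fatal: one malformed entry tore the whole firewall down.
    return
  fi

  log_action_msg "Open output port(s) $ports from $source to $destination for protocol $proto"
  $IPTABLES -A EO-OUTPUT -o "$WAN_INT" -p "$proto" -s "$source" -d "$destination" -m multiport --dports "$ports" -m state --state NEW -j ACCEPT
  critical_return
}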
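#######################################
# Redirect incoming traffic on one port of an interface to another local
# port (nat PREROUTING REDIRECT).
# Globals:   IPTABLES (read)
# Arguments: $1 - interface
#            $2 - protocol
#            $3 - incoming port
#            $4 - local port to redirect to
# Outputs:   a warning for bad syntax, one log line per rule
# Returns:   status of the last command; unlike open_*_port this does not
#            go through critical_return
#######################################
port_redirection()
{
  if [[ $# -ne 4 ]]; then
    log_warning_msg "Bad syntax for port redirection : $*"
    return
  fi

  local iface=$1      # was named "if", which reads like the keyword
  local proto=$2
  local srcport=$3
  local destport=$4

  # log message: "portocol" typo fixed
  log_action_msg "Redirect $iface port $srcport to $destport for protocol $proto"
  # NOTE(review): REDIRECT in PREROUTING only rewrites the port; the packet
  # presumably still traverses EO-INPUT, so $destport would need its own
  # open_input_port entry — confirm against the live rule set.
  $IPTABLES -t nat -A PREROUTING -i "$iface" -p "$proto" --dport "$srcport" -j REDIRECT --to-port "$destport"
}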
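#######################################
# Install a port-knocking sequence guarding $ports on the WAN interface.
# Knock port N moves the client's address from "recent" list
# EO-TOC<seq><N-1> to EO-TOC<seq><N> (through a small EO-TOC<seq><N> chain
# that removes the previous entry and sets the new one); once the last list
# holds the address, a NEW connection to $ports is accepted for 15 seconds.
# Globals:   IPTABLES, WAN_INT (read)
# Arguments: $1 - ports to protect (comma list)
#            $2 - knock ports, in order (comma list)
#            $3 - sequence number, distinguishes several PORT_KNOCK entries
# Outputs:   a warning for bad syntax, one log line
# Returns:   status of the last iptables call
#######################################
port_knocking()
{
  if [[ $# -ne 3 ]]; then
    log_warning_msg "Bad syntax for port knocking : $*"
    return
  fi

  local ports=$1
  local knock_ports=$2
  local knock_number=$3
  local i=0
  local kport port stage prev_stage

  for kport in ${knock_ports//,/ }; do
    i=$((i + 1))
    # Stage names are the strings "<sequence><step>".  The previous stage is
    # built the same way instead of subtracting 1 from the concatenation,
    # which went wrong from the 10th knock port on ("110" - 1 is 109, not "19").
    stage=${knock_number}${i}
    prev_stage=${knock_number}$((i - 1))
    if [[ $i -gt 1 ]]; then
      $IPTABLES -N "EO-TOC${stage}"
      $IPTABLES -A "EO-TOC${stage}" -m recent --name "EO-TOC${prev_stage}" --remove
      $IPTABLES -A "EO-TOC${stage}" -m recent --name "EO-TOC${stage}" --set
      $IPTABLES -A EO-INPUT -i "$WAN_INT" -p tcp --dport "$kport" -m recent --rcheck --name "EO-TOC${prev_stage}" -j "EO-TOC${stage}"
    else
      $IPTABLES -A EO-INPUT -i "$WAN_INT" -p tcp --dport "$kport" -m recent --set --name "EO-TOC${stage}"
    fi
  done

  log_action_msg "Port knocking for $ports with combination $knock_ports on $WAN_INT"
  # Only this final check carries a time window; the intermediate stages
  # have no --seconds, so a partially completed sequence does not expire on
  # its own.  $stage is the last stage reached by the loop above.
  for port in ${ports//,/ }; do
    $IPTABLES -A EO-INPUT -i "$WAN_INT" -p tcp --dport "$port" -m recent --rcheck --seconds 15 --name "EO-TOC${stage}" -m state --state NEW -j ACCEPT
  done
}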
#######################################
# Build and activate the complete rule set from the configuration sourced
# at the top of the file.  Rules are appended in order, so the order of the
# statements below is the order in which packets are matched.
# Sequence: init() (tears down the old set and switches the builtin filter
# policies to DROP), the EO-* chains are filled, and only at the very end
# are they attached to INPUT/OUTPUT/FORWARD, followed by the EO-LOGDROP
# tail.  Until that attachment every packet, established flows included,
# meets the DROP policy.
# Globals:   IPTABLES, WAN_INT, LAN_INT, LAN_NETWORK, IP,
#            ALLOW_WAN_OUTPUT_EVERYWHERE, LAN, PING, FTP, NAT, OPEN_PORTS,
#            OUPUT_DESTINATIONS, PORT_KNOCK, TRAFFICS, REDIRECTIONS,
#            WHITELIST_SSH, WHITELIST, WHITELIST_OPEN_PORTS (all read; none
#            is set in this script, so they are expected from the
#            configuration file)
# Arguments: none
# Outputs:   progress via log_action_msg / log_warning_msg
# Returns:   status of the last iptables call; may exit 1 via critical_return
#######################################
start()
{
  init

  ## allow packets coming from the machine
  log_action_msg "Accept lo interface"
  $IPTABLES -A EO-INPUT -i lo -j ACCEPT
  $IPTABLES -A EO-OUTPUT -o lo -j ACCEPT

  ## stateful part: everything belonging to a known connection passes
  $IPTABLES -A EO-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A EO-OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A EO-FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # NOTE(review): an unset or empty value makes this test print an error
  # and take the false path; the same holds for $LAN, $PING, $FTP and $NAT
  # below.
  if [ $ALLOW_WAN_OUTPUT_EVERYWHERE -ne 0 ]; then
    log_action_msg "Allow WAN outgoing traffic to everywhere"
    $IPTABLES -A EO-OUTPUT -o $WAN_INT -m state --state NEW -j ACCEPT
  fi

  # Only checks the status of whatever ran last: the -A above, or the test
  # itself when that branch was skipped.
  critical_return

  if [ $LAN == 1 ]; then
    log_action_msg "Allow WAN outgoing traffic from lan"
    $IPTABLES -A EO-FORWARD -i $LAN_INT -o $WAN_INT -s $LAN_NETWORK -m state --state NEW -j ACCEPT
    log_action_msg "Allow local network"
    # Traffic between LAN_INT and LAN_NETWORK is accepted unconditionally:
    # no state, protocol or port restriction on either direction.
    $IPTABLES -A EO-OUTPUT -o $LAN_INT -s $LAN_NETWORK -j ACCEPT
    $IPTABLES -A EO-INPUT -i $LAN_INT -d $LAN_NETWORK -j ACCEPT
  fi

  ## block spoofing
  # Runtime sysctl only (not persisted across reboots); "all" is the global
  # knob, per-interface settings are left alone.
  log_action_msg "Enable rp filter"
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

  ## stop syn flood
  log_action_msg "Block Syn flood"
  echo "1" >/proc/sys/net/ipv4/tcp_syncookies
  echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog

  # "ping" is iptables' alias for icmp echo-request; replies are covered
  # by the ESTABLISHED,RELATED rules above.
  if [ $PING == 1 ]; then
    log_action_msg "PING allowed"
    $IPTABLES -A EO-INPUT -p icmp --icmp-type ping -j ACCEPT
    $IPTABLES -A EO-OUTPUT -p icmp --icmp-type ping -j ACCEPT
    $IPTABLES -A EO-FORWARD -p icmp --icmp-type ping -j ACCEPT
  fi

  # Control connection to the local FTP server on the WAN address; the
  # helper module is presumably what lets the data connection match as
  # RELATED above — not verified here.
  if [ $FTP == 1 ]; then
    log_action_msg "FTP allowed"
    modprobe ip_conntrack_ftp
    $IPTABLES -A EO-INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW -j ACCEPT
  fi

  ## Open input ports
  # $args is word-split on purpose: each array element is one
  # space-separated argument list for open_input_port (3 or 4 words).
  for args in "${OPEN_PORTS[@]}"; do
    open_input_port $args
  done

  ## Open output ports
  # NOTE: the configuration variable really is spelled OUPUT_DESTINATIONS;
  # renaming it here would break existing configuration files.
  for args in "${OUPUT_DESTINATIONS[@]}"; do
    open_output_port $args
  done

  ## Port knocking
  # $i numbers the PORT_KNOCK entries; port_knocking() derives its EO-TOC*
  # chain and recent-list names from it, so it must differ per entry.
  local i=1
  for args in "${PORT_KNOCK[@]}"; do
    port_knocking $args $i
    ((i++))
  done

  ## Port forwarding
  for args in "${TRAFFICS[@]}"; do
    forward_port $args
  done

  ## Port redirection
  for args in "${REDIRECTIONS[@]}"; do
    port_redirection $args
  done

  ## Old: Whitelist
  # Kept for compatibility; the warning is repeated once per entry.
  for arg in "${WHITELIST_SSH[@]}"; do
    log_warning_msg "WHITELIST_SSH is obsolete: this option will be removed in next version"
    open_input_port $arg tcp ssh
  done

  # Every WHITELIST address gets every WHITELIST_OPEN_PORTS entry (each a
  # "proto ports" or "destination proto ports" word list).
  for ip in "${WHITELIST[@]}"; do
    for args in "${WHITELIST_OPEN_PORTS[@]}"; do
      open_input_port $ip $args
    done
  done

  ## NAT
  # Helper modules first, then SNAT of the whole LAN to the fixed WAN
  # address $IP.
  if [ $NAT == 1 ]; then
    log_action_msg "Activate nat"
    for proto in ftp irc sip h323; do modprobe nf_nat_$proto; done
    $IPTABLES -t nat -A POSTROUTING -s $LAN_NETWORK -j SNAT --to-source $IP
  fi

  # Not defined in this file; presumably a hook the configuration file may
  # define to add site-specific rules.  When it is missing the shell only
  # prints "command not found" and carries on.
  ipt_hook

  ## Attach the populated chains; from here on the new rule set is live.
  $IPTABLES -A INPUT -j EO-INPUT
  $IPTABLES -A OUTPUT -j EO-OUTPUT
  $IPTABLES -A FORWARD -j EO-FORWARD

  ## LOG
  ## Create a EO-LOGDROP chain to log and drop packets
  # Logging is rate-limited to 1/min per protocol (a global limit, not per
  # source), then an unconditional DROP.  Anything not accepted in the EO-*
  # chains above falls through to these jumps and ends here.
  $IPTABLES -A EO-LOGDROP -p tcp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied tcp: " --log-level 4
  $IPTABLES -A EO-LOGDROP -p udp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied udp: " --log-level 4
  $IPTABLES -A EO-LOGDROP -p icmp -m limit --limit 1/min -j LOG --log-prefix "iptables: denied icmp: " --log-level 4
  $IPTABLES -A EO-LOGDROP -j DROP

  $IPTABLES -A INPUT -j EO-LOGDROP
  $IPTABLES -A OUTPUT -j EO-LOGDROP
  $IPTABLES -A FORWARD -j EO-LOGDROP
}
#######################################
# Restore the rule set previously written by the "save" action.
# Globals:   none
# Arguments: none
# Outputs:   progress via log_action_msg; a warning when no saved set exists
# Returns:   status of iptables-restore, or of the warning when nothing
#            could be loaded
#######################################
load()
{
  local saved=/etc/network/iptables-save

  log_action_msg "Loading old rules from /etc/network/iptables-save"
  log_action_msg "If you want to load new rules please use test and then start"

  if [[ ! -f "$saved" ]]; then
    log_warning_msg "No iptables rules saved please use test and save script options"
    return
  fi
  iptables-restore < "$saved"
}
#######################################
# Activate the new rule set for a 30 second trial, then fall back: the
# previously saved set is restored if one exists, otherwise everything is
# opened with clean().  Protects against locking oneself out.
# Globals:   none
# Arguments: none
# Outputs:   progress via log_action_msg / log_end_msg
# Returns:   status of the last log call; exits 1 if start() fails
#######################################
test_rules()
{
  local saved=/etc/network/iptables-save

  log_action_msg "Testing new rules"
  log_action_msg "You have 30 seconds to test your new rules"
  start || exit 1
  log_end_msg 0
  log_action_msg "... Please test your rules"

  # Grace period during which the operator checks connectivity.
  sleep 30
  log_action_msg "---- The test is finished ----"

  if [[ -f "$saved" ]]; then
    iptables-restore < "$saved"
    log_action_msg "Old rules restored"
  else
    clean
    log_action_msg "Rules cleaned"
  fi
  log_action_msg "If you are happy with this new rules please use save option"
}
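# Entry point: dispatch on the action given as first argument.  "start" and
# "test" build a new rule set from /etc/firewall/firewall.conf; the other
# actions only move rules between the kernel and /etc/network/iptables-save
# or tear them down.
case "$1" in
  load|restore)
    load || exit 1
    ;;
  test)
    test_rules || exit 1
    ;;
  start)
    log_warning_msg "WARNING: you are loading new rules you have 3 seconds to cancel (CTRL+C)"
    sleep 3
    start || exit 1
    ;;
  save)
    log_action_msg "You need to make a start before if you want to save new rules"
    log_action_msg "Saving current rules to /etc/network/iptables-save"
    # Dump into a temporary file first so a failing iptables-save cannot leave
    # a truncated set behind for the next "load"; mktemp creates it 0600,
    # which is also the sensible mode for a file only root needs to read.
    tmp=$(mktemp /etc/network/iptables-save.XXXXXX) || exit 1
    if ! iptables-save > "$tmp"; then
      rm -f -- "$tmp"
      exit 1
    fi
    mv -f -- "$tmp" /etc/network/iptables-save || exit 1
    ;;
  flush)
    flush || exit 1
    ;;
  clean)
    clean || exit 1
    ;;
  *)
    N=/usr/bin/$NAME
    # "start" is a valid action and was missing from the usage line.
    printf 'Usage: %s {start|restore|load|save|test|clean|flush}\n' "$N"
    exit 2
    ;;
esac

exit 0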