Use functions from lsb to display messages
parent
584c4b8aa6
commit
3308d21135
41
firewall
41
firewall
|
@ -10,6 +10,8 @@
|
|||
# Description: An iptables firewall
|
||||
### END INIT INFO
|
||||
|
||||
. /lib/lsb/init-functions
|
||||
|
||||
NAME="firewall"
|
||||
|
||||
abort()
|
||||
|
@ -162,7 +164,6 @@ port_knocking()
|
|||
|
||||
start()
|
||||
{
|
||||
echo "Starting: Firewall"
|
||||
test_config
|
||||
modprobe ip_conntrack
|
||||
clean
|
||||
|
@ -176,33 +177,33 @@ start()
|
|||
$IPTABLES -A INPUT -i lo -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
echo "+ Allow WAN outgoing traffic"
|
||||
log_progress_msg "Allow WAN outgoing traffic"
|
||||
$IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
|
||||
critical_return
|
||||
|
||||
if [ $LAN == 1 ]; then
|
||||
echo "+ Allow WAN outgoing traffic from lan"
|
||||
log_progress_msg "Allow WAN outgoing traffic from lan"
|
||||
$IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
echo "+ Allow local network"
|
||||
log_progress_msg "Allow local network"
|
||||
$IPTABLES -A OUTPUT -o $LAN_INT -p all -j ACCEPT
|
||||
$IPTABLES -A INPUT -i $LAN_INT -p all -j ACCEPT
|
||||
for ALLOW_INT in $ALLOW_INTS; do
|
||||
echo "+ Allow WAN outgoing traffic for interface $ALLOW_INT"
|
||||
log_progress_msg "Allow WAN outgoing traffic for interface $ALLOW_INT"
|
||||
$IPTABLES -A FORWARD -i $ALLOW_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
|
||||
$IPTABLES -A FORWARD -i $WAN_INT -o $ALLOW_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
echo "+ Allow local network"
|
||||
log_progress_msg "+ Allow local network"
|
||||
$IPTABLES -A OUTPUT -o $ALLOW_INT -p all -j ACCEPT
|
||||
$IPTABLES -A INPUT -i $ALLOW_INT -p all -j ACCEPT
|
||||
done
|
||||
fi
|
||||
|
||||
## block spoofing
|
||||
echo "+ Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
|
||||
log_progress_msg "Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
|
||||
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
||||
## NMAP FIN/URG/PSH
|
||||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
|
||||
|
@ -223,19 +224,19 @@ start()
|
|||
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||
|
||||
## stop sync flood
|
||||
echo "+ Block Syn flood"
|
||||
log_progress_msg "Block Syn flood"
|
||||
echo "1" >/proc/sys/net/ipv4/tcp_syncookies
|
||||
echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
|
||||
|
||||
if [ $PING == 1 ]; then
|
||||
echo "+ PING allowed"
|
||||
log_progress_msg "PING allowed"
|
||||
iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT
|
||||
iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT
|
||||
iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT
|
||||
fi
|
||||
|
||||
if [ $FTP == 1 ]; then
|
||||
echo "+ FTP allowed"
|
||||
log_progress_msg "FTP allowed"
|
||||
modprobe ip_conntrack_ftp
|
||||
$IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
|
||||
$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
|
||||
|
@ -276,7 +277,7 @@ start()
|
|||
|
||||
## NAT
|
||||
if [ $NAT == 1 ]; then
|
||||
echo "+ Activate nat"
|
||||
log_progress_msg "Activate nat"
|
||||
for proto in ftp irc sip h323; do modprobe nf_nat_$proto; done
|
||||
$IPTABLES -t nat -A POSTROUTING -o $WAN_INT -s $LAN_NETWORK -j SNAT --to-source $IP
|
||||
fi
|
||||
|
@ -294,30 +295,35 @@ start()
|
|||
$IPTABLES -A INPUT -j LOGDROP
|
||||
$IPTABLES -A OUTPUT -j LOGDROP
|
||||
$IPTABLES -A FORWARD -j LOGDROP
|
||||
|
||||
}
|
||||
|
||||
|
||||
stop()
|
||||
{
|
||||
echo "+ Firewall stoped"
|
||||
clean
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start|restore)
|
||||
log_daemon_msg "Starting firewall"
|
||||
if [ -f /etc/network/iptables-save ]; then
|
||||
iptables-restore < /etc/network/iptables-save
|
||||
echo "Firewall: rules loaded"
|
||||
else
|
||||
abort "!! No iptables rules saved please use test and save script options"
|
||||
log_warning_msg "!! No iptables rules saved please use test and save script options"
|
||||
fi
|
||||
log_end_msg 0
|
||||
;;
|
||||
stop)
|
||||
log_daemon_msg "Stopping firewall"
|
||||
stop || exit 1
|
||||
log_end_msg 0
|
||||
;;
|
||||
test)
|
||||
echo "You have 30 seconds to test your new rules"
|
||||
log_daemon_msg "Starting new rules"
|
||||
start || exit 1
|
||||
log_end_msg 0
|
||||
echo "... Please test your rules"
|
||||
sleep 30
|
||||
echo "---- The test is finished ----"
|
||||
|
@ -331,12 +337,15 @@ case "$1" in
|
|||
echo "If you are happy with this new rules please use save option"
|
||||
;;
|
||||
save)
|
||||
log_daemon_msg "Starting and saving new rules"
|
||||
start || exit 1
|
||||
iptables-save > /etc/network/iptables-save
|
||||
log_end_msg 0
|
||||
;;
|
||||
*)
|
||||
N=/etc/init.d/$NAME
|
||||
abort "Usage: $N {start|restore|save|test|stop}" >&2
|
||||
N=/etc/init.d/$NAME
|
||||
echo "Usage: $N {start|restore|save|test|stop}"
|
||||
exit 2
|
||||
;;
|
||||
esac
|
||||
|
||||
|
|
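Review bot: In the `start|restore)` arm, swapping `abort` for `log_warning_msg` when /etc/network/iptables-save is missing lets execution fall through to `log_end_msg 0`, so a boot with no saved ruleset is reported as success and the host comes up with no firewall rules loaded (assuming `abort`, defined outside these hunks, exited non-zero, as its name and the old usage arm suggest). The same arm also never checks the `iptables-restore` exit status before `log_end_msg 0`. I would finish the else branch with `log_end_msg 1` and `exit 1` after the warning, and guard the restore with `iptables-restore < /etc/network/iptables-save || { log_end_msg 1; exit 1; }`. Minor: in the `for ALLOW_INT` loop the new `log_progress_msg "+ Allow local network"` keeps the `+ ` prefix that every other converted message drops.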