authorFrédéric Péters <fpeters@0d.be>2011-06-24 09:41:18 (GMT)
committerFrédéric Péters <fpeters@0d.be>2011-06-24 09:41:18 (GMT)
commit3308d2113599cc41c8c1a425fcdfb749765a5c7e (patch)
treed1ad5d7e4b1331820ba322964c0df4e829abcaf8
parent584c4b8aa64e86a8ea2ef11667fe83c8d661e37d (diff)
Use functions from lsb to display messages
-rwxr-xr-xfirewall41
1 files changed, 25 insertions, 16 deletions
diff --git a/firewall b/firewall
index 33d5ad0..677c4aa 100755
--- a/firewall
+++ b/firewall
@@ -10,6 +10,8 @@
# Description: An iptables firewall
### END INIT INFO
+. /lib/lsb/init-functions
+
NAME="firewall"
abort()
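Review bot: The new `. /lib/lsb/init-functions` line says nothing about what it provides or what happens when the file is absent; under bash a failed `.` of a missing file returns non-zero and the script carries on with log_daemon_msg and friends undefined, while dash treats it as fatal, and the shebang that decides which applies is outside the hunk. A one-line comment such as `# lsb-base: defines log_daemon_msg, log_progress_msg, log_warning_msg, log_end_msg` would make the dependency explicit for the next maintainer, and the package that ships this script should declare lsb-base as a dependency so the functions are present at install time.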
@@ -162,7 +164,6 @@ port_knocking()
start()
{
- echo "Starting: Firewall"
test_config
modprobe ip_conntrack
clean
@@ -176,33 +177,33 @@ start()
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
- echo "+ Allow WAN outgoing traffic"
+ log_progress_msg "Allow WAN outgoing traffic"
$IPTABLES -A OUTPUT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A INPUT -i $WAN_INT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
critical_return
if [ $LAN == 1 ]; then
- echo "+ Allow WAN outgoing traffic from lan"
+ log_progress_msg "Allow WAN outgoing traffic from lan"
$IPTABLES -A FORWARD -i $LAN_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_INT -o $LAN_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
- echo "+ Allow local network"
+ log_progress_msg "Allow local network"
$IPTABLES -A OUTPUT -o $LAN_INT -p all -j ACCEPT
$IPTABLES -A INPUT -i $LAN_INT -p all -j ACCEPT
for ALLOW_INT in $ALLOW_INTS; do
- echo "+ Allow WAN outgoing traffic for interface $ALLOW_INT"
+ log_progress_msg "Allow WAN outgoing traffic for interface $ALLOW_INT"
$IPTABLES -A FORWARD -i $ALLOW_INT -o $WAN_INT -p all -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_INT -o $ALLOW_INT -p all -m state --state RELATED,ESTABLISHED -j ACCEPT
- echo "+ Allow local network"
+ log_progress_msg "+ Allow local network"
$IPTABLES -A OUTPUT -o $ALLOW_INT -p all -j ACCEPT
$IPTABLES -A INPUT -i $ALLOW_INT -p all -j ACCEPT
done
fi
## block spoofing
- echo "+ Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
+ log_progress_msg "Block spoofing, scan port, Xmas Tree, null scanning, SYN/RST and SYN/FIN"
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
## NMAP FIN/URG/PSH
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix 'iptables: Port scan: ' --log-level 4
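Review bot: The converted message inside the ALLOW_INTS loop, `log_progress_msg "+ Allow local network"`, keeps the old `+ ` prefix that every other replacement in this hunk drops, so the progress line will read `... Allow local network + Allow local network ...` for those interfaces; it should be `log_progress_msg "Allow local network"`. Note also that log_progress_msg appends to the line opened by log_daemon_msg rather than starting a new one, so the long spoofing/scan message near the end of the hunk makes that single line very wide; a shorter phrasing such as `log_progress_msg "Block spoofing and port scans"` keeps it readable. start() begins and ends outside this hunk.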
@@ -223,19 +224,19 @@ start()
$IPTABLES -A INPUT -i $WAN_INT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## stop sync flood
- echo "+ Block Syn flood"
+ log_progress_msg "Block Syn flood"
echo "1" >/proc/sys/net/ipv4/tcp_syncookies
echo "1024" > /proc/sys/net/ipv4/tcp_max_syn_backlog
if [ $PING == 1 ]; then
- echo "+ PING allowed"
+ log_progress_msg "PING allowed"
iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type ping -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -j ACCEPT
fi
if [ $FTP == 1 ]; then
- echo "+ FTP allowed"
+ log_progress_msg "FTP allowed"
modprobe ip_conntrack_ftp
$IPTABLES -A INPUT -i $WAN_INT -d $IP -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $WAN_INT -s $IP -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
@@ -276,7 +277,7 @@ start()
## NAT
if [ $NAT == 1 ]; then
- echo "+ Activate nat"
+ log_progress_msg "Activate nat"
for proto in ftp irc sip h323; do modprobe nf_nat_$proto; done
$IPTABLES -t nat -A POSTROUTING -o $WAN_INT -s $LAN_NETWORK -j SNAT --to-source $IP
fi
@@ -294,30 +295,35 @@ start()
$IPTABLES -A INPUT -j LOGDROP
$IPTABLES -A OUTPUT -j LOGDROP
$IPTABLES -A FORWARD -j LOGDROP
+
}
stop()
{
- echo "+ Firewall stoped"
clean
}
case "$1" in
start|restore)
+ log_daemon_msg "Starting firewall"
if [ -f /etc/network/iptables-save ]; then
iptables-restore < /etc/network/iptables-save
- echo "Firewall: rules loaded"
else
- abort "!! No iptables rules saved please use test and save script options"
+ log_warning_msg "!! No iptables rules saved please use test and save script options"
fi
+ log_end_msg 0
;;
stop)
+ log_daemon_msg "Stopping firewall"
stop || exit 1
+ log_end_msg 0
;;
test)
echo "You have 30 seconds to test your new rules"
+ log_daemon_msg "Starting new rules"
start || exit 1
+ log_end_msg 0
echo "... Please test your rules"
sleep 30
echo "---- The test is finished ----"
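Review bot: In the start|restore arm the else branch now only calls log_warning_msg where it previously called abort, so when /etc/network/iptables-save is missing the script falls through to `log_end_msg 0` and exits 0 with no rules loaded; the same happens when iptables-restore itself fails, since its status is not checked before `log_end_msg 0`. Reporting success for an unloaded firewall hides a fail-open state from the init system and from the administrator reading the boot log. I would use `iptables-restore < /etc/network/iptables-save || { log_end_msg 1; exit 1; }` and, in the else branch, `log_failure_msg "!! No iptables rules saved please use test and save script options"; exit 1`. The stop arm has the same shape, `stop || exit 1` leaves the log line unclosed on failure, so `stop || { log_end_msg 1; exit 1; }` would be consistent with the start arm.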
@@ -331,12 +337,15 @@ case "$1" in
echo "If you are happy with this new rules please use save option"
;;
save)
+ log_daemon_msg "Starting and saving new rules"
start || exit 1
iptables-save > /etc/network/iptables-save
+ log_end_msg 0
;;
*)
- N=/etc/init.d/$NAME
- abort "Usage: $N {start|restore|save|test|stop}" >&2
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start|restore|save|test|stop}"
+ exit 2
;;
esac