Re: Firewall in Sarge
>> "Douglas" == Douglas G Phillips <csdgp@eiu.edu> writes:
> Adi Linden <adil@adis.on.ca> writes:
>> In Debian/Sarge, where is the appropriate place for some iptables
>> rules to deny access to some local ports?
> On my system I put a firewall script in /etc/init.d and have it
> loaded on startup. But this is on a LAN. You may want to do
> things differently for dial-up.
> -Doug
I concur and did the same.
--
#! /bin/sh
#
# skeleton Example initscript
# This file should be used to construct scripts to be
# placed in /etc/init.d.
#
# Author: Marc D Ronell <marc_ronell@highstream.net>
#
# Please remove the "Author" lines above and replace them
# with your own name if you copy and modify this script.
#
# Version: @(#)iptables.sh 2.85-23 08-Oct-2004 marc_ronell@highstream.net
#
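set -e
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="firewall"
NAME=iptables.sh
# DAEMON and PIDFILE are left over from the skeleton initscript; nothing in
# this script reads them (a netfilter ruleset has no long-running process).
DAEMON=/usr/sbin/$NAME
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
# iptables itself is resolved through the PATH set above; save/restore are
# called by absolute path.
IPTABLES=iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
# Ruleset fed to iptables-restore on "start", and the flushing ruleset fed
# to it on "stop" (both in iptables-save format).
IPTABLES_CONFIG=/etc/default/iptables-config
IPTABLES_FLUSH=/etc/default/iptables-flush
# Gracefully exit if the package has been removed. The status stays 0 so
# boot is not blocked, but say so on stderr: skipping a firewall silently
# would leave the host without the rules the administrator expects.
if ! test -r "$IPTABLES_CONFIG"; then
  echo "$NAME: $IPTABLES_CONFIG not readable, firewall not loaded" >&2
  exit 0
fi
if ! test -r "$IPTABLES_FLUSH"; then
  echo "$NAME: $IPTABLES_FLUSH not readable, firewall not loaded" >&2
  exit 0
fi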
# Read config file if it is present.
#if [ -r /etc/default/$NAME ]
#then
# . /etc/default/$NAME
#fi
#
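# Function that starts the iptables.sh/service.
# The saved ruleset is loaded first and forwarding is switched on only
# afterwards, so the kernel never forwards packets while the FORWARD chain
# still holds whatever policy and rules were in effect before.
#
d_start() {
  # iptables-restore reads the iptables-save formatted file from stdin.
  $IPTABLES_RESTORE < "$IPTABLES_CONFIG"
  echo " Enabling Forwarding.."
  echo "1" > /proc/sys/net/ipv4/ip_forward
  echo " Enabling DynamicAddr.."
  echo "1" > /proc/sys/net/ipv4/ip_dynaddr
}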
#
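# Function that stops the iptables.sh/service.
# Forwarding is disabled before the FORWARD chain is emptied, so no packet
# is routed through a chain whose rules have just been removed.
# NOTE: after "stop" the host is deliberately open: INPUT and OUTPUT get
# policy ACCEPT and all rules are flushed; only FORWARD stays DROP. Use
# "restart" rather than "stop" if the rules merely need reloading.
#
d_stop() {
  # Apply the flushing ruleset (iptables-save format) via stdin.
  $IPTABLES_RESTORE < "$IPTABLES_FLUSH"
  echo " Disabling Forwarding.."
  echo "0" > /proc/sys/net/ipv4/ip_forward
  echo " Disabling DynamicAddr.."
  echo "0" > /proc/sys/net/ipv4/ip_dynaddr
  # Reset the filter table to open defaults, then drop each chain's rules.
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -F INPUT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -F OUTPUT
  $IPTABLES -P FORWARD DROP
  $IPTABLES -F FORWARD
  # Only the nat table is flushed here; mangle and raw are not touched.
  $IPTABLES -t nat -F
}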
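# Print the current filter-table rules.
# -n keeps the listing numeric; without it iptables does reverse DNS lookups
# for every address, which can stall "status" when the rules themselves
# block DNS.
d_status() {
  $IPTABLES -n -L
}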
#
# Function that sends a SIGHUP to the iptables.sh/service.
# Placeholder only: it announces a reload but re-reads nothing, and the
# "reload" entry in the action dispatch is not wired up.
#
d_reload() {
  printf '%s\n' "Reloading firewall: $NAME"
}
# Dispatch on the requested action. The skeleton's "reload" entry is left
# unimplemented, so "force-reload" is handled exactly like "restart".
# Unknown actions print usage on stderr and exit 1.
main() {
  case "$1" in
    start)
      echo "Starting $DESC: $NAME"
      d_start
      echo "."
      ;;
    stop)
      echo "Stopping $DESC: $NAME"
      d_stop
      echo "."
      ;;
    status)
      echo "Status $DESC: $NAME"
      d_status
      echo "."
      ;;
    restart|force-reload)
      echo "Restarting $DESC: $NAME"
      d_stop
      # Brief pause between tearing the rules down and loading them again,
      # as in the original skeleton.
      sleep 1
      d_start
      echo "."
      ;;
    *)
      echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|status}" >&2
      exit 1
      ;;
  esac
}
main "$@"
exit 0