
Re: Firewall in Sarge



>> "Douglas" == Douglas G Phillips <csdgp@eiu.edu> writes:

  > Adi Linden <adil@adis.on.ca> writes:
  >> In Debian/Sarge, where is the appropriate place for some iptables
  >> rules to deny access to some local ports?

  > On my system I put a firewall script in /etc/init.d and have it
  > loaded on startup.  But this is on a LAN.  You may want to do
  > things differently for dial-up.

  > -Doug

I concur and did the same.

-- 

#! /bin/sh
#
# skeleton	Example initscript
#		This file should be used to construct scripts to be
#		placed in /etc/init.d.
#
# Author:	Marc D Ronell <marc_ronell@highstream.net>
#
#		Please remove the "Author" lines above and replace them
#		with your own name if you copy and modify this script.
#
# Version:	@(#)iptables.sh  2.85-23  08-Oct-2004 marc_ronell@highstream.net
#

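set -e

# Fixed PATH so the script does not depend on the invoking environment.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="firewall"
NAME=iptables.sh
# DAEMON and PIDFILE are skeleton leftovers: nothing below starts a daemon
# or writes a pid file.  Left in place so nothing that may reference them
# breaks.
DAEMON=/usr/sbin/$NAME
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# iptables binaries and the two saved rulesets: the live policy loaded by
# d_start, and the "flush" set d_stop restores.  IPTABLES (unlike the
# save/restore tools) is resolved through PATH above.
IPTABLES=iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
IPTABLES_CONFIG=/etc/default/iptables-config
IPTABLES_FLUSH=/etc/default/iptables-flush

# Exit with status 0 if either ruleset is unreadable (e.g. the package was
# removed) so boot is not interrupted.  NOTE: this is fail-open -- the host
# comes up with whatever policy the kernel already has (ACCEPT by default),
# so at least say so on stderr instead of disappearing silently.
if [ ! -r "$IPTABLES_CONFIG" ]; then
	echo "$NAME: $IPTABLES_CONFIG not readable, firewall NOT loaded" >&2
	exit 0
fi
if [ ! -r "$IPTABLES_FLUSH" ]; then
	echo "$NAME: $IPTABLES_FLUSH not readable, firewall NOT loaded" >&2
	exit 0
fi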

# Read config file if it is present.
#if [ -r /etc/default/$NAME ]
#then
#	. /etc/default/$NAME
#fi

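#
#	Function that starts the iptables.sh/service.
#
#	Loads the saved ruleset FIRST and only then turns forwarding on.
#	The original order enabled ip_forward before any rules were in
#	place, so for the duration of iptables-restore the box routed
#	packets under whatever FORWARD policy was already in effect (the
#	kernel default is ACCEPT).  Under "set -e" a failed restore now
#	aborts before forwarding is enabled.
#
d_start() {
    echo "   Loading ruleset from $IPTABLES_CONFIG.."
    "$IPTABLES_RESTORE" < "$IPTABLES_CONFIG"
    echo "   Enabling Forwarding.."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "   Enabling DynamicAddr.."
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
}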

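#
#	Function that stops the iptables.sh/service.
#
#	Turns forwarding off BEFORE opening the ruleset, so there is no
#	window in which the box routes packets through an open FORWARD
#	chain (the original restored the flush set while ip_forward was
#	still 1).
#
#	NOTE(review): after "stop" INPUT and OUTPUT have policy ACCEPT and
#	no rules -- the host is unfiltered until "start" runs again.  Only
#	the filter and nat tables are emptied explicitly here; what happens
#	to any other table is up to the contents of $IPTABLES_FLUSH.
#
d_stop() {
    echo "   Disabling Forwarding.."
    echo "0" > /proc/sys/net/ipv4/ip_forward
    echo "   Disabling DynamicAddr.."
    echo "0" > /proc/sys/net/ipv4/ip_dynaddr
    "$IPTABLES_RESTORE" < "$IPTABLES_FLUSH"
    # Belt and braces: set the builtin policies and empty the chains of the
    # filter and nat tables regardless of what the flush file contained.
    # FORWARD is left at DROP, presumably so that forwarding re-enabled by
    # hand still passes nothing until a ruleset is loaded.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
}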

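#
#	Show the current ruleset.  -n skips the reverse-DNS lookup that a
#	plain "iptables -L" performs for every address (slow, and it can
#	hang on a box whose firewall is exactly what is being inspected);
#	-v adds packet counters and interface names.  The nat table is
#	listed as well because d_stop manages it.
#
d_status() {
    $IPTABLES -L -n -v
    $IPTABLES -t nat -L -n -v
}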

#
#	Reload hook: only announces the reload on stdout.  The rules are
#	not re-read here.
#
d_reload() {
        printf '%s\n' "Reloading firewall:  $NAME"
}

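# Dispatch on the init action.  Unknown actions print usage and exit 1.
case "$1" in
  start)
	echo  "Starting $DESC: $NAME"
	d_start
	echo "."
	;;
  stop)
	echo  "Stopping $DESC: $NAME"
	d_stop
	echo "."
	;;
  status)
	echo  "Status $DESC: $NAME"
	d_status
	echo "."
	;;
  reload|force-reload)
	#
	#	Re-apply the saved ruleset without going through d_stop.
	#	iptables-restore by default flushes and reloads each table
	#	present in its input, so this does not pass through the open
	#	(INPUT/OUTPUT ACCEPT, no rules) state that "restart" does.
	#	Tables absent from $IPTABLES_CONFIG are left untouched.
	#	force-reload lives here, as the skeleton comment suggested,
	#	because reload is now implemented.
	#
	d_reload
	d_start
	echo "."
	;;
  restart)
	#
	#	Full stop/start.  NOTE: between d_stop and d_start the host
	#	is unfiltered (see d_stop); prefer "reload" on a live box.
	#
	echo  "Restarting $DESC: $NAME"
	d_stop
	sleep 1
	d_start
	echo "."
	;;
  *)
	echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|status}" >&2
	exit 1
	;;
esac

exit 0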



