#!/bin/sh # ### BEGIN INIT INFO # Provides: arptables_jf # Required-Start: $local_fs $network # Required-Stop: $local_fs $network # Short-Description: userspace control program for the arptables network filter # Description: The arptables_jf utility controls the arpfilter network packet filtering # code in the Linux kernel. You do not need this program for normal # network firewalling. If you need to manually control which arp # requests and/or replies this machine accepts and sends, you should # install this package. ### END INIT INFO # Startup script to implement /etc/sysconfig/arptables pre-defined rules. # # chkconfig: - 08 92 # # description: Automates a packet filtering firewall with arptables. # # by fenlason@redhat.com: based on iptables.init from the iptables package # by bero@redhat.com, based on the ipchains script: # Script Author: Joshua Jensen <joshua@redhat.com> # -- hacked up by gafton with help from notting # modified by Anton Altaparmakov <aia21@cam.ac.uk>: # modified by Nils Philippsen <nils@redhat.de> # # config: /etc/sysconfig/arptables # Source 'em up . /etc/init.d/functions ARPTABLES_CONFIG=/etc/sysconfig/arptables arp_table() { if fgrep -qsx $1 /proc/net/arp_tables_names; then arptables -t "$@" fi } start() { if [ ! -x /sbin/arptables ]; then exit 4 fi KERNELMAJ=`uname -r | sed -e 's,\..*,,'` KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'` if [ "$KERNELMAJ" -lt 2 ] ; then echo "Not supported for kernel $KERNELMAJ.$KERNELMIN" exit 1 fi if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then echo "Not supported for kernel $KERNELMAJ.$KERNELMIN" exit 1 fi # don't do squat if we don't have the config file echo -n $"Starting arptables_jf" if [ -f $ARPTABLES_CONFIG ]; then success # If we don't clear these first, we might be adding to # pre-existing rules. chains=`cat /proc/net/arp_tables_names 2>/dev/null` echo -n $"Flushing all current rules and user defined chains:" let ret=0 for i in $chains; do arptables -t $i -F; let ret+=$?; done arptables -F let ret+=$? if [ $ret -eq 0 ]; then success else failure fi echo echo -n $"Clearing all current rules and user defined chains:" let ret=0 for i in $chains; do arptables -t $i -X; let ret+=$?; done arptables -X let ret+=$? if [ $ret -eq 0 ]; then success else failure fi echo for i in $chains; do arptables -t $i -Z; done echo -n $"Applying arptables firewall rules: " grep -v "^[[:space:]]*#" $ARPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/arptables-restore -c && \ success || \ failure echo touch /var/lock/subsys/arptables else failure echo echo $"Configuration file /etc/sysconfig/arptables missing" exit 6 fi } stop() { chains=`cat /proc/net/arp_tables_names 2>/dev/null` echo -n $"Flushing all chains:" let ret=0 for i in $chains; do arptables -t $i -F; let ret+=$?; done arptables -F; let ret+=$? if [ $ret -eq 0 ]; then success else failure fi echo echo -n $"Removing user defined chains:" let ret=0 for i in $chains; do arptables -t $i -X; let ret+=$?; done arptables -X; let ret+=$? if [ $ret -eq 0 ]; then success else failure fi echo echo -n $"Resetting built-in chains to the default ACCEPT policy:" arp_table filter -P IN ACCEPT && \ arp_table filter -P OUT ACCEPT && \ success || \ failure echo rm -f /var/lock/subsys/arptables } case "$1" in start) start ;; stop) stop ;; restart|reload) # "restart" is really just "start" as this isn't a daemon, # and "start" clears any pre-defined rules anyway. # This is really only here to make those who expect it happy start ;; condrestart|try-restart|force-reload) [ -e /var/lock/subsys/arptables ] && start ;; status) tables=`cat /proc/net/arp_tables_names 2>/dev/null` for table in $tables; do echo $"Table: $table" arptables -t $table --list done ;; panic) echo -n $"Changing target policies to DROP: " arp_table filter -P IN DROP && \ arp_table filter -P OUT DROP && \ success || failure echo echo -n "Flushing all chains:" arp_table filter -F IN && \ arp_table filter -F OUT && \ success || failure echo echo -n "Removing user defined chains:" arp_table filter -X && \ success || failure echo ;; save) echo -n $"Saving current rules to $ARPTABLES_CONFIG: " touch $ARPTABLES_CONFIG chmod 600 $ARPTABLES_CONFIG /sbin/arptables-save -c > $ARPTABLES_CONFIG 2>/dev/null && \ success $"Saving current rules to $ARPTABLES_CONFIG" || \ failure $"Saving current rules to $ARPTABLES_CONFIG" echo ;; *) echo $"Usage: $0 {start|stop|restart|try-restart|force-reload|status|panic|save}" exit 2 esac exit 0