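#!/bin/sh
#
# Startup script to implement /etc/sysconfig/ipchains pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with ipchains.
#
# Script Author: Joshua Jensen <joshua@redhat.com>
#   -- hacked up by gafton with help from notting
#
# config: /etc/sysconfig/ipchains
#
# Usage: ipchains {start|stop|restart|reload|status|panic|save}
#
# Security notes for operators:
#   * "stop" fails OPEN: every chain is flushed and the built-in policies are
#     reset to ACCEPT, leaving the host unfiltered.  "panic" is the fail-CLOSED
#     counterpart (policies DENY first, then flush).
#   * "start"/"restart" flush the rule set before re-applying it from the
#     config file, so for that window traffic is governed only by the chains'
#     current default policy.
#   * The rules file is trusted input: whoever can write it controls the
#     firewall.  Keep it root-owned and not group/world writable.  "save"
#     creates it with mode 0600 because it documents the filtering policy.
#
# Exit status: 0 on success; 1 on bad usage or when the step that matters
# (applying, resetting, or saving rules) fails, so "service ipchains start"
# no longer reports success while no rules were loaded.

# Source 'em up
. /etc/init.d/functions

IPCHAINS_CONFIG=/etc/sysconfig/ipchains
RETVAL=0

# Nothing to do on a system without the ipchains userland tool.
if [ ! -x /sbin/ipchains ]; then
    exit 0
fi

# Major/minor kernel version, e.g. "2" and "4" for 2.4.x.  The sed patterns
# are the original ones and are deliberately left untouched.
KERNELMAJ="$(uname -r | sed -e 's,\..*,,')"
KERNELMIN="$(uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,')"

# ipchains needs at least a 2.2 kernel; silently do nothing on older ones.
if [ "$KERNELMAJ" -lt 2 ]; then
    exit 0
fi
if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -lt 2 ]; then
    exit 0
fi

# On 2.4 kernels ipchains only works through the backward-compatibility
# module.  Load it when no ip* module is present yet; if other ip* modules
# are loaded but ipchains is not, tell the admin what to do and bail out.
# NOTE(review): nothing below handles kernels with a major version above 2;
# on those every ipchains call is simply attempted -- confirm whether that
# is still a supported target.
if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -gt 3 ]; then
    IP_MODULES="$(lsmod | awk ' /^ip/ { print $1 } ')"
    if [ -z "$IP_MODULES" ]; then
        # A failed modprobe is not fatal here (same as before): the ipchains
        # calls below will then fail visibly instead of silently.
        action "Install Backward Compatibility with ipchains for kernel 2.4" modprobe ipchains
    elif printf '%s\n' "$IP_MODULES" | grep -q ipchains; then
        gprintf "Found Backward Compatibility with ipchains for kernel 2.4\n"
    else
        gprintf "To use Backward Compatibility with ipchains for kernel 2.4\n"
        gprintf "Use: /sbin/modprobe ipchains\n"
        exit 0
    fi
fi

case "$1" in
    start)
        # don't do squat if we don't have the config file
        if [ -f "$IPCHAINS_CONFIG" ]; then
            # If we don't clear these first, we might be adding to
            # pre-existing rules.
            action "Flushing all current rules and user defined chains:" ipchains -F
            action "Clearing all current rules and user defined chains:" ipchains -X
            ipchains -Z
            gprintf "Applying ipchains firewall rules: "
            # Comment and blank lines are stripped before the rules are fed
            # to ipchains-restore; the result of the pipeline is that of
            # ipchains-restore itself.
            if grep -v "^[[:space:]]*#" "$IPCHAINS_CONFIG" \
                | grep -v '^[[:space:]]*$' \
                | /sbin/ipchains-restore -p -f; then
                success "Applying ipchains firewall rules"
            else
                failure "Applying ipchains firewall rules"
                RETVAL=1
            fi
            echo
            touch /var/lock/subsys/ipchains
        fi
        ;;
    stop)
        # Fails open: after this the host accepts everything (see header).
        action "Flushing all chains:" ipchains -F
        action "Removing user defined chains:" ipchains -X
        gprintf "Resetting built-in chains to the default ACCEPT policy:"
        if ipchains -P input ACCEPT \
            && ipchains -P forward ACCEPT \
            && ipchains -P output ACCEPT; then
            success "Resetting built-in chains to the default ACCEPT policy"
        else
            failure "Resetting built-in chains to the default ACCEPT policy"
            RETVAL=1
        fi
        echo
        rm -f /var/lock/subsys/ipchains
        ;;
    restart|reload)
        # "restart" is really just "start" as this isn't a daemon,
        # and "start" clears any pre-defined rules anyway.
        # This is really only here to make those who expect it happy
        "$0" start
        RETVAL=$?
        ;;
    status)
        ipchains -nL
        ;;
    panic)
        # Fail closed: set DENY policies *before* flushing so there is no
        # window in which the host is open.  The lock file is intentionally
        # left alone, as before.
        gprintf "Changing target policies to DENY: "
        if ipchains -P input DENY \
            && ipchains -P forward DENY \
            && ipchains -P output DENY; then
            success "Changing target policies to DENY"
        else
            failure "Changing target policies to DENY"
            RETVAL=1
        fi
        echo
        action "Flushing all chains:" ipchains -F
        action "Removing user defined chains:" ipchains -X
        ;;
    save)
        gprintf "Saving current rules to %s: " "$IPCHAINS_CONFIG"
        # The saved rule set describes the host's filtering policy, so it is
        # created root-only (mode 0600) regardless of the inherited umask.
        # It is written to a temporary file next to the target and renamed
        # into place, so a failing ipchains-save cannot truncate the previous
        # good rule set -- an empty rules file would make the next "start"
        # flush everything and apply no rules at all.
        TMPCONF="$(mktemp "$IPCHAINS_CONFIG.XXXXXX" 2>/dev/null)" || TMPCONF=
        # ipchains-save's own diagnostics are dropped on purpose: the
        # success/failure status line is the user-visible result.
        if [ -n "$TMPCONF" ] \
            && chmod 600 "$TMPCONF" \
            && /sbin/ipchains-save > "$TMPCONF" 2>/dev/null \
            && mv -f "$TMPCONF" "$IPCHAINS_CONFIG"; then
            success "Saving current rules to %s" "$IPCHAINS_CONFIG"
        else
            [ -n "$TMPCONF" ] && rm -f "$TMPCONF"
            failure "Saving current rules to %s" "$IPCHAINS_CONFIG"
            RETVAL=1
        fi
        echo
        ;;
    *)
        gprintf "Usage: %s {start|stop|restart|status|panic|save}\n" "$0"
        exit 1
        ;;
esac

exit $RETVAL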