#!/bin/sh # # /sbin/bastille-ipchains Load/unload ipchains rulesets # # $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-ipchains,v $ # Modified by: $Author: peterw $ # $Date: 2001/08/18 15:38:31 $ # $Revision: 1.18 $ # # Copyright (C) 1999-2001 Peter Watkins # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # Thanks to David Ranch, Brad A, Don G, and others for their suggestions # # This script is designed to be called BY a SysV-style init script. # # It should be run with a "start" argument # 1) BY an rc?.d "S" script, _before_ the "network" script # (normally via the "bastille-firewall" init script; # as of 2001/02/14, the only purpose of bastille-firewall # is to start this script) # 2) any time an interface is brought up or changed, e.g. # establishing a PPP conection or renewing a DHCP lease # [also copy 'bastille-firewall-reset', 'bastille-firewall-schedule' and # 'ifup-local' to /sbin/ (in addition to the bastille-firewall init script] # # Normally you Do Not _Ever_ Want to run this with a "stop" argument! # # Note that running this with "stop" will disable the firewall and open # your system to all network traffic; if you make changes to these rules, # apply them by running the script again with a "start" argument. PATH=/bin:/sbin:/usr/bin:/usr/sbin IPCHAINS=/sbin/ipchains CONFIG=/etc/Bastille/bastille-firewall.cfg if [ ! -f ${CONFIG} ]; then echo "ERROR: unable to read configuration file \"${CONFIG}\"" exit 1 fi # source the configuration file, which will set environment variables . ${CONFIG} if [ -z "${TRUSTED_IFACES}" ]; then echo "ERROR: no trusted interfaces specified! Exiting!" exit 1 fi # # Computed values # # These things should be queried/computed at run time # # LOCAL_ADDRESSES # # LOCAL_ADDRESSES lists all IP addresses for this server # (for the INTERNAL_SERVICES rules); if you have virtual # network devices, you may want to hand-code this, e.g. # LOCAL_ADDRESSES="127.0.0.0/8" # # The following makes a list of all current IP addresses LOCAL_ADDRESSES=`ifconfig | grep "inet addr" | awk '{print $2}' | awk -F: '{print $2"/32"}' | sed s:127\.0\.0\.1/32:127.0.0.1/8: ` # # # INTERNAL_NETWORKS # # INTERNAL_NETWORKS lists the masked networks for the INT_INTERFACES # e.g. INTERNAL_NETWORKS="10.0.0.0/255.0.0.0" # The following makes a list of all current internal IP addresses _with netmasks_ for i in ${INTERNAL_IFACES} ; do INTERNAL_NETWORKS="${INTERNAL_NETWORKS} `ifconfig ${i} 2>/dev/null| grep "inet addr" | awk '{print $2":"$4}' | awk -F: '{print $2"/"$4}' | sed 's:127\.0\.0\.1/$:127.0.0.1/8:'`" done # # # DNS_SERVERS # # Derive this from /etc/resolv.conf if it's not set already # Note we only take the first three as most systems' resolvers # can only use three nameservers; see MAXNS in resolv.h for details MAXNS=3 if [ -z "${DNS_SERVERS}" ]; then DNS_SERVERS=`grep nameserver /etc/resolv.conf | awk -F\# '{print $1}' | grep '^nameserver' | awk '{print $2"/32"}' | head -${MAXNS}` fi # # # LOG_FLAG # # Flag to add to ${REJECT_METHOD} rules to force logging if [ "${LOG_FAILURES}" = "Y" ]; then LOG_FLAG="-l" else LOG_FLAG="" fi # # # CALLED_METHOD # # Variable to hold $1, for use in functions (which have their own $1 vars) CALLED_METHOD="$1" # # # REJECT_METHOD # Convert netfilter/DROP to ipchains/DENY if [ "${REJECT_METHOD}" = "DROP" ]; then REJECT_METHOD="DENY" fi # # # NTP_SERVERS # # Do hostname lookups for any names in NTP_SERVERS # ntp_server_addrs="" for n in ${NTP_SERVERS}; do ip=`echo ${n} | egrep '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'` if [ -n "${ip}" ]; then # looks like an IP address, use it as-is ntp_server_addrs="${ntp_server_addrs} ${ip}" else # use 'host' t resolve address ip=`host ${n} 2>/dev/null| awk '/ has address / { print $4 }' | head -1` ntp_server_addrs="${ntp_server_addrs} ${ip}" fi done # # Shell functions # # include_supplemental # source supplemental (plug-in) firewall scripts include_supplemental() { # args: $1 = nickname for the supplemental phase nickname="$1" if [ -e /etc/Bastille/firewall.d/${nickname}.sh ]; then cd /etc/Bastille/firewall.d && . ./${nickname}.sh fi if [ -d /etc/Bastille/firewall.d/${nickname}.d ]; then for s in `ls /etc/Bastille/firewall.d/${nickname}.d/*.sh`; do cd /etc/Bastille/firewall.d/${nickname}.d && \ . ${s} done fi } # # do_masq_mods # Function to load/unload "ip_masq_*" kernel modules do_masq_mods() { # args: $1 = "load" or "unload" # # find the currently loaded modules masq_mods=`lsmod | awk '{print $1}' | grep '^ip_masq_'` # # Step 1: unload unwanted modules for m in ${masq_mods} ; do UNLOAD_THIS_MOD=Y for normal_mod in ${IP_MASQ_MODULES} ; do if [ "ip_masq_${normal_mod}" = $m ]; then # this module is _supposed_ to be loaded UNLOAD_THIS_MOD=N fi done if [ "${CALLED_METHOD}" = "stop" -o -z "${IP_MASQ_NETWORK}" ]; then # we're either disabling the firewall or we've disabled masquerading, # so we should unload _all_ masq modules UNLOAD_THIS_MOD=Y fi if [ $UNLOAD_THIS_MOD = "Y" -a $1 = "unload" ]; then rmmod $m || echo "Error unloading ${m} module" fi done # Step 2: load wanted modules that are not already loaded if [ $1 = "load" ]; then for normal_mod in ${IP_MASQ_MODULES} ; do MOD_LOADED=N for m in ${masq_mods} ; do if [ "ip_masq_${normal_mod}" = ${m} ]; then MOD_LOADED=Y fi done if [ $MOD_LOADED = "N" ]; then insmod "ip_masq_${normal_mod}" || echo "Error loading ip_masq_${normal_mod} module" fi done fi } # See how we were called. case "$1" in start|reload|restart) # # anything to do before resetting? include_supplemental pre-reset # # For Red Hat users, let's ensure that its firewalls are disabled rhtest_ipchains=`chkconfig --list ipchains 2>/dev/null | grep :on` rhtest_iptables=`chkconfig --list iptables 2>/dev/null | grep :on` bftest=`chkconfig --list bastille-firewall 2>/dev/null | grep :on` if [ \( -n "${rhtest_ipchains}" -o -n "${rhtest_iptables}" \) -a -n "${bftest}" ]; then echo echo "bastille-firewall conflicts with Red Hat 7.1's 'ipchains'" echo "and 'iptables' firewalls. We are disabling Red Hat's firewalls." [ -n "${rhtest_ipchains}" ] && chkconfig --level 0123456 ipchains off [ -n "${rhtest_iptables}" ] && chkconfig --level 0123456 iptables off echo fi # load the IPCHAINS compatibilty module if we're using a 2.4 kernel if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then echo "Loading ipchains compatibility module" modprobe ipchains fi # # we set defaults to DENY now to minimize possible interruptions # if this script is re-run to reset rules # # set default policy to disallow forwarding ${IPCHAINS} -P forward DENY # flush rules ${IPCHAINS} -F forward # default is to disallow incoming traffic ${IPCHAINS} -P input DENY # flush rules ${IPCHAINS} -F input # disallow outbound until we set up the explicit outbound rules ${IPCHAINS} -P output DENY # flush rules ${IPCHAINS} -F output # Run our "early" custom script if it exists [ -f /etc/Bastille/bastille-firewall-early.sh ] && . /etc/Bastille/bastille-firewall-early.sh # any new-style "early" plugins? include_supplemental early # always allow MTU discovery packets ${IPCHAINS} -A input -p icmp --icmp-type fragmentation-needed -j ACCEPT ${IPCHAINS} -A output -p icmp --icmp-type fragmentation-needed -j ACCEPT include_supplemental pre-local-block # Block any non-local attempts to get localhost addresses # per woody@thebunker.net's bugtraq post ${IPCHAINS} -A input -d 127.0.0.0/8 ! -i lo -j ${REJECT_METHOD} ${LOG_FLAG} # Fragments if [ "${ALLOW_FRAGMENTS}" = "N" ]; then ${IPCHAINS} -A input -f -j ${REJECT_METHOD} fi # from the ipchains HOWTO, I think if [ "${ENABLE_SRC_ADDR_VERIFY}" = "Y" ]; then if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo -n "Setting up IP spoofing protection..." for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done echo " done." else echo "WARNING: errors encountered while trying to enable IP spoofing protection!" fi fi include_supplemental pre-trusted # Allow all traffic from trusted interfaces echo -n "Allowing traffic from trusted interfaces..." for t_iface in ${TRUSTED_IFACES} ; do ${IPCHAINS} -A input -i ${t_iface} -d 0.0.0.0/0 -j ACCEPT done echo " done. " # If you have networks that route traffic to each other through this # server, you may want to add some forwarding rules, here, e.g. # one way, 192.168.*.* -> 10.*.*.* with 192.168.*.* on "eth0" #${IPCHAINS} -A forward -i eth0 -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT # the other direction, 10.*.*.* -> 192.168.*.* with 10.*.*.* on "eth1" #${IPCHAINS} -A forward -i eth1 -d 192.168.0.0/16 -s 10.0.0.0/8 -j ACCEPT include_supplemental pre-mcast-block # No packets with multicast source addresses (Joshua K, RFC 1122) ${IPCHAINS} -A input -s 224.0.0.0/4 -j ${REJECT_METHOD} ${LOG_FLAG} # Forwarding include_supplemental pre-nat # IP Masquerading/forwarding # # Unload masq modules (maybe we're disabling masquerading, maybe we changed the module list) do_masq_mods unload # if [ -n "${IP_MASQ_NETWORK}" ]; then echo -n "Setting up masquerading rules..." # since we've set the default forwarding policy to # reject, we can enable forwarding now echo 1 > /proc/sys/net/ipv4/ip_forward # set up rules for masqueraded networks for net in ${IP_MASQ_NETWORK} ; do if [ "${DROP_SMB_NAT_BCAST}" = "Y" ]; then # NetBIOS ${IPCHAINS} -A forward -p tcp -s ${net} -d 0.0.0.255/0.0.0.255 137:139 -j ${REJECT_METHOD} ${LOG_FLAG} ${IPCHAINS} -A forward -p udp -s ${net} -d 0.0.0.255/0.0.0.255 137:139 -j ${REJECT_METHOD} ${LOG_FLAG} fi for pub in ${PUBLIC_IFACES} ; do # NAT should be one-way, deny traffic from public # interfaces that is addresses to masq'ed networks ${IPCHAINS} -A input -d ${net} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG} # spoofed addreses from outside ${IPCHAINS} -A input -s ${net} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG} # enable forwarding ${IPCHAINS} -A forward -s ${net} -i ${pub} -j MASQ done done echo " done." echo -n "Loading masquerading modules..." do_masq_mods load echo " done." fi echo -n "Setting up chains for public/internal interface traffic..." # make a public input chain ${IPCHAINS} -N PUB_IN 2> /dev/null ${IPCHAINS} -F PUB_IN # as close to setting policy as we can get ${IPCHAINS} -A PUB_IN -j DENY # make a public output chain ${IPCHAINS} -N PUB_OUT 2> /dev/null ${IPCHAINS} -F PUB_OUT # as close to setting policy as we can get ${IPCHAINS} -A PUB_OUT -j DENY # make an "INTERNAL" input chain ${IPCHAINS} -N INT_IN 2> /dev/null ${IPCHAINS} -F INT_IN # as close to setting policy as we can get ${IPCHAINS} -A INT_IN -j DENY # make an "INTERNAL" output chain ${IPCHAINS} -N INT_OUT 2> /dev/null ${IPCHAINS} -F INT_OUT # as close to setting policy as we can get ${IPCHAINS} -A INT_OUT -j DENY include_supplemental pre-chain-split # direct packets to the INTERNAL_* chains for iface in ${INTERNAL_IFACES} ; do ${IPCHAINS} -A input -i ${iface} -j INT_IN ${IPCHAINS} -A output -i ${iface} -j INT_OUT NON_LOOPBACK_SEEN=N for net in ${LOCAL_ADDRESSES} ; do if [ ${net} != "127.0.0.1/8" ]; then NON_LOOPBACK_SEEN=Y fi done # complain if no local addresses if [ ${NON_LOOPBACK_SEEN} = "N" ]; then echo "WARNING: no non-loopback local addresses; protection from INTERNAL_IFACES not enabled!" fi done # Direct PUBLIC interface traffic to the proper chain for iface in ${PUBLIC_IFACES} ; do ${IPCHAINS} -A input -i ${iface} -j PUB_IN ${IPCHAINS} -A output -i ${iface} -j PUB_OUT done include_supplemental pre-audit # Auditing must be set up before these packets are blocked! # for service in ${TCP_AUDIT_SERVICES} ; do ${IPCHAINS} -A PUB_IN -p tcp -d 0.0.0.0/0 ${service} -y -l done for service in ${UDP_AUDIT_SERVICES} ; do ${IPCHAINS} -A PUB_IN -p udp -d 0.0.0.0/0 ${service} -l done for type in ${ICMP_AUDIT_TYPES} ; do ${IPCHAINS} -A PUB_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -l done # disallow any attempts to get to internal interfaces from outside # not good if this is supposed to route between normal networks for int in ${INTERNAL_NETWORKS} ; do # deny traffic from public # interfaces that is addressed to internal networks ${IPCHAINS} -A PUB_IN -d ${int} -j ${REJECT_METHOD} ${LOG_FLAG} # spoofed addreses from outside ${IPCHAINS} -A PUB_IN -s ${int} -j ${REJECT_METHOD} ${LOG_FLAG} done echo " done. " echo -n "Setting up general rules..." include_supplemental pre-dhcp # Allow response from DHCP servers for iface in ${DHCP_IFACES} ; do for chain in input PUB_IN INT_IN ; do # allow UDP responses ${IPCHAINS} -A ${chain} -p udp -s 0.0.0.0/0 bootps -d 255.255.255.255/0 bootpc -j ACCEPT # normally we allow TCP data returns so this is redundant # ${IPCHAINS} -A ${chain} -p tcp -s 0.0.0.0/0 bootps -d 255.255.255.255/0 bootpc -j ACCEPT done # make link so dhcpcd runs firewall when IP changes (if no such file already) [ ! -d /etc/dhcpc ] && mkdir /etc/dhcpc -m 0750 if [ -x /sbin/bastille-firewall-reset -a ! -L /etc/dhcpc/dhcpcd-${iface}.exe ]; then ln -s /sbin/bastille-firewall-reset /etc/dhcpc/dhcpcd-${iface}.exe fi done include_supplemental pre-internal # internal interface rules for net in ${LOCAL_ADDRESSES} ; do # Allow accessses to TCP services on this system for serv in ${TCP_INTERNAL_SERVICES} ; do ${IPCHAINS} -A INT_IN -p tcp -d ${net} ${serv} -j ACCEPT done ${IPCHAINS} -A INT_IN -p tcp -d ${net} ${serv} \! -y -j ACCEPT # UDP services for serv in ${UDP_INTERNAL_SERVICES} ; do ${IPCHAINS} -A INT_IN -p udp -d ${net} ${serv} -j ACCEPT done done # ICMP # hopefully you don't care about hiding from internal hosts! ${IPCHAINS} -A INT_IN -p icmp -d 0.0.0.0/0 -j ACCEPT ${IPCHAINS} -A INT_OUT -p icmp -d 0.0.0.0/0 -j ACCEPT # ...but if you do... try this... (and see the PUB_IN rules below) #for type in ${ICMP_ALLOWED_TYPES} ; do # ${IPCHAINS} -A INT_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -j ACCEPT #done #for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do # ${IPCHAINS} -A INT_OUT -p icmp --icmp-type ${type} -j REJECT #done # input rules # # public interfaces include_supplemental pre-input # --------------------- ICMP -------------------------- for type in ${ICMP_ALLOWED_TYPES} ; do ${IPCHAINS} -A PUB_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -j ACCEPT done # --------------------- TCP -------------------------- for serv in ${TCP_PUBLIC_SERVICES} ; do ${IPCHAINS} -A PUB_IN -p tcp -d 0.0.0.0/0 ${serv} -j ACCEPT done # if you're disallowing ICMP, you may be trying to look # invisible/disable ping, so let's just drop these attempts ${IPCHAINS} -A PUB_IN -p icmp -d 0.0.0.0/0 -j DENY ${LOG_FLAG} for chain in PUB_IN INT_IN ; do if [ ${FORCE_PASV_FTP} != "Y" ]; then # no point explicitly blocking TCP services unless active FTP is enabled # Step 1: block the high port TCP services for serv in ${TCP_BLOCKED_SERVICES} ; do # only block -y initial connects; in case the port was needlessly # specified, this should still enable it to be used as a source # port for non-FTP connecions from this host or machines using it as a gateway ${IPCHAINS} -A ${chain} -p tcp -d 0.0.0.0/0 ${serv} -y -j ${REJECT_METHOD} ${LOG_FLAG} done # FEATURE: check bound high TCP and complain? # Step 2: allow the ftp-data connections ${IPCHAINS} -A ${chain} -p tcp -d 0.0.0.0/0 1024: -s 0.0.0.0/0 ftp-data -j ACCEPT fi # general response to my TCP requests ${IPCHAINS} -A ${chain} -p tcp \! -y -j ACCEPT # no TCP requests to other ports (redundant) # ${IPCHAINS} -A ${chain} -p tcp -j ${REJECT_METHOD} ${LOG_FLAG} # --------------------- UDP -------------------------- for serv in ${UDP_PUBLIC_SERVICES} ; do ${IPCHAINS} -A PUB_IN -p udp -d 0.0.0.0/0 ${serv} -j ACCEPT done # This isn't necessary unless you have DNS_SERVERS or NTP_SERVERS # but who wouldn't have DNS servers configured? for serv in ${UDP_BLOCKED_SERVICES} ; do ${IPCHAINS} -A ${chain} -p udp -d 0.0.0.0/0 ${serv} -j ${REJECT_METHOD} ${LOG_FLAG} done for dns_net in ${DNS_SERVERS} ; do ${IPCHAINS} -A ${chain} -p udp -s ${dns_net} domain -d 0.0.0.0/0 1024: -j ACCEPT done for ntp_net in ${ntp_server_addrs} ; do # this allows unprivileged queries, e.g. 'ntpdate' ${IPCHAINS} -A ${chain} -p udp -s ${ntp_net} ntp -d 0.0.0.0/0 1024: -j ACCEPT # this allows you to run an ntp daemon to maintain # system time nore gracefully than with 'ntpdate' ${IPCHAINS} -A ${chain} -p udp -s ${ntp_net} ntp -d 0.0.0.0/0 ntp -j ACCEPT done # Reject other UDP (redundant) #${IPCHAINS} -A ${chain} -p udp -j ${REJECT_METHOD} ${LOG_FLAG} done # end of loop through public interfaces for input rules if [ ${FORCE_PASV_FTP} != "Y" -a \( -n "${PUBLIC_IFACES}" -o -n "${INTERNAL_IFACES}" \) ]; then # warning echo echo "WARNING: allowing \"active\" FTP; any unknown TCP services running" echo "on high ports will be vulnerable; blocking too many high TCP ports" echo "may affect various TCP _clients_ running on this machine or using" echo "this machine as a gateway." fi # now we can deny the attempts from the internal interfaces to this host for tnet in ${LOCAL_ADDRESSES} ; do for chain in PUB_IN INT_IN ; do ${IPCHAINS} -A ${chain} -d ${tnet} -j ${REJECT_METHOD} ${LOG_FLAG} done done # now that we've blocked attempts from the internal interfaces # to the IP's on this server, we need to accept other connections # so the IP Masq / NAT will function for net in ${IP_MASQ_NETWORK} ; do for chain in PUB_IN INT_IN ; do ${IPCHAINS} -A ${chain} -s ${net} -j ACCEPT done done # --------------------- catch-all -------------------------- # Reject all other traffic (redundant if not logging) if [ ${LOG_FAILURES} = "Y" ]; then for chain in input forward PUB_IN INT_IN ; do ${IPCHAINS} -A ${chain} -j ${REJECT_METHOD} ${LOG_FLAG} done fi # echo " done." echo -n "Setting up outbound rules..." include_supplemental pre-output # block outbound ICMP types (usu. to hide from traceroute) for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do # ** The following will limit ICMP on public and internal interfaces: # for chain in PUB_OUT INT_OUT ; do # ** but our default is to only limit outbound ICMP on public interfaces for chain in PUB_OUT ; do ${IPCHAINS} -A ${chain} -p icmp --icmp-type ${type} -j REJECT ${LOG_FLAG} done done # # Here you might really lock things down if this is a server, # e.g., to keep it from doing anything but connecting to # SMTP servers and responding to Web requests, or whatever # the specific requirements are. # # Such lockdowns are recommended if the situation affords you # that flexibility. # # default is to enable outbound traffic # (again, here, for a server you might default to ${REJECT_METHOD} ) ${IPCHAINS} -P output ACCEPT include_supplemental pre-policy-reset # Now that all rules are set, we can change the policies # to the user preference safely ${IPCHAINS} -P forward ${REJECT_METHOD} ${IPCHAINS} -P input ${REJECT_METHOD} # to set default "policies" for PUB_* and INT_* chains, add a final rule if [ ${LOG_FAILURES} != "Y" ]; then # if LOG_FAILURES were set, we would have already done this for chain in PUB_IN INT_IN ; do ${IPCHAINS} -A ${chain} -j ${REJECT_METHOD} ${LOG_FLAG} done fi for chain in PUB_OUT INT_OUT ; do ${IPCHAINS} -A ${chain} -j ACCEPT done # rule 1 in all of these chains is a deny rule; remove it so other rules work for chain in PUB_IN INT_IN PUB_OUT INT_OUT ; do ${IPCHAINS} -D ${chain} -j DENY done include_supplemental post-rule-setup echo " done." ;; stop) include_supplemental pre-drop-rules echo echo "WARNING: reverting to default settings (dropping firewall)" # We should disable NAT/forwarding even if not set to restore defaults echo -n "disabling IP forwarding..." echo 0 > /proc/sys/net/ipv4/ip_forward echo " done." echo -n "unloading masquerading modules..." do_masq_mods unload echo " done." # flushing seems to leave the default input at ${REJECT_METHOD} echo -n "resetting default input rules to accept..." ${IPCHAINS} -P input ACCEPT echo " done." echo -n "resetting default output rule to accept..." ${IPCHAINS} -P output ACCEPT echo " done." # We disabled forwarding with the /proc interface, but we # reset FORWARD to ACCEPT because that;s the normal default echo -n "resetting default forward rule to accept..." ${IPCHAINS} -P forward ACCEPT echo " done." for chain in input output forward ; do echo -n "flushing ${chain} rules..." ${IPCHAINS} -F ${chain} echo " done." done # flush and delete the user-defined chains echo -n "removing user-defined chains..." for chain in PUB_IN PUB_OUT INT_IN INT_OUT ; do ${IPCHAINS} -F ${chain} ${IPCHAINS} -X ${chain} done include_supplemental post-drop-rules echo " done." ;; status) ${IPCHAINS} -L -v -n ;; *) echo "Usage: $0 {start|restart|reload|stop|status}" exit 1 esac exit 0