#!/bin/sh # # /sbin/bastille-netfilter Load/unload netfilter rulesets # # $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-netfilter,v $ # Modified by: $Author: peterw $ # $Date: 2002/01/11 02:23:14 $ # $Revision: 1.27 $ # # Copyright (C) 1999-2001 Peter Watkins # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # Thanks to David Ranch, Brad A, Don G, Jay Beale and others # (especially the netfilter mailing list!) for their suggestions # # This script is designed to be called BY a SysV-style init script. # # It should be run with a "start" argument # 1) BY an rc?.d "S" script, _before_ the "network" script # (normally via the "bastille-firewall" init script; # as of 2001/02/14, the only purpose of bastille-firewall # is to start this script) # 2) any time an interface is brought up or changed, e.g. # establishing a PPP conection or renewing a DHCP lease # [also copy 'bastille-firewall-reset', 'bastille-firewall-schedule' and # 'ifup-local' to /sbin/ (in addition to the bastille-firewall init script] # # Normally you Do Not _Ever_ Want to run this with a "stop" argument! # # Note that running this with "stop" will disable the firewall and open # your system to all network traffic; if you make changes to these rules, # apply them by running the script again with a "start" argument. PATH=/bin:/sbin:/usr/bin:/usr/sbin IPTABLES=/sbin/iptables CONFIG=/etc/Bastille/bastille-firewall.cfg if [ ! -x ${IPTABLES} ]; then echo "ERROR: \"${IPTABLES}\" does not exist!" if [ -x /sbin/bastille-ipchains ]; then # better to fall back to 'ipchains' than do nothing unset IPTABLES echo "Executing /sbin/bastille-ipchains $1" /sbin/bastille-ipchains $1 exit $? fi exit 1 fi if [ ! -f ${CONFIG} ]; then echo "ERROR: unable to read configuration file \"${CONFIG}\"" exit 1 fi # source the configuration file, which will set environment variables . ${CONFIG} if [ -z "${REJECT_METHOD}" ]; then echo "ERROR: no reject method specified (corrupt config file?) Exiting!" exit 1 fi # # Computed values # # These things should be queried/computed at run time # # LOCAL_ADDRESSES # # LOCAL_ADDRESSES lists all IP addresses for this server # (for the INTERNAL_SERVICES rules); if you have virtual # network devices, you may want to hand-code this, e.g. # LOCAL_ADDRESSES="127.0.0.0/8" # # The following makes a list of all current IP addresses LOCAL_ADDRESSES=`ifconfig | grep "inet addr" | awk '{print $2}' | awk -F: '{print $2"/32"}' | sed s:127\.0\.0\.1/32:127.0.0.1/8: ` # # # DEFAULT_GW_IFACE # # The name of the address that is the default gateway (for SNAT) DEFAULT_GW_IFACE=`netstat -nr | awk '$1 == "0.0.0.0" {print $8}'` # # # INTERNAL_NETWORKS # # INTERNAL_NETWORKS lists the masked networks for the INT_INTERFACES # e.g. INTERNAL_NETWORKS="10.0.0.0/255.0.0.0" # The following makes a list of all current internal IP addresses _with netmasks_ for i in ${INTERNAL_IFACES} ; do INTERNAL_NETWORKS="${INTERNAL_NETWORKS} `ifconfig ${i} | grep "inet addr" | awk '{print $2":"$4}' | awk -F: '{print $2"/"$4}' | sed 's:127\.0\.0\.1/$:127.0.0.1/8:'`" if [ $i = "${DEFAULT_GW_IFACE}" ]; then DEFAULT_GW_IP=`ifconfig ${i} | grep "inet addr" | awk '{print $2}'` fi done # # # CALLED_METHOD # # Variable to hold $1, for use in functions (which have their own $1 vars) CALLED_METHOD="$1" # # # REJECT_METHOD # # Convert ipchains/DENY to netfilter/DROP if [ "${REJECT_METHOD}" = "DENY" ]; then REJECT_METHOD="DROP" fi # counter number to help toubleshoot RULENUM=0 # # Shell functions # # include_supplemental # source supplemental (plug-in) firewall scripts include_supplemental() { # args: $1 = nickname for the supplemental phase nickname="$1" if [ -e /etc/Bastille/firewall.d/${nickname}.sh ]; then cd /etc/Bastille/firewall.d && . ./${nickname}.sh fi if [ -d /etc/Bastille/firewall.d/${nickname}.d ]; then for s in `ls /etc/Bastille/firewall.d/${nickname}.d/*.sh`; do cd /etc/Bastille/firewall.d/${nickname}.d && \ . ${s} done fi } # # incr_rule_num # Increment counter number to help toubleshoot incr_rule_num() { RULENUM=`expr $RULENUM + 1` return 0 } # # do_masq_mods # Function to load/unload NAT kernel modules do_masq_mods() { # args: $1 = "load" or "unload" # # find the currently loaded modules masq_mods=`lsmod | awk '{print $1}' | grep '^ip_nat_'` # # Step 1: unload unwanted modules for m in ${masq_mods} ; do UNLOAD_THIS_MOD=Y for normal_mod in ${IP_MASQ_MODULES} ; do if [ "ip_nat_${normal_mod}" = $m -o "ip_nat_${normal_mod}_conntrack" = $m ]; then # this module is _supposed_ to be loaded UNLOAD_THIS_MOD=N fi done if [ "${CALLED_METHOD}" = "stop" -o -z "${IP_MASQ_NETWORK}" ]; then # we're either disabling the firewall or we've disabled masquerading, # so we should unload _all_ masq modules UNLOAD_THIS_MOD=Y fi if [ $UNLOAD_THIS_MOD = "Y" -a $1 = "unload" ]; then rmmod ${m} || echo "Error unloading ${m} module" fi done # Step 2: load wanted modules that are not already loaded if [ $1 = "load" ]; then for normal_mod in ${IP_MASQ_MODULES} ; do MOD_LOADED=N for m in ${masq_mods} ; do if [ "ip_nat_${normal_mod}" = $m ]; then MOD_LOADED=Y fi done if [ $MOD_LOADED = "N" ]; then insmod "ip_nat_${normal_mod}" || echo "Error loading ip_nat_${normal_mod} module" fi # try to load any _conntrack variants modprobe "ip_nat_${normal_mod}_conntrack" 2>/dev/null done fi } # See how we were called. case "$1" in start|restart|reload) # # anything to do before resetting? include_supplemental pre-reset # # Make sure we don't have any ipchains rules! for c in INPUT OUTPUT FORWARD; do ipchains -P ${c} DENY 2>/dev/null ipchains -F ${c} 2>/dev/null done ipchains -X 2>/dev/null rmmod ipchains 2>/dev/null # # For Red Hat users, let's ensure that its firewalls are disabled rhtest_ipchains=`chkconfig --list ipchains 2>/dev/null | grep :on` rhtest_iptables=`chkconfig --list iptables 2>/dev/null | grep :on` bftest=`chkconfig --list bastille-firewall 2>/dev/null | grep :on` if [ \( -n "${rhtest_ipchains}" -o -n "${rhtest_iptables}" \) -a -n "${bftest}" ]; then echo echo "bastille-firewall conflicts with Red Hat 7.1's 'ipchains'" echo "and 'iptables' firewalls. We are disabling Red Hat's firewalls." [ -n "${rhtest_ipchains}" ] && chkconfig --level 0123456 ipchains off [ -n "${rhtest_iptables}" ] && chkconfig --level 0123456 iptables off echo fi # # Make sure the iptables/netfilter kernel module is loaded modprobe ip_tables # # Clean up the default chains # # we set defaults to DROP to minimize possible interruptions # if this script is re-run to reset rules # for chain in INPUT OUTPUT FORWARD ; do ${IPTABLES} -P ${chain} DROP # flush rules ${IPTABLES} -F ${chain} done # for chain in PREROUTING POSTROUTING ; do ${IPTABLES} -t nat -F ${chain} done ${IPTABLES} -t mangle -F PREROUTING # Our custom chains for chain in PUB_IN PUB_OUT INT_IN INT_OUT ; do ${IPTABLES} -N ${chain} 2> /dev/null ${IPTABLES} -F ${chain} ${IPTABLES} -A ${chain} -j DROP done # PAROLE chain is used for TCP services ${IPTABLES} -N PAROLE 2> /dev/null ${IPTABLES} -F PAROLE if [ "${IP_ALWAYS_USE_STATE}" = "Y" ]; then # nmap NULL scans pass the --syn test, but this doesn't seem # to catch them, either [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A PAROLE -p tcp --tcp-flags ALL NONE -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PAROLE ${REJECT_METHOD} $RULENUM" ; incr_rule_num ${IPTABLES} -A PAROLE -p tcp --tcp-flags ALL NONE -j ${REJECT_METHOD} ${IPTABLES} -A PAROLE -p tcp -m state --state NEW --syn -j ACCEPT [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A PAROLE -p tcp -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PAROLE ${REJECT_METHOD} $RULENUM" ; incr_rule_num ${IPTABLES} -A PAROLE -p tcp -j ${REJECT_METHOD} fi ${IPTABLES} -A PAROLE -j ACCEPT # Run our "early" custom script if it exists [ -f /etc/Bastille/bastille-firewall-early.sh ] && . /etc/Bastille/bastille-firewall-early.sh # any new-style "early" plugins? include_supplemental early # enable stateful rules modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ipt_LOG # from the ipchains HOWTO if [ "${ENABLE_SRC_ADDR_VERIFY}" = "Y" ]; then if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo -n "Setting up IP spoofing protection..." for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done echo " done." else echo "WARNING: errors encountered while trying to enable IP spoofing protection!" fi fi include_supplemental pre-local-block # Block any non-local attempts to get localhost addresses # per woody@thebunker.net's bugtraq post [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A INPUT -p tcp -d 127.0.0.0/8 ! -i lo -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM" ; incr_rule_num ${IPTABLES} -A INPUT -p tcp -d 127.0.0.0/8 ! -i lo -j ${REJECT_METHOD} # Uncomment this to really, truly block active FTP # (shouldn't be necessary if ip_conntrack_ftp does its job) #if [ ${FORCE_PASV_FTP} = "Y" ]; then # [ "${LOG_FAILURES}" = "Y" ] && \ # ${IPTABLES} -A INPUT -p tcp --sport ftp-data -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num # ${IPTABLES} -A INPUT -p tcp --sport ftp-data -j ${REJECT_METHOD} # [ "${LOG_FAILURES}" = "Y" ] && \ # ${IPTABLES} -A FORWARD -p tcp --sport ftp-data -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num # ${IPTABLES} -A FORWARD -p tcp --sport ftp-data -j ${REJECT_METHOD} #fi include_supplemental pre-established # Stateful data returns (this should include ICMP messages) # ...for data to this box ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Fragments if [ "${ALLOW_FRAGMENTS}" = "N" ]; then [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A INPUT -f -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num ${IPTABLES} -A INPUT -f -j ${REJECT_METHOD} fi include_supplemental pre-trusted # Allow all traffic from trusted interfaces echo -n "Allowing traffic from trusted interfaces..." for t_iface in ${TRUSTED_IFACES} ; do # we could be pickier here, e.g. only allow traffic # that looks valid ${IPTABLES} -A INPUT -i ${t_iface} -j ACCEPT done echo " done. " # If you have networks that route traffic to each other through this # server, you may want to add some forwarding rules, here, e.g. # one way, 192.168.*.* -> 10.*.*.* with 192.168.*.* on "eth0" # # Note: I _think_ this is right; if not, please let me know! # #${IPTABLES} -A FORWARD -i eth0 -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT # the other direction, 10.*.*.* -> 192.168.*.* with 10.*.*.* on "eth1" #${IPTABLES} -A FORWARD -i eth1 -d 192.168.0.0/16 -s 10.0.0.0/8 -j ACCEPT include_supplemental pre-mcast-block # No packets with multicast source addresses (Joshua K, RFC 1122) # (If you want to enable multicast, comment this out!) [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A INPUT -s 224.0.0.0/4 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num ${IPTABLES} -A INPUT -s 224.0.0.0/4 -j ${REJECT_METHOD} # Forwarding include_supplemental pre-nat # IP Masquerading/forwarding # # Unload masq modules (maybe we're disabling masquerading, maybe we changed the module list) #do_masq_mods unload # if [ -n "${IP_MASQ_NETWORK}" ]; then echo -n "Loading NAT modules..." modprobe iptable_nat echo " done." echo -n "Setting up masquerading rules..." # since we've set the default forwarding policy to # reject, we can enable forwarding now echo 1 > /proc/sys/net/ipv4/ip_forward # set up rules for masqueraded networks for net in ${IP_MASQ_NETWORK} ; do for pub in ${PUBLIC_IFACES} ; do # NAT should be one-way, deny traffic from public # interfaces that is addresses to masq'ed networks [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A INPUT -d ${net} -i ${pub} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num ${IPTABLES} -A INPUT -d ${net} -i ${pub} -j ${REJECT_METHOD} # spoofed addreses from outside [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A INPUT -s ${net} -i ${pub} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num ${IPTABLES} -A INPUT -s ${net} -i ${pub} -j ${REJECT_METHOD} if [ "${DROP_SMB_NAT_BCAST}" = "Y" ]; then # NetBIOS [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A FORWARD -p tcp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num ${IPTABLES} -A FORWARD -p tcp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j ${REJECT_METHOD} [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A FORWARD -p udp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num ${IPTABLES} -A FORWARD -p udp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j ${REJECT_METHOD} fi # set up a NAT rule with MASQ -- se below for SNAT ${IPTABLES} -t nat -A POSTROUTING -s ${net} -o ${pub} -j MASQUERADE ${IPTABLES} -A FORWARD -s ${net} -o ${pub} -j ACCEPT done done # If you have a statuc address for the public interface, # you might prefer setting upp static NAT instead of the # -j MASQUERADE code above: #${IPTABLES} -t nat -A POSTROUTING -o ${DEFAULT_GW_IFACE} -j SNAT --to ${DEFAULT_GW_IP} echo " done." echo -n "Loading masquerading modules..." do_masq_mods load echo " done." fi include_supplemental pre-chain-split echo -n "Setting up chains for public/internal interface traffic..." # Direct PUBLIC interface traffic to the proper chain for iface in ${PUBLIC_IFACES} ; do ${IPTABLES} -A INPUT -i ${iface} -j PUB_IN ${IPTABLES} -A OUTPUT -o ${iface} -j PUB_OUT done # disallow any attempts to get to internal interfaces from outside # not good if this is supposed to route between normal networks for int in ${INTERNAL_NETWORKS} ; do # deny traffic from public # interfaces that is addressed to internal networks [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A PUB_IN -d ${int} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN ${REJECT_METHOD} $RULENUM " ; incr_rule_num ${IPTABLES} -A PUB_IN -d ${int} -j ${REJECT_METHOD} # spoofed addreses from outside [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A PUB_IN -s ${int} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN ${REJECT_METHOD} $RULENUM " ; incr_rule_num ${IPTABLES} -A PUB_IN -s ${int} -j ${REJECT_METHOD} done # direct packets to the INTERNAL_* chains for iface in ${INTERNAL_IFACES} ; do ${IPTABLES} -A INPUT -i ${iface} -j INT_IN ${IPTABLES} -A OUTPUT -o ${iface} -j INT_OUT done echo " done. " echo -n "Setting up general rules..." include_supplemental pre-dhcp # Allow response from DHCP servers for iface in ${DHCP_IFACES} ; do # make link so dhcpcd runs firewall when IP changes (if no such file already) [ ! -d /etc/dhcpc ] && mkdir /etc/dhcpc -m 0750 if [ -x /sbin/bastille-firewall-reset -a ! -L /etc/dhcpc/dhcpcd-${iface}.exe ]; then ln -s /sbin/bastille-firewall-reset /etc/dhcpc/dhcpcd-${iface}.exe fi done include_supplemental pre-internal # internal interface rules # Allow accessses to TCP services on this system for serv in ${TCP_INTERNAL_SERVICES} ; do ${IPTABLES} -A INT_IN -p tcp --dport ${serv} -j PAROLE done # UDP services for serv in ${UDP_INTERNAL_SERVICES} ; do ${IPTABLES} -A INT_IN -p udp --dport ${serv} -j ACCEPT done # ICMP # hopefully you don't care about hiding from internal hosts! ${IPTABLES} -A INT_IN -p icmp -j ACCEPT ${IPTABLES} -A INT_OUT -p icmp -j ACCEPT # ...but if you do... try this... (and see the PUB_IN rules below) #for type in ${ICMP_ALLOWED_TYPES} ; do # ${IPTABLES} -A INT_IN -p icmp --icmp-type ${type} -j ACCEPT #done include_supplemental pre-input # input rules # # public interfaces # --------------------- ICMP -------------------------- for type in ${ICMP_ALLOWED_TYPES} ; do ${IPTABLES} -A PUB_IN -p icmp --icmp-type ${type} -j ACCEPT done # --------------------- TCP -------------------------- for serv in ${TCP_PUBLIC_SERVICES} ; do ${IPTABLES} -A PUB_IN -p tcp --dport ${serv} -j PAROLE done # --------------------- UDP -------------------------- for serv in ${UDP_PUBLIC_SERVICES} ; do ${IPTABLES} -A PUB_IN -p udp --dport ${serv} -j ACCEPT done include_supplemental pre-audit # -------------- Public interface input auditing --------------- # Note that this will only audit services that are not actually available # for service in ${TCP_AUDIT_SERVICES} ; do ${IPTABLES} -A PUB_IN -p tcp --dport ${service} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit" done for service in ${UDP_AUDIT_SERVICES} ; do ${IPTABLES} -A PUB_IN -p udp --dport ${service} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit" done for type in ${ICMP_AUDIT_TYPES} ; do ${IPTABLES} -A PUB_IN -p icmp --icmp-type ${type} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit" done # if you're disallowing ICMP, you may be trying to look # invisible/disable ping, so let's just drop these attempts [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A PUB_IN -p icmp -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN DROP $RULENUM" ; incr_rule_num ${IPTABLES} -A PUB_IN -p icmp -j DROP # --------------------- catch-all -------------------------- # Reject all other traffic (redundant if not logging) if [ ${LOG_FAILURES} = "Y" ]; then for chain in INPUT PUB_IN INT_IN ; do [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A ${chain} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "${chain} ${REJECT_METHOD} $RULENUM " ; incr_rule_num ${IPTABLES} -A ${chain} -j ${REJECT_METHOD} done fi # echo " done." include_supplemental pre-output echo -n "Setting up outbound rules..." # # Here you might really lock things down if this is a server, # e.g., to keep it from doing anything but connecting to # SMTP servers and responding to Web requests, or whatever # the specific requirements are. # # Such lockdowns are recommended if the situation affords you # that flexibility. # # If you want to only allow the server to respond to requests # (and not even make DNS/dhcp/ntp queries!), then uncomment these lines: # # Note: if the connection table fills, you won't be able to # # respond to requests if you rely on "-m state" with these rules # ${IPTABLES} -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # [ ${LOG_FAILURES} = "Y" ] && \ # ${IPTABLES} -A OUTPUT -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "OUTPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num # ${IPTABLES} -A OUTPUT -j REJECT # # default is to enable outbound traffic ${IPTABLES} -P OUTPUT ACCEPT include_supplemental pre-policy-reset # Now that all rules are set, we can change the policies # to the user preference safely [ ${REJECT_METHOD} != "DROP" ] && ${IPTABLES} -A FORWARD -j ${REJECT_METHOD} [ ${REJECT_METHOD} != "DROP" ] && ${IPTABLES} -A INPUT -j ${REJECT_METHOD} # to set default "policies" for PUB_* and INT_* chains, add a final rule if [ ${LOG_FAILURES} != "Y" ]; then # if LOG_FAILURES were set, we would have already done this for chain in PUB_IN INT_IN INPUT FORWARD; do [ "${LOG_FAILURES}" = "Y" ] && \ ${IPTABLES} -A ${chain} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "${chain} ${REJECT_METHOD} $RULENUM " ; incr_rule_num ${IPTABLES} -A ${chain} -j ${REJECT_METHOD} done fi for chain in PUB_OUT INT_OUT ; do ${IPTABLES} -A ${chain} -j ACCEPT done # rule 1 in all of these chains is a deny rule; remove it so other rules work for chain in PUB_IN INT_IN PUB_OUT INT_OUT ; do ${IPTABLES} -D ${chain} -j DROP done include_supplemental post-rule-setup echo " done." ;; stop) include_supplemental pre-drop-rules echo echo "WARNING: reverting to default settings (dropping firewall)" # We should disable NAT/forwarding even if not set to restore defaults echo -n "disabling IP forwarding..." echo 0 > /proc/sys/net/ipv4/ip_forward echo " done." echo -n "unloading masquerading modules..." do_masq_mods unload echo " done." # flushing leaves the default input at ${REJECT_METHOD} echo -n "resetting default input rules to accept..." ${IPTABLES} -P INPUT ACCEPT echo " done." echo -n "resetting default output rule to accept..." ${IPTABLES} -P OUTPUT ACCEPT echo " done." # We disabled forwarding with the /proc interface, but we # reset FORWARD to ACCEPT because that;s the normal default echo -n "resetting default forward rule to accept..." ${IPTABLES} -P FORWARD ACCEPT echo " done." for chain in INPUT OUTPUT FORWARD ; do echo -n "flushing ${chain} rules..." ${IPTABLES} -F ${chain} echo " done." done for chain in PREROUTING POSTROUTING ; do ${IPTABLES} -t nat -F ${chain} done ${IPTABLES} -t mangle -F PREROUTING # flush and delete the user-defined chains echo -n "removing user-defined chains..." for chain in PUB_IN PUB_OUT INT_IN INT_OUT PAROLE ; do ${IPTABLES} -F ${chain} ${IPTABLES} -X ${chain} done include_supplemental post-drop-rules echo " done." ;; status) ${IPTABLES} -L -v -n ;; *) echo "Usage: $0 {start|restart|reload|stop|status}" exit 1 esac exit 0