#!/bin/sh # # Main file for firewall rules, using iptables. # Written by Tom Karlsson 2001-09-21. # # Parameters to fwrules are: # # refresh = Initialize or reinitialize the complete set of rules (default). # This will clear all statistics. # purge = Delete the rules declared in the fwrules files, # but leave all manually added rules. # delete = Delete all rules. # #------------------ # Load filter modules # modprobe ip_tables modprobe iptable_filter modprobe ipt_limit modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ipt_state modprobe ipt_LOG modprobe ipt_REJECT modprobe iptable_nat modprobe ip_nat_ftp #modprobe ipt_MASQUERADE modprobe ipt_REDIRECT source /filter/fw.conf if [ ${1:-none} = "none" ]; then ACTION="refresh" iptables -F iptables -X else if [ $1 != "refresh" -a $1 != "purge" -a $1 != "delete" ]; then echo echo "Usage: $0 " echo "Example: $0 refresh (default)" echo exit fi fi case $1 in ( refresh ) ACTION=refresh; iptables -F; iptables -X;; ( purge ) ACTION=purge;; ( delete ) ACTION=delete; iptables -F; iptables -X; exit;; esac iptables --version echo echo "$0" #------------------ # Set default policy # iptables -P INPUT ACCEPT iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT #------------------ # Source NAT or Masquerading # iptables -t nat -F iptables -t nat -A POSTROUTING -o $IF_IP0 -s $NET_IP1 -j SNAT --to $IP0 #iptables -t nat -A POSTROUTING -o $IF_IP0 -s $NET_IP2 -j SNAT --to $IP0 #iptables -t nat -A POSTROUTING -o $IF_IP0 -s $NET_IP3 -j SNAT --to $IP0 ##iptables -t nat -A POSTROUTING -o $IF_IP0 -s $NET_IP1 -j MASQUERADE #------------------ # Create new sub chains. # Inserted in reverse traffic order. # if [ $ACTION = "refresh" ]; then iptables -N local_icmp 2> /dev/null iptables -I INPUT -j local_icmp iptables -N f_icmp 2> /dev/null iptables -I FORWARD -j f_icmp iptables -N local_filter 2> /dev/null iptables -I INPUT -j local_filter iptables -N filter 2> /dev/null iptables -I FORWARD -j filter iptables -N local_frag 2> /dev/null iptables -I INPUT -j local_frag iptables -N frag 2> /dev/null iptables -I FORWARD -j frag fi #------------------ # lock # iptables -I INPUT 1 -j DROP iptables -I FORWARD 1 -j DROP #------------------ # loopback for older /bin/login # #iptables -I INPUT -i lo -j ACCEPT #------------------ # Call the other modules # /filter/fwrules.fragments $ACTION /filter/fwrules.icmp $ACTION /filter/fwrules.filter $ACTION #------------------ # Remove lock # iptables -D INPUT 1 iptables -D FORWARD 1