An incomplete firewall script for SourceMage GNU/Linux.
The configuration for this script is rather simplistic at this time:
a set of lines beginning with "ACCESS=", "SERVICE=" or "MASQUERADE=".
ACCESS=<resolvablename> <policy>
grc.com, microsoft.com, hotmail.com and sourceforge.net are examples of resolvable names;
ACCEPT, REJECT and DROP are the accepted policy values.
SERVICE=<service name>[<.tcp|.udp> <hostname> <policy>]
any service name listed in /etc/services;
if the service name has ".tcp" or ".udp" appended, then a hostname and a policy are required,
as in the auth example lines below.
To have changes take effect, run "telinit run firewall restart"; this script supports
"start / stop / restart / status" as keywords when the firewall is run.
--Example::Begin--
ACCESS=grc.com DROP
SERVICE=ftp-data
SERVICE=ftp
SERVICE=ssh
SERVICE=domain
SERVICE=bootps
SERVICE=bootpc
SERVICE=tftp
SERVICE=http
SERVICE=auth.tcp localhost ACCEPT
SERVICE=auth.udp localhost DROP
--Example::End--
--firewall::Begin--
#!/bin/bash
#
# simpleinit::firewall
#
# Author:: Jeremy "Belxjander Serechai" Kajikawa
#
# Init-framework metadata consumed by smgl_init; the firewall itself is
# driven by the start/stop/status functions defined further down.
PROGRAM=/bin/false
RUNLEVEL=3
PROVIDES=firewall
NEEDS="+syslog"
. /etc/init.d/smgl_init
# Path of the iptables binary; smgl_init's required_executable aborts the
# script when it is missing.
IPTABLES="/usr/sbin/iptables"
required_executable "$IPTABLES"
# Rule configuration: ACCESS=, SERVICE= and MASQUERADE= lines.
fwconf="/etc/sysconfig/firewall"
# NOTE(review): a fixed, predictable path under /tmp that the Firewall_*
# helpers overwrite with ">" while the script runs (as root, under init);
# a symlink planted there by another local user could be followed.  Prefer
# mktemp, or drop the staging file and read $fwconf directly.
fwTemp='/tmp/firewall'
# Kernel knobs: the local (ephemeral) port range, and the forwarding switch.
IP_LOCAL='/proc/sys/net/ipv4/ip_local_port_range'
IP_FORWARD='/proc/sys/net/ipv4/ip_forward'
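#######################################
# Load the "ACCESS=<host> <policy>" entries of $fwconf as INPUT rules,
# one for tcp and one for udp per entry.
# Globals:   fwconf (read), IPTABLES (executed)
# Arguments: none
# Outputs:   a warning on stderr for each entry with an unknown policy
# Returns:   0; iptables reports its own failures
#######################################
Firewall_AccessList()
{
  local line server policy
  # Anchor on the key so commented-out lines and lines that merely contain
  # the word ACCESS are not treated as entries, and read the config directly
  # instead of staging it through a predictable file in /tmp.
  while IFS= read -r line; do
    read -r server policy _ <<<"${line#ACCESS=}"
    # An entry without a policy is skipped, as before.
    if [[ -z "$server" || -z "$policy" ]]; then
      continue
    fi
    # Only the documented verdicts may be used as a jump target.
    case "$policy" in
      ACCEPT|REJECT|DROP) ;;
      *)
        printf 'firewall: ignoring ACCESS entry with unknown policy: %s\n' "$line" >&2
        continue
        ;;
    esac
    # iptables resolves the host name when the rule is loaded, so the rule
    # reflects whatever the resolver answered at start time.
    "$IPTABLES" -A INPUT -p tcp -s "$server" -j "$policy"
    "$IPTABLES" -A INPUT -p udp -s "$server" -j "$policy"
  done < <(grep '^ACCESS=' -- "$fwconf")
}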
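#######################################
# Load the "SERVICE=<name>[.tcp|.udp <host> <policy>]" entries of $fwconf.
# A bare name opens its tcp and udp port to everyone.  The qualified form
# creates a chain "<name>.<proto>", jumps matching packets into it and
# applies <policy> to packets from <host> there; other packets return to
# INPUT and continue with the remaining rules.
# Globals:   fwconf (read), IPTABLES (executed)
# Arguments: none
# Outputs:   a warning on stderr for each malformed entry
# Returns:   0; iptables reports its own failures
#######################################
Firewall_Services()
{
  local line spec server policy srvname srvtype aclname
  # Anchored key and direct read of the config: no staging file in /tmp.
  while IFS= read -r line; do
    read -r spec server policy _ <<<"${line#SERVICE=}"
    [[ -n "$spec" ]] || continue
    if [[ "$spec" != *.* ]]; then
      # Unqualified entry: accept the port for both protocols.
      "$IPTABLES" -A INPUT -p tcp --dport "$spec" -j ACCEPT
      "$IPTABLES" -A INPUT -p udp --dport "$spec" -j ACCEPT
      continue
    fi
    srvname=${spec%%.*}
    srvtype=${spec#*.}
    case "$srvtype" in
      tcp|udp) ;;
      *)
        printf 'firewall: ignoring SERVICE entry with unknown protocol: %s\n' "$line" >&2
        continue
        ;;
    esac
    # The qualified form requires both the host and the policy.
    if [[ -z "$server" || -z "$policy" ]]; then
      printf 'firewall: SERVICE entry needs <host> <policy>: %s\n' "$line" >&2
      continue
    fi
    case "$policy" in
      ACCEPT|REJECT|DROP) ;;
      *)
        printf 'firewall: ignoring SERVICE entry with unknown policy: %s\n' "$line" >&2
        continue
        ;;
    esac
    aclname="$srvname.$srvtype"
    # Create the per-service chain only once: a second entry for the same
    # service, or a start without a preceding stop, reuses the existing one.
    "$IPTABLES" -L "$aclname" -n >/dev/null 2>&1 || "$IPTABLES" -N "$aclname"
    "$IPTABLES" -A INPUT -p "$srvtype" --dport "$srvname" -j "$aclname"
    # The per-host verdict the original left commented out; without it the
    # chain was empty and the entry had no effect.
    "$IPTABLES" -A "$aclname" -p "$srvtype" -s "$server" -j "$policy"
  done < <(grep '^SERVICE=' -- "$fwconf")
}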
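#######################################
# Placeholder for the "MASQUERADE=" entries of $fwconf: masquerading is
# not implemented, so each entry only prints a notice.
# Globals:   fwconf (read)
# Arguments: none
# Outputs:   one notice per MASQUERADE= line on stdout
# Returns:   0
#######################################
Firewall_Masquerade()
{
  local line
  # Anchored key and direct read of the config: no staging file in /tmp.
  # Every matched line starts with the key, so it is never empty.
  while IFS= read -r line; do
    printf '%s\n' "Masquerading not finished"
  done < <(grep '^MASQUERADE=' -- "$fwconf")
  # Sketch of the intended forward/NAT rules, kept from the original;
  # EXTERN and INTERN are not defined anywhere in this script yet.
  # for LOCALNET in $INTERN
  # do
  # $IPTABLES -A FORWARD -i $EXTERN -o $LOCALNET -m state --state RELATED,ESTABLISHED -j ACCEPT
  # $IPTABLES -A FORWARD -i $LOCALNET -o $EXTERN -j ACCEPT
  # $IPTABLES -t nat -A POSTROUTING -o $EXTERN -j MASQUERADE
  # done
}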
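#######################################
# Load the firewall: set the default policies, reset the filter and nat
# tables, allow loopback and icmp, apply the ACCESS/SERVICE entries and
# open the local port range.
# Globals:   IPTABLES (executed), IP_LOCAL (read), fwTemp (removed)
# Arguments: none
# Outputs:   progress message on stdout
# Returns:   0; iptables reports its own failures
#######################################
start()
{
  local LBOUND UBOUND
  # Policies first: the original appended all rules while INPUT was still
  # ACCEPT-all and only switched to DROP at the end.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT ACCEPT
  # Flush before deleting user chains: -X refuses a chain that is still
  # referenced, and without -F a second start appended every rule again.
  "$IPTABLES" -F -t filter
  "$IPTABLES" -X -t filter
  "$IPTABLES" -Z -t filter
  "$IPTABLES" -F -t nat
  "$IPTABLES" -X -t nat
  "$IPTABLES" -Z -t nat
  #
  echo "Loading Firewall rules..."
  # ip_local_port_range holds the low and high port, tab separated.
  read -r LBOUND UBOUND <"$IP_LOCAL"
  #
  "$IPTABLES" -A INPUT -p icmp -j ACCEPT
  # Match loopback by interface; the original accepted any tcp/udp packet
  # addressed to 127/8 whatever interface it arrived on.
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  #
  Firewall_AccessList
  Firewall_Services
  #
  # NOTE(review): this accepts every inbound packet to a port in the local
  # range regardless of whether it belongs to an existing connection; a
  # conntrack state match would be tighter.
  "$IPTABLES" -A INPUT -p tcp --dport "$LBOUND:$UBOUND" -j ACCEPT
  "$IPTABLES" -A INPUT -p udp --dport "$LBOUND:$UBOUND" -j ACCEPT
  #
  Firewall_Masquerade
  #
  # Remove the staging file the Firewall_* helpers may have left in /tmp.
  rm -f -- "$fwTemp"
}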
#######################################
# Unload the firewall: open the filter chains (FORWARD stays DROP), turn
# off IP forwarding, open the nat chains, then flush and delete every
# rule and user chain in both tables.
# Globals:   IPTABLES (executed), IP_FORWARD (written)
# Arguments: none
# Outputs:   progress message on stdout
# Returns:   0; iptables reports its own failures
#######################################
stop()
{
  local chain table
  echo "Unloading Firewall rules..."
  for chain in INPUT FORWARD OUTPUT; do
    if [[ "$chain" == FORWARD ]]; then
      "$IPTABLES" -P "$chain" DROP
    else
      "$IPTABLES" -P "$chain" ACCEPT
    fi
    "$IPTABLES" -F "$chain"
  done
  #
  printf '0\n' >"$IP_FORWARD"
  #
  for chain in PREROUTING POSTROUTING OUTPUT; do
    "$IPTABLES" -t nat -P "$chain" ACCEPT
    "$IPTABLES" -t nat -F "$chain"
  done
  #
  for table in filter nat; do
    "$IPTABLES" -F -t "$table"
    "$IPTABLES" -X -t "$table"
  done
}
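#######################################
# Print the current filter and nat rules with numeric addresses/ports.
# Globals:   IPTABLES (executed)
# Arguments: none
# Outputs:   rule listings on stdout
# Returns:   0; iptables reports its own failures
#######################################
status()
{
  echo "Current Filtration rules..."
  "$IPTABLES" -L -n
  echo "Current Masquerade rules..."
  # The original passed "-L n", which lists a chain named "n" rather than
  # listing numerically.
  "$IPTABLES" -t nat -L -n
}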
# Reloading is not supported; leave with status 3 so the caller can tell.
reload()
{
  exit 3
}
#######################################
# Print the accepted command keywords.
# Arguments: none
# Outputs:   usage line on stdout
#######################################
usage()
{
  printf 'Usage: %s {start|stop|status}\n' "$0"
}
--firewall::End--
