LinuxQuestions.org


cccc 09-26-2006 07:14 PM

add reload and restart options to the firewall script
 
hi

On my Debian sarge stable I have the following firewall script:
Code:

#!/bin/sh

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="10.0.0.0/8"
IPTABLES="/sbin/iptables"

# Flush all rules and delete user-defined chains in every table
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -F
$IPTABLES -X

case "$1" in
  start)
    echo -n "Starting firewall.."

# Flush then restrict
$IPTABLES -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT

# SYN-flood attack protection: new SYNs pass through a rate-limited chain;
# SYNs within the limit RETURN to be matched by the port rules below,
# the excess is dropped (a "-m limit ... -j ACCEPT" rule on INPUT would
# instead accept limited SYNs to every port)
$IPTABLES -N syn_flood
$IPTABLES -A syn_flood -m limit --limit 1/s -j RETURN
$IPTABLES -A syn_flood -j DROP
$IPTABLES -A INPUT -p tcp --syn -j syn_flood
$IPTABLES -A FORWARD -p tcp --syn -j syn_flood

# Disable ping
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j DROP

# Public Networks
$IPTABLES -A INPUT -s 202.X.X.0/28 -j ACCEPT

# Allowed Services
$IPTABLES -A INPUT -p tcp -m multiport --dport 80,443 -i eth0 -j ACCEPT

# Allow DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# Allow FTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow SMTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

# Allow IMAP
$IPTABLES -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

# Allow SSL encryption
$IPTABLES -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

# Allow access from LAN
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to 202.X.X.2

# Mark VPN packets
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

#$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -i eth1 -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

# Allow loopback-device
$IPTABLES -A INPUT -i lo -j ACCEPT

# Spoof protection
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP

echo "..done"
    ;;
  stop)
    echo -n "Stopping firewall.."
    $IPTABLES -F
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    echo "done"
    ;;
  *)
    echo "Usage: $0 {start|stop}"
    exit 1
    ;;
esac

How do I add reload and restart options to this script?

chadl 09-26-2006 07:47 PM

Here is an example of how I have done something like that in the past:
Code:

#!/bin/bash
case "$1" in
        start)
                echo "Starting"
                ;;
        stop)
                echo "Stopping"
                ;;
        restart)
                # restart = stop, then start, by calling this script again
                echo "Restarting"
                $0 stop
                $0 start
                ;;
        reload)
                # reload = just run the start action again
                echo "Reloading"
                $0 start
                ;;
        *)
                echo "Unknown command" 1>&2
                exit 1
                ;;
esac

This will just run the script with the stop command, and then the start command when you tell it to restart, and it will run the start command when you tell it to reload (you may have to edit the actions to what you want).

$0 stands for the name of the command, so it is just a quick way of calling itself. In this script, if you put it in a file and make it executable, when you run it with:
Code:

./test.sh restart
Then it will print out Restarting, then Stopping, then Starting. "reload" will just print out Reloading and then Starting.

cccc 09-27-2006 05:11 AM

Thanks a lot!

I changed it and hope it's OK now:
Code:

#!/bin/sh

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="10.0.0.0/8"
IPTABLES="/sbin/iptables"

# Flush all rules and delete user-defined chains in every table
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -F
$IPTABLES -X

case "$1" in
  start)
    echo -n "Starting firewall.."

# Flush then restrict
$IPTABLES -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT

# SYN-flood attack protection: new SYNs pass through a rate-limited chain;
# SYNs within the limit RETURN to be matched by the port rules below,
# the excess is dropped (a "-m limit ... -j ACCEPT" rule on INPUT would
# instead accept limited SYNs to every port)
$IPTABLES -N syn_flood
$IPTABLES -A syn_flood -m limit --limit 1/s -j RETURN
$IPTABLES -A syn_flood -j DROP
$IPTABLES -A INPUT -p tcp --syn -j syn_flood
$IPTABLES -A FORWARD -p tcp --syn -j syn_flood

# Disable ping
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j DROP

# Public Networks
$IPTABLES -A INPUT -s 202.X.X.0/28 -j ACCEPT

# Allowed Services
$IPTABLES -A INPUT -p tcp -m multiport --dport 80,443 -i eth0 -j ACCEPT

# Allow DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# Allow FTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow SMTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

# Allow IMAP
$IPTABLES -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

# Allow SSL encryption
$IPTABLES -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

# Allow access from LAN
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to 202.X.X.2

# Mark VPN packets
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

#$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -i eth1 -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

# Allow loopback-device
$IPTABLES -A INPUT -i lo -j ACCEPT

# Spoof protection
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP

echo "..done"
    ;;
  stop)
    echo -n "Stopping firewall.."
    $IPTABLES -F
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P INPUT ACCEPT
    echo "done"
    ;;
  restart)
    # "stop" already flushes and opens INPUT, so just call it and then "start"
    echo "Restarting firewall.."
    $0 stop
    $0 start
    ;;
  reload)
    echo "Reloading firewall.."
    $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload}" 1>&2
    exit 1
    ;;
esac
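
The dispatcher from chadl's reply applied to the firewall above, as an added example that is not code from the thread: start and reload feed one iptables-save style ruleset to iptables-restore, which commits each table all-or-nothing, so a reload never leaves the host with flushed chains and INPUT policy ACCEPT the way a stop-then-start restart briefly does. It assumes iptables-restore lives at /sbin/iptables-restore; the interface names and 203.0.113.2 (standing in for the thread's 202.X.X.2) are placeholders.

```shell
#!/bin/sh
# Added example, not the thread's script: same start/stop/restart/reload
# dispatch, but start/reload load the whole ruleset via iptables-restore,
# which commits each table all-or-nothing, so "reload" never leaves the
# host with flushed chains and an ACCEPT policy. Interfaces and
# 203.0.113.2 (placeholder for the thread's 202.X.X.2) are assumptions.
IPTABLES="${IPTABLES:-/sbin/iptables}"
RESTORE="${RESTORE:-/sbin/iptables-restore}"
EXT_IF="eth0"; INT_IF="eth1"; LOCAL_LAN="192.168.115.0/24"
SNAT_IP="203.0.113.2"
# Emit the ruleset in iptables-save format. Unlike a "--syn -m limit
# -j ACCEPT" rule on INPUT, the syn_limit chain only rate-limits new SYNs
# and hands the survivors back (RETURN) to the port rules.
fw_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn_limit - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --syn -j syn_limit
-A syn_limit -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn_limit -j DROP
-A INPUT -i $EXT_IF -p tcp -m multiport --dports 21,22,25,80,443,465,993 -j ACCEPT
-A INPUT -i $INT_IF -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to-source $SNAT_IP
COMMIT
EOF
}
fw_start()   { fw_ruleset | "$RESTORE"; }   # old rules stay until COMMIT succeeds
fw_reload()  { fw_start; }                  # swap in place: no open window
fw_stop()    { "$IPTABLES" -F; "$IPTABLES" -t nat -F; "$IPTABLES" -X; "$IPTABLES" -P INPUT ACCEPT; }
fw_restart() { fw_stop && fw_start; }       # teardown first, as in the thread: brief ACCEPT window
fw_main() {
    case "${1:-}" in
        start|stop|restart|reload) "fw_$1" ;;
        *) echo "Usage: $0 {start|stop|restart|reload}" >&2; return 2 ;;
    esac
}
if [ $# -gt 0 ]; then fw_main "$1"; fi
```

Note that the thread's scripts flush every table before the case statement, so even an unknown argument empties the rules; here only stop does that.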


