An Incomplete Firewall Script for SourceMage GNU/Linux
  The configuration for this script is rather simplistic at this time:

it is a set of lines beginning with "ACCESS=", "SERVICE=" or "MASQUERADE=".

ACCESS=<resolvablename> <policy>
  grc.com, microsoft.com, hotmail.com and sourceforge.net are examples of resolvable names;
  ACCEPT, REJECT and DROP are the acceptable policy values.

SERVICE=<service name>[<.tcp|.udp> <hostname> <policy>]
  <service name> is any service listed in /etc/services;
  if <service name> has ".tcp" or ".udp" appended, then <hostname> and <policy> are required,
    as in the auth example lines below.

To have changes take effect, run "telinit run firewall restart"; this script supports
  "start / stop / restart / status" as keywords when the firewall is run.

--Example::Begin--
ACCESS=grc.com DROP

SERVICE=ftp-data
SERVICE=ftp
SERVICE=ssh
SERVICE=domain
SERVICE=bootps
SERVICE=bootpc
SERVICE=tftp
SERVICE=http
SERVICE=auth.tcp localhost ACCEPT
SERVICE=auth.udp localhost DROP
--Example::End--

--firewall::Begin--
#!/bin/bash
#
# simpleinit::firewall
#
# Author:: Jeremy "Belxjander Serechai" Sutherland
#
# simpleinit metadata consumed by /etc/init.d/smgl_init (presumably: no
# daemon of its own, hence PROGRAM=/bin/false; "+syslog" looks like an
# ordering dependency — confirm against smgl_init).
PROGRAM=/bin/false
RUNLEVEL=3
PROVIDES=firewall
NEEDS="+syslog"

. /etc/init.d/smgl_init

# Every rule below is issued through this binary.
IPTABLES="/usr/sbin/iptables"
required_executable "$IPTABLES"

# Rule source: ACCESS= / SERVICE= / MASQUERADE= lines, see the header text.
fwconf="/etc/sysconfig/firewall"
# Scratch copy of the matching config lines; start() removes it at the end.
# NOTE(review): a fixed, predictable path under /tmp is reachable by every
# local user and its contents are fed back into iptables as rule input; a
# mktemp-created file, or no scratch file at all, would be the safer choice.
fwTemp="/tmp/firewall"

# Kernel knobs: the ephemeral port range (read by start) and the forwarding
# switch (cleared by stop).
IP_LOCAL="/proc/sys/net/ipv4/ip_local_port_range"
IP_FORWARD="/proc/sys/net/ipv4/ip_forward"

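#######################################
# Adds one tcp and one udp INPUT rule per "ACCESS=<host> <policy>" line of
# the configuration file, matching on the packet's source address.
# Only a line that starts with the keyword counts, so a commented-out
# "#ACCESS=..." line is no longer loaded as a rule (the former grep/cut
# pipeline matched "ACCESS" anywhere in the line).  No scratch file is used.
# Globals:   fwconf (read), IPTABLES (read)
# Arguments: none
# Outputs:   one warning on stderr per malformed line
# Returns:   0; iptables reports its own failures
#######################################
Firewall_AccessList()
{
  local key server policy extra
  # '=' and blanks both delimit, so one read splits "KEY=host policy";
  # extra soaks up any trailing words.  The || keeps a last line that
  # lacks a newline.
  while IFS=$'= \t' read -r key server policy extra || [ -n "$key" ]; do
    [ "$key" = ACCESS ] || continue
    # A line without a policy was skipped before as well (its single field
    # showed up as both server and policy); say so instead of staying silent.
    if [ -z "$server" ] || [ -z "$policy" ]; then
      printf 'firewall: ignoring incomplete ACCESS line "%s"\n' "$server" >&2
      continue
    fi
    # Only the three documented targets are passed on to iptables.
    case "$policy" in
      ACCEPT|REJECT|DROP) ;;
      *)
        printf 'firewall: ignoring ACCESS line for %s: unknown policy "%s"\n' \
          "$server" "$policy" >&2
        continue
        ;;
    esac
    # Quoted so each config value is exactly one iptables argument.
    "$IPTABLES" -A INPUT -p tcp -s "$server" -j "$policy"
    "$IPTABLES" -A INPUT -p udp -s "$server" -j "$policy"
  done < "$fwconf"
}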

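#######################################
# Opens the ports named on "SERVICE=" lines of the configuration file.
#   SERVICE=<name>                          accept tcp and udp to <name>
#   SERVICE=<name>.<tcp|udp> <host> <policy> create chain <name>.<proto> and
#                                           send INPUT traffic for it there
# <name> is handed to iptables unchanged, so it must be a port number or an
# /etc/services entry.  For the second form the per-host rule inside the
# chain was never finished (see the TODO below): the chain stays empty, so
# that traffic falls through to the INPUT policy that start() sets.
# Parsing is done with read instead of cut, so a <host> containing dots
# (mail.example.org) no longer corrupts the protocol and policy fields.
# Globals:   fwconf (read), IPTABLES (read)
# Arguments: none
# Outputs:   one warning on stderr per malformed or unapplied line
# Returns:   0; iptables reports its own failures
#######################################
Firewall_Services()
{
  local key spec host policy extra srvname srvtype aclname
  while IFS=$'= \t' read -r key spec host policy extra || [ -n "$key" ]; do
    [ "$key" = SERVICE ] || continue
    [ -n "$spec" ] || continue
    case "$spec" in
      *.tcp|*.udp)
        srvname=${spec%.*}
        srvtype=${spec##*.}
        if [ -z "$srvname" ] || [ -z "$host" ] || [ -z "$policy" ]; then
          printf 'firewall: SERVICE=%s needs "<name>.<proto> <host> <policy>", line ignored\n' \
            "$spec" >&2
          continue
        fi
        case "$policy" in
          ACCEPT|REJECT|DROP) ;;
          *)
            printf 'firewall: SERVICE=%s: unknown policy "%s", line ignored\n' \
              "$spec" "$policy" >&2
            continue
            ;;
        esac
        aclname="$srvname.$srvtype"
        "$IPTABLES" -N "$aclname"
        "$IPTABLES" -A INPUT -p "$srvtype" --dport "$srvname" -j "$aclname"
        # TODO: the per-host rule is unimplemented.  The original draft read
        #   $IPTABLES -A $aclname -p $srvtype -s $src -d $dest -j $policy
        # but a config line carries one host only, so whether it is the
        # source or the destination must be decided before enabling it.
        # Until then the chain is empty and the port stays closed.
        printf 'firewall: SERVICE=%s: %s rule for host %s not applied (unimplemented), port stays closed\n' \
          "$spec" "$policy" "$host" >&2
        ;;
      *.*)
        # Anything after the dot other than tcp/udp used to end up as
        # "-p <junk>"; reject it before it reaches iptables.
        printf 'firewall: SERVICE=%s: protocol must be .tcp or .udp, line ignored\n' \
          "$spec" >&2
        ;;
      *)
        if [ -n "$host" ]; then
          # The plain form takes no further fields; previously the extra
          # words were mangled into a chain name.
          printf 'firewall: SERVICE=%s: unexpected trailing fields, line ignored\n' \
            "$spec" >&2
          continue
        fi
        "$IPTABLES" -A INPUT -p tcp --dport "$spec" -j ACCEPT
        "$IPTABLES" -A INPUT -p udp --dport "$spec" -j ACCEPT
        ;;
    esac
  done < "$fwconf"
}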

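#######################################
# Placeholder for NAT: reports every "MASQUERADE=" line of the configuration
# file as not yet supported.  No rule is installed and no scratch file is
# written; only a line that starts with the keyword counts.
# Globals:   fwconf (read)
# Arguments: none
# Outputs:   one notice on stdout per MASQUERADE line
# Returns:   0
#######################################
Firewall_Masquerade()
{
  local key rest
  while IFS=$'= \t' read -r key rest || [ -n "$key" ]; do
    [ "$key" = MASQUERADE ] || continue
    printf '%s\n' "Masquerading not finished"
  done < "$fwconf"
# Draft of the intended rules, kept from the original.  $INTERN and $EXTERN
# are defined nowhere in this script, so it cannot be enabled as-is; note
# that the FORWARD pair already uses a RELATED,ESTABLISHED state match, and
# that ip_forward (cleared by stop) would presumably also have to be set.
#  for LOCALNET in $INTERN
#  do
#    $IPTABLES -A FORWARD -i $EXTERN -o $LOCALNET -m state --state RELATED,ESTABLISHED -j ACCEPT
#    $IPTABLES -A FORWARD -i $LOCALNET -o $EXTERN -j ACCEPT
#    $IPTABLES -t nat -A POSTROUTING -o $EXTERN -j MASQUERADE
#  done
}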

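#######################################
# Installs the firewall: pins the INPUT/FORWARD policies to DROP, resets the
# filter and nat tables, then loads the icmp/loopback defaults, the ACCESS
# and SERVICE lines and the ephemeral-port range.
# Globals:   IPTABLES, IP_LOCAL, fwTemp (read); iptables state (written)
# Arguments: none
# Outputs:   progress message on stdout, warnings on stderr
# Returns:   0; iptables reports its own failures
#######################################
start()
{
  local lbound ubound
  # Policies first, so the host is never open while the rule set is only
  # half loaded (after stop() the INPUT policy is ACCEPT).
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT ACCEPT
  # Flush before -X: a user chain can only be deleted once it is empty and
  # unreferenced.  Flushing also keeps a restart from appending a second
  # copy of every rule.
  "$IPTABLES" -t filter -F
  "$IPTABLES" -t filter -X
  "$IPTABLES" -t filter -Z
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t nat -X
  "$IPTABLES" -t nat -Z
  #
  printf '%s\n' "Loading Firewall rules..."
  # ip_local_port_range holds "low<TAB>high"; read splits it directly.
  if ! read -r lbound ubound < "$IP_LOCAL"; then
    printf 'firewall: cannot read %s\n' "$IP_LOCAL" >&2
  fi
  #
  "$IPTABLES" -A INPUT -p icmp -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp -d 127.0.0.1/255.0.0.0 -j ACCEPT
  "$IPTABLES" -A INPUT -p udp -d 127.0.0.1/255.0.0.0 -j ACCEPT
  #
  Firewall_AccessList
  Firewall_Services
  #
  # NOTE(review): this admits unsolicited inbound tcp/udp to every port of
  # the ephemeral range, not only replies to our own connections; a stateful
  # RELATED,ESTABLISHED match (as in the draft FORWARD rule kept in
  # Firewall_Masquerade) would be tighter — confirm nothing relies on the
  # stateless form before changing it.
  "$IPTABLES" -A INPUT -p tcp --dport "$lbound:$ubound" -j ACCEPT
  "$IPTABLES" -A INPUT -p udp --dport "$lbound:$ubound" -j ACCEPT
  #
  Firewall_Masquerade
  #
  # The helpers historically staged config lines in $fwTemp; clean it up.
  rm -f -- "$fwTemp"
}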

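#######################################
# Removes the firewall: the filter and nat chains go back to ACCEPT (FORWARD
# stays DROP), all rules and user chains are deleted and kernel forwarding
# is switched off.  The host accepts everything on INPUT afterwards.
# Globals:   IPTABLES, IP_FORWARD (read); iptables state, ip_forward (written)
# Arguments: none
# Outputs:   progress message on stdout
# Returns:   0; iptables reports its own failures
#######################################
stop()
{
  printf '%s\n' "Unloading Firewall rules..."
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT ACCEPT
  # One table-wide flush replaces the former per-chain flushes plus the
  # repeated table flush; -F before -X so user chains can be deleted.
  "$IPTABLES" -t filter -F
  "$IPTABLES" -t filter -X
  #
  # No forwarding without a firewall.
  printf '0\n' > "$IP_FORWARD"
  #
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  "$IPTABLES" -t nat -P OUTPUT ACCEPT
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t nat -X
}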

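#######################################
# Prints the active filter and nat rule sets.
# Globals:   IPTABLES (read)
# Arguments: none
# Outputs:   two headings and the iptables listings on stdout
# Returns:   exit status of the last iptables call
#######################################
status()
{
  printf '%s\n' "Current Filtration rules..."
  "$IPTABLES" -L -n
  printf '%s\n' "Current Masquerade rules..."
  # -n (numeric) — a bare "n" is taken as a chain name and fails.
  "$IPTABLES" -t nat -L -n
}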

# Reloading is not supported; exit with status 3 (its meaning is presumably
# defined by /etc/init.d/smgl_init, not here).
reload()
{
  exit 3
}

# Prints the accepted command keywords on stdout.
usage()
{
  printf 'Usage: %s {start|stop|status}\n' "$0"
}
--firewall::End--

last edited 2007-05-17 12:28:37 by BelxjanderSerechai