add reload and restart options to the firewall script


Postby cc » 2006-09-26 23:12

hi

on my sarge stable I have the following firewall script:
#!/bin/sh

NAME=$(basename "$0")
EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
REMOTE_LAN1="192.168.0.0/24"
REMOTE_LAN2="192.168.1.0/24"
REMOTE_LAN3="10.0.0.0/8"
IPTABLES="/sbin/iptables"

# Flush all rules and user chains in every table before doing anything else
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -F
$IPTABLES -X

case "$1" in
   start)
     echo -n "Starting firewall.."

# Flush then restrict
$IPTABLES -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT

# SYN-flood attack protection
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Disable ping
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j DROP

# Public Networks
$IPTABLES -A INPUT -s 202.X.X.0/28 -j ACCEPT

# Allowed Services
$IPTABLES -A INPUT -p tcp -m multiport --dport 80,443 -i eth0 -j ACCEPT

# Allow DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# Allow FTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow SMTP
$IPTABLES -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

# Allow IMAP
$IPTABLES -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

# Allow SSL encryption
$IPTABLES -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

# Allow access from LAN
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_LAN -o $EXT_IF -j SNAT --to 202.X.X.2

# Mark VPN packets
$IPTABLES -t mangle -A PREROUTING -i $EXT_IF -p esp -j MARK --set-mark 1 #VPN

#$IPTABLES -t nat -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN1 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN2 -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s $REMOTE_LAN3 -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -i eth1 -p icmp -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -m udp --dport 500 -j ACCEPT #VPN
$IPTABLES -A INPUT -i $EXT_IF -m mark --mark 1 -j ACCEPT

$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -m mark --mark 1 -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -j ACCEPT

# Allow loopback-device
$IPTABLES -A INPUT -i lo -j ACCEPT

# Spoof protection
$IPTABLES -t nat -A PREROUTING -d $LOCAL_LAN -i $EXT_IF -j DROP

echo "..done"
     ;;
   stop)
     echo -n "Stopping firewall.."
     $IPTABLES -F
     $IPTABLES -P FORWARD DROP
     $IPTABLES -P OUTPUT ACCEPT
     $IPTABLES -P INPUT ACCEPT
     echo "done"
     ;;
   *)
     echo "Usage: $NAME {start|stop}"
     exit 1
     ;;
esac

How do I add reload and restart options to this script?
cc
 
Posts: 820
Joined: 2005-06-08 19:14

Postby ajdlinux » 2006-09-28 09:37

Add a clause above the *) line, like 'reload)', then write the code to restart the firewall (I don't exactly know what that code is though, you could just make it stop and then start again or something.)
Jabber: xmpp:ajdlinux@jabber.org.au
Spammers, email this: ajdspambucket@exemail.com.au
ajdlinux
 
Posts: 2480
Joined: 2006-04-23 09:37
Location: Port Macquarie, NSW, Australia
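One way to do what the reply suggests, as an added example rather than code from either poster: put the rules in functions and dispatch on the action word, so that start, stop, restart and reload all share a single rule definition. It keeps the poster's interface and LAN names and a representative subset of the rules (the remaining rules drop into fw_start unchanged); the function names fw_start, fw_stop, fw_flush and fw_dispatch are mine, and IPTABLES can be pointed at a logging stub to dry-run the script without root.

```shell
#!/bin/sh
# Added example (not the poster's script): the same kind of ruleset split into
# functions so that start, stop, restart and reload share one rule definition.
# IPTABLES can be overridden (e.g. with a logging stub) to dry-run without root.

EXT_IF="eth0"
INT_IF="eth1"
LOCAL_LAN="192.168.115.0/24"
IPTABLES="${IPTABLES:-/sbin/iptables}"
NAME=$(basename "$0")

# Remove every rule and user chain in all three tables. Policies are untouched,
# so whatever default was in force stays in force while the chains are empty.
fw_flush() {
    for table in filter nat mangle; do
        $IPTABLES -t "$table" -F
        $IPTABLES -t "$table" -X
    done
}

# Load the ruleset. Default-deny policies are set *before* the flush, so there
# is never a moment with empty chains and an ACCEPT policy on INPUT/FORWARD.
fw_start() {
    printf 'Starting firewall..'
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    fw_flush
    # Representative subset of the original post's rules; the rest go here too.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -i "$EXT_IF" -p tcp -m multiport --dport 80,443 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INT_IF" -j ACCEPT
    printf '..done\n'
}

# Open the host up, as the original stop) clause does: INPUT becomes ACCEPT.
fw_stop() {
    printf 'Stopping firewall..'
    fw_flush
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    printf 'done\n'
}

# Dispatch on the action word. Returns 1 (rather than exiting) on a bad action
# so the function can also be exercised from a test harness.
fw_dispatch() {
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        # Conventional restart: stop, then start. Between the two calls INPUT
        # is ACCEPT with no rules loaded, so prefer reload on an exposed host.
        restart) fw_stop; fw_start ;;
        # reload re-applies the rules directly: fw_start flushes first and the
        # DROP policies stay in place the whole time.
        reload)  fw_start ;;
        *)
            echo "Usage: $NAME {start|stop|restart|reload}" >&2
            return 1
            ;;
    esac
}

# Only dispatch when given an action, so the file can also be sourced.
if [ $# -gt 0 ]; then
    fw_dispatch "$@" || exit 1
fi
```

Run it as `sh firewall.sh reload` (root is needed for the real /sbin/iptables). The reason reload does not go through stop is visible in the original stop) clause: it sets the INPUT policy to ACCEPT, so a stop-then-start restart leaves the host briefly open with no rules at all. One further thing worth checking in the original start) block before carrying it over: the SYN-flood rules `-p tcp --syn -m limit --limit 1/s -j ACCEPT` sit above the per-port rules and ACCEPT a rate-limited trickle of SYNs to any port, not just the allowed ones; they are left out of the subset above for that reason.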

