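#!/bin/sh
#
# Startup script to implement ipchains pre-defined rules.
#
# chkconfig: - 08 92
#
# description: Automates a packet filtering firewall with ipchains.
#
# Usage: UVAipchains {start|stop|restart|status}
#
# Policy loaded on the "input" chain (ipchains is first-match):
#   - everything on the loopback interface is accepted
#   - everything from 128.143.0.0/16 is accepted on $INTERFACE
#   - TCP to this host that is not a connection request (no SYN) is accepted
#   - new TCP to ports 20-25 and 80 on this host is accepted
#   - new TCP from source port 20 to unprivileged ports is accepted (active FTP)
#   - everything else addressed to this host is denied and logged
#
# "start" sets the input chain's default policy to DENY before loading any
# rule, so a missing local address or a rule that fails to insert leaves the
# host closed instead of wide open (the original left the policy at ACCEPT,
# so packets to any destination other than $LOCALNET -- broadcast, multicast,
# another interface -- were accepted).  "stop" deliberately returns to ACCEPT.

INTERFACE="eth0"
LOCKFILE="/var/lock/subsys/UVAipchains"

. /etc/rc.d/init.d/functions

# You shouldn't need to change anything in the rest of this section
#
# NOTE(review): chkconfig start priority 08 may run before the network
# service has brought $INTERFACE up; if so LOCALIP is empty at boot.
# "start" refuses to continue in that case rather than install rules with
# a malformed "-d /255.255.255.255" destination.
LOCALIP=$(/sbin/ifconfig "$INTERFACE" 2>/dev/null \
    | perl -ne 'if (/inet addr:(\d+\.\d+\.\d+\.\d+)/) {print $1;}')
LOCALNET="$LOCALIP/255.255.255.255"

# Append one rule to the input chain.  Arguments are the ipchains match and
# target options.  On failure report in init.d style and stop; the DENY
# policy set by "start" stays in force, so a half-loaded rule set fails
# closed.
rule() {
    if ! ipchains -A input "$@"; then
        failure "ipchains -A input $*"
        echo
        exit 1
    fi
}

case "$1" in
  stop)
    # Tearing the firewall down leaves the host unfiltered: the policies go
    # back to ACCEPT on purpose so networking keeps working.
    action "Flushing all chains:" ipchains -F
    action "Removing user defined chains:" ipchains -X
    echo -n "Resetting built-in chains to the default ACCEPT policy:"
    if ipchains -P input ACCEPT && \
       ipchains -P forward ACCEPT && \
       ipchains -P output ACCEPT; then
        success "Resetting built-in chains to the default ACCEPT policy"
    else
        failure "Resetting built-in chains to the default ACCEPT policy"
    fi
    echo
    rm -f "$LOCKFILE"
    ;;
  start)
    action "Flushing all current rules and user defined chains:" ipchains -F
    action "Clearing all current rules and user defined chains:" ipchains -X
    ipchains -Z
    # Fail closed: from here on anything not explicitly accepted below is
    # dropped, including during a partial load and during "restart".
    action "Setting input chain default policy to DENY:" ipchains -P input DENY
    if [ -z "$LOCALIP" ]; then
        failure "Could not determine the IP address of $INTERFACE; no rules loaded"
        echo
        exit 1
    fi
    rule -i lo -s 0/0 -d 0/0 -j ACCEPT
    rule -s 128.143.0.0/255.255.0.0 -d 0.0.0.0/0.0.0.0 -i "$INTERFACE" -j ACCEPT
    # ipchains is stateless: "not a SYN" stands in for "established".  Any
    # TCP segment without SYN (ACK/FIN scans included) gets through here.
    rule -s 0.0.0.0/0.0.0.0 -d "$LOCALNET" -i "$INTERFACE" -p 6 -j ACCEPT ! -y
    rule -s 0.0.0.0/0.0.0.0 -d "$LOCALNET" 20:25 -i "$INTERFACE" -p 6 -j ACCEPT
    # Active-mode FTP data connections arrive from source port 20.  Anyone
    # can choose source port 20, so this rule also exposes every listener on
    # 1024-65535 (X11 on 6000, for instance) to new connections.  Remove it
    # if active FTP is not required.
    rule -s 0.0.0.0/0.0.0.0 20:20 -d "$LOCALNET" 1024:65535 -i "$INTERFACE" -p 6 -j ACCEPT
    rule -s 0.0.0.0/0.0.0.0 -d "$LOCALNET" 80:80 -i "$INTERFACE" -p 6 -j ACCEPT
    # (The original repeated the loopback ACCEPT here; it could never match
    # after the first lo rule and has been dropped.)
    # Log what is dropped for this host's address.  Packets to other
    # destinations fall through to the DENY policy unlogged.  Unrestricted
    # -l can fill syslog under a flood; drop the -l if that becomes a problem.
    rule -s 0.0.0.0/0.0.0.0 -d "$LOCALNET" -j DENY -l
    touch "$LOCKFILE"
    ;;
  restart)
    # "restart" is really just "start" as this isn't a daemon,
    # and "start" clears any pre-defined rules anyway.
    # This is really only here to make those who expect it happy
    $0 start
    ;;
  status)
    ipchains -nL
    ;;
  *)
    # Fixed: the original advertised "running", which no branch handles.
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
esac

exit 0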