#! /bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network $remote_fs $syslog $portmap
# Required-Stop:     $local_fs
# Should-Stop:       $network
# Default-Start:     3 5
# Default-Stop:      0 6
# Short-Description: Apply firewall rules
### END INIT INFO

# The tools below are addressed by absolute path, so PATH mainly affects the
# rule scripts executed from PATHRULES and whatever they call.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Human-readable description; not referenced elsewhere in this script.
DESC="Applying firewall rules"
# Directory whose user-executable regular files are run, in sorted order, by
# "start" and "restart" to add ACCEPT rules on top of the DROP policies.
# They run with this script's privileges, so the directory and its files
# should be writable by root only.
PATHRULES=/etc/firewall.d/

IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
ROUTE="/sbin/route"
# fail2ban init script: stopped before the policies change and restarted
# after the rule scripts have run (see the case statement below).
FAIL2BAN="/etc/init.d/fail2ban"

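#######################################
# Reset both the IPv4 and IPv6 firewalls to a fully open state: flush every
# rule and delete every user chain in the filter, nat and mangle tables, then
# set the built-in chain policies back to ACCEPT.  Used by "stop".
# Globals:   IPTABLES, IP6TABLES (read)
# Outputs:   progress messages on stdout; iptables errors on stderr
# Returns:   status of the last ip6tables call
#######################################
noblock ()
{
	echo "delete firewall rules..."
	for table in filter nat mangle; do
		$IPTABLES -F -t "$table"
	done
	for table in filter nat mangle; do
		$IPTABLES -X -t "$table"
	done

	echo "default rules : ACCEPT"
	for chain in INPUT FORWARD OUTPUT; do
		$IPTABLES -P "$chain" ACCEPT -t filter
	done

	# The nat table has no FORWARD chain, so it is not listed here:
	# "-P FORWARD ACCEPT -t nat" is rejected by iptables.
	for chain in PREROUTING INPUT OUTPUT POSTROUTING; do
		$IPTABLES -P "$chain" ACCEPT -t nat
	done

	for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
		$IPTABLES -P "$chain" ACCEPT -t mangle
	done

	for table in filter nat mangle; do
		$IP6TABLES -F -t "$table"
	done
	for table in filter nat mangle; do
		$IP6TABLES -X -t "$table"
	done
	for chain in INPUT FORWARD OUTPUT; do
		$IP6TABLES -P "$chain" ACCEPT -t filter
	done

	# IPv6 nat chain policies are not touched; only that table is flushed
	# above.
	for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
		$IP6TABLES -P "$chain" ACCEPT -t mangle
	done
}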

#######################################
# Put both the IPv4 and IPv6 firewalls into a closed state: flush and delete
# user chains in the filter, nat and mangle tables, then set every built-in
# chain of filter and mangle to DROP.  The nat table keeps its policies.
# After this call nothing passes, including outbound traffic, until the
# rule scripts add ACCEPT rules.
# Globals:   IPTABLES, IP6TABLES (read)
# Outputs:   progress messages on stdout; iptables errors on stderr
# Returns:   status of the last ip6tables call
#######################################
block ()
{
	echo "delete firewall rules..."
	for tbl in filter nat mangle; do
		$IPTABLES -F -t "$tbl"
	done
	for tbl in filter nat mangle; do
		$IPTABLES -X -t "$tbl"
	done

	echo "default rules : DROP"
	for chn in INPUT FORWARD OUTPUT; do
		$IPTABLES -P "$chn" DROP -t filter
	done
	# nat chains: policy deliberately left untouched
	for chn in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
		$IPTABLES -P "$chn" DROP -t mangle
	done

	for tbl in filter nat mangle; do
		$IP6TABLES -F -t "$tbl"
	done
	for tbl in filter nat mangle; do
		$IP6TABLES -X -t "$tbl"
	done
	for chn in INPUT FORWARD OUTPUT; do
		$IP6TABLES -P "$chn" DROP -t filter
	done
	# nat chains: policy deliberately left untouched
	for chn in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
		$IP6TABLES -P "$chn" DROP -t mangle
	done
}

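#######################################
# Run every user-executable regular file under $PATHRULES in sorted order;
# these scripts are expected to add the ACCEPT rules on top of the DROP
# policies set by block().  They run with this script's privileges, so keep
# the directory root-owned and not writable by others.
# Globals:   PATHRULES (read)
# Outputs:   progress messages on stdout, plus whatever the scripts print
#######################################
run_rule_scripts ()
{
	# The file list is delivered on fd 3 so that each rule script keeps the
	# caller's stdin, and it is read line by line so that a file name with
	# spaces is not split into several words (the former unquoted
	# "for FICHIER in $FICHIERS" did split).
	while IFS= read -r FICHIER <&3; do
		[ -n "$FICHIER" ] || continue   # empty directory yields one blank line
		echo "."
		echo "execution du script $FICHIER"
		"$FICHIER"
	done 3<<EOF
$(find "$PATHRULES" -perm /u+x -type f | sort)
EOF
}

#######################################
# Renice every process whose command name matches $1.  pgrep replaces the
# former "ps | grep | cut -c-6" pipeline, which truncated PIDs wider than
# five digits and would then renice the wrong process.
# Arguments: $1 - pattern matched against the process name (pgrep semantics)
#            $2 - nice value to apply
#######################################
renice_by_name ()
{
	for pid in $(pgrep "$1"); do
		renice -n "$2" -p "$pid"
	done
}

#######################################
# Invoke the fail2ban init script with action $1 when it is installed;
# otherwise report on stderr and carry on, because the firewall has to be
# applied whether or not fail2ban is present.
# Globals:   FAIL2BAN (read)
# Arguments: $1 - init action (stop, restart)
#######################################
fail2ban_ctl ()
{
	if [ -x "$FAIL2BAN" ]; then
		"$FAIL2BAN" "$1"
	else
		echo "$FAIL2BAN not executable, skipping fail2ban $1" >&2
	fi
}

# Dispatch on the init action.  start/restart: close everything, load the
# rule scripts, then bring fail2ban back.  stop: open everything.
# lock: close everything and leave it closed.
case "$1" in
	start)
		sleep 2
		echo "."
		echo "start firewall rules block all..."
		block
		echo "start firewall rules accept..."
		run_rule_scripts
		# Delay kept from the original before fail2ban is restarted; its
		# purpose is not documented here.
		sleep 10
		fail2ban_ctl restart
		sleep 2
		renice_by_name fail2ban-server -19
		renice_by_name agetty 8
		;;
	stop)
		fail2ban_ctl stop
		echo "stop firewall ..."
		echo "delete all rubles"
		noblock
		sleep 1
		;;
	lock)
		echo "locking all input output ethernet connection"
		fail2ban_ctl stop
		block
		# Disable IPv4 forwarding while locked.  Nothing in this script
		# turns it back on; presumably a rule script does - confirm.
		echo "0" > /proc/sys/net/ipv4/ip_forward
		sleep 1
		;;
	restart)
		fail2ban_ctl stop
		echo "reload firewall rules..."
		block
		echo "start firewall rules..."
		run_rule_scripts
		sleep 10
		fail2ban_ctl restart
		sleep 2
		renice_by_name fail2ban-server -19
		renice_by_name agetty 8
		;;
	status)
		echo "status firewall..."
		echo "."
		echo "."
		echo "route table"
		$ROUTE -n
		echo "."
		echo "."
		echo "iptables nat table"
		$IPTABLES -L -t nat -n
		echo "."
		echo "."
		echo "iptables mangle table"
		$IPTABLES -L -t mangle -n
		echo "."
		echo "."
		echo "iptables filter table"
		$IPTABLES -L -t filter -n
		echo "status firewall..."
		;;
	status6)
		echo "status firewall..."
		echo "."
		echo "."
		echo "route table"
		$ROUTE -n
		echo "."
		echo "."
		echo "."
		echo "."
		echo "ip6tables nat table"
		$IP6TABLES -L -t nat -n
		echo "."
		echo "."
		echo "ip6tables mangle table"
		$IP6TABLES -L -t mangle -n
		echo "."
		echo "."
		echo "ip6tables filter table"
		$IP6TABLES -L -t filter -n
		;;
	*)
		echo "erreur ..."
		N=/etc/init.d/${0##*/}
		echo "Usage: $N {start|stop|restart|status|status6|lock}" >&2
		exit 1
		;;
esac


# Printed after every recognised action, including stop and lock.
echo "firewall ready							[ OK ]"


exit 0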



