diff options
| author | Silvino Silva <silvino@bk.ru> | 2017-02-01 05:10:24 +0000 |
|---|---|---|
| committer | Silvino Silva <silvino@bk.ru> | 2017-02-01 05:10:24 +0000 |
| commit | ed23bb3344ec5be2893db8d8d838c38c9f2baacd (patch) | |
| tree | 662a5e7ce5569249b63c9f4925ba4f75b4c44575 /core/conf/rc.d/iptables | |
| parent | aac4d4e7e8de530495e0e0827ddf7680c7e65e69 (diff) | |
| parent | a671b0c01821d46d9f783393b887d7987ec10161 (diff) | |
| download | doc-ed23bb3344ec5be2893db8d8d838c38c9f2baacd.tar.gz | |
New release 0.3.0
Diffstat (limited to 'core/conf/rc.d/iptables')
| -rw-r--r-- | core/conf/rc.d/iptables | 111 |
1 files changed, 55 insertions, 56 deletions
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables index 3f29928..bb5cf91 100644 --- a/core/conf/rc.d/iptables +++ b/core/conf/rc.d/iptables @@ -3,80 +3,79 @@ # /etc/rc.d/iptables: load/unload iptable rules # -case $1 in -start) - echo "Starting IPv4 firewall filter table..." - /usr/sbin/iptables-restore < /etc/iptables/rules.v4 - ;; -stop) - echo "Stopping firewall and deny everyone..." - iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X - iptables -t raw -F - iptables -t raw -X - iptables -t security -F - iptables -t security -X +rules=rules.v4 +#rules=vlan.v4 + +iptables_clear () { + echo "clear all iptables tables" + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + iptables -t raw -F + iptables -t raw -X + iptables -t security -F + iptables -t security -X +} +case $1 in + start) + iptables_clear + echo "starting IPv4 firewall filter table..." + /usr/sbin/iptables-restore < /etc/iptables/${rules} + ;; + stop) + iptables_clear + echo "stopping firewall and deny everyone..." /usr/sbin/iptables -P INPUT DROP /usr/sbin/iptables -P FORWARD DROP /usr/sbin/iptables -P OUTPUT DROP - # Unlimited on local - /usr/sbin/iptables -A INPUT -i lo -j ACCEPT - /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT - # log everything else and drop - /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " - /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " - /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " - ;; -open) - echo "Outgoing Open firewall and deny everyone..." - iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X - iptables -t raw -F - iptables -t raw -X - iptables -t security -F - iptables -t security -X + ;; + open) + iptables_clear + echo "outgoing Open firewall and deny everyone..." /usr/sbin/iptables -P INPUT DROP /usr/sbin/iptables -P FORWARD DROP /usr/sbin/iptables -P OUTPUT ACCEPT - # Unlimited on local - /usr/sbin/iptables -A INPUT -i lo -j ACCEPT - /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT - - # Accept passive - /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + /usr/sbin/iptables -A OUTPUT -j ACCEPT - /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + # Accept passive + /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT - # log everything else and drop - /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " - #/usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " - /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " - ;; + ;; -restart) - $0 stop - $0 start - ;; -*) + restart) + $0 stop + $0 start + ;; + *) - echo "usage: $0 [start|stop|restart]" - ;; + echo "usage: $0 [start|stop|restart]" + ;; esac # End of file |