From d11608eafc201f6fc5e6fad86eb76908f489deda Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Mon, 13 Feb 2017 21:44:14 +0000
Subject: tools network revision
---
tools/conf/etc/rc.d/iptables | 81 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
create mode 100755 tools/conf/etc/rc.d/iptables
(limited to 'tools/conf/etc/rc.d/iptables')
diff --git a/tools/conf/etc/rc.d/iptables b/tools/conf/etc/rc.d/iptables
new file mode 100755
index 0000000..23f5485
--- /dev/null
+++ b/tools/conf/etc/rc.d/iptables
@@ -0,0 +1,81 @@
+#!/bin/sh
+#
+# /etc/rc.d/iptables: load/unload iptable rules
+#
+
+#rules=rules.v4
+rules=vlan.v4
+
+iptables_clear () {
+ echo "clear all iptables tables"
+ iptables -F
+ iptables -X
+ iptables -t nat -F
+ iptables -t nat -X
+ iptables -t mangle -F
+ iptables -t mangle -X
+ iptables -t raw -F
+ iptables -t raw -X
+ iptables -t security -F
+ iptables -t security -X
+}
+
+case $1 in
+ start)
+ iptables_clear
+ echo "starting IPv4 firewall filter table..."
+ /usr/sbin/iptables-restore < /etc/iptables/${rules}
+ ;;
+ stop)
+ iptables_clear
+ echo "stopping firewall and deny everyone..."
+ /usr/sbin/iptables -P INPUT DROP
+ /usr/sbin/iptables -P FORWARD DROP
+ /usr/sbin/iptables -P OUTPUT DROP
+
+ # Unlimited on local
+ /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
+ /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
+
+ # log everything else and drop
+ /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+ /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+ /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+
+ ;;
+ open)
+ iptables_clear
+ echo "outgoing Open firewall and deny everyone..."
+
+ /usr/sbin/iptables -P INPUT DROP
+ /usr/sbin/iptables -P FORWARD DROP
+ /usr/sbin/iptables -P OUTPUT ACCEPT
+
+ /usr/sbin/iptables -A OUTPUT -j ACCEPT
+
+ # Unlimited on local
+ /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
+ /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
+
+ # Accept passive
+ /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+ /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ # log everything else and drop
+ /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: "
+ /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: "
+ /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: "
+
+ ;;
+
+ restart)
+ $0 stop
+ $0 start
+ ;;
+ *)
+
+ echo "usage: $0 [start|stop|restart]"
+ ;;
+esac
+
+# End of file
-- 
cgit 1.4.1-2-gfad0
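Review bot: The `start)` branch fails open — `iptables_clear` has already flushed every table by the time `/usr/sbin/iptables-restore < /etc/iptables/${rules}` runs, and its exit status is never checked, so a missing or malformed `vlan.v4` (the only path in use, with `rules.v4` commented out) leaves the host with whatever chain policies it booted with, normally ACCEPT, while the script still prints "starting ..." and exits 0. I would test the restore and fall back to the deny-all `stop` ruleset on failure, as sketched below. Two smaller gaps in the same hunk: only `iptables` is driven, so if IPv6 is enabled on this host an `ip6tables` counterpart is needed or the filter is bypassed; and the unconditional `-j LOG` rules in `stop)` and `open)` carry no `-m limit`, so a flood of denied packets can fill the log — `-m limit --limit 5/min --limit-burst 10` before each `-j LOG` is the usual guard. The usage message also omits the `open` target it accepts.
```shell
 start)
 iptables_clear
 echo "starting IPv4 firewall filter table..."
 # Fail closed: a missing or invalid rules file must not leave the host unfiltered.
 if [ ! -r "/etc/iptables/${rules}" ] || ! /usr/sbin/iptables-restore < "/etc/iptables/${rules}"; then
 echo "iptables-restore failed for /etc/iptables/${rules}; applying deny-all" >&2
 "$0" stop
 exit 1
 fi
 ;;
 # ... unchanged: stop), open), restart), *) ...
```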