Attachment 259462 Details for Bug 350910 – My dynamic rule generation script

My dynamic rule generation script

firewall.init (text/plain), 1.46 KB, created by Manuel Danisch on 2011-01-10 12:04:25 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Manuel Danisch

Created: 2011-01-10 12:04:25 UTC

Size: 1.46 KB

patch

obsolete

>#!/sbin/runscript
>
>iptables_bin="/sbin/iptables"
>opts="${opts} reload"
>
>SUBNETS_FILE="/tmp/allowedIncomingSubnets"
>PORTS_FILE="/tmp/allowedIncomingPorts"
>OTHER_RULES_FILE="/tmp/additionalRules"
>DEFAULT_POLICY="DROP"
>
>depend() {
>  before net NetworkManager
>}
>
>flush() {
>  ${iptables_bin} -F
>  ${iptables_bin} -P INPUT ${DEFAULT_POLICY}
>  ${iptables_bin} -P FORWARD ${DEFAULT_POLICY}
>  ${iptables_bin} -P OUTPUT ${DEFAULT_POLICY}
>  ${iptables_bin} -A INPUT -s 127.0.0.1 -j ACCEPT
>}
>
>reject() {
>  ${iptables_bin} -A INPUT -j REJECT --reject-with icmp-host-unreachable
>  ${iptables_bin} -A FORWARD -j REJECT --reject-with icmp-host-unreachable
>  ${iptables_bin} -A OUTPUT -j REJECT --reject-with icmp-host-unreachable
>}
>
>start() {
>  ebegin "Starting firewall"
>  reload
>  eend $?
>}
>
>stop() {
>  ebegin "Stopping firewall"
>  flush
>  reject
>  eend $?
>}
>
>reload() {
>  ebegin "Generating firewall rules"
>  flush
>  ${iptables_bin} -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>  ${iptables_bin} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
>  touch "${SUBNETS_FILE}" "${PORTS_FILE}" "${OTHER_RULES_FILE}"
>  while read line
>  do
>    ${iptables_bin} $line
>  done < "${OTHER_RULES_FILE}"
>
>  for SUBNET in $(< "${SUBNETS_FILE}")
>  do
>    for PORT in $(< "${PORTS_FILE}")
>    do
>      for PROTOCOL in tcp udp
>      do
>        ${iptables_bin} -A INPUT -s ${SUBNET} -p ${PROTOCOL} -m state --state NEW -m ${PROTOCOL} --dport ${PORT} -j ACCEPT
>      done
>    done
>  done
>
>  reject
>  eend $?
>}

Actions: View

Attachments on bug 350910: 259462 | 273833 | 281179 | 281201