Gentoo's Bugzilla – Attachment 21506 Details for Bug 27087: iptables init.d script should be 'before net' not 'need net'
Simple before-net iptables script
iptables (text/plain), 3.07 KB, created by Aurelus on 2003-11-30 06:54:27 UTC

Description: Simple before-net iptables script
Filename: iptables
MIME Type: text/plain
Creator: Aurelus
Created: 2003-11-30 06:54:27 UTC
Size: 3.07 KB
Flags: patch, obsolete
#!/sbin/runscript
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or
# later
# $Header: /home/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables.init,v 1.2 2003/05/04 18:19:03 aliz Exp $

opts="start stop"

depend() {
	need logger net
}

checkconfig() {

# If the external device isn't specified, we can't continue. Otherwise,
# even local traffic would be blocked.
	if [ ! "$EXT_DEV" ]; then
		eerror "External device not configured! See /etc/conf.d/iptables"
		return 1
	fi
}

start() {
	checkconfig || return 1
	ebegin "Starting firewall"

# Block incoming traffic by default, allow all outgoing traffic.
	/sbin/iptables -P INPUT DROP
	/sbin/iptables -P FORWARD DROP
	/sbin/iptables -P OUTPUT ACCEPT

# Allow traffic for existing connections, and for traffic not related with
# the ``insecure'' external device.
	/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	/sbin/iptables -A INPUT -i ! "$EXT_DEV" -j ACCEPT

# Allow some elementary incoming ICMP traffic. These are useful notifications
# from other hosts.
	/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
	/sbin/iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
	/sbin/iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
	/sbin/iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

# If specified, make the firewall a stateful firewall and ban users whose
# traffic was blocked.
	if [ "$BAN_SECONDS" ]; then
		einfo "Banning misbehaving hosts for $BAN_SECONDS seconds."
		/sbin/iptables -A INPUT -m recent --update --seconds "$BAN_SECONDS" -j DROP
	fi

# Go to an INPUT_ACCEPT chain which accepts certain traffic based on user-
# specified rules. This chain can be dynamic.
	/sbin/iptables -N INPUT_ACCEPT
	/sbin/iptables -A INPUT -j INPUT_ACCEPT

# If the incoming traffic wasn't accepted up to this point, it gets blocked.
# In case the firewall is stateful, this is registered.
	if [ "$BAN_SECONDS" ]; then
		/sbin/iptables -A INPUT_ACCEPT -m recent --set -j DROP
	else
		/sbin/iptables -A INPUT_ACCEPT -j DROP
	fi

	if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ] ; then
		einfo "Enabling forwarding for ipv4"
		echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
	fi

	eend $?
}

stop() {
	ebegin "Stopping firewall"
	# set sane defaults that disable forwarding
	if [ -f /proc/sys/net/ipv4/conf/all/forwarding ] ; then
		echo "0" > /proc/sys/net/ipv4/conf/all/forwarding
	fi

	# Flush and delete all chains in every loaded table, then reset policies.
	for a in $(cat /proc/net/ip_tables_names); do
		/sbin/iptables -F -t "$a"
		/sbin/iptables -X -t "$a"

		if [ "$a" = nat ]; then
			/sbin/iptables -t nat -P PREROUTING ACCEPT
			/sbin/iptables -t nat -P POSTROUTING ACCEPT
			/sbin/iptables -t nat -P OUTPUT ACCEPT
		elif [ "$a" = mangle ]; then
			/sbin/iptables -t mangle -P PREROUTING ACCEPT
			/sbin/iptables -t mangle -P INPUT ACCEPT
			/sbin/iptables -t mangle -P FORWARD ACCEPT
			/sbin/iptables -t mangle -P OUTPUT ACCEPT
			/sbin/iptables -t mangle -P POSTROUTING ACCEPT
		elif [ "$a" = filter ]; then
			/sbin/iptables -t filter -P INPUT ACCEPT
			/sbin/iptables -t filter -P FORWARD ACCEPT
			/sbin/iptables -t filter -P OUTPUT ACCEPT
		fi
	done
	eend $?
}
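As an added illustration, not part of the attachment or of Gentoo's own scripts, the following Python model walks the INPUT chain in the order the script above builds it and shows how the `-m recent` ban interacts with the user rules in INPUT_ACCEPT: a host dropped once is blocked even for traffic it is otherwise allowed, and each blocked retry refreshes the ban. The packet fields, the rule callable and the timestamps are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ALLOWED_ICMP = {"echo-reply", "destination-unreachable", "time-exceeded", "parameter-problem"}
@dataclass
class Packet:
    src: str                      # source address (constructed sample values)
    in_dev: str                   # ingress interface
    dport: int = 0
    state: str = "NEW"            # conntrack state: NEW, RELATED or ESTABLISHED
    icmp_type: Optional[str] = None
@dataclass
class Firewall:
    ext_dev: str                  # $EXT_DEV
    ban_seconds: int = 0          # $BAN_SECONDS; 0 models it unset (no ban rules)
    accept_rules: List[Callable[[Packet], bool]] = field(default_factory=list)
    recent: Dict[str, float] = field(default_factory=dict)  # "recent" list: src -> last seen

    def input_chain(self, pkt: Packet, now: float) -> str:
        # Rules in the order the script appends them to INPUT.
        if pkt.state in ("RELATED", "ESTABLISHED"):
            return "ACCEPT"
        if pkt.in_dev != self.ext_dev:              # -i ! $EXT_DEV
            return "ACCEPT"
        if pkt.icmp_type in ALLOWED_ICMP:
            return "ACCEPT"
        if self.ban_seconds:                        # -m recent --update --seconds N -j DROP
            last = self.recent.get(pkt.src)
            if last is not None and now - last <= self.ban_seconds:
                self.recent[pkt.src] = now          # --update refreshes the timestamp
                return "DROP"
        return self.input_accept_chain(pkt, now)    # -j INPUT_ACCEPT

    def input_accept_chain(self, pkt: Packet, now: float) -> str:
        # User rules first; the fall-through is dropped and, with banning on, recorded (--set).
        for rule in self.accept_rules:
            if rule(pkt):
                return "ACCEPT"
        if self.ban_seconds:
            self.recent[pkt.src] = now
        return "DROP"

def demo() -> list:
    # Constructed scenario: one probe to a closed port bans the host, even for port 22.
    fw = Firewall("eth0", ban_seconds=60, accept_rules=[lambda p: p.dport == 22])
    h = "10.0.0.5"
    return [fw.input_chain(Packet(h, "eth0", dport=22), now=0),    # ACCEPT
            fw.input_chain(Packet(h, "eth0", dport=23), now=1),    # DROP and recorded
            fw.input_chain(Packet(h, "eth0", dport=22), now=30),   # DROP: banned
            fw.input_chain(Packet(h, "eth0", dport=22), now=80),   # DROP: retry at 30 refreshed the ban
            fw.input_chain(Packet(h, "eth0", dport=22), now=150)]  # ACCEPT: 70 s of silence
```

Note that the ESTABLISHED rule sits before the ban rule, so a banned host's already-open connections keep working; only new connections from it are dropped.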