--- /usr/portage/net-firewall/iptables/files/iptables-1.3.2.init 2005-08-10 20:35:49.000000000 -0300
+++ iptables 2005-08-28 12:42:36.945458232 -0300
@@ -3,7 +3,7 @@
 # Distributed under the terms of the GNU General Public License v2
 # $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.3.2.init,v 1.2 2005/08/10 23:11:12 vapier Exp $
-opts="save reload panic"
+opts="save reload panic panic_log"
 iptables_name=${SVCNAME}
 if [[ ${iptables_name} != "iptables" && ${iptables_name} != "ip6tables" ]] ; then
@@ -29,6 +29,7 @@
 nat) chains="PREROUTING POSTROUTING OUTPUT";;
 mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
 filter) chains="INPUT FORWARD OUTPUT";;
+ raw) chains="OUTPUT PREROUTING";;
 *) chains="";;
 esac
 local chain
@@ -37,6 +38,22 @@
 done
 }
+add_table_rule() {
+ local chains table=$1 rule=$2
+ case ${table} in
+ nat) chains="PREROUTING POSTROUTING OUTPUT";;
+ mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
+ filter) chains="INPUT FORWARD OUTPUT";;
+ raw) chains="OUTPUT PREROUTING";;
+ *) chains="";;
+ esac
+ local chain
+ for chain in ${chains} ; do
+ ${iptables_bin} -t ${table} -A ${chain} ${rule}
+ done
+}
+
+
 checkkernel() {
 if [[ ! -e ${iptables_proc} ]] ; then
 eerror "Your kernel lacks ${iptables_name} support, please load"
@@ -82,10 +99,11 @@
 for a in $(<${iptables_proc}) ; do
 ${iptables_bin} -F -t $a
 ${iptables_bin} -X -t $a
- done
- eend $?
+ set_table_policy $a ACCEPT
+ done
 start
+ eend $?
 }
 save() {
@@ -109,3 +127,20 @@
 done
 eend $?
 }
+
+panic_log() {
+ checkkernel || return 1
+ [[ -e ${svcdir}/started/${iptables_name} ]] && svc_stop
+
+ ebegin "Dropping and logging all packets"
+
+ for a in $(<${iptables_proc}) ; do
+ ${iptables_bin} -F -t $a
+ ${iptables_bin} -X -t $a
+ iptables -t $a -N BAD
+ iptables -t $a -A BAD -j LOG --log-prefix "drop all policy: "
+ set_table_policy $a DROP
+ add_table_rule $a '-j BAD'
+ done
+ eend $?
+}
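Review bot: add_table_rule discards the exit status of each `${iptables_bin} -t ${table} -A ${chain} ${rule}` call, so a caller's `eend $?` reflects only the append to the last chain of the last table and a failure on an earlier chain goes unreported. Track it with `local rc=0` before the loop, `${iptables_bin} -t ${table} -A ${chain} ${rule} || rc=1` in the body, and `return ${rc}` after the loop. The per-table chain list is a copy of the one in set_table_policy, and keeping the two in step matters because panic_log applies the DROP policy through one and the logging rule through the other, so a shared helper that prints the chains for a table would remove the risk of divergence. `${rule}` is deliberately left unquoted so that a multi-word rule such as `'-j BAD'` is split into separate arguments; a comment saying so would stop a later quoting cleanup from breaking it.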
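Review bot: Resetting every table's policy to ACCEPT before `start` runs means that if start (which presumably restores the saved rule set) fails, the host is left with no rules and an accept-all policy, and because `eend $?` was moved after `start` the message now reports start's status for a flush that already succeeded, so the fail-open state is easy to miss. Either defer the policy reset until start has returned successfully, or at least make the failure loud: `start || ewarn "rule restore failed: no rules loaded and all policies are ACCEPT"`. The enclosing function's header is outside the hunk, so whether it still calls checkkernel before flushing cannot be confirmed here.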
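Review bot: The two lines that create the BAD chain and its LOG rule invoke `iptables` literally rather than `${iptables_bin}`, so when this script runs as the ip6tables service (a name the SVCNAME check at the top explicitly allows, and from which `iptables_bin` is presumably derived) they act on the IPv4 tables while the following `add_table_rule $a '-j BAD'` uses `${iptables_bin}` and fails because BAD does not exist in the IPv6 table; the DROP policy is still applied, so packets are dropped but never logged. Use `${iptables_bin} -t $a -N BAD` and `${iptables_bin} -t $a -A BAD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "drop all policy: "`. The rate limit is worth adding regardless: an unlimited LOG rule on a host that is already in panic mode lets whoever is flooding it fill the kernel ring buffer and syslog. `eend $?` also only sees the status of the last add_table_rule call, so errors on earlier tables are silently lost.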