verzia 2.26, 2005/06/29 16:16:46 |
verzia 2.27, 2005/08/04 19:39:11 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.25 2005/06/29 15:24:04 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.26 2005/06/29 16:16:46 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
Riadok 19 DESC="firewall" |
|
Riadok 19 DESC="firewall" |
|
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin |
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin |
|
|
DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREWALL_CONFIG:=/etc/default/firewall}" |
DEFAULT_FIREWALL_CONFIG="${DEFAULT_FIREWALL_CONFIG:=/etc/default/firewall}" |
|
DEFAULT_CACHE_DIR="${DEFAULT_CACHE_DIR:=/var/cache/firewall}" |
|
|
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
if [ -f "$DEFAULT_FIREWALL_CONFIG" ]; then |
echo "Reading config file $DEFAULT_FIREWALL_CONFIG" |
echo "Reading config file $DEFAULT_FIREWALL_CONFIG" |
Riadok 40 LOG_LIMIT="${LOG_LIMIT:=-m limit --limit |
|
Riadok 41 LOG_LIMIT="${LOG_LIMIT:=-m limit --limit |
|
# Paths: |
# Paths: |
#IPTABLES=":" # for testing only - does nothing |
#IPTABLES=":" # for testing only - does nothing |
IPTABLES="${IPTABLES:=$DEBUG/sbin/iptables}" |
IPTABLES="${IPTABLES:=$DEBUG/sbin/iptables}" |
|
IPTABLES_SAVE="${IPTABLES_SAVE:=$DEBUG/sbin/iptables-save}" |
|
IPTABLES_RESTORE="${IPTABLES_RESTORE:=$DEBUG/sbin/iptables-restore}" |
|
|
if [ "x$LOGGING" = "xoff" ]; then |
if [ "x$LOGGING" = "xoff" ]; then |
IPTABLES_LOG=": log turned off" |
IPTABLES_LOG=": log turned off" |
else |
else |
|
|
fi |
fi |
} # }}} |
} # }}} |
|
|
|
load_cache() |
|
{ # {{{ |
|
|
|
if [ ! -d "$DEFAULT_CACHE_DIR" ]; then |
|
mkdir -p "$DEFAULT_CACHE_DIR"; |
|
fi |
|
|
|
config=`cat $DEFAULT_FIREWALL_CONFIG`; |
|
md5key=`echo "config = '$config' parsed_interfaces ='$parsed_interfaces' parsed_routes='$parsed_routes'" | md5sum | awk '{ print $1; }'`; |
|
CACHE_FILE="$DEFAULT_CACHE_DIR/$md5key" |
|
|
|
#echo "CACHE_FILE=$CACHE_FILE" |
|
|
|
if [ -f "$CACHE_FILE" ]; then |
|
echo "Loading rules from cache file $CACHE_FILE" |
|
$IPTABLES_RESTORE -c < $CACHE_FILE; |
|
exit 0; |
|
fi |
|
} # }}} |
|
|
# unload necessary modules from $MODULES variable |
# unload necessary modules from $MODULES variable |
unload_modules() |
unload_modules() |
{ # {{{ |
{ # {{{ |
Riadok 646 accept_loopback() |
|
Riadok 670 accept_loopback() |
|
parse_ifconfig() |
parse_ifconfig() |
{ # {{{ |
{ # {{{ |
# Parse output from ifconfig: |
# Parse output from ifconfig: |
eval `$IFCONFIG | \ |
parsed_interfaces=`$IFCONFIG | \ |
$AWK 'BEGIN { interfaces=""; } |
$AWK 'BEGIN { interfaces=""; } |
/^[a-zA-Z0-9]+[ \t]+/ { # Linux |
/^[a-zA-Z0-9]+[ \t]+/ { # Linux |
iface=$1; |
iface=$1; |
Riadok 676 parse_ifconfig() |
|
Riadok 700 parse_ifconfig() |
|
} |
} |
END { printf "\ninterfaces=\"%s\"; export interfaces;\n", interfaces; } |
END { printf "\ninterfaces=\"%s\"; export interfaces;\n", interfaces; } |
'` |
'` |
|
eval "$parsed_interfaces"; |
|
|
eval `perl -e ' |
parsed_routes=`perl -e ' |
$\ = "\n"; |
$\ = "\n"; |
open(FILE, "/proc/net/route") or die "Can not open /proc/net/route: $!"; |
open(FILE, "/proc/net/route") or die "Can not open /proc/net/route: $!"; |
my @columns = split(/\s+/, <FILE>); |
my @columns = split(/\s+/, <FILE>); |
Riadok 724 parse_ifconfig() |
|
Riadok 749 parse_ifconfig() |
|
|
|
} # }}} |
} # }}} |
'` |
'` |
|
eval "$parsed_routes"; |
|
|
# Now we have defined variables like this: |
# Now we have defined variables like this: |
# IFACE_eth0 HWaddr_eth0 IP_eth0 Bcast_eth0 Mask_eth0 |
# IFACE_eth0 HWaddr_eth0 IP_eth0 Bcast_eth0 Mask_eth0 |
# IFACE_lo HWaddr_lo IP_lo Bcast_lo Mask_lo |
# IFACE_lo HWaddr_lo IP_lo Bcast_lo Mask_lo |
|
|
start) |
start) |
echo -n "Starting $DESC: " |
echo -n "Starting $DESC: " |
# Inicialize modules |
# Inicialize modules |
$DEPMOD -a |
#$DEPMOD -a |
load_modules |
load_modules |
|
load_cache |
set_default_policy |
set_default_policy |
remove_chains |
remove_chains |
# |
# |
|
|
log_input_drop |
log_input_drop |
log_output_drop |
log_output_drop |
log_forward_drop |
log_forward_drop |
|
$IPTABLES_SAVE -c > $CACHE_FILE |
;; |
;; |
|
|
stop) |
stop) |
|
|
$IPTABLES -L -nv |
$IPTABLES -L -nv |
;; |
;; |
|
|
|
purge) |
|
find $DEFAULT_CACHE_DIR -type f -ls -exec rm -f {} \; |
|
;; |
|
|
*) |
*) |
echo "Usage: $0 {start|stop|really-off|status}" >&2 |
echo "Usage: $0 {start|stop|really-off|status|purge}" >&2 |
exit 1 |
exit 1 |
;; |
;; |
esac |
esac |
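Review bot: load_cache() feeds whatever sits at `$DEFAULT_CACHE_DIR/$md5key` straight into `$IPTABLES_RESTORE -c` and then `exit 0`, skipping set_default_policy and the rest of the rule build, yet the directory is created with a bare `mkdir -p` (mode depends on the caller's umask) and the cache file is never checked for ownership, mode or symlink status before it is trusted. The key is derived only from the config file, ifconfig output and /proc/net/route, which a local user may well be able to read, so a group- or world-writable cache directory would let them choose the ruleset the firewall loads as root; the same applies to the unguarded `$IPTABLES_SAVE -c > $CACHE_FILE` at the end of the start) branch, which should be written under `umask 077` (`(umask 077; $IPTABLES_SAVE -c > "$CACHE_FILE")`). I would create the directory 0700, refuse any cache file that is not a regular root-owned 0600 file, and fall through to the full rebuild (dropping the stale file) when iptables-restore fails instead of exiting successfully with an unknown rule state. The `stat -c` form below assumes GNU coreutils, which seems reasonable for a Linux iptables script but should be confirmed; the rule-building code between load_cache and the log_*_drop calls is outside this view.
```shell
load_cache()
{ # {{{
	# Cache contents are fed to iptables-restore as root: keep the directory root-only.
	if [ ! -d "$DEFAULT_CACHE_DIR" ]; then
		mkdir -p -m 0700 "$DEFAULT_CACHE_DIR" || return 1
	fi
	# … unchanged: config / md5key / CACHE_FILE computation …
	if [ -f "$CACHE_FILE" ] && [ ! -L "$CACHE_FILE" ] \
	   && [ "`stat -c '%u %a' "$CACHE_FILE"`" = "0 600" ]; then
		echo "Loading rules from cache file $CACHE_FILE"
		if $IPTABLES_RESTORE -c < "$CACHE_FILE"; then
			exit 0
		fi
		echo "Restoring cached rules failed, rebuilding from scratch" >&2
		rm -f "$CACHE_FILE"
	fi
} # }}}
```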