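#!/bin/sh
#
# Copyright (c) 02005 sense.lab <senselab@systemausfall.org>
#
# License: This script is distributed under the terms of version 2
# of the GNU GPL. See the LICENSE file included with the package.
#
# $Id$
#
# set up the firewall of the cryptobox
#
# called by:
#  - cbox-manage.sh during network-up
#
# usage: $0 start | stop
#
# settings read from the config file (see CONF_FILE below):
#  NET_IFACE        - the network interface facing the outside
#  ALLOW_TCP_PORTS  - whitespace separated list of tcp ports accepted on NET_IFACE
#  ALLOW_UDP_PORTS  - whitespace separated list of udp ports accepted on NET_IFACE
#
# exit status: 0 on success, non-zero if a setting is missing or an iptables
# call fails - the script stops at the first failing command instead of
# reporting a half configured firewall as success to the caller
#

set -eu

# print an error message to stderr and exit with failure
die() {
  printf '%s\n' "$0: $*" >&2
  exit 1
}

# flush all rules and user defined chains and reset the packet counters
flush_rules() {
  iptables -F
  iptables -X
  iptables -Z
}

# accept incoming packets of protocol $1 on every port listed in $2
# ($2 is expanded unquoted on purpose: it is a whitespace separated list)
allow_ports() {
  proto=$1
  for port in $2; do
    iptables -A INPUT -i "$NET_IFACE" -p "$proto" --dport "$port" -j ACCEPT
  done
}

# read the default setting file, if it exists
# (both setting files are executed as shell code - they must only be
# writable by root)
if [ -e /etc/default/cryptobox ]; then
  . /etc/default/cryptobox
fi

# set CONF_FILE to default value, if not configured in /etc/default/cryptobox
CONF_FILE=${CONF_FILE:-/etc/cryptobox/cryptobox.conf}

# parse config file
[ -r "$CONF_FILE" ] || die "config file not readable: $CONF_FILE"
. "$CONF_FILE"

ACTION="help"
if [ $# -gt 0 ]; then
  ACTION=$1
fi

case "$ACTION" in
  start)
    # check the settings before touching any rule, so an incomplete config
    # fails with a clear message instead of leaving the box half configured
    # (the port lists may be empty, but they have to be set)
    : "${NET_IFACE:?must be set in $CONF_FILE}"
    : "${ALLOW_TCP_PORTS?must be set in $CONF_FILE}"
    : "${ALLOW_UDP_PORTS?must be set in $CONF_FILE}"

    # default policies first, so the flush below never leaves the box open
    # in between
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # enable syn cookies, if the kernel supports them
    OFILE=/proc/sys/net/ipv4/tcp_syncookies
    if [ -e "$OFILE" ]; then
      echo 1 >"$OFILE"
    fi

    flush_rules

    # local services talk to each other via loopback
    iptables -A INPUT -i lo -j ACCEPT

    allow_ports tcp "$ALLOW_TCP_PORTS"
    allow_ports udp "$ALLOW_UDP_PORTS"

    iptables -A INPUT -i "$NET_IFACE" -p icmp -j ACCEPT
    # NOTE(review): there is no ESTABLISHED,RELATED rule, so answers to
    # connections the box opens itself are dropped by the INPUT policy unless
    # their destination port is in the allow lists - confirm this is intended
    ;;
  stop)
    # open the firewall completely
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    flush_rules
    ;;
  *)
    # an unknown or missing action is an error for the caller, not a success
    echo "usage $0 start | stop" >&2
    exit 1
    ;;
esac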