#!/bin/sh
#
# Startup script to implement ipchains pre-defined rules.
#
# chkconfig: - 08 92
#
# description: Automates a packet filtering firewall with ipchains.
#


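# Network interface the packet-filter rules below are bound to.
INTERFACE="eth0"

. /etc/rc.d/init.d/functions


# You shouldn't need to change anything in the rest of this section

# IPv4 address currently assigned to $INTERFACE, scraped from the
# "inet addr:" field of ifconfig's output. The dots are escaped so that only
# a dotted quad matches (an unescaped "." matches any character).
# LOCALIP stays empty when the interface is missing, has no address, or
# ifconfig prints a different format; every rule that uses LOCALNET depends
# on this lookup having worked.
LOCALIP=$(/sbin/ifconfig "$INTERFACE" | perl -ne 'if (/inet addr:(\d+\.\d+\.\d+\.\d+)/) {print $1;}')
# Host-only destination (all-ones netmask) used as the -d argument of the rules.
LOCALNET="$LOCALIP/255.255.255.255"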


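# Dispatch on the init-script action given as the first argument.
#   start   - check the local address, then replace the whole rule set
#   stop    - flush everything and reset the built-in chains to ACCEPT
#   restart - same as start
#   status  - list the current rules with numeric addresses
# Exit status: 0 on success; 1 on bad usage, or when "start" could not
# determine the local address or could not load every rule.
case "$1" in

  stop)
    # After "stop" the host has no packet filtering at all: every chain is
    # emptied and the built-in policies are set to ACCEPT.
    action "Flushing all chains:" ipchains -F
    action "Removing user defined chains:" ipchains -X
    printf '%s' "Resetting built-in chains to the default ACCEPT policy:"
    # if/else instead of "a && success || failure": in the chained form
    # failure would also run whenever success itself returned non-zero.
    if ipchains -P input ACCEPT &&
      ipchains -P forward ACCEPT &&
      ipchains -P output ACCEPT; then
      success "Resetting built-in chains to the default ACCEPT policy"
    else
      failure "Resetting built-in chains to the default ACCEPT policy"
    fi
    echo
    rm -f /var/lock/subsys/UVAipchains
    ;;

  start)
    # Refuse to touch the running rule set unless the address lookup gave
    # something made only of digits and dots. With an empty LOCALIP the
    # rules that use LOCALNET (including the final DENY) cannot be added,
    # which would leave the host unfiltered while the lock file claimed
    # the firewall was up.
    case "$LOCALIP" in
      '' | *[!0-9.]*)
        printf '%s' "Determining IPv4 address of $INTERFACE:"
        failure "Determining IPv4 address of $INTERFACE"
        echo
        echo "No usable address on $INTERFACE; existing rules left unchanged" >&2
        exit 1
        ;;
    esac

    # Any failing step flips this to 1 so the lock file is only created
    # for a completely loaded rule set.
    load_rc=0

    # NOTE(review): the built-in policies are not changed here, so between
    # this flush and the final DENY rule traffic is handled by whatever
    # policy is in effect (ACCEPT after a previous "stop").
    action "Flushing all current rules and user defined chains:" ipchains -F || load_rc=1
    action "Clearing all current rules and user defined chains:" ipchains -X || load_rc=1
    ipchains -Z || load_rc=1

    # Loopback traffic is always accepted.
    ipchains -A input -i lo -s 0/0 -d 0/0 -j ACCEPT || load_rc=1

    # Everything from 128.143.0.0/16 is accepted: all protocols, all ports.
    ipchains -A input -s 128.143.0.0/255.255.0.0 -d 0.0.0.0/0.0.0.0 -i "$INTERFACE" -j ACCEPT || load_rc=1

    # TCP (protocol 6) packets that are not connection-opening SYNs.
    # NOTE(review): ipchains keeps no connection state, so this accepts any
    # non-SYN TCP packet, not only replies to connections this host opened.
    ipchains -A input -s 0.0.0.0/0.0.0.0 -d "$LOCALNET" -i "$INTERFACE" -p 6 -j ACCEPT ! -y || load_rc=1

    # Inbound TCP to local ports 20-25 from any source.
    # NOTE(review): the range also covers port 23; confirm that is intended.
    ipchains -A input -s 0.0.0.0/0.0.0.0 -d "$LOCALNET" 20:25 -i "$INTERFACE" -p 6 -j ACCEPT || load_rc=1

    # Inbound TCP from remote source port 20 to local ports 1024-65535.
    # NOTE(review): the source port is chosen by the remote peer, so this
    # rule does not restrict who can reach services on the high ports.
    ipchains -A input -s 0.0.0.0/0.0.0.0 20:20 -d "$LOCALNET" 1024:65535 -i "$INTERFACE" -p 6 -j ACCEPT || load_rc=1

    # Inbound TCP to local port 80 from any source.
    ipchains -A input -s 0.0.0.0/0.0.0.0 -d "$LOCALNET" 80:80 -i "$INTERFACE" -p 6 -j ACCEPT || load_rc=1

    # Same match as the first loopback rule; kept so the listing is unchanged.
    ipchains -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT || load_rc=1

    # Everything else addressed to this host is dropped and logged (-l).
    ipchains -A input -s 0.0.0.0/0.0.0.0 -d "$LOCALNET" -j DENY -l || load_rc=1

    if [ "$load_rc" -ne 0 ]; then
      printf '%s' "Loading ipchains rules:"
      failure "Loading ipchains rules"
      echo
      echo "ipchains rule set is incomplete; $INTERFACE may be unfiltered" >&2
      exit 1
    fi
    touch /var/lock/subsys/UVAipchains
    ;;

  restart)
    # "restart" is really just "start" as this isn't a daemon,
    # and "start" clears any pre-defined rules anyway.
    # This is really only here to make those who expect it happy.
    # The exit status of the nested start is passed on to the caller.
    "$0" start || exit $?
    ;;

  status)
    ipchains -nL
    ;;

  *)
    echo "Usage: $0 {start|stop|restart|status}"
    exit 1
    ;;
esac

exit 0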