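#!/bin/sh
#
# Author: Martti Kuparinen
#
# $Id: firewall,v 1.1 2007-08-28 09:27:23 martti Exp $
#
# Host firewall init script.
#   start   - install a default-deny IPv4 ruleset on INPUT and FORWARD
#   stop    - flush the ruleset and set every policy to ACCEPT (host open)
#   restart - re-apply the ruleset
# Only the IPv4 "filter" table is touched; ip6tables is not configured here.
# Must run as root (iptables requires it).

if [ -r /lib/lsb/init-functions ]; then
  . /lib/lsb/init-functions
fi

# Minimal fallbacks so the script still runs where the LSB helpers are not
# available (without them "log_begin_msg: not found" aborted every action).
if ! command -v log_begin_msg >/dev/null 2>&1; then
  log_begin_msg() { printf '%s' "$*"; }
fi
if ! command -v log_end_msg >/dev/null 2>&1; then
  # $1 - exit status to report; returned unchanged so callers can exit with it
  log_end_msg() {
    if [ "$1" -eq 0 ]; then
      printf ' done.\n'
    else
      printf ' failed.\n'
    fi
    return "$1"
  }
fi

#######################################
# Run iptables with the given arguments, remembering any failure.
# Globals:   FW_STATUS (set to 1 on failure, never reset here)
# Arguments: iptables command line
# Returns:   iptables' own exit status
#######################################
fw() {
  iptables "$@" || FW_STATUS=1
}

#######################################
# Install the default-deny ruleset.
# Globals:   FW_STATUS (reset to 0, then set by fw on any failure)
# Returns:   0 if every iptables call succeeded, 1 otherwise
#######################################
firewall_start() {
  FW_STATUS=0

  # Flush all rules in the built-in chains of the filter table
  fw -F INPUT
  fw -F OUTPUT
  fw -F FORWARD

  # Default policies: deny inbound and forwarded traffic, allow outbound.
  # Set before the allow rules so the window between flush and the new
  # rules fails closed rather than open.
  fw -P INPUT DROP
  fw -P OUTPUT ACCEPT
  fw -P FORWARD DROP

  # Allow everything on the loopback network
  fw -A INPUT -i lo -j ACCEPT

  # Allow ICMP from the intranet router
  fw -A INPUT --protocol icmp --source 10.0.0.1 -j ACCEPT

  # Allow everything from the home server
  fw -A INPUT --source 10.0.0.2 -j ACCEPT

  # Allow established sessions
  fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Allow incoming SSH sessions, from the intranet only
  fw -A INPUT --protocol tcp --dport 22 --source 10.0.0.0/24 \
    -m state --state NEW -j ACCEPT

  # Allow incoming ICMP echo request and errors
  fw -A INPUT --protocol icmp --icmp-type echo-request -j ACCEPT
  fw -A INPUT --protocol icmp --icmp-type destination-unreachable \
    -j ACCEPT

  # Drop intranet broadcasts (placed before the LOG rule so they are not logged)
  fw -A INPUT --protocol udp --destination 10.0.0.255 -j DROP

  # Log whatever is left before the DROP policy discards it.  LOG does not
  # drop by itself; the chain policy does.  The rate limit keeps a packet
  # flood from filling the log.
  fw -A INPUT -m limit --limit 5/min -j LOG
  fw -A FORWARD -m limit --limit 5/min -j LOG

  return "$FW_STATUS"
}

#######################################
# Remove the ruleset and open the host (accept everything).
# Globals:   FW_STATUS (reset to 0, then set by fw on any failure)
# Returns:   0 if every iptables call succeeded, 1 otherwise
#######################################
firewall_stop() {
  FW_STATUS=0

  # Flush all rules
  fw -F INPUT
  fw -F OUTPUT
  fw -F FORWARD

  # Default policies: accept everything
  fw -P INPUT ACCEPT
  fw -P OUTPUT ACCEPT
  fw -P FORWARD ACCEPT

  return "$FW_STATUS"
}

case "$1" in
  start)
    log_begin_msg "Starting firewall..."
    firewall_start
    log_end_msg "$?"
    ;;
  stop)
    log_begin_msg "Stopping firewall..."
    firewall_stop
    log_end_msg "$?"
    ;;
  restart)
    # firewall_start flushes and re-applies the ruleset itself.  Going
    # through firewall_stop first would set every policy to ACCEPT, leaving
    # the host open between the two steps; the end state is the same.
    log_begin_msg "Restarting firewall..."
    firewall_start
    log_end_msg "$?"
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac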