Contributing: A decent firewall script
Posted: 03 May 2012, 12:21
After having experimented with Shorewall I decided to implement my own ruleset around some xtables-addons and was again confronted with the weirdness of the bubba-firewall script, which promptly caused me to overwrite the default rules myself (which is stupid, because I knew it did that).
Anyway I figured it was time to rewrite it and I'm sharing the base version here:
Code listing of /etc/init.d/bubba-firewall
Code listing of accompanying file /etc/default/bubba-firewall
Do note that by using this script, stopping the Bubba firewall will fully expose the machine on all interfaces. There's an optional config file that you can use to change this behaviour.
Example code listing of /etc/network/firewall.stopped (a strict firewall with all ports closed)

Anyway I figured it was time to rewrite it and I'm sharing the base version here:
Code listing of /etc/init.d/bubba-firewall
#!/bin/sh
#
# Bubba firewall initscript
#
# Original author: Gordon Bos <gordon@bosvangennip.nl>
#
#
### BEGIN INIT INFO
# Provides: firewall
# Required-Start:
# Required-Stop::
# X-Start-Before: ifupdown ifplugd
# X-Stop-After: ifupdown ifplugd
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Controls the firewall status
### END INIT INFO
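DESC="Bubba firewall"
NAME=bubba-firewall
SCRIPTNAME=/etc/init.d/$NAME
DEFAULT=/etc/default/$NAME
PIDFILE=/var/run/$NAME
# Built-in defaults; each may be overridden from ${DEFAULT}.
MODULES=""
SAVE_ON_STOP="yes"
START_FIREWALL="yes"

# Read configuration variable file if it is present.
# The file is sourced as shell code and runs with this script's (root)
# privileges, so it must be owned by root and not writable by anyone else.
[ -r "${DEFAULT}" ] && . "${DEFAULT}"

# Define LSB log_* functions.
. /lib/lsb/init-functions

# Bail out if START_FIREWALL is disabled in DEFAULT.  "stop" is always
# honoured so a firewall that was disabled afterwards can still be torn down.
if [ "${START_FIREWALL}" != "yes" ] && [ "$1" != "stop" ]; then
  log_warning_msg "${NAME}: Not starting ${DESC}."
  log_warning_msg "${NAME}: Disabled in ${DEFAULT}."
  exit 0
fi

# Remove the pid file if it was created before boot time,
# i.e. we're recovering from a power failure / unclean shutdown.
# The pid file holds the epoch time at which the firewall was started.
if [ -f "${PIDFILE}" ]; then
  boottime=$(( $(date +%s) - $(cut -d. -f1 /proc/uptime) ))
  starttime=$(cat "${PIDFILE}" 2>/dev/null)
  # An empty or non-numeric pid file (e.g. truncated by the crash) is
  # treated as stale too, instead of making the test below fail with a
  # syntax error and keeping the bogus file around.
  case ${starttime} in
    ''|*[!0-9]*) starttime=0 ;;
  esac
  if [ "${boottime}" -gt "${starttime}" ]; then
    log_warning_msg "${NAME}: Fantom pid file found."
    rm -f "${PIDFILE}"
  fi
fi

# Insert modules listed in ${DEFAULT} (typically conntrack/NAT helpers).
# MODULES is intentionally unquoted so it word-splits into one name per
# iteration.  A module that fails to load is reported but not fatal.
for module in ${MODULES}; do
  modprobe "${module}" || log_warning_msg "${NAME}: could not load module ${module}."
done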
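# Helper function that clears all rules in every loaded table and resets
# the built-in chains to ACCEPT.
# After this returns the host is fully exposed on every interface until
# another ruleset is loaded, so callers should restore the replacement
# ruleset immediately afterwards.
# Reads: /proc/net/ip_tables_names (one loaded table per line).
# Returns: 0; iptables errors are reported on stderr but not propagated.
flush_rules() {
  local table chains chain
  # No table list means no iptables tables are loaded: nothing to flush.
  [ -r /proc/net/ip_tables_names ] || return 0
  while read -r table; do
    case ${table} in
      nat) chains="PREROUTING POSTROUTING OUTPUT" ;;
      mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
      filter) chains="INPUT FORWARD OUTPUT" ;;
      raw) chains="PREROUTING OUTPUT" ;;
      security) chains="INPUT FORWARD OUTPUT" ;;
      *) chains="" ;;
    esac
    # Reset policies before flushing: flushing a chain whose policy is
    # DROP would cut every connection, including the one running this.
    for chain in ${chains}; do
      /sbin/iptables -t "${table}" -P "${chain}" ACCEPT
    done
    /sbin/iptables -t "${table}" -F
    /sbin/iptables -t "${table}" -X
  done < /proc/net/ip_tables_names
}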
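# Function that saves the active rules to be reinstated the next time
# the firewall is started.
# Writes: /etc/network/firewall.conf (replaced atomically).
# Returns: 0 on success, non-zero if the dump or the rename failed; in
#          that case the previous firewall.conf is left untouched.
save() {
  local rc tmp
  log_action_begin_msg "Saving firewall"
  # Dump into a temporary file next to the target and rename it into
  # place, so a failed or interrupted iptables-save can never truncate
  # the ruleset that the next "start" restores.  mktemp creates the file
  # mode 0600, so the dumped ruleset is not readable by other users.
  tmp=$(mktemp /etc/network/firewall.conf.XXXXXX) || {
    log_action_end_msg 1
    return 1
  }
  if /sbin/iptables-save > "${tmp}"; then
    rc=0
    mv -f -- "${tmp}" /etc/network/firewall.conf || rc=1
  else
    rc=$?
    rm -f -- "${tmp}"
  fi
  # Report and return iptables-save's own status rather than whatever the
  # logging helper happens to return.
  log_action_end_msg "${rc}"
  return "${rc}"
}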
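# Dispatch on the init action.  Every branch exits the script; exit
# status follows the LSB convention (0 ok, 1 failure, 3 unknown action).
case "$1" in
  start)
    if [ -f "${PIDFILE}" ]; then
      log_warning_msg "${NAME}: ${DESC} already started."
      exit 1
    fi
    log_action_begin_msg "Setting up firewall"
    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables-restore /etc/network/firewall.conf
    rc=$?
    # Report the outcome of iptables-restore itself: the original code
    # logged the status of writing the pid file and always exited 0, so a
    # ruleset that failed to load went unnoticed by the boot sequence.
    log_action_end_msg "${rc}"
    if [ "${rc}" -ne 0 ]; then
      log_failure_msg "${NAME}: could not load /etc/network/firewall.conf."
      exit 1
    fi
    # The pid file records the start time (epoch seconds) so a stale file
    # left over from a crash can be recognised at the next boot.
    date +%s > "${PIDFILE}"
    exit 0
    ;;
  stop)
    if [ ! -f "${PIDFILE}" ]; then
      log_warning_msg "${NAME}: ${DESC} not started."
      exit 1
    fi
    if [ "${SAVE_ON_STOP}" = "yes" ]; then
      # 'return' is only valid inside a function; at top level the script
      # has to exit, otherwise a failed save was followed by a flush that
      # threw the unsaved rules away.
      save || exit 1
    fi
    rm -f "${PIDFILE}"
    # flush_rules leaves every chain at ACCEPT: the host is fully exposed
    # from here until the optional 'stopped' ruleset below is loaded.
    flush_rules
    if [ -r /etc/network/firewall.stopped ]; then
      log_action_begin_msg "Loading 'stopped' rules"
      /sbin/iptables-restore /etc/network/firewall.stopped
      log_action_end_msg $?
    fi
    exit 0
    ;;
  restart|force-reload)
    if [ ! -f "${PIDFILE}" ]; then
      log_warning_msg "${NAME}: ${DESC} not started."
      exit 1
    fi
    log_action_begin_msg "Restoring firewall"
    # Flushing first removes chains/tables that firewall.conf no longer
    # mentions, at the cost of a short fully-open window before restore.
    flush_rules
    /sbin/iptables-restore /etc/network/firewall.conf
    rc=$?
    log_action_end_msg "${rc}"
    # Propagate a failed restore instead of unconditionally exiting 0.
    [ "${rc}" -eq 0 ] || exit 1
    exit 0
    ;;
  *)
    echo "Usage: ${NAME} {start|stop|restart|force-reload}" >&2
    exit 3
    ;;
esac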
# /etc/default/bubba-firewall - settings read by the bubba-firewall initscript.
# This file is sourced as shell code by the init script, so keep it to
# plain VAR=value assignments.

# The firewall is only brought up when this is exactly "yes"; "stop" still works.
START_FIREWALL='yes'

# When "yes", the live ruleset is dumped to firewall.conf on shutdown,
# so manual iptables changes survive a reboot.
SAVE_ON_STOP='yes'

# Kernel modules to modprobe before the rules are loaded (space separated).
# NOTE(review): ip_nat_ftp / ip_conntrack_irc are the old module names;
# newer kernels call them nf_nat_ftp / nf_conntrack_irc - confirm with modinfo.
MODULES='nf_conntrack_ftp ip_nat_ftp ip_conntrack_irc'

# Reference only: the init script hard-codes these two paths and does not
# read the variables below, so changing them here has no effect.
# Ruleset restored by "start"/"restart".
FIREWALL_UP='/etc/network/firewall.conf'
# Ruleset restored by "stop" (optional; if absent the host is left fully open).
FIREWALL_STOPPED='/etc/network/firewall.stopped'

Example code listing of /etc/network/firewall.stopped (a strict firewall with all ports closed)
# /etc/network/firewall.stopped - ruleset loaded by "bubba-firewall stop".
# Lines starting with '#' are ignored by iptables-restore.  The [pkts:bytes]
# counters after each policy are only restored when iptables-restore is run
# with -c; the init script does not pass it, so they are informational here.
# Generated by iptables-save v1.4.8 on Thu May 3 14:02:07 2012
# mangle: nothing is modified, all built-in chains stay at ACCEPT.
*mangle
:PREROUTING ACCEPT [224983640:168229642522]
:INPUT ACCEPT [43592479:8157963675]
:FORWARD ACCEPT [181467008:160077121356]
:OUTPUT ACCEPT [42416524:72733375407]
:POSTROUTING ACCEPT [224083770:232858830134]
COMMIT
# Completed on Thu May 3 14:02:07 2012
# Generated by iptables-save v1.4.8 on Thu May 3 14:02:07 2012
# filter: INPUT and FORWARD default to DROP, OUTPUT to ACCEPT.
# NOTE(review): INPUT has no RELATED,ESTABLISHED rule, so replies to
# connections the host itself opens via eth0 are dropped even though OUTPUT
# is ACCEPT (only the two ICMP types below get in); FORWARD does have such a
# rule, so hosts behind br0 (presumably the LAN side) keep working.
*filter
:INPUT DROP [63157:14714433]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [35689113:64408889296]
# A NEW connection carrying SYN+ACK is answered with a TCP reset.
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
# Any other NEW TCP packet that is not a plain SYN is dropped.
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# Everything arriving on br0 and on loopback is accepted unconditionally.
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ICMP type 11 (time exceeded) from eth0, e.g. traceroute replies.
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
# ICMP 3/4 (fragmentation needed) is required for path-MTU discovery.
-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
# Forwarding from br0 is still allowed while "stopped"; return traffic
# for those flows comes back through the RELATED,ESTABLISHED rule.
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
COMMIT
# Completed on Thu May 3 14:02:07 2012
# Generated by iptables-save v1.4.8 on Thu May 3 14:02:07 2012
# nat: masquerading on eth0 stays active, so "all ports closed" refers to
# inbound connections to the host itself, not to NAT for forwarded traffic.
*nat
:PREROUTING ACCEPT [1200645:106203212]
:INPUT ACCEPT [115179:7103073]
:OUTPUT ACCEPT [339515:30523145]
:POSTROUTING ACCEPT [312787:27664775]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu May 3 14:02:07 2012
# Generated by iptables-save v1.4.8 on Thu May 3 14:02:07 2012
# raw: no rules, nothing is exempted from connection tracking.
*raw
:PREROUTING ACCEPT [224983648:168229642926]
:OUTPUT ACCEPT [42416525:72733376779]
COMMIT
# Completed on Thu May 3 14:02:07 2012