From 39eda0b67765385af21a00eb6d61e1d9b9915e51 Mon Sep 17 00:00:00 2001
From: mitty
Date: Sat, 4 Jul 2009 21:07:21 +0000
Subject: [PATCH] * FIX script aborts if nonexistent devices are in the script argument * setfilter * set network filters with iptables from custom rule files in /etc/ufw/*
git-svn-id: https://lab.mitty.jp/svn/lab/trunk@9 7d2118f6-f56c-43e7-95a2-4bb3031d96e7
---
 iptables/setfilter | 105 +++++++++++++++++++++++++++++++++++++++++++++++++++
 iptables/setnapt.sh | 2 +-
 2 files changed, 106 insertions(+), 1 deletion(-)
 create mode 100644 iptables/setfilter
diff --git a/iptables/setfilter b/iptables/setfilter
new file mode 100644
index 0000000..4b31e85
--- /dev/null
+++ b/iptables/setfilter
@@ -0,0 +1,105 @@
+#!/bin/sh -e
+
+### BEGIN INIT INFO
+# Provides: setfilter
+# Required-Start: ufw
+# Required-Stop:
+# Default-Start: S
+# Default-Stop:
+# Short-Description: set network filters with iptables
+### END INIT INFO
+
+PATH="/sbin:/bin:/usr/sbin:/usr/bin"
+
+. /lib/lsb/init-functions
+
+if [ -s /etc/ufw/ufw.conf ]; then
+ . /etc/ufw/ufw.conf
+else
+ log_failure_msg "Could not find /etc/ufw/ufw.conf (aborting)"
+ exit 1
+fi
+
+RULES_PATH="/etc/ufw"
+
+case "$1" in
+start)
+ if iptables -L LOG_ICMP -t raw -n >/dev/null 2>&1 ; then
+ # if firewall loaded, tell to reload instead
+ log_action_msg "Network filter already started, use 'force-reload'"
+ exit 0
+ fi
+ if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
+ log_action_begin_msg "Setting network filter"
+ error=""
+
+ tables="raw mangle"
+ for table in $tables
+ do
+ RULES="$RULES_PATH/$table.rules"
+
+ #flush the chains
+ iptables -F -t $table || error="yes"
+ iptables -X -t $table || error="yes"
+
+ if [ -s "$RULES" ]; then
+ if ! iptables-restore -n < $RULES ; then
+ log_action_cont_msg "Problem running '$RULES'"
+ error="yes"
+ fi
+ else
+ log_action_cont_msg "Couldn't find '$RULES'"
+ fi
+ done
+
+ if [ "$error" = "yes" ]; then
+ log_action_end_msg 1
+ exit 1
+ else
+ log_action_end_msg 0
+ fi
+ else
+ log_action_begin_msg "Skipping network filter (not enabled)"
+ log_action_end_msg 0
+ fi
+ ;;
+stop)
+ if [ "$ENABLED" != "yes" ] && [ "$ENABLED" != "YES" ]; then
+ log_action_begin_msg "Skipping network filter (not enabled)"
+ log_action_end_msg 0
+ exit 0
+ fi
+
+ log_action_begin_msg "Stopping network filter"
+ error=""
+
+ tables="raw mangle"
+ for table in $tables
+ do
+ iptables -F -t $table || error="yes"
+ iptables -X -t $table || error="yes"
+ done
+
+ if [ "$error" = "yes" ]; then
+ log_action_end_msg 1
+ exit 1
+ else
+ log_action_end_msg 0
+ fi
+ ;;
+restart|force-reload)
+ if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
+ $0 stop
+ $0 start
+ else
+ log_warning_msg "Skipping $1 (not enabled)"
+ fi
+ ;;
+*)
+ echo "Usage: /etc/init.d/setfilter {start|stop|restart|force-reload}"
+ exit 1
+ ;;
+esac
+
+exit 0
+
diff --git a/iptables/setnapt.sh b/iptables/setnapt.sh
index d34ba37..6093f6d 100644
--- a/iptables/setnapt.sh
+++ b/iptables/setnapt.sh
@@ -42,7 +42,7 @@ for GW in ${GATEWAYS}; do
 IPADDR=`/sbin/ip addr show dev ${GW} | grep -w inet | cut -d t -f 2 | cut -d ' ' -f 2 | cut -d / -f 1`
 if [ -z "${IPADDR}" ]; then
 # device doesn't seem to have an IP address
- break
+ continue
 fi
 
 ## set masquerade rule to all devices
-- 
1.7.9.5
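Review bot: In the `start` loop, `iptables -F -t $table` and `iptables -X -t $table` empty the table before `iptables-restore -n` has even parsed the new file, so a malformed or missing `raw.rules`/`mangle.rules` leaves that table with no rules at all although the script does exit 1 — the previously working rules are discarded before their replacement is validated. `iptables-restore` without `-n` builds the table from the file and replaces the kernel table as a unit on `COMMIT`, leaving the current rules untouched when parsing fails, so the restore branch can become `if ! iptables-restore < "$RULES" ; then` and the explicit `-F`/`-X` pair can move to the `else` branch (and stay in `stop`), where emptying the table is the intended result. The "already started" probe `iptables -L LOG_ICMP -t raw` also ties this init script to a chain name that lives inside the rules file; if `raw.rules` stops defining `LOG_ICMP`, every `start` silently repeats the flush-and-restore, so a comment such as `# LOG_ICMP is created by raw.rules; its presence means the filter is loaded` next to the probe would document that dependency. `$RULES` and `$table` are unquoted throughout; `RULES_PATH` is fixed here so it is harmless today, but quoting them costs nothing.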
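Review bot: With `continue` the loop now treats a gateway that does not exist and one that merely has no IPv4 address identically, and the only trace is whatever `/sbin/ip` wrote to stderr, so a typo in `GATEWAYS` silently drops that device from the masquerade set instead of aborting as before. A one-line diagnostic ahead of the `continue`, e.g. `echo "setnapt: skipping ${GW}: no IPv4 address or no such device" >&2`, keeps the fix while making the skip visible in the boot log. The enclosing `for GW in ${GATEWAYS}` loop begins before this hunk and the masquerade rule it sets follows after it.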