> Robert L. Harris wrote:
>> Anyone have either docs/link on creating my own resource/script to
>> restart my
>> firewall when heartbeat fails over, or a config I can look at?
>>
>> Robert

Hi,

last week I gave a talk about integration of heartbeat, conntrackd and
fwbuilder. During that talk I also developed the basics of a LSB RA for
the firewall. You can find that talk on:

http://www.heinlein-support.de/web/akademie/slac-2008/slac08-die-ha-firewall

Sorry, it is in German. Please find attached the script. I use heartbeat
ONLY to switch ip_forward and to load the policy. See the details of the
script.

When I find time over Christmas I will write a HOWTO and improve the
script.

Cheers,

Michael.
#! /bin/sh
#

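PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
NAME=firewall
DESC="Firewall"
# Debian-style defaults file; the whole script is a no-op unless it
# enables fwbuilder (checked below without sourcing the file).
DEFAULT=/etc/default/fwbuilder
IPTABLES=/sbin/iptables

test -f "$DEFAULT" || exit 0
grep -s -q 'START_FWBUILDER=yes' "$DEFAULT" || exit 0

# Directory holding the fwbuilder-generated policy scripts, taken from the
# first FWBSCRIPT_DIR line in $DEFAULT.  Everything after the first "=" is
# kept, then surrounding whitespace and one pair of quotes are stripped so a
# value written as FWBSCRIPT_DIR="/etc/fw" does not end up with literal quotes
# in $SCRIPT.  The file is grep'ed rather than sourced on purpose: its content
# is never executed.
SCRIPT_DIR=$(grep -s "^[[:space:]]*FWBSCRIPT_DIR" "$DEFAULT" | head -n 1 \
        | cut -d "=" -f 2- \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/")
if [ -z "$SCRIPT_DIR" ]; then
        # Not fatal: start/stop do not use $SCRIPT, only restart/reload do.
        echo "$NAME: warning: FWBSCRIPT_DIR is not set in $DEFAULT" >&2
fi
# Per-host policy script generated by Firewall Builder.
SCRIPT="$SCRIPT_DIR/$(hostname -s).fw"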

#######################################
# Open and empty the packet filter.
# Sets the policy of the built-in filter chains to ACCEPT, then flushes all
# rules and deletes all user-defined chains in the filter, nat and mangle
# tables.  Note that this is a fail-open stop: after it returns the host
# accepts and forwards everything until a policy is loaded again.
# Globals:   IPTABLES (read)
# Arguments: none
# Outputs:   whatever iptables prints
# Returns:   status of the last iptables call
#######################################
stopfw() {
        # Default policies first, so flushing below cannot lock us out.
        for chain in OUTPUT INPUT FORWARD; do
                $IPTABLES -P "$chain" ACCEPT
        done

        # Flush rules (-F) in every table before deleting chains (-X);
        # the default table (filter) is addressed without -t.
        for action in -F -X; do
                $IPTABLES "$action"
                $IPTABLES "$action" -t nat
                $IPTABLES "$action" -t mangle
        done
}

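# The fwbuilder policy script is only used by restart/reload, so its
# presence is checked in that branch instead of aborting every action here.
# test -x $SCRIPT || exit 0
test -x "$IPTABLES" || exit 0

# From here on the first failing command aborts the script.  That includes
# the conntrackd and iptables calls below, which may then leave an action
# half done; diagnostics go to stderr so the caller can see why.
set -e

case "$1" in
  start)
                # Only forwarding and conntrackd are switched here; the policy
                # script is deliberately not run (see the commented line), so
                # the ruleset loaded at boot is assumed to still be in place.
                # NOTE(review): stop) flushes that ruleset via stopfw, so a node
                # that was stopped and started again by this script forwards
                # with empty ACCEPT chains until $SCRIPT is run — confirm this
                # split between boot-time and failover duties is intended.
                printf '%s' "Starting $DESC: "
                # $SCRIPT 2>/dev/null
                echo "1" > /proc/sys/net/ipv4/ip_forward
                # conntrackd: -c, -f and -R act on the connection tracking
                # caches/table; see conntrackd(8) for their exact meaning.
                /usr/sbin/conntrackd -c -C /etc/conntrackd.conf
                /usr/sbin/conntrackd -f -C /etc/conntrackd.conf
                /usr/sbin/conntrackd -R -C /etc/conntrackd.conf
                echo "$NAME."
        ;;
  stop)
                printf '%s' "Stopping $DESC: "
                # Stop forwarding *before* opening the ruleset: stopfw sets the
                # policies to ACCEPT, so doing it first would forward unfiltered
                # traffic for the short time until ip_forward is cleared.
                echo "0" > /proc/sys/net/ipv4/ip_forward
                stopfw
                # conntrackd -n: see conntrackd(8) for the exact semantics.
                /usr/sbin/conntrackd -n -C /etc/conntrackd.conf
                echo "$NAME."
        ;;
  status)
                # LSB status codes: 0 = running (forwarding), 3 = stopped.
                # A missing /proc file makes the substitution empty, which is
                # reported as "not forwarding".
                if [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]; then
                        echo "$NAME forwarding"
                        exit 0
                else
                        echo "$NAME not forwarding"
                        exit 3
                fi
        ;;
  restart|force-reload|reload)
                #
                #       Firewall Builder generated script flushes tables prior
                #       to setting up new tables so safe to just re-execute
                #
                printf '%s' "Restarting $DESC: "
                # Without this check a missing script would fail silently
                # (its stderr is discarded below).
                if [ ! -x "$SCRIPT" ]; then
                        echo "failed: $SCRIPT is not executable" >&2
                        exit 1
                fi
                # Keep the policy script's own exit status if it fails.
                $SCRIPT 2>/dev/null || {
                        rv=$?
                        echo "failed: $SCRIPT exited with status $rv" >&2
                        exit $rv
                }
                echo "$NAME."
        ;;
  listfilter)
                $IPTABLES -L -n -v
        ;;
  listnat)
                $IPTABLES -t nat -L -n -v
        ;;
  listmangle)
                $IPTABLES -t mangle -L -n -v
        ;;
  *)
                N=/etc/init.d/$NAME
                # "status" is handled above but was missing from the usage line.
                echo "Usage: $N {start|stop|status|restart|reload|force-reload|listfilter|listnat|listmangle}" >&2
                exit 1
        ;;
esac

exit 0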