|
here they are
thanks
david
|
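#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by [EMAIL PROTECTED], based on the ipchains script:
#   Script Author: Joshua Jensen <[EMAIL PROTECTED]>
#   -- hacked up by gafton with help from notting
#   modified by Anton Altaparmakov <[EMAIL PROTECTED]>:
#   modified by Nils Philippsen <[EMAIL PROTECTED]>
#
# config: /etc/sysconfig/iptables
#
# NOTE: the $"..." locale strings and "echo -n" used below are bash features;
# the script assumes /bin/sh is bash (true on the Red Hat systems it targets).
# The shebang, header and config lines above must each stay on their own line:
# a header collapsed onto the shebang line is passed to the interpreter as a
# script name and the script no longer starts.

# Source 'em up (provides action/success/failure used by start/stop below)
. /etc/init.d/functions

IPTABLES_CONFIG=/etc/sysconfig/iptables

# Nothing to do on a host without the iptables userspace tool.
if [ ! -x /sbin/iptables ]; then
  exit 0
fi

# iptables needs a 2.3+ netfilter kernel; leave quietly on anything older.
# KERNELMAJ/KERNELMIN are the first two dot-separated fields of `uname -r`.
KERNELMAJ=$(uname -r | sed -e 's,\..*,,')
KERNELMIN=$(uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,')
if [ "$KERNELMAJ" -lt 2 ]; then
  exit 0
fi
if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -lt 3 ]; then
  exit 0
fi

# Don't do both: ipchains and iptables must not be active at the same time.
if /sbin/lsmod 2>/dev/null | grep -q ipchains; then
  exit 0
fi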
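start() {
  #######################################
  # Load the saved rule set (if any) and then append the hand-written rules.
  # Globals:   IPTABLES_CONFIG (read)
  # Helpers:   action/success/failure come from /etc/init.d/functions
  # Outputs:   progress messages on stdout
  # Returns:   status of the last iptables call
  #
  # The hand-written rules used to be split with "&& \" instead of a plain
  # "\" continuation, which turned every multi-line rule into two commands:
  # a truncated iptables call followed by a "command not found". Every rule
  # below is now a single command. Several wrapped comment lines that had
  # lost their leading "#" (and were executed as commands) are comments again.
  #######################################

  # don't do squat if we don't have the config file
  if [ -f "$IPTABLES_CONFIG" ]; then
    # If we don't clear these first, we might be adding to
    # pre-existing rules.
    action $"Flushing all current rules and user defined chains:" iptables -F
    action $"Clearing all current rules and user defined chains:" iptables -X
    # /proc/net/ip_tables_names lists one table per line; the unquoted
    # $chains in the loops below is deliberate word-splitting.
    chains=$(cat /proc/net/ip_tables_names 2>/dev/null)
    for i in $chains; do iptables -t "$i" -F; done && \
      success $"Flushing all current rules and user defined chains:" || \
      failure $"Flushing all current rules and user defined chains:"
    for i in $chains; do iptables -t "$i" -X; done && \
      success $"Clearing all current rules and user defined chains:" || \
      failure $"Clearing all current rules and user defined chains:"
    for i in $chains; do iptables -t "$i" -Z; done
    echo $"Applying iptables firewall rules: "
    # Strip comment and blank lines before handing the saved set to iptables-restore.
    grep -v "^[[:space:]]*#" "$IPTABLES_CONFIG" | grep -v '^[[:space:]]*$' |
      /sbin/iptables-restore -c && \
      success $"Applying iptables firewall rules" || \
      failure $"Applying iptables firewall rules"
    echo
    touch /var/lock/subsys/iptables
  fi
  # NOTE(review): when the config file is absent nothing is flushed above, so
  # each further "start"/"restart" appends one more copy of the rules below.

  # ----------------------------------------------------------------------------
  # Some definitions for easy maintenance.
  # EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
  # This script defines the local interface and intranet range,
  # but it does NOT define an SMTP server address.
  IPADDR="169.158.128.2/27"
  EXTERNAL_INTERFACE="eth0"                 # Internet connected interface
  LOOPBACK_INTERFACE="lo"                   # Your local naming convention
  LOCAL_INTERFACE_1="eth1"                  # Your Internal LAN interface
  INTRANET="10.0.0.0/16"                    # Your Private IP Addr Range
  PRIMARY_NAMESERVER="169.158.128.2/27"     # Your Primary Name Server
  SECONDARY_NAMESERVER="169.158.128.3/27"   # Your Secondary Name Server
  #SYSLOG_SERVER="***.**.**.*"              # Your Syslog Internal Server
  LOOPBACK="127.0.0.0/8"                    # Reserved loopback address range
  CLASS_A="10.0.0.0/8"                      # Class A private networks
  CLASS_B="172.16.0.0/12"                   # Class B private networks
  CLASS_C="192.168.0.0/16"                  # Class C private networks
  CLASS_D_MULTICAST="224.0.0.0/4"           # Class D multicast addr
  CLASS_E_RESERVED_NET="240.0.0.0/5"        # Class E reserved addr
  BROADCAST_SRC="0.0.0.0"                   # Broadcast source addr
  BROADCAST_DEST="255.255.255.255"          # Broadcast destination addr
  PRIVPORTS="0:1023"                        # Privileged port range
  UNPRIVPORTS="1024:"                       # Unprivileged port range
  # NOTE(review): IPADDR carries a /27 mask, so every "-s $IPADDR" or
  # "-d $IPADDR" match below covers the whole /27, not just this host.
  # In particular the anti-spoof "-s $IPADDR -j DROP" rule also drops traffic
  # from SECONDARY_NAMESERVER (169.158.128.3, same /27). If a single host is
  # meant, use a host address (no mask or /32) here — confirm with the admin.

  # ----------------------------------------------------------------------------
  # The SSH client starts at 1023 and works down to 513 for each
  # additional simultaneous connection originating from a privileged port.
  # Clients can optionally be configured to use only unprivileged ports.
  SSH_LOCAL_PORTS="1022:65535"     # Port range for local clients
  SSH_REMOTE_PORTS="513:65535"     # Port range for remote clients
  # traceroute usually uses -S 32769:65535 -D 33434:33523
  TRACEROUTE_SRC_PORTS="32769:65535"
  TRACEROUTE_DEST_PORTS="33434:33523"

  # ----------------------------------------------------------------------------
  # FIREWALL MODULES
  # ----------------
  # Uncomment all of the following modules lines only
  # for modularized kernel system.
  # These modules are necessary to masquerade their respective services.
  # /sbin/modprobe ip_tables
  # /sbin/modprobe iptable_nat
  # /sbin/modprobe ip_conntrack
  # /sbin/modprobe ip_conntrack_ftp
  # /sbin/modprobe ip_tables
  # /sbin/modprobe ip_nat_ftp
  # /sbin/modprobe ipt_LOG
  # /sbin/modprobe ipt_MARK
  # /sbin/modprobe ipt_MASQUERADE
  # /sbin/modprobe ipt_REDIRECT
  # /sbin/modprobe ipt_REJECT
  # /sbin/modprobe ipt_TOS
  # /sbin/modprobe ipt_limit
  # /sbin/modprobe ipt_mac
  # /sbin/modprobe ipt_mark
  # /sbin/modprobe ipt_multiport
  # /sbin/modprobe ipt_state
  # /sbin/modprobe ipt_tos
  # /sbin/modprobe iptable_mangle

  # ----------------------------------------------------------------------------
  # Default policy is DENY
  # Explicitly accept desired INCOMING & OUTGOING connections
  #
  # # Remove all existing rules belonging to this filter
  # iptables -F
  # iptables -F -t nat
  #
  # # Remove any existing user-defined chains.
  # iptables -X
  #
  # # Set the default policy of the filter to deny.
  # iptables -P INPUT DROP
  # iptables -P OUTPUT DROP
  # iptables -P FORWARD DROP
  ##
  # NOTE(review): the three "-P ... DROP" lines above are commented out, so
  # the built-in chains keep whatever policy they already have ("stop" sets
  # them to ACCEPT). With an ACCEPT policy the explicit ACCEPT rules below are
  # no-ops and only the DROP/REJECT rules actually filter anything; the
  # "Default policy is DENY" heading does not describe the running state.

  # ----------------------------------------------------------------------------
  # LOOPBACK
  # --------
  # Unlimited traffic on the loopback interface.
  iptables -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
  iptables -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

  # ----------------------------------------------------------------------------
  # Unlimited traffic within the local network.
  # All internal machines have access to the firewall machine.
  iptables -A INPUT -i "$LOCAL_INTERFACE_1" -s "$INTRANET" -j ACCEPT
  iptables -A OUTPUT -o "$LOCAL_INTERFACE_1" -d "$INTRANET" -j ACCEPT

  # ----------------------------------------------------------------------------
  # STATEFUL PART!
  # --------------
  # Kill malformed XMAS packets
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
  # Kill malformed NULL packets
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
  # Block faked, or "spoofed," packets from getting through the firewall.
  # ("-s ! addr" is the old intrapositioned negation; newer iptables prefer
  # "! -s addr" and warn about this form but still accept it.)
  iptables -A FORWARD -i "$LOCAL_INTERFACE_1" -s ! "$INTRANET" -j DROP
  # Allow all internal packets out of our network.
  iptables -A FORWARD -m state --state NEW -i "$LOCAL_INTERFACE_1" \
    -s "$INTRANET" -j ACCEPT
  # Allow the associated packets with those connections back in.
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
    -i "$EXTERNAL_INTERFACE" -s ! "$INTRANET" -j ACCEPT
  # All internal traffic is masqueraded externally.
  iptables -t nat -A POSTROUTING -o "$EXTERNAL_INTERFACE" -j MASQUERADE
  # Blocks any forwards that come from Internet connection. Uncomment only for
  # users with modem device like "ppp0".
  # iptables -A FORWARD -i $EXTERNAL_INTERFACE -m state \
  #   --state NEW,INVALID -j REJECT

  # ----------------------------------------------------------------------------
  # SPOOFING & BAD ADDRESSES
  # Refuse spoofed packets.
  # Ignore blatantly illegal source addresses.
  # Protect yourself from sending to bad addresses.
  # Refuse incoming packets pretending to be from the external address.
  # (Not bound to an interface: see the IPADDR note above about the /27 mask.)
  iptables -A INPUT -s "$IPADDR" -j DROP
  # Refuse incoming packets claiming to be from a Class A, B or C private network
  # (the Class A rule stays commented, presumably because INTRANET lies inside
  # 10/8 — confirm before enabling it)
  # iptables -A INPUT -s $CLASS_A -j DROP
  iptables -A INPUT -s "$CLASS_B" -j DROP
  iptables -A INPUT -s "$CLASS_C" -j DROP
  # Refuse broadcast address SOURCE packets
  iptables -A INPUT -s "$BROADCAST_DEST" -j DROP
  iptables -A INPUT -d "$BROADCAST_SRC" -j DROP
  # Refuse Class D multicast addresses
  # Multicast is illegal as a source address.
  # Multicast uses UDP.
  iptables -A INPUT -s "$CLASS_D_MULTICAST" -j DROP
  # Refuse Class E reserved IP addresses
  iptables -A INPUT -s "$CLASS_E_RESERVED_NET" -j DROP
  # Refuse special addresses defined as reserved by the IANA.
  # Note: The remaining reserved addresses are not included
  # filtering them causes problems as reserved blocks are
  # being allocated more often now. The following are based on
  # reservations as listed by IANA as of 2001/01/04. Please regularly
  # check at http://www.iana.org/ for the latest status.
  # Note: this list includes the loopback, multicast, & reserved addresses.
  # 0.*.*.* - Can't be blocked for DHCP users.
  # 127.*.*.* - LoopBack
  # 169.254.*.* - Link Local Networks
  # 192.0.2.* - TEST-NET
  # 224-255.*.*.* - Classes D & E, plus unallocated.
  # (The 127/8 drop sits after the loopback ACCEPT above, so lo is unaffected.)
  iptables -A INPUT -s 0.0.0.0/8 -j DROP
  iptables -A INPUT -s 127.0.0.0/8 -j DROP
  iptables -A INPUT -s 169.254.0.0/16 -j DROP
  iptables -A INPUT -s 192.0.2.0/24 -j DROP
  iptables -A INPUT -s 224.0.0.0/3 -j DROP

  # ----------------------------------------------------------------------------
  # UDP TRACEROUTE
  # --------------
  # traceroute usually uses -S 32769:65535 -D 33434:33523
  iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p udp --source-port "$TRACEROUTE_SRC_PORTS" \
    -d "$IPADDR" --destination-port "$TRACEROUTE_DEST_PORTS" -j DROP
  iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -s "$IPADDR" --source-port "$TRACEROUTE_SRC_PORTS" \
    --destination-port "$TRACEROUTE_DEST_PORTS" -j ACCEPT

  # ----------------------------------------------------------------------------
  # DNS forward-only nameserver
  # ---------------------------
  # The first four (commented) rules describe the behaviour of a DNS client,
  # i.e. connecting to a DNS server on port 53. Here the server is nameserver1.
  #
  # iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
  #   -s $PRIMARY_NAMESERVER --source-port 53 \
  #   -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
  #
  # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
  #   -s $IPADDR --source-port $UNPRIVPORTS \
  #   -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
  #
  # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
  #   -s $PRIMARY_NAMESERVER --source-port 53 \
  #   -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
  #
  # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
  #   -s $IPADDR --source-port $UNPRIVPORTS \
  #   -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
  #
  # The same four rules for a DNS client of nameserver2.
  # iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
  #   -s $SECONDARY_NAMESERVER --source-port 53 \
  #   -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
  #
  # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
  #   -s $IPADDR --source-port $UNPRIVPORTS \
  #   -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
  #
  # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
  #   -s $SECONDARY_NAMESERVER --source-port 53 \
  #   -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
  #
  # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
  #   -s $IPADDR --source-port $UNPRIVPORTS \
  #   -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
  #
  # The 8 rules above apply when the gateway and the DNS server are on
  # different machines. Since that is not the case here, the client behaviour
  # of this machine is simplified to the following four rules, i.e. it is not
  # restricted to dns1 and dns2 as servers but may talk to any DNS server.
  # NOTE(review): as written these are server-side rules (unprivileged -> 53
  # inbound, 53 -> unprivileged outbound) plus the 53 <-> 53 server-to-server
  # pair; a resolver querying from an unprivileged local port is not covered.
  # That only matters if the chain policies are ever switched to DROP.
  iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p udp --source-port "$UNPRIVPORTS" \
    -d "$IPADDR" --destination-port 53 -j ACCEPT
  iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -s "$IPADDR" --source-port 53 \
    --destination-port "$UNPRIVPORTS" -j ACCEPT
  iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p udp --source-port 53 \
    -d "$IPADDR" --destination-port 53 -j ACCEPT
  iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p udp -s "$IPADDR" --source-port 53 \
    --destination-port 53 -j ACCEPT
  # The original script repeated the four rules above verbatim under the
  # heading "this is what a DNS server does: accept requests on its port 53
  # coming from unprivileged ports on other machines". A second identical
  # rule can never match (the first copy always matches first), so the
  # duplicate is not re-added here.
  # The DNS server also has to accept zone transfers from the dns2 server.
  # DNS Zone Transfers (53)
  iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp -s "$SECONDARY_NAMESERVER" \
    --source-port "$UNPRIVPORTS" -d "$IPADDR" --destination-port 53 -j ACCEPT
  iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" --source-port 53 \
    -d "$SECONDARY_NAMESERVER" --destination-port "$UNPRIVPORTS" -j ACCEPT

  # ------------------------------------------------------------------
  # HTTP client (80)
  # ----------------
  # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 80 \
  #   -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
  #
  # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS \
  #   --destination-port 80 -j ACCEPT
  #
  # ------------------------------------------------------------------
  # HTTPS client (443)
  # ------------------
  # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 443 \
  #   -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
  #
  # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS \
  #   --destination-port 443 -j ACCEPT
  # ------------------------------------------------------------------
  # WWW-CACHE client
  # ----------------
  # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
  #   --source-port 3128 \
  #   -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
  # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
  #   -s $IPADDR --source-port $UNPRIVPORTS \
  #   --destination-port 3128 -j ACCEPT
  # ------------------------------------------------------------------
  # NNTP NEWS client (119)
  # ----------------------
  iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp ! --syn --source-port 119 \
    -d "$IPADDR" --destination-port "$UNPRIVPORTS" -j ACCEPT
  iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" --source-port "$UNPRIVPORTS" \
    --destination-port 119 -j ACCEPT
  # ------------------------------------------------------------------
  # POP client (110)
  # ----------------
  iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp ! --syn --source-port 110 \
    -d "$IPADDR" --destination-port "$UNPRIVPORTS" -j ACCEPT
  iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" --source-port "$UNPRIVPORTS" \
    --destination-port 110 -j ACCEPT
  # ------------------------------------------------------------------
  # IMAP client (143)
  # -----------------
  # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
  #   --source-port 143 \
  #   -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
  # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
  #   -s $IPADDR --source-port $UNPRIVPORTS \
  #   --destination-port 143 -j ACCEPT
  # ------------------------------------------------------------------
  # SMTP client (25)
  # ----------------
  iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp ! --syn --source-port 25 \
    -d "$IPADDR" --destination-port "$UNPRIVPORTS" -j ACCEPT
  iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" --source-port "$UNPRIVPORTS" \
    --destination-port 25 -j ACCEPT
  # ------------------------------------------------------------------
  # SSH server (22)
  # ---------------
  iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp --source-port "$SSH_REMOTE_PORTS" \
    -d "$IPADDR" --destination-port 22 -j ACCEPT
  iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn -s "$IPADDR" --source-port 22 \
    --destination-port "$SSH_REMOTE_PORTS" -j ACCEPT
  # SSH client (22)
  # ---------------
  iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp ! --syn --source-port 22 \
    -d "$IPADDR" --destination-port "$SSH_LOCAL_PORTS" -j ACCEPT
  iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp -s "$IPADDR" --source-port "$SSH_LOCAL_PORTS" \
    --destination-port 22 -j ACCEPT
  # ------------------------------------------------------------------
  # TELNET client (23)
  # ------------------
  # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
  #   --source-port 23 \
  #   -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
  # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
  #   -s $IPADDR --source-port $UNPRIVPORTS \
  #   --destination-port 23 -j ACCEPT
  # ------------------------------------------------------------------
  # AUTH server (113)
  # -----------------
  # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
  iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp --source-port "$UNPRIVPORTS" \
    -d "$IPADDR" --destination-port 113 -j REJECT
  # AUTH client (113)
  # -----------------
  # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
  #   --source-port 113 \
  #   -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
  # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
  #   -s $IPADDR --source-port $UNPRIVPORTS \
  #   --destination-port 113 -j ACCEPT
  # ------------------------------------------------------------------
  # WHOIS client (43)
  # -----------------
  # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
  #   --source-port 43 \
  #   -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
  # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
  #   -s $IPADDR --source-port $UNPRIVPORTS \
  #   --destination-port 43 -j ACCEPT
  # ------------------------------------------------------------------
  # FINGER client (79)
  # ------------------
  # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
  #   --source-port 79 \
  #   -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
  # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
  #   -s $IPADDR --source-port $UNPRIVPORTS \
  #   --destination-port 79 -j ACCEPT
  # ------------------------------------------------------------------
  # FTP client (21)
  # ---------------
  # outgoing request
  # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
  #   -s $IPADDR --source-port $UNPRIVPORTS \
  #   --destination-port 21 -j ACCEPT
  #
  # iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
  #   --source-port 21 \
  #   -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
  # PORT mode data channel
  iptables -A INPUT -i "$EXTERNAL_INTERFACE" -p tcp --source-port 20 \
    -d "$IPADDR" --destination-port "$UNPRIVPORTS" -j ACCEPT
  iptables -A OUTPUT -o "$EXTERNAL_INTERFACE" -p tcp ! --syn -s "$IPADDR" --source-port "$UNPRIVPORTS" \
    --destination-port 20 -j ACCEPT
  # ------------------------------------------------------------------
}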
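stop() {
  #######################################
  # Tear the firewall down: flush every table, delete user-defined chains and
  # reset all built-in chains to ACCEPT, i.e. leave the host unfiltered.
  # Helpers:   success/failure come from /etc/init.d/functions
  # Outputs:   progress messages on stdout
  # Returns:   status of the final rm
  #######################################
  # /proc/net/ip_tables_names lists one table per line; the unquoted
  # $chains in the loops below is deliberate word-splitting.
  chains=$(cat /proc/net/ip_tables_names 2>/dev/null)
  for i in $chains; do iptables -t "$i" -F; done && \
    success $"Flushing all chains:" || \
    failure $"Flushing all chains:"
  for i in $chains; do iptables -t "$i" -X; done && \
    success $"Removing user defined chains:" || \
    failure $"Removing user defined chains:"
  echo -n $"Resetting built-in chains to the default ACCEPT policy:"
  # The mangle table of this kernel generation only has PREROUTING and OUTPUT.
  iptables -P INPUT ACCEPT && \
    iptables -P OUTPUT ACCEPT && \
    iptables -P FORWARD ACCEPT && \
    iptables -t nat -P PREROUTING ACCEPT && \
    iptables -t nat -P POSTROUTING ACCEPT && \
    iptables -t nat -P OUTPUT ACCEPT && \
    iptables -t mangle -P PREROUTING ACCEPT && \
    iptables -t mangle -P OUTPUT ACCEPT && \
    success $"Resetting built-in chains to the default ACCEPT policy" || \
    failure $"Resetting built-in chains to the default ACCEPT policy"
  echo
  rm -f /var/lock/subsys/iptables
}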
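# Entry point: dispatch on the init action given as $1.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    # "restart" is really just "start" as this isn't a daemon,
    # and "start" clears any pre-defined rules anyway.
    # This is really only here to make those who expect it happy
    # NOTE(review): "start" only flushes when $IPTABLES_CONFIG exists; without
    # the config file a restart appends a second copy of the built-in rules.
    start
    ;;
  condrestart)
    [ -e /var/lock/subsys/iptables ] && start
    ;;
  status)
    # --list without -n resolves addresses to names; output can stall if DNS
    # is unreachable.
    echo $"Table: filter"
    iptables --list
    echo $"Table: nat"
    iptables -t nat --list
    echo $"Table: mangle"
    iptables -t mangle --list
    ;;
  panic)
    echo -n $"Changing target policies to DROP: "
    iptables -P INPUT DROP && \
      iptables -P FORWARD DROP && \
      iptables -P OUTPUT DROP && \
      iptables -t nat -P PREROUTING DROP && \
      iptables -t nat -P POSTROUTING DROP && \
      iptables -t nat -P OUTPUT DROP && \
      iptables -t mangle -P PREROUTING DROP && \
      iptables -t mangle -P OUTPUT DROP && \
      success $"Changing target policies to DROP" || \
      failure $"Changing target policies to DROP"
    echo
    iptables -F INPUT && \
      iptables -F FORWARD && \
      iptables -F OUTPUT && \
      iptables -t nat -F PREROUTING && \
      iptables -t nat -F POSTROUTING && \
      iptables -t nat -F OUTPUT && \
      iptables -t mangle -F PREROUTING && \
      iptables -t mangle -F OUTPUT && \
      success $"Flushing all chains:" || \
      failure $"Flushing all chains:"
    # "-X" with no chain name deletes every user-defined chain in the table.
    # Naming the built-in chains (-X INPUT, -X FORWARD, ...) as the old code
    # did is an error — built-in chains cannot be deleted — so this step
    # always reported failure before.
    iptables -X && \
      iptables -t nat -X && \
      iptables -t mangle -X && \
      success $"Removing user defined chains:" || \
      failure $"Removing user defined chains:"
    ;;
  save)
    echo -n $"Saving current rules to $IPTABLES_CONFIG: "
    # Create the file and restrict it to root before any rules are written
    # into it; the saved rule set (with counters) should not be world-readable.
    touch "$IPTABLES_CONFIG"
    chmod 600 "$IPTABLES_CONFIG"
    /sbin/iptables-save -c > "$IPTABLES_CONFIG" 2>/dev/null && \
      success $"Saving current rules to $IPTABLES_CONFIG" || \
      failure $"Saving current rules to $IPTABLES_CONFIG"
    echo
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
    exit 1
esac
exit 0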
