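#!/bin/bash
# **** License ****
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# This code was originally developed by Vyatta, Inc.
# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc.
# All Rights Reserved.
#
# Author: Tom Grennan
# Description: firewall init
# this is an indirect init sub-script executed by ofr.init
#
# **** End License ****

# @...@ tokens are filled in by the build's configure step.
prefix=@prefix@
exec_prefix=@exec_prefix@
bindir=@bindir@
sbindir=@sbindir@
export PATH=/usr/bin:/usr/sbin:/bin:/sbin:$bindir:$sbindir

. /lib/lsb/init-functions

ACTION=$1

# Kernel modules for connection tracking and NAT. The *_ftp/tftp/sip/h323/
# pptp/gre entries are the protocol helpers that open "related" conntrack
# entries for multi-connection protocols; each one widens what the kernel
# parses from untrusted traffic, so only the helpers actually needed belong
# in this list.
declare -a modules=(
    nf_conntrack
    nf_conntrack_ftp
    nf_conntrack_tftp
    nf_nat
    nf_nat_ftp
    nf_nat_tftp
    nf_nat_proto_gre
    nf_nat_sip
    nf_nat_h323
    nf_nat_pptp
)

# Number of setup steps that failed during start(); reported in its status.
failures=0

#######################################
# Run one setup command; on failure log it and count it, but keep going so
# the remaining steps are still attempted (a partial setup is then reported
# through start()'s return value instead of being silently ignored).
# Globals:   failures (written)
# Arguments: the command and its arguments
#######################################
fw_run () {
    if ! "$@" ; then
        log_failure_msg "firewall init: '$*' failed"
        failures=$((failures + 1))
    fi
}

## setup firewall & nat conntrack modules
# Returns 0 when every module load, rule and sysctl succeeded, 1 otherwise.
start () {
    local mod
    failures=0

    for mod in "${modules[@]}" ; do
        fw_run modprobe --syslog "$mod"
    done

    # set up notrack chains/rules for IPv4
    # by default, nothing is tracked.
    fw_run iptables -t raw -A PREROUTING -j NOTRACK
    fw_run iptables -t raw -A OUTPUT -j NOTRACK

    # set up notrack chains/rules for IPv6
    fw_run ip6tables -t raw -A PREROUTING -j NOTRACK
    fw_run ip6tables -t raw -A OUTPUT -j NOTRACK

    # set up post-firewall hook for IPv4
    # The hook's only rule is ACCEPT and it is appended to the end of INPUT
    # and FORWARD, so anything not matched by rules placed ahead of it is
    # accepted; filtering rules are expected to be inserted before this jump.
    fw_run iptables -N VYATTA_POST_FW_HOOK
    fw_run iptables -A VYATTA_POST_FW_HOOK -j ACCEPT
    fw_run iptables -A INPUT -j VYATTA_POST_FW_HOOK
    fw_run iptables -A FORWARD -j VYATTA_POST_FW_HOOK

    # set up post-firewall hook for IPv6
    fw_run ip6tables -N VYATTA_POST_FW_HOOK
    fw_run ip6tables -A VYATTA_POST_FW_HOOK -j ACCEPT
    fw_run ip6tables -A INPUT -j VYATTA_POST_FW_HOOK
    fw_run ip6tables -A FORWARD -j VYATTA_POST_FW_HOOK

    # set up pre-SNAT hook (RETURN only: a placeholder chain for later rules)
    fw_run iptables -t nat -N VYATTA_PRE_SNAT_HOOK
    fw_run iptables -t nat -A VYATTA_PRE_SNAT_HOOK -j RETURN
    fw_run iptables -t nat -A POSTROUTING -j VYATTA_PRE_SNAT_HOOK

    # Loosen the acceptability rules for TCP sequence and ACK numbers in
    # conntrack. This allows TCP connections through NAT to survive certain
    # cases of packet loss where conntrack can not accurately track the
    # connection state
    # Trade-off: with be_liberal set, out-of-window TCP segments are treated
    # as part of an existing flow rather than marked INVALID, so conntrack's
    # TCP state validation is less strict than the default.
    fw_run sysctl -q -w net.netfilter.nf_conntrack_tcp_be_liberal=1

    # set conntrack table size
    # This bounds conntrack memory; once the table is full the kernel drops
    # packets for new flows, so the value is also a hard connection ceiling.
    fw_run sysctl -q -w net.nf_conntrack_max=16384

    if [ "$failures" -eq 0 ] ; then
        return 0
    fi
    return 1
}

case "$ACTION" in
    start)
        start
        rv=$?
        ;;
    stop|restart|force-reload)
        # nothing to stop/restart
        rv=0
        ;;
    *)
        log_failure_msg "action unknown: $ACTION"
        rv=1
        ;;
esac
exit "$rv"

# Local Variables:
# mode: shell-script
# sh-indentation: 4
# End: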