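#!/bin/bash
#
# chkconfig: 35 90 12
# description: Firewall
#
# Init script that loads and unloads the iptables rule sets provided by
# /etc/firewall/firewall_rules.  "Running" state is tracked with a lock file
# and a status log listing the chain sets that were started; iptables itself
# is never queried, so `status` reflects this script's own bookkeeping only.
#
# Usage: $0 {start|stop|restart|reload|status|help} [chain]
#   chain is one of input, output, forward, workstations, winservers,
#   devnetwork, dmznetwork or all (the default when omitted).
#
# Requires GNU sed (-i, I address flag) and GNU find (-perm /mode).

# Rule script executed, with this script's privileges, on start.
readonly FIREWALL_RULES='/etc/firewall/firewall_rules'
# Presence of the lock file means "firewall running".
readonly LOCK_FILE='/var/lock/subsys/fw.lock'
# One line per started chain set; lines are removed as chain sets are stopped.
readonly STATUS_LOG='/var/log/firewall/fwstatus.log'

#######################################
# Return 0 when $1 names a known chain set (or "all"), 1 otherwise.
# Every chain name is validated here before it is passed to the rule
# script or interpolated into a sed address, so only these fixed words
# ever reach those commands.
#######################################
is_valid_chain() {
  case "$1" in
    input|output|forward|workstations|winservers|devnetwork|dmznetwork|all)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

#######################################
# Timestamp written to the status log, e.g. "Jan 01 2024 12:00:00".
#######################################
log_stamp() {
  date '+%h %d %Y %H:%M:%S'
}

#######################################
# Load one chain set (or all of them) and record it as active.
# Arguments: $1 - chain name, or empty for "all"
# Outputs:   progress messages on stdout; one line appended to STATUS_LOG
# Exits:     1 if already running, the chain is unknown, or loading fails
#######################################
start() {
  local chain="${1:-all}"
  if [ -f "$LOCK_FILE" ]; then
    echo "Firewall already running."
    exit 1
  fi
  echo "Starting the Firewall: "
  if ! is_valid_chain "$chain"; then
    sleep 1
    echo "Chain $chain does not exist."
    exit 1
  fi
  # Only claim the lock and log the chain once the rule script succeeded;
  # otherwise `status` would report rules that were never installed.
  if ! bash "$FIREWALL_RULES" "$chain"; then
    echo "Loading rules for $chain failed." >&2
    exit 1
  fi
  mkdir -p "${STATUS_LOG%/*}"
  touch "$LOCK_FILE"
  sleep 1
  echo "$chain chain(s) active. Started $(log_stamp)" >> "$STATUS_LOG"
  echo "$chain chain(s) started."
  sleep 1
  if [ -f "$LOCK_FILE" ]; then echo "Firewall started"; fi
}

#######################################
# Mark one chain set (or all) as stopped and release the lock once no
# chain set remains active.
# NOTE: the iptables -F/-X/-Z calls are commented out in this script; stop
# only updates the status log and lock file and does not remove any rules
# from the kernel.  Do not rely on `stop` to actually drop traffic rules.
# Arguments: $1 - chain name, or empty for "all"
# Exits:     1 if not running or the chain is unknown
#######################################
stop() {
  local chain="${1:-all}"
  if [ ! -f "$LOCK_FILE" ]; then
    echo "Firewall not running."
    exit 1
  fi
  echo "Stopping the Firewall: "
  if ! is_valid_chain "$chain"; then
    sleep 1
    echo "Chain $chain does not exist."
    exit 1
  fi
  if [ "$chain" = all ]; then
    # iptables -F ; iptables -X   (disabled, see function header)
    # Start from an empty log so no chain set is considered active.
    rm -f "$STATUS_LOG"
    mkdir -p "${STATUS_LOG%/*}"
    touch "$STATUS_LOG"
  elif [ -f "$STATUS_LOG" ]; then
    # iptables -F / -X "$chain"   (disabled, see function header)
    # Drop this chain set's entry.  The I flag makes the match
    # case-insensitive so "input" and "INPUT" both match; $chain has been
    # validated above and contains no regex metacharacters.
    sed -i "/^${chain}.*$/Id" "$STATUS_LOG"
  fi
  # No active chain sets left: the firewall as a whole is stopped.
  if [ ! -s "$STATUS_LOG" ]; then
    rm -f "$LOCK_FILE"
  fi
  sleep 1
  if [ ! -s "$STATUS_LOG" ]; then
    echo "Firewall stopped"
  else
    echo "$chain chain(s) removed."
  fi
}

#######################################
# Report whether the lock file exists and list the logged active chain
# sets.  This is bookkeeping only; it does not inspect iptables.
#######################################
status() {
  if [ ! -f "$LOCK_FILE" ]; then
    echo "Firewall is stopped."
  else
    echo "Firewall is running."
  fi
  if [ -s "$STATUS_LOG" ]; then
    cat "$STATUS_LOG"
  else
    echo "No active chains."
  fi
}

#######################################
# Stop (if running) and then start all chain sets.
#######################################
restart() {
  echo "Stopping the Firewall...: "
  # stop exits when the lock is absent; a restart of a stopped firewall
  # should still start it, so only call stop when it is running.
  if [ -f "$LOCK_FILE" ]; then
    stop
  fi
  sleep 1
  echo "Starting the Firewall...: "
  start
  sleep 1
  echo "Done."
}

#######################################
# Print the usage description.
#######################################
help () {
  echo "This init script loads and unloads rules from iptables. Possible arguments are start, stop, status, restart, reload, and help. The start and stop arguments can also take an argument, which is the name of the target chain, or all for all chains. For example, '/etc/init.d/firewall stop input' will clear the input chain. By default, if a chain is not specified, the function will operate on all chains. The available chains are input, output, forward, workstations, winservers, devnetwork, and dmznetwork."
}

#######################################
# Abort unless the rule script exists.  FIREWALL_RULES is defined at file
# level so this check sees it (it used to be set only inside start/stop,
# which made the test here a no-op).
# Exits: 1 if the rule script is missing
#######################################
configcheck() {
  if [ ! -f "$FIREWALL_RULES" ]; then
    echo "$FIREWALL_RULES must exist"
    exit 1
  fi
  # The rule script is executed with this script's privileges; warn when
  # anyone other than its owner could modify it.
  if [ -n "$(find "$FIREWALL_RULES" -perm /022 -print 2>/dev/null)" ]; then
    echo "warning: $FIREWALL_RULES is group- or world-writable" >&2
  fi
}

configcheck

### main logic ###
case "$1" in
  start)
    start "$2" ;;
  stop)
    stop "$2" ;;
  status)
    status ;;
  restart|reload)
    restart ;;
  help)
    help ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload|status} {input|output|forward|workstations|winservers|devnetwork|dmznetwork} "
    exit 1 ;;
esac
exit 0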