#!/bin/bash

# ====================================================================
# Curby's IPTABLES/NETFILTER Firewall Setup Script a.k.a. curbywall
# Paranoid Pre-execution Stub
# ====================================================================

# This short program runs to ensure that the filter chains in iptables
# are set to a DROP (deny) policy before the network is brought up, thereby
# eliminating any chance of an unfiltered attack between the time the
# network starts and the time the firewall is set up.  Many firewall
# scripts require that the network be started before the firewall is
# set up, hence the need for this stub.

# chkconfig: 2345 1 99
# description: Curbywall pre-execution setup stub

# --- Setup: Iptables command path
#     This can normally be commented out or left blank, and the
#     script will try to find it in /usr/sbin or /sbin.  
# Optional explicit path to the iptables binary; empty means "auto-detect".
IPTABLES_COMMAND=""

# --- End of Setup

# --- Source functions if it is executable
# --- Use the distribution's init helpers when present; otherwise define
#     minimal stand-ins so the status markers used below always exist.
if ! [ -x /etc/rc.d/init.d/functions ]; then
  # Fallback markers print without a trailing newline, like the originals,
  # so callers can finish the line themselves.
  echo_success() { printf '%s' "[  OK  ]"; }
  echo_warning() { printf '%s' "[WARNING]"; }
  echo_failure() { printf '%s' "[FAILED]"; }
else
  . /etc/rc.d/init.d/functions
fi

# See how we were called.
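case "$1" in

  start|restart|reload)
    # --- Locate the iptables binary.
    #     The standard locations are tried first; the IPTABLES_COMMAND
    #     override from the Setup section is consulted only when neither
    #     standard location holds an executable.
    echo -n "Checking for iptables: "
    unset IPTABLES
    if [ -x /sbin/iptables ]; then
      IPTABLES=/sbin/iptables
    elif [ -x /usr/sbin/iptables ]; then
      IPTABLES=/usr/sbin/iptables
    elif [ -n "$IPTABLES_COMMAND" ] && [ -x "$IPTABLES_COMMAND" ]; then
      IPTABLES=$IPTABLES_COMMAND
    fi
    if [ -z "$IPTABLES" ]; then
      echo -n "not found!"
      echo_warning;echo
      exit 1
    fi
    echo -n "$IPTABLES"
    echo_success;echo

    # --- Set filter chain policies.
    #     Each policy change is checked: this stub exists to fail closed,
    #     so a failed -P (e.g. netfilter not available, or not running as
    #     root) must be reported as a failure and must not exit 0 as if
    #     the default-deny policy were in place.
    echo -n "Setting chain policies to DENY: "
    for chain in INPUT OUTPUT FORWARD; do
      if ! "$IPTABLES" -t filter -P "$chain" DROP; then
        echo -n "could not set policy on $chain "
        echo_failure;echo
        exit 1
      fi
    done
    echo_success;echo
  ;;

  stop|status)
    # Nothing to undo: the real firewall script owns the rule set.
    echo -n 'precurbywall: Finished doing nothing'
    echo_success;echo
  ;;

  *)
    # printf is a builtin; gprintf is not available on every system and
    # the usage message must not depend on it.
    printf "Usage: %s\n" "$(basename -- "$0") {start|stop|restart|reload|status}"
    exit 1
  ;;

esac

exit 0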
