
Saturday, January 31, 2009

Re: my debian does not read my own iptables script

On 2009-01-31 Kinglok, FONG wrote:
> # Enable IP forwarding since it is disabled by default
> echo 1 > /proc/sys/net/ipv4/ip_forward
[...]
> # Remove any existing rules from all chains
> $IPT --flush
> $IPT -t nat --flush
> $IPT -t mangle --flush
> $IPT -X
> $IPT -t nat -X
> $IPT -t mangle -X
> $IPT --policy INPUT ACCEPT
> $IPT --policy OUTPUT ACCEPT
> $IPT --policy FORWARD ACCEPT
> $IPT -t nat --policy PREROUTING ACCEPT
> $IPT -t nat --policy OUTPUT ACCEPT
> $IPT -t nat --policy POSTROUTING ACCEPT
> $IPT -t mangle --policy PREROUTING ACCEPT
> $IPT -t mangle --policy OUTPUT ACCEPT

At this point both your firewall and your LAN are completely open to the
world. NEVER EVER DO THAT!

> if [ "$1" = "stop" ]; then
> echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING"
> exit
> fi

If you want to be able to stop your firewall entirely (for whatever
reason), do the respective commands INSIDE the if-statement.

----8<----
function cleanup_chains() {
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
}

function set_policies() {
if [ "$1" = "open" ]; then
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
else
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
fi

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
}

if [ "$1" = "stop" ]; then
set_policies open
cleanup_chains
echo "Firewall disabled!"
exit 0
fi

set_policies
cleanup_chains
---->8----

Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
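Added example, not part of the list post or of Debian: a dry-run stand-in for `$IPT` that tracks only the filter table's INPUT policy and rule count, so the two orderings discussed in the reply (flush then ACCEPT, versus DROP then flush) can be compared without touching a real firewall. The starting state is a constructed boot default of ACCEPT policies with no rules; `ipt_sim`, `quoted_order` and `fail_closed_order` are names chosen here.

```shell
# Dry-run stand-in for iptables: tracks the filter table's INPUT policy and
# rule count only, and records whether the host was ever observed "open".
# Constructed starting state: boot default of ACCEPT policy and no rules.
POLICY=ACCEPT
RULES=0
WINDOW=0          # becomes 1 if INPUT is ever empty with an ACCEPT policy
IPT=ipt_sim

ipt_sim() {
    case "$1" in
        -t) return 0 ;;                    # nat/mangle: not what exposes the host, ignored
        -F|--flush) RULES=0 ;;             # flushing empties the chain
        -X) ;;                             # deleting user chains: nothing tracked
        -P|--policy)
            if [ "$2" = INPUT ]; then POLICY=$3; fi ;;
        -A|--append) RULES=$((RULES + 1)) ;;
    esac
    # An empty INPUT chain with an ACCEPT policy admits every packet.
    if [ "$RULES" -eq 0 ] && [ "$POLICY" = ACCEPT ]; then WINDOW=1; fi
}

reset_state() { POLICY=ACCEPT; RULES=0; WINDOW=0; }

# Ordering from the quoted script: flush, set ACCEPT policies, load rules later.
quoted_order() {
    reset_state
    $IPT --flush; $IPT -t nat --flush; $IPT -X
    $IPT --policy INPUT ACCEPT; $IPT --policy FORWARD ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT          # the first real rule arrives only now
    echo "$WINDOW"                         # prints 1: the host was open in between
}

# Ansgar's ordering: DROP policies first, then flush, then load rules.
fail_closed_order() {
    reset_state
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -A INPUT -i lo -j ACCEPT
    echo "$WINDOW"                         # prints 0: never open
}
```

Pointing `IPT` at the real binary instead of `ipt_sim` turns `fail_closed_order` into the start path of a fail-closed script; the stop path is the same sequence with ACCEPT policies, as in the reply.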

