From 63d51b566ea270b45b5b34b1feab37b8faa28232 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Sun, 9 May 2004 23:20:43 +0000
Subject: main fieryfilter work
git-svn-id: file:///home/lennart/svn/public/fieryfilter/fieryfilter@31 79e6afc9-17da-0310-ae3c-b873bff394f4
---
fieryfilter.init | 100 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 100 insertions(+)
create mode 100755 fieryfilter.init
(limited to 'fieryfilter.init')
diff --git a/fieryfilter.init b/fieryfilter.init
new file mode 100755
index 0000000..4aab0eb
--- /dev/null
+++ b/fieryfilter.init
@@ -0,0 +1,100 @@
+#!/bin/bash
+
+reset() {
+ iptables -D INPUT -j ffsys_in
+ iptables -D OUTPUT -j ffsys_out
+ iptables -D FORWARD -j ffsys_for
+
+ iptables -F ffsys_in
+ iptables -X ffsys_in
+ iptables -F ffsys_out
+ iptables -X ffsys_out
+ iptables -F ffsys_for
+ iptables -X ffsys_for
+ iptables -F ffsys
+ iptables -X ffsys
+}
+
+create() {
+ iptables -N ffsys
+ iptables -A ffsys -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
+ iptables -A ffsys -m state --state ESTABLISHED -j ACCEPT
+ iptables -A ffsys -m state --state RELATED -j ACCEPT
+ iptables -A ffsys -m state --state NEW -j RETURN
+ iptables -A ffsys -j DROP
+
+ iptables -N ffsys_in
+ iptables -A ffsys_in -p icmp --icmp-type destination-unreachable -j ACCEPT
+ iptables -A ffsys_in -j ffsys
+
+ iptables -N ffsys_out
+ iptables -A ffsys_out -p icmp --icmp-type destination-unreachable -j ACCEPT
+ iptables -A ffsys_out -j ffsys
+
+ grep nameserver /etc/resolv.conf | sed s/nameserver// | {
+ while read ip ; do
+ iptables -A ffsys_out -p udp --dport 53 -d $ip -j ACCEPT
+ done
+ }
+
+ iptables -N ffsys_for
+ iptables -A ffsys_for -j ffsys
+}
+
+activate() {
+ iptables -A INPUT -j ffsys_in
+ iptables -A OUTPUT -j ffsys_out
+ iptables -A FORWARD -j ffsys_for
+}
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/local/sbin/fieryfilterd
+NAME=fieryfilterd
+DESC="FieryFilter daemon"
+
+test -x $DAEMON || exit 0
+
+case "$1" in
+ start)
+ echo -n "Starting $DESC: $NAME"
+ if pidof $DAEMON > /dev/null ; then
+ echo " - already running."
+ else
+ modprobe iptable_filter
+ modprobe ip_queue
+ modprobe ip_conntrack_ftp
+
+ reset 2> /dev/null
+ create
+ activate
+
+ rm -f /tmp/fieryfilter
+
+ ( $DAEMON 2>&1 ) | logger -p daemon.info -t fieryfilterd &
+ disown
+ echo "."
+ fi
+ ;;
+ stop)
+ echo -n "Stopping $DESC: $NAME"
+ if pidof $DAEMON > /dev/null ; then
+ killall -INT fieryfilterd
+ reset 2> /dev/null
+ echo "."
+ else
+ echo " - not running.
+ fi
+ ;;
+ restart|force-reload)
+ $0 stop
+ sleep 2
+ $1 start
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start|stop|restart|force-reload}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
-- cgit
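Review bot: In the `restart|force-reload)` branch, `$1 start` expands to the literal command `restart start` (or `force-reload start`), which does not exist, so a restart runs `$0 stop` — which tears down every ffsys chain via `reset` — and never brings the filter or the daemon back; the line should be `$0 start`. The start path likewise ignores the exit status of `create` and `activate` before launching `$DAEMON`, so a failed `iptables -N`/`-A` (for example a leftover chain that `reset` could not delete) lets the daemon come up with no chains hooked into INPUT/OUTPUT/FORWARD; `create && activate || { echo " - iptables setup failed."; exit 1; }` keeps that failure visible instead of failing open. The nameserver loop pipes `grep nameserver /etc/resolv.conf | sed s/nameserver//` into `-d $ip` unquoted, so a commented-out `# nameserver 10.0.0.1` yields the split arguments `-d # 10.0.0.1` and an iptables error; `awk '/^nameserver/ { print $2 }' /etc/resolv.conf` with `-d "$ip"` restricts it to the keyword at line start. `rm -f /tmp/fieryfilter` suggests the daemon uses a fixed path in world-writable /tmp (the daemon is not in this commit, so I cannot confirm what it creates there); if so, a local user can pre-create that name between the `rm` and the daemon start, and a root-owned directory under /var/run avoids the race.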