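#!/bin/bash
#Copyright 2003 William Stearns
#Released under the GPL.
#
#firebricks "policy" module.  Sets the default policy (the action taken when
#no rule matches) on the three built-in chains of the filter table: INPUT,
#FORWARD and OUTPUT.  The firebricks framework drives it through $Tasks
#(what to do) and $Actions (the policy requested on the command line).
#
#Security notes:
# - "unlink" sets all three policies to ACCEPT, i.e. the host is unfiltered
#   (fail-open) from "unlink" until the next "link".
# - When no policy is given anywhere the module fails closed with DROP.
# - Only the filter table is touched (no -t is passed to iptables).
Me='policy'
MyVersion='0.3.3'
#DefaultActions=''	#Set down in ...-z $DefaultPolicy... section below.

#Global config, then this module's config, then the shared library; each later
#file may override values from the earlier ones.  FBLibDir may be set by the
#config files, so it is only defaulted at the point of use.
[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r "/etc/firebricks/$Me.conf" ] && . "/etc/firebricks/$Me.conf"
[ -r "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib" ] && . "${FBLibDir:-/usr/lib/firebricks/}/firebrickslib"
if [ -z "$FBLibVer" ]; then
  echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
  exit 1
fi

#Map a policy name in any case to the iptables target to use and print it:
#accept -> ACCEPT, drop -> DROP, reject* -> DROP (REJECT is not a legal chain
#policy, so it is downgraded with a warning).  Prints nothing for any other
#value so callers can tell "not a policy" from "DROP".
PolicyFromAction () {
  case "$1" in
  [Aa][Cc][Cc][Ee][Pp][Tt])
    echo 'ACCEPT'
    ;;
  [Rr][Ee][Jj][Ee][Cc][Tt]*)
    echo 'Warning: Reject is not a valid policy. Using DROP instead.' >&2
    echo 'DROP'
    ;;
  [Dd][Rr][Oo][Pp])
    echo 'DROP'
    ;;
  esac
}

#Set the policy given as $1 (ACCEPT or DROP) on all three built-in chains.
#Warns and returns 1 if iptables is not configured or any -P call fails, so a
#partially applied policy does not go unnoticed.
SetAllPolicies () {
  local OnePolicy="$1" OneChain Failed=0
  if [ -z "$IptablesBin" ]; then
    echo "IptablesBin is not set, cannot set policy $OnePolicy" >&2
    return 1
  fi
  for OneChain in INPUT FORWARD OUTPUT ; do
    #$IptablesBin is left unquoted, as elsewhere in firebricks, in case the
    #configured value carries options (NOTE(review): confirm against the conf).
    if ! $IptablesBin -P "$OneChain" "$OnePolicy" ; then
      echo "Warning: unable to set policy $OnePolicy on chain $OneChain" >&2
      Failed=1
    fi
  done
  return $Failed
}

#Grab the last valid (accept or drop) action from the command line as the policy;
#the command line overrides whatever the config file set.
for OneAction in $Actions ; do
  NewPolicy="$(PolicyFromAction "$OneAction")"
  [ -n "$NewPolicy" ] && DefaultPolicy="$NewPolicy"
done
#Normalize the value that is left (possibly straight from the config file): a
#lowercase or misspelled policy would otherwise be passed to iptables -P as is.
if [ -n "$DefaultPolicy" ]; then
  NewPolicy="$(PolicyFromAction "$DefaultPolicy")"
  if [ -z "$NewPolicy" ]; then
    echo "Warning: unrecognized DefaultPolicy '$DefaultPolicy', using DROP instead." >&2
  fi
  DefaultPolicy="$NewPolicy"
fi
#No usable policy anywhere: fail closed.
[ -z "$DefaultPolicy" ] && DefaultPolicy='DROP'

#Non-zero once a link/unlink could not be fully applied; returned at the end.
ExitStatus=0
for OneTask in $Tasks ; do
  case "$OneTask" in
  link)
    #Takes effect immediately, so with DROP the accept rules of the other
    #modules should already be in place or the host is cut off.
    SetAllPolicies "$DefaultPolicy" || ExitStatus=1
    ;;
  unlink)
    #Removing the module is fail-open: everything is accepted again.
    SetAllPolicies ACCEPT || ExitStatus=1
    ;;
  create)
    #Nothing to do
    echo "Starting $Me" >&2
    ;;
  destroy)
    #Nothing to do
    echo "Stopping $Me" >&2
    ;;
  renamechain|replacelinks)
    #Nothing to do: this module owns no chains of its own.
    :
    ;;
  status)
    #Chain headers look like "Chain INPUT (policy DROP 0 packets, 0 bytes)";
    #field 2 is the chain name and field 4 the policy.
    echo 'Default Policies:' >&2
    $IptablesBin -L -nv | grep '(policy ' | awk '{print $2,$4}' >&2
    ;;
  version)
    echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
    ;;
  help)
    #DefaultHelp comes from firebrickslib.
    DefaultHelp
    cat <<EOTEXT >&2
The $Me module sets the policy (action to take if no rule matches) at the
end of each of the 3 built-in chains (INPUT, OUTPUT, and FORWARD).  The
policy can be set by setting:
DefaultPolicy='ACCEPT'
or
DefaultPolicy='DROP'
in /etc/firebricks/firebricks.conf , or can be specified on the command line
(command line overrides file settings).  If no policy is given anywhere, DROP
is used.
EOTEXT
    ;;
  *)
    echo "Unknown task $OneTask in $Me, no action taken." >&2
    ;;
  esac
done
exit $ExitStatus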