#
# Clear Proxy Arp
#
# Undoes the proxy ARP entries recorded in ${VARDIR}/proxyarp. Each record
# has four whitespace-separated fields: address interface external haveroute.
# For every record the published ARP entry for $address on $external is
# deleted, and the host route for $address on $interface is deleted unless
# the record's haveroute field or the global NOROUTES is non-empty.
# Afterwards proxy_arp is written as 0 for EVERY entry under
# /proc/sys/net/ipv4/conf/ - not only the interfaces named in the record
# file - so proxy ARP configured outside this product is cleared as well.
# The record file is removed whether or not it existed.
#
# Globals (read): VARDIR, NOROUTES, IPTABLES (via helpers)
# Calls: qt (defined elsewhere; presumably runs its command quietly - not
#        shown here)
#
delete_proxyarp() {
    if [ -f ${VARDIR}/proxyarp ]; then
        while read address interface external haveroute; do
            qt arp -i $external -d $address pub
            # Only remove the route when neither the per-record flag nor
            # the global NOROUTES is set.
            [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
        done < ${VARDIR}/proxyarp

        # Clears proxy_arp on all interfaces, including ones this product
        # never touched.
        for f in /proc/sys/net/ipv4/conf/*; do
            [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
        done
    fi

    rm -f ${VARDIR}/proxyarp
}

#
# Stop/restore the firewall after an error or because of a "stop" or "clear" command
#
# Behaviour is selected by $COMMAND:
#   stop|clear  - proceed directly to the teardown below.
#   anything else (a start/restart/restore that failed part-way) - log the
#                 failure, then either clear the firewall (RESTOREFILE=NONE)
#                 or run the saved restore script ${VARDIR}/$RESTOREFILE.
#                 On both of those paths the shell is killed and this
#                 function does not return. If the restore script is not
#                 executable, execution falls through to the teardown below.
#
# The teardown flushes the mangle/raw/nat tables (when enabled), removes
# proxy ARP, traffic shaping and routing changes, then rebuilds the filter
# table into the "Stopped" state: policies chosen by CRITICALHOSTS and
# ADMINISABSENTMINDED (see inline comments), loopback and DHCP traffic
# allowed, ip_forward set according to IP_FORWARDING.
#
# Globals (read):  COMMAND PRODUCT RESTOREFILE VARDIR IPTABLES MANGLE_ENABLED
#                  RAW_TABLE NAT_ENABLED CLEAR_TC DISABLE_IPV6 CRITICALHOSTS
#                  ADMINISABSENTMINDED DHCP_INTERFACES IP_FORWARDING
# Globals (written): COMMAND (set to clear on the RESTOREFILE=NONE path),
#                  STOPPING, TERMINATOR, RESTOREPATH
# Calls (defined elsewhere): qt del_ip_addr set_state progress_message2
#                  determine_capabilities run_stop_exit run_stopped_exit
#                  delete_tc1 disable_ipv6 undo_routing restore_default_route
#                  source_ip_range dest_ip_range
# Calls (this file): clear_firewall setpolicy run_iptables delete_proxyarp
#
stop_firewall() {
    # Flush and delete chain $1, but only if it exists (the -L probe guards
    # the -F and -X).
    deletechain() {
        qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
    }

    # Flush all chains and delete all user-defined chains in the default
    # (filter) table - no -t is given.
    deleteallchains() {
        $IPTABLES -F
        $IPTABLES -X
    }

    # Append an accept for ESTABLISHED,RELATED traffic to chain $1.
    setcontinue() {
        $IPTABLES -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    }

    # Flush the nat table and remove every address recorded in
    # ${VARDIR}/nat (fields: external interface), then delete the record.
    delete_nat() {
        $IPTABLES -t nat -F
        $IPTABLES -t nat -X

        if [ -f ${VARDIR}/nat ]; then
            while read external interface; do
                del_ip_addr $external $interface
            done < ${VARDIR}/nat

            rm -f ${VARDIR}/nat
        fi
    }

    case $COMMAND in
        stop|clear)
            ;;
        *)
            # Error path: switch off command tracing before the cleanup.
            set +x

            case $COMMAND in
                start)
                    logger -p kern.err "ERROR:$PRODUCT start failed"
                    ;;
                restart)
                    logger -p kern.err "ERROR:$PRODUCT restart failed"
                    ;;
                restore)
                    logger -p kern.err "ERROR:$PRODUCT restore failed"
                    ;;
            esac

            if [ "$RESTOREFILE" = NONE ]; then
                # COMMAND is set to clear so that the nested call to
                # stop_firewall made by clear_firewall returns instead of
                # killing the shell.
                COMMAND=clear
                clear_firewall
                echo "$PRODUCT Cleared"
                # kill $$ signals the current shell process (the caller may
                # be a subshell); exit 2 follows in case the shell survives.
                kill $$
                exit 2
            else
                RESTOREPATH=${VARDIR}/$RESTOREFILE

                if [ -x $RESTOREPATH ]; then
                    if [ -x ${RESTOREPATH}-ipsets ]; then
                        progress_message2 Restoring Ipsets...
                        #
                        # We must purge iptables to be sure that there are no
                        # references to ipsets
                        #
                        for table in mangle nat filter; do
                            $IPTABLES -t $table -F
                            $IPTABLES -t $table -X
                        done

                        ${RESTOREPATH}-ipsets
                    fi

                    echo Restoring ${PRODUCT:=Shorewall}...

                    # A failed restore leaves the state as "Unknown"; either
                    # way the shell is killed below.
                    if $RESTOREPATH restore; then
                        echo "$PRODUCT restored from $RESTOREPATH"
                        set_state "Started"
                    else
                        set_state "Unknown"
                    fi

                    kill $$
                    exit 2
                fi
                # No else branch: an absent or non-executable restore
                # script means the normal stop below is performed instead.
            fi
            ;;
    esac

    set_state "Stopping"

    STOPPING="Yes"

    TERMINATOR=

    deletechain shorewall

    determine_capabilities

    run_stop_exit

    if [ -n "$MANGLE_ENABLED" ]; then
        run_iptables -t mangle -F
        run_iptables -t mangle -X
        for chain in PREROUTING INPUT FORWARD POSTROUTING; do
            qt $IPTABLES -t mangle -P $chain ACCEPT
        done
    fi

    if [ -n "$RAW_TABLE" ]; then
        run_iptables -t raw -F
        run_iptables -t raw -X
        for chain in PREROUTING OUTPUT; do
            qt $IPTABLES -t raw -P $chain ACCEPT
        done
    fi

    if [ -n "$NAT_ENABLED" ]; then
        delete_nat
        for chain in PREROUTING POSTROUTING OUTPUT; do
            qt $IPTABLES -t nat -P $chain ACCEPT
        done
    fi

    delete_proxyarp

    [ -n "$CLEAR_TC" ] && delete_tc1

    [ -n "$DISABLE_IPV6" ] && disable_ipv6

    undo_routing

    restore_default_route

    # Filter-table policy while stopped.
    #   CRITICALHOSTS set: each word is interface:networks; traffic to/from
    #     those networks on that interface stays allowed. INPUT/OUTPUT are
    #     set to ACCEPT while the chains are deleted and the critical-host
    #     rules are added, then tightened; traffic is unrestricted during
    #     that window.
    #   ADMINISABSENTMINDED empty: everything else is DROP.
    #   ADMINISABSENTMINDED set:   OUTPUT stays ACCEPT and ESTABLISHED,RELATED
    #     is accepted on INPUT and FORWARD.
    if [ -n "$CRITICALHOSTS" ]; then
        if [ -z "$ADMINISABSENTMINDED" ]; then
            for chain in INPUT OUTPUT; do
                setpolicy $chain ACCEPT
            done

            setpolicy FORWARD DROP

            deleteallchains

            for host in $CRITICALHOSTS; do
                # ${host%:*} is the interface, ${host#*:} the network list.
                interface=${host%:*}
                networks=${host#*:}
                $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
                $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
            done

            for chain in INPUT OUTPUT; do
                setpolicy $chain DROP
            done
        else
            for chain in INPUT OUTPUT; do
                setpolicy $chain ACCEPT
            done

            setpolicy FORWARD DROP

            deleteallchains

            for host in $CRITICALHOSTS; do
                interface=${host%:*}
                networks=${host#*:}
                $IPTABLES -A INPUT -i $interface $(source_ip_range $networks) -j ACCEPT
                $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
            done

            # OUTPUT is left at ACCEPT in the absent-minded case.
            setpolicy INPUT DROP

            for chain in INPUT FORWARD; do
                setcontinue $chain
            done
        fi
    elif [ -z "$ADMINISABSENTMINDED" ]; then
        for chain in INPUT OUTPUT FORWARD; do
            setpolicy $chain DROP
        done

        deleteallchains
    else
        for chain in INPUT FORWARD; do
            setpolicy $chain DROP
        done

        setpolicy OUTPUT ACCEPT

        deleteallchains

        for chain in INPUT FORWARD; do
            setcontinue $chain
        done
    fi

    $IPTABLES -A INPUT -i lo -j ACCEPT

    # The OUTPUT lo rule is only needed when OUTPUT policy is DROP.
    [ -z "$ADMINISABSENTMINDED" ] && $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Unquoted expansion: one interface per whitespace-separated word.
    for interface in $DHCP_INTERFACES; do
        $IPTABLES -A INPUT -p udp -i $interface --dport 67:68 -j ACCEPT
        [ -z "$ADMINISABSENTMINDED" ] && $IPTABLES -A OUTPUT -p udp -o $interface --dport 67:68 -j ACCEPT
        #
        # This might be a bridge
        #
        $IPTABLES -A FORWARD -p udp -i $interface -o $interface --dport 67:68 -j ACCEPT
    done

    # Any other value of IP_FORWARDING leaves ip_forward untouched.
    case "$IP_FORWARDING" in
        On|on|ON)
            echo 1 > /proc/sys/net/ipv4/ip_forward
            progress_message2 IP Forwarding Enabled
            ;;
        Off|off|OFF)
            echo 0 > /proc/sys/net/ipv4/ip_forward
            progress_message2 IP Forwarding Disabled!
            ;;
    esac

    run_stopped_exit

    set_state "Stopped"

    logger -p kern.info "$PRODUCT Stopped"

    case $COMMAND in
        stop|clear)
            ;;
        *)
            #
            # The firewall is being stopped when we were trying to do something
            # else. Remove the lock file and Kill the shell in case we're in a
            # subshell
            #
            # NOTE(review): no lock file is removed in this function itself;
            # presumably an exit trap elsewhere does that - confirm.
            kill $$
            ;;
    esac
}

#
# Set policy of chain $1 to $2
#
setpolicy() {
    $IPTABLES -P $1 $2
}

#
# Remove all Shorewall-added rules
#
# Performs the normal stop and then removes all filtering: every filter
# policy becomes ACCEPT, all rules are flushed, and ip_forward is forced to 1
# regardless of IP_FORWARDING. When DISABLE_IPV6 is set and ip6tables is
# found, its INPUT/OUTPUT/FORWARD policies are reset to ACCEPT as well
# (errors silenced). The host ends up with no packet filtering at all.
#
# stop_firewall kills the shell for any COMMAND other than stop/clear, so
# callers must set COMMAND accordingly before calling (the error path in
# stop_firewall sets COMMAND=clear for this reason).
#
# Globals (read): IPTABLES DISABLE_IPV6 PRODUCT
# Calls (defined elsewhere): run_clear_exit set_state qt mywhich
#
clear_firewall() {
    stop_firewall

    setpolicy INPUT ACCEPT
    setpolicy FORWARD ACCEPT
    setpolicy OUTPUT ACCEPT

    run_iptables -F

    # Unconditional, unlike the IP_FORWARDING-driven setting in stop_firewall.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    if [ -n "$DISABLE_IPV6" ]; then
        if qt mywhich ip6tables; then
            ip6tables -P INPUT ACCEPT 2> /dev/null
            ip6tables -P OUTPUT ACCEPT 2> /dev/null
            ip6tables -P FORWARD ACCEPT 2> /dev/null
        fi
    fi

    run_clear_exit

    set_state "Cleared"

    logger -p kern.info "$PRODUCT Cleared"
}

#
# Issue a message and stop/restore the firewall
#
# $* = error message, written to stderr. Unlike startup_error below, this
# runs stop_firewall, so the firewall is torn down (or restored) before the
# exit.
#
fatal_error() {
    echo "  ERROR: $@" >&2
    stop_firewall
    exit 2
}

#
# Issue a message and stop
#
# Logs the failure for start/restart/restore and kills the shell WITHOUT
# touching the firewall rules - the rule set is left as it was at the time
# of the error.
#
startup_error() # $* = Error Message
{
    echo "  ERROR: $@" >&2

    case $COMMAND in
        start)
            logger -p kern.err "ERROR:$PRODUCT start failed"
            ;;
        restart)
            logger -p kern.err "ERROR:$PRODUCT restart failed"
            ;;
        restore)
            logger -p kern.err "ERROR:$PRODUCT restore failed"
            ;;
    esac

    kill $$
    exit 2
}

#
# Run iptables and if an error occurs, stop/restore the firewall
#
# $* = iptables arguments. When COMMENT is non-empty, "-m comment --comment
# $COMMENT" is appended after the caller's arguments. $@ is unquoted, so the
# arguments are word-split again here; an argument containing whitespace
# cannot be passed through intact.
# On non-zero status the firewall is stopped/restored and the shell exits 2.
#
run_iptables() {
    if [ -n "$COMMENT" ]; then
        $IPTABLES $@ -m comment --comment "$COMMENT"
    else
        $IPTABLES $@
    fi

    # $? here is the status of whichever $IPTABLES invocation ran above.
    if [ $? -ne 0 ]; then
        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
        stop_firewall
        exit 2
    fi
}

#
# Run ip and if an error occurs, stop/restore the firewall
#
# $* = ip arguments (unquoted, word-split as in run_iptables).
#
run_ip() {
    if ! ip $@; then
        error_message "ERROR: Command \"ip $@\" Failed"
        stop_firewall
        exit 2
    fi
}

#
# Run tc and if an error occurs, stop/restore the firewall
#
# $* = tc arguments (unquoted, word-split as in run_iptables).
#
run_tc() {
    if ! tc $@ ; then
        error_message "ERROR: Command \"tc $@\" Failed"
        stop_firewall
        exit 2
    fi
}

#
# Functions to appease unconverted extension scripts
#

# No-op kept for compatibility; always succeeds.
save_command() {
    return 0
}

# Executes its arguments as shell code via eval. Anything in $@ is
# interpreted by the shell (expansions, separators, redirections), so this
# must only ever be called with fixed, trusted command text - never with
# data derived from an untrusted source.
run_and_save_command() {
    eval $@
}

# As run_and_save_command, but a failing command is fatal (the firewall is
# stopped/restored). The same eval caveat applies.
ensure_and_save_command() {
    eval $@ || fatal_error "Command \"$@\" failed"
}

# Re-add the rules saved in ${VARDIR}/save to the "dynamic" chain.
#
# Each line is read as: target ignore1 ignore2 address ignore3 rest
# (the layout looks like iptables -L listing output - presumably; not shown
# here). Only DROP/reject/logdrop/logreject targets are restored:
#   - when $rest begins with "source IP range", the range that follows it is
#     restored with an iprange match; ${rest#source IP range} strips the
#     literal prefix and the unquoted expansion drops the leading blank;
#   - when $rest is empty, a plain -s $address rule is restored;
#   - anything else is reported as a warning and skipped.
# Globals (read): VARDIR
# Calls: run_iptables (this file), progress_message2, error_message
#
restore_dynamic_rules() {
    if [ -f ${VARDIR}/save ]; then
        progress_message2 "Setting up dynamic rules..."
        rangematch='source IP range'
        while read target ignore1 ignore2 address ignore3 rest; do
            case $target in
                DROP|reject|logdrop|logreject)
                    # Unquoted $rangematch acts as a pattern prefix here.
                    case $rest in
                        $rangematch*)
                            run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
                            ;;
                        *)
                            if [ -z "$rest" ]; then
                                run_iptables -A dynamic -s $address -j $target
                            else
                                error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
                            fi
                            ;;
                    esac
                    ;;
            esac
        done < ${VARDIR}/save
    fi
}