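#! /bin/bash
#
# Written by David Bogen May, 2004
# You may redistribute this file if you keep this notice intact.
# $Id: ipfilter.txt,v 1.1 2004/05/23 22:30:52 dbogen Exp $
#
# /etc/init.d/ipfilter for SuSE 8.2 Professional
#
# "start": load the ipfilter kernel module, create its control device
# nodes (root-only, mode 0600), load the filter and NAT rulesets, start
# ipmon for logging and only then enable IPv4 forwarding.
# "stop": the same in reverse order.
#
### BEGIN INIT INFO
# Provides: ipfilter
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 5
# Default-Stop: 0 1 2 6
# Description: start and stop the ipfilter module
### END INIT INFO

. /etc/rc.status

#######################################
# Print an error banner to stderr and abort the whole script.
# Arguments:
#   $1 - message
# Returns: never (exit 1)
#######################################
handle_error() {
  printf '###\n### ERROR: %s\n###\n' "$1" >&2
  exit 1
}

#######################################
# Make sure a character device node exists with the expected numbers.
# The node is (re)created only when it is missing, is not a character
# device, or carries a different major/minor than requested.  Whatever
# happens it ends up mode 0600: these nodes give full control over the
# firewall, so only root may open them.
# Arguments:
#   $1 - path of the device node (e.g. /dev/ipl)
#   $2 - expected major number (decimal)
#   $3 - expected minor number (decimal)
# Aborts via handle_error when rm, mknod or chmod fails.
#######################################
create_individual_node() {
  local node=$1 major=$2 minor=$3
  local cur_major=-1 cur_minor=-1
  local hex

  # Read the current numbers only from an existing character device.
  # stat(1) "%t %T" prints them in hex (GNU coreutils stat; confirm the
  # target has it).  Anything else leaves the -1 sentinels, which never
  # match and therefore force a recreate.
  if [ -c "$node" ]; then
    hex=$(stat -c '%t %T' -- "$node" 2>/dev/null) || hex=""
    if [ -n "$hex" ]; then
      cur_major=$((16#${hex%% *}))
      cur_minor=$((16#${hex##* }))
    fi
  fi

  # Recreate when the node is wrong.  The 2004 version tested
  # "! NUM -ne NUM", i.e. it recreated nodes that already matched and
  # kept a node whose major and minor were both wrong.
  if [ ! -c "$node" ] || [ "$cur_major" -ne "$major" ] || [ "$cur_minor" -ne "$minor" ]; then
    # -L catches a dangling symlink, which -e does not see but which
    # would still make mknod fail with EEXIST.
    if [ -e "$node" ] || [ -L "$node" ]; then
      rm -f -- "$node" || handle_error "Could not rm $node"
    fi
    /bin/mknod "$node" c "$major" "$minor" \
      || handle_error "Could not /bin/mknod $node c $major $minor"
  fi
  chmod 0600 "$node" || handle_error "Could not chmod 0600 $node"
}

#######################################
# Create the ipfilter control nodes in /dev.  The module's major number
# is read from the "Character devices" section of /proc/devices; the
# minors 0..6 are fixed (ipl, ipnat, ipstate, ipauth, ipsync, ipscan,
# iplookup).
# Aborts via handle_error when no character device matching "ipf" is
# registered, so mknod is never run with an empty major.
#######################################
make_nodes() {
  local dev_num minor node
  local -a nodes=(ipl ipnat ipstate ipauth ipsync ipscan iplookup)

  # Stop at the "Block devices:" header so only the character section is
  # searched; take the first match, as the original grep did.
  dev_num=$(awk '/^Block devices/ { exit } /ipf/ { print $1; exit }' /proc/devices)
  case "$dev_num" in
    *[!0-9]* | '')
      handle_error "ipfilter did not register a character device in /proc/devices"
      ;;
  esac

  for minor in "${!nodes[@]}"; do
    node="/dev/${nodes[$minor]}"
    create_individual_node "$node" "$dev_num" "$minor"
  done
}

#######################################
# Load /etc/ipf.conf into the filter and /etc/ipnat.conf into the NAT
# table, flushing what was there before.  Both files are mandatory.
# Aborts via handle_error when a file is missing or a load fails.
#######################################
load_default_rulesets() {
  local ipf_conf=/etc/ipf.conf
  local ipnat_conf=/etc/ipnat.conf

  [ -f "$ipf_conf" ] || handle_error "Could not find ipfilter ruleset $ipf_conf"
  # -Fa flushes the active list, -f loads the file.  The 2004 version also
  # passed -n, which ipf(8) documents as "no action": the file was only
  # parsed, never installed.
  # NOTE(review): between the flush and the load there is no filter at
  # all; loading into the inactive list (-I) and swapping (-s) would close
  # that window.  Left as is to keep the original single-step semantics.
  /sbin/ipf -Fa -f "$ipf_conf" \
    || handle_error "Could not load ipfilter ruleset $ipf_conf"

  [ -f "$ipnat_conf" ] || handle_error "Could not find ipnat ruleset $ipnat_conf"
  # -C clears the NAT rule list, -f loads the file.  Same -n fix as above.
  # The original wrote "2&>1", which passed a literal "2" to ipnat and
  # dumped its output into a file named "1" in the current directory.
  /sbin/ipnat -C -f "$ipnat_conf" > /dev/null 2>&1 \
    || handle_error "Could not load ipnat ruleset $ipnat_conf"
}

#######################################
# Turn IPv4 forwarding on ("start") or off ("stop").  The main block
# calls this after the rules are loaded on start and before the module
# is removed on stop.
# Arguments:
#   $1 - start | stop
# Aborts via handle_error when forwarding cannot be enabled or the
# argument is unknown; the stop path is best effort.
#######################################
ip_forwarding() {
  local knob=net.ipv4.conf.all.forwarding
  case "$1" in
    start)
      /sbin/sysctl -w "${knob}=1" > /dev/null 2>&1 \
        || handle_error "Starting IP forwarding did not return zero"
      ;;
    stop)
      # Best effort: a failure here must not stop the rest of shutdown.
      /sbin/sysctl -w "${knob}=0" > /dev/null 2>&1
      ;;
    *)
      handle_error "ip_forwarding somehow called without start/stop argument"
      ;;
  esac
}

#######################################
# Start or stop ipmon, the ipfilter log daemon, through the SuSE
# startproc/killproc helpers.
# Arguments:
#   $1 - start | stop
# Aborts via handle_error when the binary is missing, start fails, the
# pid file is absent on stop, killproc fails, or the argument is unknown.
#######################################
ip_mon() {
  local pidfile=/var/run/ipmon.pid
  local ipmon=/usr/bin/ipmon
  case "$1" in
    start)
      [ -x "$ipmon" ] || handle_error "Could not find $ipmon."
      # ipmon flags: -s log via syslog, -D daemonize, -P write pid file
      startproc -p "$pidfile" "$ipmon" -s -D -P "$pidfile" \
        || handle_error "Starting $ipmon was not successful."
      ;;
    stop)
      [ -f "$pidfile" ] || handle_error "$pidfile not found to kill ipmon"
      # killproc takes the signal then the executable once; the 2004
      # version passed the executable path twice.
      killproc -p "$pidfile" -TERM "$ipmon" \
        || handle_error "$ipmon did not die cleanly."
      ;;
    *)
      handle_error "Somehow ip_mon was called without a start/stop argument."
      ;;
  esac
}

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     ditto but be verbose in local rc status
#      rc_status -v -r  ditto and clear the local rc status
#      rc_failed        set local and overall rc status to failed
#      rc_reset         clear local rc status (overall remains)
#      rc_exit          exit appropriate to overall rc status

# First reset status of this service
rc_reset

case "$1" in
  start)
    echo -n "Starting ipfilter"
    /sbin/modprobe ipfilter > /dev/null 2>&1 \
      || handle_error "Could not load ipfilter module"
    # Order matters: nodes, rules and logging are in place before
    # forwarding is switched on.
    make_nodes
    load_default_rulesets
    ip_mon "start"
    ip_forwarding "start"
    rc_status -v
    ;;
  stop)
    echo -n "Stopping ipfilter"
    # Reverse order: forwarding off first, then logging, then the module.
    # modprobe -r is not aborted on, as in the original; its status is
    # what rc_status reports.
    ip_forwarding "stop"
    ip_mon "stop"
    /sbin/modprobe -r ipfilter
    rc_status -v
    ;;
  restart)
    "$0" stop
    "$0" start
    rc_status
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
rc_exit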