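#!/bin/bash
#
# Startup script for nupyf
#
# chkconfig: 345 87 16
# description: nupyf is user filtering firewall.
# processname: nupyf
#
# Usage: nupyf start|stop|restart|reload|nonufw|panic|standard
#
# NOTE(review): the shebang was /bin/sh, but the script depends on bash-only
# features (the ERR trap, `local`) and /etc/rc.d/init.d/functions is itself a
# bash library, so bash is now named explicitly.
#
# Every rules file referenced below is sourced (`.`) into this shell, i.e. run
# as root with the same privileges as iptables.  They are code as much as
# configuration: they must be owned by root and not writable by anyone else.

# Source function library.
. /etc/rc.d/init.d/functions

ipt="/sbin/iptables"
iptsave="/sbin/iptables-save"
iptrestore="/sbin/iptables-restore"
nupyf="/usr/bin/nupyf"

BASEDIR=/etc/nuface
LOCAL_RULES=$BASEDIR/local_rules
LOCAL_RULES_D=$BASEDIR/local_rules.d
LOCAL_NAT_RULES=$BASEDIR/nat
#FWD_RULES=$BASEDIR/dyn/fwd_rules
STOP_RULES=$BASEDIR/stop_rules
NONUFW_RULES=$BASEDIR/dyn/nonufw_rules
# snapshot of the ruleset that was active before a reload; restored on error
BACKUP_FILE=/var/lib/nuface/backups/firewall_good_conf
MANGLE_RULES_PRE=$BASEDIR/pre-mangle
MANGLE_RULES_POST=$BASEDIR/post-mangle
MANGLE_RULES_DYN=$BASEDIR/dyn/vpn_rules

# generated rule sets: one directory for the nufw-aware ruleset, one for the
# "classical" ruleset used by nonufw/panic/standard
NUFW_RULES_DIR=$BASEDIR/dyn/nufw
STD_RULES_DIR=$BASEDIR/dyn/standard
DISPATCH_RULES=dispatch_rules
FWD_RULES=forward_rules
INPUT_RULES=input_rules
OUTPUT_RULES=output_rules
NAT_RULES=nat_rules

LDAP_DATA=/etc/nuface/dyn/ldap_objects
NUPYF_CONF=/etc/nuface/desc/nupyf.conf
LOCK_FILE=/var/lock/subsys/nupyf

# are theses rules managed by nuface or not?
MANAGE_INPUT=1
MANAGE_OUTPUT=1
MANAGE_NAT=1

#######################################
# Abort unless a generated rules file exists.
# Arguments: $1 - path of the rules file
# Returns:   exits with status 1 when the file is missing
#######################################
require_file() {
  if [ ! -f "$1" ]; then
    echo "Sorry. Can't find file ${1}"
    exit 1
  fi
}

# test generated files rules
for dir in "$NUFW_RULES_DIR" "$STD_RULES_DIR"; do
  require_file "$dir/$DISPATCH_RULES"
  require_file "$dir/$FWD_RULES"
  if [ "$MANAGE_INPUT" = 1 ]; then
    require_file "$dir/$INPUT_RULES"
  fi
  if [ "$MANAGE_OUTPUT" = 1 ]; then
    require_file "$dir/$OUTPUT_RULES"
  fi
  if [ "$MANAGE_NAT" = 1 ]; then
    require_file "$dir/$NAT_RULES"
  fi
done

#if [ ! -f $NONUFW_RULES ]; then
#	echo "Sorry. Can't find file ${NONUFW_RULES}"
#	exit -1
#fi

#######################################
# ERR-trap handler: put the previously saved ruleset back, drop the lock and
# exit.  Runs while `set -e` is active, so the restore is guarded to make sure
# the lock is always removed.
# Globals:   BACKUP_FILE, LOCK_FILE, iptrestore (read)
# Returns:   exits with status 1
#######################################
reload_good_conf() {
  echo "A problem occured, reloading old config"
  if ! "$iptrestore" < "$BACKUP_FILE"; then
    echo "Restoring ${BACKUP_FILE} failed" >&2
  fi
  /bin/rm -f -- "$LOCK_FILE"
  exit 1
}

#######################################
# Source a file if it exists (currently unused, kept for local rules files).
# Arguments: $1 - path to source
#######################################
try_run() {
  if [ -f "$1" ]; then
    . "$1"
  fi
}

#######################################
# Flush and delete every chain in the filter, nat and mangle tables.
# Globals:   ipt (read)
#######################################
reset_chains() {
  "$ipt" -F
  "$ipt" -X
  "$ipt" -t nat -F
  "$ipt" -t nat -X
  "$ipt" -t mangle -F
  "$ipt" -t mangle -X
}

#######################################
# Load the mangle rules: pre and post are both required, the dynamic (vpn)
# file is optional.
# Globals:   MANGLE_RULES_PRE, MANGLE_RULES_POST, MANGLE_RULES_DYN (read)
#######################################
load_mangle() {
  if [ -f "$MANGLE_RULES_PRE" ] && [ -f "$MANGLE_RULES_POST" ]; then
    . "$MANGLE_RULES_PRE"
    . "$MANGLE_RULES_POST"
    if [ -f "$MANGLE_RULES_DYN" ]; then
      . "$MANGLE_RULES_DYN"
    fi
  fi
}

#######################################
# Load rules generated by nuface.
# Arguments: $1 - directory where rules files has been written
# Globals:   MANAGE_INPUT, MANAGE_OUTPUT, MANAGE_NAT and the *_RULES names (read)
#######################################
load_dyn_rules() {
  local dir=$1
  echo " o Dispatch Rules"
  . "$dir/$DISPATCH_RULES"
  if [ "$MANAGE_INPUT" = 1 ]; then
    echo ' o Input Rules'
    . "$dir/$INPUT_RULES"
  fi
  if [ "$MANAGE_OUTPUT" = 1 ]; then
    echo " o Output Rules"
    . "$dir/$OUTPUT_RULES"
  fi
  echo " o Forward Rules"
  . "$dir/$FWD_RULES"
  if [ "$MANAGE_NAT" = 1 ]; then
    echo " o Nat Rules"
    . "$dir/$NAT_RULES"
  fi
}

#######################################
# Load local rules: the single file first, then every *.rules file in the
# drop-in directory (the glob is left unmatched-safe by the -f test).
# Globals:   LOCAL_RULES, LOCAL_RULES_D (read)
#######################################
load_local_rules() {
  local f
  if [ -f "$LOCAL_RULES" ]; then
    . "$LOCAL_RULES"
  fi
  if [ -d "$LOCAL_RULES_D" ]; then
    for f in "$LOCAL_RULES_D"/*.rules; do
      if [ -f "$f" ]; then
        . "$f"
      fi
    done
  fi
}

if [ -f "$LOCK_FILE" ]; then
  echo "Lock file ${LOCK_FILE} exists. Is script already running? If not, please delete lock by hand."
  exit 1
fi
# Create the lock with noclobber so two concurrent invocations cannot both
# pass the check above and then both `touch` the file.
if ! ( set -C; : > "$LOCK_FILE" ) 2>/dev/null; then
  echo "Cannot create lock file ${LOCK_FILE}" >&2
  exit 1
fi

case "$1" in
  start | restart | reload)
    echo "Saving current configuration as good"
    # Without a usable backup the ERR handler would "restore" an empty
    # ruleset, so refuse to touch the firewall if the save fails.
    if ! "$iptsave" > "$BACKUP_FILE"; then
      echo "Cannot save current configuration to ${BACKUP_FILE}" >&2
      /bin/rm -f -- "$LOCK_FILE"
      exit 1
    fi
    # any failing command from here on (including inside sourced rules files)
    # rolls back to the saved ruleset
    set -e
    trap reload_good_conf ERR
    reset_chains
    echo "Loading new firewall configuration"
    echo " o Local rules"
    load_local_rules
    load_dyn_rules "$NUFW_RULES_DIR"
    if [ -f "$LOCAL_NAT_RULES" ]; then
      . "$LOCAL_NAT_RULES"
    fi
    load_mangle
    if [ -f "$LDAP_DATA" ]; then
      echo "Merging ldap with nupyf"
      "$nupyf" --config "$NUPYF_CONF" --loadldap "$LDAP_DATA"
      rm -f -- "$LDAP_DATA"
    fi
    set +e
    trap - ERR
    ;;
  stop)
    echo "Loading stopped configuration"
    reset_chains
    echo " o Local rules"
    load_local_rules
    if [ "$MANAGE_INPUT" = 1 ] || [ "$MANAGE_OUTPUT" = 1 ]; then
      echo " o Dispatch Rules"
      . "$STD_RULES_DIR/$DISPATCH_RULES"
    fi
    if [ "$MANAGE_INPUT" = 1 ]; then
      echo " o Input Rules"
      . "$STD_RULES_DIR/$INPUT_RULES"
    fi
    # the original compared against the token "==1", which `[` rejects, so
    # the output rules were never loaded on stop
    if [ "$MANAGE_OUTPUT" = 1 ]; then
      echo " o Output Rules"
      . "$STD_RULES_DIR/$OUTPUT_RULES"
    fi
    if [ -f "$STOP_RULES" ]; then
      echo " o Stop Rules"
      . "$STOP_RULES"
    fi
    ;;
  nonufw | panic | standard)
    echo "Loading \"classical\" firewall configuration"
    if ! "$iptsave" > "$BACKUP_FILE"; then
      echo "Cannot save current configuration to ${BACKUP_FILE}" >&2
      /bin/rm -f -- "$LOCK_FILE"
      exit 1
    fi
    set -e
    trap reload_good_conf ERR
    reset_chains
    echo " o Local rules"
    load_local_rules
    load_dyn_rules "$STD_RULES_DIR"
    if [ -f "$LOCAL_NAT_RULES" ]; then
      . "$LOCAL_NAT_RULES"
    fi
    # the original left errexit switched on here (`set -e` instead of `set +e`)
    set +e
    trap - ERR
    ;;
  *)
    echo "Usage: $0 start|stop|restart|reload|nonufw|panic|standard"
    ;;
esac

/bin/rm -f -- "$LOCK_FILE"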