#!/bin/sh
#
# Startup script to implement /etc/sysconfig/ipchains pre-defined rules.
#
# chkconfig: - 08 92
#
# description: Automates a packet filtering firewall with ipchains.
#
# Script Author:	Joshua Jensen <joshua@redhat.com>
#   -- hacked up by gafton with help from notting
#
# config: /etc/sysconfig/ipchains

# Source 'em up
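. /etc/rc.d/init.d/functions

# Ruleset that "start" restores and "save" writes; lock file that tells
# the rc system the firewall has been brought up.
IPCHAINS_CONFIG=/etc/sysconfig/ipchains
IPCHAINS_LOCK=/var/lock/subsys/ipchains

# Nothing to do on a box without the ipchains userspace tool.
if [ ! -x /sbin/ipchains ]; then
    exit 0
fi

case "$1" in
  start)
	# Don't do squat if we don't have the config file.
	if [ -f "$IPCHAINS_CONFIG" ]; then
	    # If we don't clear these first, we might be adding to
	    # pre-existing rules.  From here until ipchains-restore
	    # finishes the chains are empty, so whatever built-in
	    # policies are currently set govern traffic in between.
	    action "Flushing all current rules and user defined chains:" ipchains -F
	    action "Clearing all current rules and user defined chains:" ipchains -X
	    ipchains -Z
	    echo -n "Applying ipchains firewall rules: "
	    # Comment lines are stripped so a hand-edited config does
	    # not trip up ipchains-restore; the pipeline's status is
	    # that of ipchains-restore.
	    if grep -v "^#" "$IPCHAINS_CONFIG" | ipchains-restore -p -f; then
		success "Applying ipchains firewall rules"
	    else
		failure "Applying ipchains firewall rules"
	    fi
	    echo
	    touch "$IPCHAINS_LOCK"
	fi
	;;

  stop)
	# Drop every rule, then open the built-in chains back up.
	action "Flushing all chains:" ipchains -F
	action "Removing user defined chains:" ipchains -X
	echo -n "Resetting built-in chains to the default ACCEPT policy:"
	if ipchains -P input ACCEPT && \
	   ipchains -P forward ACCEPT && \
	   ipchains -P output ACCEPT; then
	    success "Resetting built-in chains to the default ACCEPT policy"
	else
	    failure "Resetting built-in chains to the default ACCEPT policy"
	fi
	echo
	rm -f "$IPCHAINS_LOCK"
	;;

  restart)
	# "restart" is really just "start" as this isn't a daemon,
	#  and "start" clears any pre-defined rules anyway.
	#  This is really only here to make those who expect it happy
	"$0" start
	;;

  status)
	# Numeric listing of every chain (no DNS lookups).
	ipchains -nL
	;;

  panic)
	# The built-in policies are switched to DENY *before* the chains
	# are flushed, so there is no moment where the chains are empty
	# under a permissive policy.
	echo -n "Changing target policies to DENY: "
	if ipchains -P input DENY && \
	   ipchains -P forward DENY && \
	   ipchains -P output DENY; then
	    success "Changing target policies to DENY"
	else
	    failure "Changing target policies to DENY"
	fi
	echo
	action "Flushing all chains:" ipchains -F
	action "Removing user defined chains:" ipchains -X
	;;

  save)
	echo -n "Saving current rules to $IPCHAINS_CONFIG: "
	# Dump into a temporary file next to the config and move it into
	# place only on success, so a failing ipchains-save cannot
	# truncate the ruleset the next boot will restore.  The saved
	# ruleset describes this host's exposure, so keep it readable
	# by root only.
	tmpfile=
	if tmpfile=$(mktemp "$IPCHAINS_CONFIG.XXXXXX") && \
	   chmod 600 "$tmpfile" && \
	   ipchains-save > "$tmpfile" && \
	   mv -f "$tmpfile" "$IPCHAINS_CONFIG"; then
	    success "Saving current rules to $IPCHAINS_CONFIG"
	else
	    failure "Saving current rules to $IPCHAINS_CONFIG"
	    [ -n "$tmpfile" ] && rm -f "$tmpfile"
	fi
	echo
	;;

  *)
	echo "Usage: $0 {start|stop|restart|status|panic|save}"
	exit 1
	;;
esac

exit 0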

