#!/bin/bash
#
# Startup script to implement /etc/sysconfig/ipchains pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with ipchains.
#
# Script Author:	Joshua Jensen 
#   -- hacked up by gafton with help from notting
#
# config: /etc/sysconfig/ipchains

# This is an interactive program, we need the current locale

# Pick up the system-wide locale settings when they are available.
if [[ -f /etc/profile.d/lang.sh ]]; then
    . /etc/profile.d/lang.sh
fi

# Japanese cannot be rendered on the plain Linux console at boot time,
# so on that terminal fall back to the C locale; other terminals keep $LANG.
if [[ "$LANG" == ja || "$LANG" == ja_JP.eucJP ]] && [[ "$TERM" == linux ]]; then
    LANG=C
fi

# Source 'em up
# Red Hat init helpers: action, success, failure.
. /etc/init.d/functions

# Saved rule set, in ipchains-save format, read by "start" and written by "save".
IPCHAINS_CONFIG=/etc/sysconfig/ipchains

# Without the ipchains userspace tool there is nothing this script can do.
[ -x /sbin/ipchains ] || exit 0

# Split "uname -r" into major and minor numbers (e.g. "2.4.18-3" -> 2 and 4).
kernel_release=$(uname -r)
KERNELMAJ=$(sed -e 's,\..*,,' <<<"$kernel_release")
KERNELMIN=$(sed -e 's,[^\.]*\.,,' -e 's,\..*,,' <<<"$kernel_release")

# ipchains is only usable on 2.2 or newer kernels; bail out quietly otherwise.
if [ "$KERNELMAJ" -lt 2 ]; then
	exit 0
fi
if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -lt 2 ]; then
	exit 0
fi

# On 2.4 kernels the ipchains interface (/proc/net/ip_fwchains) may need the
# ipchains module; load it only when there is a rule file to apply, and give
# up quietly if that fails.
if [ "$KERNELMAJ" -eq 2 ] && [ "$KERNELMIN" -eq 4 ]; then
	if [ ! -f /proc/net/ip_fwchains ] && [ -f "$IPCHAINS_CONFIG" ]; then
		modprobe ipchains >/dev/null 2>&1 || exit 0
	fi
fi

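# Dispatch on the init action given as $1.
# Globals: IPCHAINS_CONFIG (read; written by "save")
# Outputs: status lines via the action/success/failure helpers
# Returns: exits 0, or 1 on an unknown action
case "$1" in
  start)
	# Nothing to apply without the config file.
	if [ -f "$IPCHAINS_CONFIG" ]; then
		# Flush and delete whatever is loaded first, otherwise the saved
		# rules would be appended to pre-existing ones.
		action $"Flushing all current rules and user defined chains:" ipchains -F
		action $"Clearing all current rules and user defined chains:" ipchains -X
		ipchains -Z
		echo -n $"Applying ipchains firewall rules: "
		# Comment and blank lines are stripped before the file is fed to
		# ipchains-restore.
		if grep -v "^[[:space:]]*#" "$IPCHAINS_CONFIG" | grep -v '^[[:space:]]*$' | /sbin/ipchains-restore -p -f; then
			success $"Applying ipchains firewall rules"
		else
			failure $"Applying ipchains firewall rules"
		fi
		echo
		touch /var/lock/subsys/ipchains
	fi
	;;

  stop)
	action $"Flushing all chains:" ipchains -F
	action $"Removing user defined chains:" ipchains -X
	echo -n $"Resetting built-in chains to the default ACCEPT policy:"
	# After this the host does no packet filtering at all (empty chains,
	# ACCEPT policy); "panic" is the action that closes the host instead.
	if ipchains -P input ACCEPT && ipchains -P forward ACCEPT && ipchains -P output ACCEPT; then
		success $"Resetting built-in chains to the default ACCEPT policy"
	else
		failure $"Resetting built-in chains to the default ACCEPT policy"
	fi
	echo
	rm -f /var/lock/subsys/ipchains
	# Unload the 2.4 compatibility module; rmmod's own message is left
	# visible when no such module is loaded.
	rmmod ipchains
	;;

  restart)
	# "restart" is really just "start" as this isn't a daemon,
	#  and "start" clears any pre-defined rules anyway.
	#  This is really only here to make those who expect it happy
	"$0" start
	;;

  status)
	ipchains -nL
	;;

  panic)
	# Close the host: default policy DENY on every built-in chain, then
	# drop all rules so nothing is accepted anymore.
	echo -n $"Changing target policies to DENY: "
	if ipchains -P input DENY && ipchains -P forward DENY && ipchains -P output DENY; then
		success $"Changing target policies to DENY"
	else
		failure $"Changing target policies to DENY"
	fi
	echo
	action $"Flushing all chains:" ipchains -F
	action $"Removing user defined chains:" ipchains -X
	;;

  save)
	echo -n $"Saving current rules to $IPCHAINS_CONFIG: "
	# Write to a temporary file next to the config (mktemp creates it mode
	# 0600, and the rule set is kept unreadable to other users) and rename
	# it into place only after ipchains-save succeeded, so a failed save
	# can no longer truncate the previous rule set.
	tmp=$(mktemp "$IPCHAINS_CONFIG.XXXXXX" 2>/dev/null)
	if [ -n "$tmp" ] && /sbin/ipchains-save > "$tmp" 2>/dev/null \
	   && chmod 600 "$tmp" && mv -f -- "$tmp" "$IPCHAINS_CONFIG"; then
		success $"Saving current rules to $IPCHAINS_CONFIG"
	else
		[ -n "$tmp" ] && rm -f -- "$tmp"
		failure $"Saving current rules to $IPCHAINS_CONFIG"
	fi
	echo
	;;

  *)
	echo $"Usage: $0 {start|stop|restart|status|panic|save}"
	exit 1
	;;
esac

exit 0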