From 157a3fc396557f4bf40c6730c9df51d3c0803418 Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin
Date: Mon, 27 May 2013 22:36:39 +0200
Subject: [PATCH 9/9] Update executable path

---
 sbin/init.d/firewall | 75 +++++++++++++++++++++++++---------------------------
 sbin/init.d/monitor | 2 +-
 2 files changed, 37 insertions(+), 40 deletions(-)

diff --git a/sbin/init.d/firewall b/sbin/init.d/firewall
index b15866c..a9e2939 100755
--- a/sbin/init.d/firewall
+++ b/sbin/init.d/firewall
@@ -14,9 +14,6 @@ option nat boolean_option
 option conntrack option_conntrack
 option modprobe multiple_option
 
-IPTABLES=/sbin/iptables
-IPRESTORE=/sbin/iptables-restore
-
 conntrack_args=( )
 
 function do_help {
@@ -123,20 +120,20 @@ function flush_rules {
 
 # filter chain has a default policy set to DROP
 for chain in INPUT OUTPUT FORWARD; do
- $IPTABLES -t filter -P $chain DROP
+ /sbin/iptables -t filter -P $chain DROP
 done
 
 # flush all rules in all tables
 for table in mangle filter ${opt_stateful:+${opt_nat:+nat}}; do
- $IPTABLES -t $table -F
- $IPTABLES -t $table -X
+ /sbin/iptables -t $table -F
+ /sbin/iptables -t $table -X
 done
 
 # other chains have a default policy set to ACCEPT
 for table in mangle ${opt_stateful:+${opt_nat:+nat}}; do
- chains=$($IPTABLES -t $table -L | grep "^Chain " | cut -f2 -d' ')
+ chains=$(/sbin/iptables -t $table -L | grep "^Chain " | cut -f2 -d' ')
 for chain in $chains; do
- $IPTABLES -t $table -P $chain ACCEPT
+ /sbin/iptables -t $table -P $chain ACCEPT
 done
 done
 
@@ -162,7 +159,7 @@ function disable_forwarding {
 # system.
 function load_policy {
 [ -n "$1" ] || return 1
- if ! [ -r "$opt_confdir/$1" ] || ! $IPRESTORE < "$opt_confdir/$1"; then
+ if ! [ -r "$opt_confdir/$1" ] || ! /sbin/iptables-restore < "$opt_confdir/$1"; then
 flush_rules
 return 1
 fi
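Review bot: Every call site now spells out `/sbin/iptables` or `/sbin/iptables-restore` on its own, in this hunk and in the flush_rules, load_policy, block_on_error, do_start and do_block hunks below, so a future relocation of the binary means editing about thirty lines instead of one. Pinning an absolute path instead of trusting `$PATH` is the right choice for an init script, but it is just as safe behind a single definition, e.g. `readonly IPTABLES=/sbin/iptables` and `readonly IPRESTORE=/sbin/iptables-restore` in place of the two removed lines. With the path now fixed, a check before the first call, `[ -x /sbin/iptables ] || { echo "Firewall: /sbin/iptables not found" >&2; return 1; }`, would turn a missing binary into one clear error instead of a cascade of unchecked failures inside each loop.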
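Review bot: `load_policy` still passes `$1` straight into `"$opt_confdir/$1"` for both the readability test and the `/sbin/iptables-restore` input, so a policy name containing `/` or `..` selects a file outside `$opt_confdir`; whether such a name can reach this function depends on its callers, which are outside the hunk. A guard next to the existing empty-name check would close that regardless: `case "$1" in */*|.*) return 1 ;; esac`. Note also that a failed restore falls through to `flush_rules`, which (per the hunk above) leaves the filter policies at DROP with no rules, so the `return 1` is the only signal the caller gets that the host is now fully closed rather than running the requested policy; that is worth a sentence in the comment above the function.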
@@ -196,27 +193,27 @@ function block_on_error {
 echo "Firewall: CRITICAL! cannot load any policy file !"
 # we'll block external traffic and enable internal one in this case
 echo "Firewall: Changing policy to block external traffic..."
- $IPTABLES -t filter -P INPUT DROP
- $IPTABLES -t filter -P OUTPUT DROP
- $IPTABLES -t filter -P FORWARD DROP
- $IPTABLES -t filter -F
+ /sbin/iptables -t filter -P INPUT DROP
+ /sbin/iptables -t filter -P OUTPUT DROP
+ /sbin/iptables -t filter -P FORWARD DROP
+ /sbin/iptables -t filter -F
 
- $IPTABLES -t filter -A INPUT -i lo -j ACCEPT
- $IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
- [ -n "$opt_stateful" ] && $IPTABLES -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
- [ -n "$opt_stateful" ] && $IPTABLES -t filter -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+ /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
+ /sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT
+ [ -n "$opt_stateful" ] && /sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
+ [ -n "$opt_stateful" ] && /sbin/iptables -t filter -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
 
- $IPTABLES -t mangle -P PREROUTING ACCEPT
- $IPTABLES -t mangle -P INPUT ACCEPT
- $IPTABLES -t mangle -P FORWARD DROP
- $IPTABLES -t mangle -P POSTROUTING ACCEPT
- $IPTABLES -t mangle -P OUTPUT ACCEPT
- $IPTABLES -t mangle -F
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD DROP
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -F
 
- $IPTABLES -t mangle -A PREROUTING -i lo -j ACCEPT
- $IPTABLES -t mangle -A INPUT -i lo -j ACCEPT
- $IPTABLES -t mangle -A POSTROUTING -o lo -j ACCEPT
- $IPTABLES -t mangle -A OUTPUT -o lo -j ACCEPT
+ /sbin/iptables -t mangle -A PREROUTING -i lo -j ACCEPT
+ /sbin/iptables -t mangle -A INPUT -i lo -j ACCEPT
+ /sbin/iptables -t mangle -A POSTROUTING -o lo -j ACCEPT
+ /sbin/iptables -t mangle -A OUTPUT -o lo -j ACCEPT
 disable_forwarding
 echo
 echo "################################################################"
@@ -339,7 +336,7 @@ function do_start {
 # filter chain has a default policy set to ACCEPT if "no filter" is used
 echo -n "Firewall: setting default policy to ACCEPT... "
 for chain in INPUT OUTPUT FORWARD; do
- $IPTABLES -t filter -P $chain ACCEPT
+ /sbin/iptables -t filter -P $chain ACCEPT
 done
 echo "OK."
 if [ -n "$opt_forward" ]; then
@@ -451,17 +448,17 @@ function do_block {
 fi
 
 echo -n "Firewall: Changing policy to block all external traffic... "
- $IPTABLES -t filter -A INPUT -i lo -j ACCEPT
- $IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
- $IPTABLES -t mangle -P PREROUTING DROP
- $IPTABLES -t mangle -P INPUT DROP
- $IPTABLES -t mangle -P FORWARD DROP
- $IPTABLES -t mangle -P POSTROUTING DROP
- $IPTABLES -t mangle -P OUTPUT DROP
- $IPTABLES -t mangle -A PREROUTING -i lo -j ACCEPT
- $IPTABLES -t mangle -A INPUT -i lo -j ACCEPT
- $IPTABLES -t mangle -A POSTROUTING -o lo -j ACCEPT
- $IPTABLES -t mangle -A OUTPUT -o lo -j ACCEPT
+ /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
+ /sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT
+ /sbin/iptables -t mangle -P PREROUTING DROP
+ /sbin/iptables -t mangle -P INPUT DROP
+ /sbin/iptables -t mangle -P FORWARD DROP
+ /sbin/iptables -t mangle -P POSTROUTING DROP
+ /sbin/iptables -t mangle -P OUTPUT DROP
+ /sbin/iptables -t mangle -A PREROUTING -i lo -j ACCEPT
+ /sbin/iptables -t mangle -A INPUT -i lo -j ACCEPT
+ /sbin/iptables -t mangle -A POSTROUTING -o lo -j ACCEPT
+ /sbin/iptables -t mangle -A OUTPUT -o lo -j ACCEPT
 echo "OK."
 return 0
 }
diff --git a/sbin/init.d/monitor b/sbin/init.d/monitor
index 59cbb16..0942336 100755
--- a/sbin/init.d/monitor
+++ b/sbin/init.d/monitor
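Review bot: `do_block` prints `OK.` and returns 0 whatever the eleven `/sbin/iptables` calls above it returned, so if one of them fails (binary absent at the now fixed path, a kernel module that does not load) the caller is told the host is blocked when it is not. Tracking a status is a small change: `rc=0` before the first call, `|| rc=1` appended to each `/sbin/iptables` line, and `return "$rc"` in place of `return 0`, with the `OK.` echo made conditional on it. The policy and rule lines rewritten in block_on_error earlier in this diff are equally unchecked, though that function is already the last resort and reports nothing to a caller. The start of do_block lies outside the hunk.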
@@ -7,7 +7,7 @@ option check_interval standard_option 60
 option facility standard_option
 option try_restart boolean_option
 option html standard_option
-option bin reserved_option /opt/exosec/bin/monitor
+option bin reserved_option /usr/sbin/monitor
 option cmdline reserved_option \
 '$bin -p $pidfile ${opt_html:+--html $opt_html} ${opt_facility:+--syslog $opt_facility} ${opt_try_restart:+--restart}'
 option pidfile reserved_option /var/run/monitor.pid