From 157a3fc396557f4bf40c6730c9df51d3c0803418 Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin <bertrand@jacquin.bzh>
Date: Mon, 27 May 2013 22:36:39 +0200
Subject: [PATCH 9/9] Update executable path
---
sbin/init.d/firewall | 75 +++++++++++++++++++++++++---------------------------
sbin/init.d/monitor | 2 +-
2 files changed, 37 insertions(+), 40 deletions(-)
diff --git a/sbin/init.d/firewall b/sbin/init.d/firewall
index b15866c..a9e2939 100755
--- a/sbin/init.d/firewall
+++ b/sbin/init.d/firewall
@@ -14,9 +14,6 @@ option nat boolean_option
option conntrack option_conntrack
option modprobe multiple_option
-IPTABLES=/sbin/iptables
-IPRESTORE=/sbin/iptables-restore
-
conntrack_args=( )
function do_help {
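Review bot: Deleting `IPTABLES` and `IPRESTORE` leaves no single place that names the binaries, and any `$IPTABLES` reference that survived outside the hunks shown here would now expand to nothing and run its option list as a command, so a `grep -n 'IPTABLES\|IPRESTORE' sbin/init.d/firewall` is worth doing before merge. Pinning absolute paths is a sound goal for a root-run init script (it stops a PATH-injected iptables from being picked up), but that property is kept just as well by a read-only constant with one startup check, e.g. `readonly IPTABLES=/sbin/iptables` followed by `[ -x "$IPTABLES" ] || { echo "Firewall: $IPTABLES not found" >&2; exit 1; }`, and then a relocated or nftables-wrapper binary fails once and loudly instead of in some thirty scattered places. If the path is kept literal, a one-line comment next to the option block noting that `/sbin/iptables` is intentionally hard-coded would spare the next reader the hunt for a variable.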
@@ -123,20 +120,20 @@ function flush_rules {
# filter chain has a default policy set to DROP
for chain in INPUT OUTPUT FORWARD; do
- $IPTABLES -t filter -P $chain DROP
+ /sbin/iptables -t filter -P $chain DROP
done
# flush all rules in all tables
for table in mangle filter ${opt_stateful:+${opt_nat:+nat}}; do
- $IPTABLES -t $table -F
- $IPTABLES -t $table -X
+ /sbin/iptables -t $table -F
+ /sbin/iptables -t $table -X
done
# other chains have a default policy set to ACCEPT
for table in mangle ${opt_stateful:+${opt_nat:+nat}}; do
- chains=$($IPTABLES -t $table -L | grep "^Chain " | cut -f2 -d' ')
+ chains=$(/sbin/iptables -t $table -L | grep "^Chain " | cut -f2 -d' ')
for chain in $chains; do
- $IPTABLES -t $table -P $chain ACCEPT
+ /sbin/iptables -t $table -P $chain ACCEPT
done
done
@@ -162,7 +159,7 @@ function disable_forwarding {
# system.
function load_policy {
[ -n "$1" ] || return 1
- if ! [ -r "$opt_confdir/$1" ] || ! $IPRESTORE < "$opt_confdir/$1"; then
+ if ! [ -r "$opt_confdir/$1" ] || ! /sbin/iptables-restore < "$opt_confdir/$1"; then
flush_rules
return 1
fi
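Review bot: A missing or unreadable policy file and a failed `/sbin/iptables-restore` both collapse into the same silent `flush_rules; return 1`, so nothing in the log says which policy name failed or why, which is exactly what an operator needs when the box comes up with every filter chain at DROP. A single line before the flush, `echo "Firewall: cannot load policy '$opt_confdir/$1'" >&2`, keeps the fail-closed behaviour and makes the failure attributable. The rest of load_policy continues outside this hunk, so I cannot tell whether the caller reports the name itself.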
@@ -196,27 +193,27 @@ function block_on_error {
echo "Firewall: CRITICAL! cannot load any policy file !"
# we'll block external traffic and enable internal one in this case
echo "Firewall: Changing policy to block external traffic..."
- $IPTABLES -t filter -P INPUT DROP
- $IPTABLES -t filter -P OUTPUT DROP
- $IPTABLES -t filter -P FORWARD DROP
- $IPTABLES -t filter -F
+ /sbin/iptables -t filter -P INPUT DROP
+ /sbin/iptables -t filter -P OUTPUT DROP
+ /sbin/iptables -t filter -P FORWARD DROP
+ /sbin/iptables -t filter -F
- $IPTABLES -t filter -A INPUT -i lo -j ACCEPT
- $IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
- [ -n "$opt_stateful" ] && $IPTABLES -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
- [ -n "$opt_stateful" ] && $IPTABLES -t filter -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+ /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
+ /sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT
+ [ -n "$opt_stateful" ] && /sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
+ [ -n "$opt_stateful" ] && /sbin/iptables -t filter -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
- $IPTABLES -t mangle -P PREROUTING ACCEPT
- $IPTABLES -t mangle -P INPUT ACCEPT
- $IPTABLES -t mangle -P FORWARD DROP
- $IPTABLES -t mangle -P POSTROUTING ACCEPT
- $IPTABLES -t mangle -P OUTPUT ACCEPT
- $IPTABLES -t mangle -F
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD DROP
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -F
- $IPTABLES -t mangle -A PREROUTING -i lo -j ACCEPT
- $IPTABLES -t mangle -A INPUT -i lo -j ACCEPT
- $IPTABLES -t mangle -A POSTROUTING -o lo -j ACCEPT
- $IPTABLES -t mangle -A OUTPUT -o lo -j ACCEPT
+ /sbin/iptables -t mangle -A PREROUTING -i lo -j ACCEPT
+ /sbin/iptables -t mangle -A INPUT -i lo -j ACCEPT
+ /sbin/iptables -t mangle -A POSTROUTING -o lo -j ACCEPT
+ /sbin/iptables -t mangle -A OUTPUT -o lo -j ACCEPT
disable_forwarding
echo
echo "################################################################"
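Review bot: This fallback prints "Changing policy to block external traffic..." and then the CRITICAL banner regardless of whether any of the `/sbin/iptables` calls in between succeeded; with the path now hard-coded, a binary that is absent or lives elsewhere makes every call fail with "command not found" while the console still reports the host as blocked. Since this is the last-resort path, it should at least refuse to claim success when the tool is missing, e.g. at the top of the function `[ -x /sbin/iptables ] || { echo "Firewall: /sbin/iptables missing, cannot block traffic" >&2; return 1; }`, and ideally the individual calls should be checked so that a partial application is reported rather than hidden. block_on_error begins before this hunk and its return value is set outside it, so I have assumed the caller relies on the printed messages.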
@@ -339,7 +336,7 @@ function do_start {
# filter chain has a default policy set to ACCEPT if "no filter" is used
echo -n "Firewall: setting default policy to ACCEPT... "
for chain in INPUT OUTPUT FORWARD; do
- $IPTABLES -t filter -P $chain ACCEPT
+ /sbin/iptables -t filter -P $chain ACCEPT
done
echo "OK."
if [ -n "$opt_forward" ]; then
@@ -451,17 +448,17 @@ function do_block {
fi
echo -n "Firewall: Changing policy to block all external traffic... "
- $IPTABLES -t filter -A INPUT -i lo -j ACCEPT
- $IPTABLES -t filter -A OUTPUT -o lo -j ACCEPT
- $IPTABLES -t mangle -P PREROUTING DROP
- $IPTABLES -t mangle -P INPUT DROP
- $IPTABLES -t mangle -P FORWARD DROP
- $IPTABLES -t mangle -P POSTROUTING DROP
- $IPTABLES -t mangle -P OUTPUT DROP
- $IPTABLES -t mangle -A PREROUTING -i lo -j ACCEPT
- $IPTABLES -t mangle -A INPUT -i lo -j ACCEPT
- $IPTABLES -t mangle -A POSTROUTING -o lo -j ACCEPT
- $IPTABLES -t mangle -A OUTPUT -o lo -j ACCEPT
+ /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
+ /sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT
+ /sbin/iptables -t mangle -P PREROUTING DROP
+ /sbin/iptables -t mangle -P INPUT DROP
+ /sbin/iptables -t mangle -P FORWARD DROP
+ /sbin/iptables -t mangle -P POSTROUTING DROP
+ /sbin/iptables -t mangle -P OUTPUT DROP
+ /sbin/iptables -t mangle -A PREROUTING -i lo -j ACCEPT
+ /sbin/iptables -t mangle -A INPUT -i lo -j ACCEPT
+ /sbin/iptables -t mangle -A POSTROUTING -o lo -j ACCEPT
+ /sbin/iptables -t mangle -A OUTPUT -o lo -j ACCEPT
echo "OK."
return 0
}
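Review bot: The mangle chain policies are switched to DROP before the loopback ACCEPT rules are appended, so between `/sbin/iptables -t mangle -P PREROUTING DROP` and `/sbin/iptables -t mangle -A PREROUTING -i lo -j ACCEPT` local traffic on lo is briefly dropped; moving the four `-A ... -i lo` / `-o lo` mangle rules above the five `-P ... DROP` lines removes that window without changing the end state. This function also appends `-A INPUT -i lo -j ACCEPT` to the filter table but no filter policy is set in this hunk; do_block starts before the hunk, so I assume the filter policies are handled there.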
diff --git a/sbin/init.d/monitor b/sbin/init.d/monitor
index 59cbb16..0942336 100755
--- a/sbin/init.d/monitor
+++ b/sbin/init.d/monitor
@@ -7,7 +7,7 @@ option check_interval standard_option 60
option facility standard_option
option try_restart boolean_option
option html standard_option
-option bin reserved_option /opt/exosec/bin/monitor
+option bin reserved_option /usr/sbin/monitor
option cmdline reserved_option \
'$bin -p $pidfile ${opt_html:+--html $opt_html} ${opt_facility:+--syslog $opt_facility} ${opt_try_restart:+--restart}'
option pidfile reserved_option /var/run/monitor.pid