
stop is now the idiom to remove rules.

Laurent HUBERT 10 месяцев назад
Родитель
Сommit
6b4bbe73d4
2 измененных файлов с 37 добавлено и 30 удалено
  1. 36 29
      scripts/lfirewall
  2. 1 1
      systemd/lfirewall.service

+ 36 - 29
scripts/lfirewall

@@ -28,15 +28,16 @@ cat <<-EOF
 
 	COMMANDS
 
-		start : starts the firewall
-		clear : stops the firewall (removes all IPTABLES rules and let all connections work)
-		stop  : stops all network connections (USE with CAUTION)
-		test	: tests the existing rules for 30 seconds
-		saveuser: backup of the user (custom) rules
+		start		: starts the firewall
+		stop		: stops the firewall (removes rules set by this script)
+		clear		: clears the firewall (removes all IPTABLES rules and let all connections work)
+		dropall 	: drops all network connections (USE with CAUTION)
+		test		: tests the existing rules for 30 seconds
+		saveuser	: backup of the user (custom) rules
 
 	OPTIONS
 		-v --verbose	: verbose mode
-		-h --help			: display this help message
+		-h --help		: display this help message
 		-l --logging	: enables logging (prefix: iptables-logging)
 
 	BACKING UP USER RULES
@@ -48,8 +49,8 @@ cat <<-EOF
 			$(basename ${0}) saveuser
 
 	AUTHOR
-		Original author: Nicolargo
-		Modified by: Laurent Hubert
+		Author: Laurent Hubert
+		Idea by: Nicolargo
 EOF
 }
 
@@ -336,10 +337,6 @@ fw_execute () {
 	#**************************************************************************#
 	# See http://rockdio.org/ayudatech/how-to-stop-small-ddos-attacks-some-basic-security-advice/
 	#
-	#$IP_TABLES -I $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --set
-	#$IP_TABLES -I $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
-	#$IP_TABLES -I $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
-	#$IP_TABLES -I $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
 	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --set
 	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 80 -i $NETWORK_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 20 -j DROP
 	$do_action $IPTABLES_INSERT $IT_INPUT -p tcp --dport 443 -i $NETWORK_IF -m state --state NEW -m recent --set
@@ -366,6 +363,7 @@ fw_network_protection(){
 		echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
 		echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
 		echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+		echo "Firewall network protection enhancement set"
 	fi
 }
 
@@ -407,8 +405,8 @@ fw_restore_user(){
 do_delete () {
 	the_action=$1
 	shift
-	if [[ ${verbose} -ge 1 ]] ; then
-		echo "Trying to delete:" $(translate_iptables_rule $IP_TABLES $the_action $*)
+	if [[ ${verbose} -gt 1 ]] ; then
+		$do_log "Trying to delete:" $(translate_iptables_rule $IP_TABLES $the_action $*)
 	fi
 	case $the_action in
 		__iptable_add_action)
@@ -419,7 +417,7 @@ do_delete () {
 		;;
 		__iptable_set_policy_action)
 			CHAIN_NAME="$1"
-			$do_log "DELETING: $IP_TABLES -P $CHAIN_NAME DROP" $*
+			$do_log "DELETING: $IP_TABLES -P $CHAIN_NAME DROP"
 			$IP_TABLES -P $CHAIN_NAME ACCEPT
 			return 0
 		;;
@@ -453,6 +451,20 @@ fw_stop () {
 	fi
 }
 
+
+##########################
+# Drop all connections
+##########################
+
+fw_dropall(){
+		do_this $IP_TABLES -F
+        do_this $IP_TABLES -t nat -F
+        do_this $IP_TABLES -t mangle -F
+        do_this $IP_TABLES -P $IT_INPUT DROP
+        do_this $IP_TABLES -P FORWARD DROP
+        do_this $IP_TABLES -P $IT_OUTPUT ACCEPT
+}
+
 ##########################
 # Clear the Firewall rules
 ##########################
@@ -460,9 +472,9 @@ fw_stop () {
 fw_clear () {
 	do_this $IP_TABLES -F
 	do_this $IP_TABLES -X
-	do_this $IPTABLES -P INPUT ACCEPT
-	do_this $IPTABLES -P FORWARD ACCEPT
-	do_this $IPTABLES -P OUTPUT ACCEPT
+	do_this $IP_TABLES -P INPUT ACCEPT
+	do_this $IP_TABLES -P FORWARD ACCEPT
+	do_this $IP_TABLES -P OUTPUT ACCEPT
 }
 
 ##########################
@@ -490,19 +502,20 @@ fw_restore () {
 fw_test () {
 	fw_save
 	sleep 30 && echo "Restore previous Firewall rules..." && fw_restore &
-	fw_clear
+	fw_stop
 	fw_execute do_exec
 }
 
+if [[ ${verbose} -gt 0 ]] ; then
+	do_log=log_action
+fi
 case "$1" in
 	start|restart)
-		if [ "${2:-}" = "-v" ] ; then
-			do_log=log_action
-		fi
 		echo -n "Starting firewall.."
 		fw_stop
 		fw_restore_user
 		fw_execute do_exec
+		echo "Firewall rules added"
 		fw_network_protection
 		echo "done."
 	;;
@@ -512,9 +525,6 @@ case "$1" in
 		echo "done."
 	;;
 	stop)
-		if [ "${2:-}" = "-v" ] ; then
-			do_log=log_action
-		fi
 		echo "###############################################################"
 		echo "I do not stop for now."
 		echo "Use 'clear' to remove all firewall blocking rules."
@@ -529,7 +539,7 @@ case "$1" in
 	;;
 	dropall)
 		echo -n "Droping all connections !!!"
-		fw_stop
+		fw_dropall
 		echo "done."
 	;;
 	test)
@@ -539,9 +549,6 @@ case "$1" in
 	;;
 	status)
 		global_status=0
-		if [ "${2:-}" = "-v" ] ; then
-			do_log=log_action
-		fi
 		# Start will not really start but exec the "check" action
 		fw_execute do_check
 		if [ 0 -eq "$global_status" ] ; then
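Review bot: The new `fw_dropall` (hunk at +451) flushes the filter, nat and mangle tables but, unlike `fw_clear` directly below it, never runs `$IP_TABLES -X`, so user-defined chains survive the reset; adding `do_this $IP_TABLES -X` after the three flushes keeps the two reset paths consistent. The body also mixes a tab indent on its first line with space indents on the remaining five, while the rest of the file uses tabs. Because an INPUT policy of DROP with no rules left also blocks replies to an already-established session, the header comment above the function should say so, e.g. `# Flush every table and set INPUT/FORWARD to DROP (OUTPUT stays ACCEPT) — this also cuts any remote session running this script.` A smaller point in the same hunk set: `do_delete` now logs only at `verbose -gt 1` (+405) while the top-level check at +502 enables `do_log` at `-gt 0`, so a plain `-v` run silently drops the "Trying to delete" lines unless that difference is intended.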

+ 1 - 1
systemd/lfirewall.service

@@ -8,7 +8,7 @@ After=local-fs.target
 [Service]
 Type=oneshot
 ExecStart=/sbin/lfirewall start
-ExecStop=/sbin/lfirewall clear
+ExecStop=/sbin/lfirewall stop
 ExecStartPost=/sbin/lfirewall status
 RemainAfterExit=yes
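Review bot: `ExecStop` now invokes `lfirewall stop`, but the visible `stop)` branch of the script in this commit still prints "I do not stop for now." and "Use 'clear' to remove all firewall blocking rules."; the branch continues outside the hunk, so I cannot tell whether it actually calls `fw_stop` afterwards. If it does not, `systemctl stop lfirewall` leaves the rules in place while the unit reports stopped; if it does, those two echo lines are stale and should be replaced with something like `echo "Removing rules set by this script..."`. Worth confirming in the script before relying on the unit's stop path.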