Added: local configuration file + rewritten iptables commands

etc/lfirewall.conf

@@ -1,3 +1,10 @@
+###############################################################################
+# Do not edit the lfirewall.conf directly                                     #
+# Instead copy it first and edit the lfirewall.conf.local                     #
+#                                                                             #
+# cp /etc/lfirewall/lfirewall.conf /etc/lfirewall/lfirewall.conf.local        #
+###############################################################################
+
 # Firewall configuration file
 # Uncomment the services you need there
 
@@ -16,6 +23,8 @@ ALLOW_IP_FORWARDING=0
 #################################
 
 # SSH
+SSH_PORT="22"
+
 TCP_SERVICES="22"
 
 # SAMBA

scripts/lfirewall

@@ -120,19 +120,26 @@ SSH_PORT="22"
 # Default IP_TABLES command path
 IP_TABLES="/sbin/iptables"
 
-CONFIGURATION_FILE=/etc/lfirewall/lfirewall.conf
+CONFIGURATION_DIR=/etc/lfirewall
+CONFIGURATION_FILE=${CONFIGURATION_DIR}/lfirewall.conf
+CONFIGURATION_LOCAL_FILE=${CONFIGURATION_DIR}/lfirewall.conf.local
 if [ -f $CONFIGURATION_FILE ] ; then
 	set +u
 	. $CONFIGURATION_FILE
 	set -u
 fi
+if [ -f $CONFIGURATION_LOCAL_FILE ] ; then
+	set +u
+	. $CONFIGURATION_LOCAL_FILE
+	set -u
+fi
 
 if ! [ -x $IP_TABLES ]; then
 	echo "$IP_TABLES is not executable or not present" >&2
 	exit 1
 fi
 
-if ! /usr/sbin/ifup --no-act $NETWORK_IF
+if ! /usr/sbin/ifup --no-act $NETWORK_IF > /dev/null 2>&1
 then
 	echo "Network interface '$NETWORK_IF' is not present or configured" >&2
 	exit 2
@@ -227,6 +234,16 @@ fw_start () {
 		$do_action $IPTABLES_ADD $IT_INPUT -p tcp --dport ${SSH_PORT}  -j ACCEPT
 	fi
 
+	# SSH
+	if [ ! -z "${SSH_PORT:-}" ] ; then
+	    $do_action $IPTABLES_ADD $IT_OUTPUT -t filter -p tcp --dport "$SSH_PORT" -j ACCEPT
+		$do_action $IPTABLES_ADD $IT_INPUT -t filter -p tcp --dport "$SSH_PORT" -j ACCEPT
+	else
+	    $do_action $IPTABLES_ADD $IT_OUTPUT -t filter -p tcp --dport "22" -j ACCEPT
+		$do_action $IPTABLES_ADD $IT_INPUT -t filter -p tcp --dport "22" -j ACCEPT
+	fi
+
+
 	#**************************************************************************#
 	# NGINX
 	#**************************************************************************#
@@ -305,8 +322,6 @@ fw_start () {
 	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
 	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
 
-	iptables -t filter -A $IT_OUTPUT -p tcp --dport 22 -j ACCEPT
-	iptables -t filter -A $IT_INPUT -p tcp --dport 22 -j ACCEPT
 }
 
 do_this(){
@@ -404,7 +419,7 @@ case "$1" in
 	status)
 		do_action=do_check
 		global_status=0
-		if [ "$2" = "-v" ] ; then
+		if [ "${2:-}" = "-v" ] ; then
 			do_log=log_action
 		fi
 		# Start will not really start but exec the "check" action