
Added: a mechanism to check if FW rules are set

Laurent HUBERT 7 лет назад
Родитель
Сommit
dd22745dd4
1 измененных файлов с 91 добавлено и 21 удалено
  1. 91 21
      scripts/lfirewall

+ 91 - 21
scripts/lfirewall

@@ -50,6 +50,59 @@ if ! [ -x $IP_TABLES ]; then
 	exit 0
 fi
 
+do_action=do_exec
+
+IPTABLES_CHECK=__iptables_check_action
+IPTABLES_ADD=__iptable_add_action
+IPTABLES_SET_POLICY=__iptable_set_policy_action
+
+do_exec () {
+	case $1 in
+		__iptable_add_action)
+			shift
+			iptables_option=-A
+		;;
+		__iptable_set_policy_action)
+			shift
+			iptables_option=-P
+		;;
+		*)
+			echo "Nothing to be done for $1"
+		;;
+	esac
+	$IP_TABLES $iptables_option $*	
+}
+
+do_check () {
+	the_action=$1
+	shift
+	case $the_action in
+		__iptable_add_action)
+			iptables_option=-A
+		;;
+		__iptable_set_policy_action)
+			return 0
+		;;
+		*)
+			echo "Nothing to be done for $1"
+		;;
+	esac
+	default_option=-C
+	$do_log "$the_action:" $IP_TABLES -C $*
+	$IP_TABLES -C $*
+	global_status=$((global_status+$?))
+}
+
+log_action () {
+	echo $*
+}
+
+do_not_log_action () {
+	return 0
+}
+
+do_log=do_not_log_action
+
 ##########################
 # Start the Firewall rules
 ##########################
@@ -60,73 +113,74 @@ fw_start () {
 	#**************************************************************************#
 
 	### Keep existing connections
-	$IP_TABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+	$do_action $IPTABLES_ADD INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 	# Services
 	if [ -n "$TCP_SERVICES" ] ; then
 		for PORT in $TCP_SERVICES; do
-			$IP_TABLES -A INPUT -p tcp --dport ${PORT} -j ACCEPT
+			$do_action $IPTABLES_ADD INPUT -p tcp --dport ${PORT} -j ACCEPT
 		done
 	fi
 	if [ -n "$UDP_SERVICES" ] ; then
 		for PORT in $UDP_SERVICES; do
-			$IP_TABLES -A INPUT -p udp --dport ${PORT} -j ACCEPT
+			$do_action $IPTABLES_ADD INPUT -p udp --dport ${PORT} -j ACCEPT
 		done
 	fi
 	# Remote management
 	if [ -n "$NETWORK_MGMT" ] ; then
-		$IP_TABLES -A INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
+		$do_action $IPTABLES_ADD INPUT -p tcp --src ${NETWORK_MGMT} --dport ${SSH_PORT} -j ACCEPT
 	else
-		$IP_TABLES -A INPUT -p tcp --dport ${SSH_PORT}  -j ACCEPT
+		$do_action $IPTABLES_ADD INPUT -p tcp --dport ${SSH_PORT}  -j ACCEPT
 	fi
 
 	#**************************************************************************#
 	# NGINX
 	#**************************************************************************#
-	$IP_TABLES -A INPUT -i lo -s localhost -d localhost -j ACCEPT
-	$IP_TABLES -A OUTPUT -o lo -s localhost -d localhost -j ACCEPT
-	$IP_TABLES -A INPUT  -p tcp --dport http -j ACCEPT
-        $IP_TABLES -A INPUT  -p tcp --dport https -j ACCEPT
+	$do_action $IPTABLES_ADD INPUT -i lo -s localhost -d localhost -j ACCEPT
+	$do_action $IPTABLES_ADD OUTPUT -o lo -s localhost -d localhost -j ACCEPT
+	$do_action $IPTABLES_ADD INPUT  -p tcp --dport http -j ACCEPT
+        $do_action $IPTABLES_ADD INPUT  -p tcp --dport https -j ACCEPT
 
 
 	# Remote testing
 	### Allows PING
-	$IP_TABLES -A INPUT -p icmp -j ACCEPT
+	$do_action $IPTABLES_ADD INPUT -p icmp -j ACCEPT
+
 	### Allows LOOPBACK
-	$IP_TABLES -A INPUT -i lo -j ACCEPT
+	$do_action $IPTABLES_ADD INPUT -i lo -j ACCEPT
 
 	$IP_TABLES -P INPUT DROP
-	$IP_TABLES -A INPUT -j LOG
+	$do_action $IPTABLES_ADD INPUT -j LOG
 
 	#**************************************************************************#
 	# Output:
 	#**************************************************************************#
 	### Allows LOOPBACK
-	$IP_TABLES -A OUTPUT -j ACCEPT -o lo
+	$do_action $IPTABLES_ADD OUTPUT -j ACCEPT -o lo
 
 	###
-	$IP_TABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+	$do_action $IPTABLES_ADD OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 	# ICMP is permitted:
 	### Allows ping:
-	$IP_TABLES -A OUTPUT -p icmp -j ACCEPT
+	$do_action $IPTABLES_ADD OUTPUT -p icmp -j ACCEPT
 
 	# As well as the services we have defined:
 	if [ -n "$REMOTE_TCP_SERVICES" ] ; then
 		for PORT in $REMOTE_TCP_SERVICES; do
-			$IP_TABLES -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
+			$do_action $IPTABLES_ADD OUTPUT -p tcp --dport ${PORT} -j ACCEPT
 		done
 	fi
 	if [ -n "$REMOTE_UDP_SERVICES" ] ; then
 		for PORT in $REMOTE_UDP_SERVICES; do
-			$IP_TABLES -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
+			$do_action $IPTABLES_ADD OUTPUT -p udp --dport ${PORT} -j ACCEPT
 		done
 	fi
 	# All other connections are registered in syslog
-	$IP_TABLES -A OUTPUT -j LOG
-	$IP_TABLES -A OUTPUT -j REJECT
-	$IP_TABLES -P OUTPUT DROP
+	$do_action $IPTABLES_ADD OUTPUT -j LOG
+	$do_action $IPTABLES_ADD OUTPUT -j REJECT
+	$do_action $IPTABLES_SET_POLICY OUTPUT DROP
 
-	$IP_TABLES -A FORWARD -j LOG
+	$do_action $IPTABLES_ADD FORWARD -j LOG
 
 	#**************************************************************************#
 	# DOS attack protection
@@ -231,6 +285,22 @@ case "$1" in
 		fw_test
 		echo -n "Previous configuration will be restore in 30 seconds"
 	;;
+	status)
+		do_action=do_check
+		global_status=0
+		if [[ "$2" = "-v" ]] ; then
+			do_log=log_action
+		fi
+		# Start will not really start but exec the "check" action
+		fw_start
+		if [[ 0 -eq "$global_status" ]] ; then
+			echo "Firewall rules match configuration"
+			exit 0
+		else
+			echo "Some firewall rules are not set correctly"
+			exit $global_status
+		fi
+	;;
 	*)
 		echo "Usage: $0 {start|dropall|stop|restart|clear|test}"
 		echo "###############################################################"
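Review bot: `lfirewall status` is not read-only: the line `$IP_TABLES -P INPUT DROP` in fw_start is the only iptables call left outside `$do_action`, so it still executes in check mode and silently resets the INPUT chain policy, while at the same time the `__iptable_set_policy_action` arm of `do_check` does `return 0` without looking, so the default-deny policy — the most security-relevant part of this ruleset — is never verified at all. Route the INPUT policy through the dispatcher the way OUTPUT already is, `$do_action $IPTABLES_SET_POLICY INPUT DROP`, and make the policy arm of `do_check` actually compare the chain policy (sketch below; `iptables -S CHAIN` prints it as `-P CHAIN TARGET` on the versions I know, so confirm against the target distribution). Two smaller points: `exit $global_status` is a count of failed checks and exit codes wrap modulo 256, so exactly 256 mismatches would report success — clamp it, `exit 1`; and `$*` in `do_exec`/`do_check` should be `"$@"` so a rule argument containing whitespace is not re-split before reaching iptables. fw_start begins and ends outside the hunk.
```shell
		__iptable_set_policy_action)
			# Verify the chain policy instead of passing unconditionally;
			# `iptables -S CHAIN` lists it as "-P CHAIN TARGET".
			$do_log "$the_action:" $IP_TABLES -S "$1"
			$IP_TABLES -S "$1" | grep -q -- "^-P $1 $2\$"
			global_status=$((global_status+$?))
			return 0
		;;
		# … unchanged: other case arms and the -C rule check …
```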