From 11ca1d159986122f9947e1a62aa577375f5e1338 Mon Sep 17 00:00:00 2001
From: Gregory Colpart
Date: Fri, 21 Oct 2011 02:10:24 +0200
Subject: [PATCH] Improve rocks-solid comportment of the firewall script !
---
 firewall.rc | 5 +++++
 minifirewall | 49 ++++++++++++++++++++++++++-----------------------
 2 files changed, 31 insertions(+), 23 deletions(-)
diff --git a/firewall.rc b/firewall.rc
index 5fc775f..d46e72d 100644
--- a/firewall.rc
+++ b/firewall.rc
@@ -77,3 +77,8 @@ NTPOK='0.0.0.0/0'
 # /sbin/iptables ....
 # /sbin/iptables ....
 # /sbin/iptables ....
+
+# allow HTTP/HTTPS IPv6 traffic
+/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 80 --match state --state ESTABLISHED,RELATED -j ACCEPT
+/sbin/ip6tables -A INPUT -i eth0 -p tcp --sport 443 --match state --state ESTABLISHED,RELATED -j ACCEPT
+
diff --git a/minifirewall b/minifirewall
index 1ecafda..6408661 100755
--- a/minifirewall
+++ b/minifirewall
@@ -1,4 +1,4 @@
-#!/bin/sh -e
+#!/bin/sh
 # minifirewall is shellscripts for easy firewalling on a standalone server
 # See http://git.evolix.org/?p=evolinux/minifirewall.git;a=summary
@@ -12,7 +12,7 @@
 # Script netfilter/iptables
 # http://netfilter.org/
 #
-# Designed for Linux kernel 2.4/2.6
+# Designed for Linux kernel 2.6
 # http://www.kernel.org/
 # Description
@@ -37,7 +37,6 @@
 DESC="minifirewall"
 NAME="minifirewall"
-
 ###
 # Configuration des variables
 ###
@@ -64,6 +63,10 @@ case "$1" in
 echo "Demarrage regles IPTables..."
+# Stop and warn if error!
+set -e
+trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." ' INT TERM EXIT
+
 # 1.Protections diverses
 # ne pas repondre aux ping broadcast 
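Review bot: The comment above the two added ip6tables lines says they "allow HTTP/HTTPS IPv6 traffic", but `--sport 80`/`--sport 443` combined with `--state ESTABLISHED,RELATED` on INPUT only accepts reply packets of connections this host opened as a client; it does not expose TCP 80/443 to inbound IPv6 clients, and an operator copying this template to publish a web service would be misled. Suggest `# allow replies to outgoing IPv6 HTTP/HTTPS connections (client side, not an inbound service)`. Two deployment caveats are worth a comment too: `--match state` on ip6tables needs IPv6 connection tracking in the kernel (presumably nf_conntrack_ipv6), and when it is absent ip6tables writes an error that this script treats as fatal when it sources the file, since any output from `/etc/firewall.rc` aborts the load; and the interface is hard-coded to `eth0`, so on a server whose IPv6 uplink is another interface both rules silently match nothing.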
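Review bot: Dropping `-e` from the shebang means everything before the `set -e` that the start branch now calls — the variable configuration block and, presumably, any other branch of the `case "$1" in` (stop/restart, outside this hunk) — runs without errexit, so a failed command there is no longer fatal. If that is intended, the header should say where error handling is enabled, e.g. `# NOTE: 'set -e' is only enabled while loading rules (see the start branch)`; otherwise keep a `set -e` near the top of the script. The move itself is sound: an option in the shebang is lost whenever the script is run as `sh minifirewall`, whereas a `set -e` in the body always applies.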
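Review bot: The INT/TERM handler added here only prints a message and never exits, so a SIGTERM delivered to the shell (from `kill` or a service manager) runs the handler and the script then continues loading the next rule, because a trapped signal does not terminate the shell unless the handler does; a Ctrl-C usually stops it only as a side effect of `set -e` seeing the killed iptables child's status. Split the two roles so the signals really terminate and the message is printed once on the way out: `trap 'echo "ERROR in minifirewall configuration (fix it now!) or script manipulation (fix yourself)." >&2' EXIT` followed by `trap 'exit 1' INT TERM` (the `exit` in the signal handler fires the EXIT trap). The message should also go to stderr as quoted: the script's other errors already use `>&2` and its stdout is progress text. Note that `set -e` does not abort on a failing command used as an `if`/`!` condition, so the explicit `exit 1` in the configfile checks further down remain necessary.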
@@ -114,16 +117,16 @@ $IPT -A LOG_ACCEPT -j ACCEPT
 configfile="/etc/firewall.rc"
 if ! test -f $configfile; then
- echo "$configfile does not exist" >&2
- exit 1
+ echo "$configfile does not exist" >&2
+ exit 1
 fi
 tmpfile=`mktemp`
 . $configfile 2>$tmpfile >&2
 if [ -s $tmpfile ]; then
- echo "$configfile returns standard or error output (see below). Stopping."
- cat $tmpfile
- exit 1
+ echo "$configfile returns standard or error output (see below). Stopping."
+ cat $tmpfile
+ exit 1
 fi
 rm $tmpfile
@@ -147,21 +150,6 @@ for x in $PRIVILEGIEDIPS
 # chain for restrictions (blacklist ips/ranges)
 $IPT -N NEEDRESTRICT
-# politique
-
-# par defaut rien ne rentre
-$IPT -P INPUT DROP
-$IPT6 -P INPUT DROP
-
-# par defaut rien ne transite (obsolete, notamment pour les VM)
-#echo 0 > /proc/sys/net/ipv4/ip_forward
-#$IPT -P FORWARD DROP
-#$IPT6 -P FORWARD DROP
-
-# par defaut tout peut sortir (sinon voir OUTPUTDROP)
-$IPT -P OUTPUT ACCEPT
-$IPT6 -P OUTPUT ACCEPT
-
 # On autorise tout sur l'interface loopback
 $IPT -A INPUT -i lo -j ACCEPT
 $IPT6 -A INPUT -i lo -j ACCEPT
@@ -296,7 +284,22 @@ for x in $NTPOK
 $IPT -A INPUT -p icmp -j ACCEPT
 $IPT6 -A INPUT -p icmpv6 -j ACCEPT
+# politique
+# par defaut rien ne rentre
+$IPT -P INPUT DROP
+$IPT6 -P INPUT DROP
+
+# par defaut rien ne transite (obsolete, notamment pour les VM)
+#echo 0 > /proc/sys/net/ipv4/ip_forward
+#$IPT -P FORWARD DROP
+#$IPT6 -P FORWARD DROP
+
+# par defaut tout peut sortir (sinon voir OUTPUTDROP)
+$IPT -P OUTPUT ACCEPT
+$IPT6 -P OUTPUT ACCEPT
+
+trap - INT TERM EXIT
 echo "Fin du chargement des regles... "
 ;;
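Review bot: Moving `$IPT -P INPUT DROP` / `$IPT6 -P INPUT DROP` to the very end changes the failure mode of the whole load: if any rule above fails under `set -e`, the EXIT trap prints its warning but the INPUT policy stays at whatever it was before the run (presumably ACCEPT after the flush) with only a partial ruleset in place, so the host is left fail-open instead of locked out. That is a defensible trade-off for remotely administered servers, but nothing in the hunk says so; the `# politique` comment should state it, e.g. `# politique: set last on purpose, so that an error above leaves the host reachable (fail-open) rather than DROP with no ACCEPT rules; the EXIT trap reports it`. It also means the old policy applies for the few seconds the rules are being loaded; where a console or another lockout-safe fallback is available, applying `-P INPUT DROP` right after the loopback and ESTABLISHED rules would close that window while keeping the same protection against a broken config. `trap - INT TERM EXIT` is correctly placed after the policy lines, so an exit in between is still reported.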