Shorewall restart on PPP link change

I’ve found great joy running a Shorewall firewall on a Linux box, but I came across a problem: when the PPP interface for an ADSL, WiMAX or VPN link goes up or down, Shorewall needs to be restarted to pick up the new IP address assignments. To solve this I’ve written a few scripts that make it all work nicely for South African users. The PPP hooks themselves only raise a flag; a cron job then performs the actual restart, so several up/down events in quick succession collapse into a single restart and the hooks return immediately.

First, put the following two scripts in the /usr/bin directory (or any directory of your choice):

/usr/bin/shorewall-flag-restart.sh (chmod u+x):

#!/bin/bash
set -e
set -u
RESTART_NEEDED=/var/lib/shorewall/shorewall-restartneeded
# noclobber: if another ip-up/ip-down event creates the flag between our
# test and our write, the redirection fails instead of truncating the file.
# Either way the flag ends up set, so that failure is deliberately ignored.
set -o noclobber
if [ ! -e "$RESTART_NEEDED" ]; then
    date > "$RESTART_NEEDED" 2>/dev/null || true
fi

/usr/bin/shorewall-check-restart.sh (chmod u+x):

#!/bin/bash

set -e
set -u

RESTART_NEEDED=/var/lib/shorewall/shorewall-restartneeded
RESTARTING=/var/lib/shorewall/shorewall-restarting
RESTARTED=/var/lib/shorewall/shorewall-restarted

# The restart-needed flag is put in place by the ip-up/ip-down scripts.  If
# it doesn't exist, or if it is older than the stamp this script writes when
# a restart begins (the change was already seen by that restart), there is
# nothing to do.  A restart that is already in progress is left alone.
if [ ! -r "$RESTART_NEEDED" ]; then
    exit 0
fi
if [ -r "$RESTARTING" ]; then
    exit 0
fi
if [ "$RESTARTED" -nt "$RESTART_NEEDED" ]; then
    rm -f "$RESTART_NEEDED"
    exit 0
fi

# Make a mutex: with noclobber the redirection fails instead of truncating
# an existing lock file, and set -e then exits the script, so two
# overlapping cron runs cannot both restart the firewall.
set -o noclobber
echo "$$: $(date)" >"$RESTARTING"

# Stamp the moment the restart begins.  The restart picks up the interface
# addresses as it runs, so a flag raised after this point must still trigger
# another restart; it compares newer than this stamp and is not discarded
# above.  (">|" overrides noclobber for this one file.)
date >| "$RESTARTED"

## Alternative: only remove $RESTART_NEEDED if the restart succeeds.
#if /sbin/shorewall restart >/dev/null 2>&1; then
#    rm -f $RESTARTING
#    rm -f $RESTART_NEEDED
#else
#    rm -f $RESTARTING
#fi

# Remove $RESTART_NEEDED before restarting, so that an up/down event that
# arrives during the restart raises it again and is handled next minute;
# if the restart itself fails, put the flag back so cron retries.
rm -f "$RESTART_NEEDED"
if /sbin/shorewall restart >/dev/null 2>&1; then
    rm -f "$RESTARTING"
else
    rm -f "$RESTARTING"
    logger -t shorewall-check-restart "shorewall restart failed, will retry in a minute"
    # If an event already re-raised the flag, noclobber makes this
    # redirection fail; that is fine, the flag is set either way.
    echo "$$: $(date)" >"$RESTART_NEEDED" 2>/dev/null || true
fi

Then symlink the shorewall-flag-restart.sh script into the /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/ directories so that a restart is flagged whenever a PPP interface goes up or down. Keep the link names free of dots (no .sh suffix): on Debian, /etc/ppp/ip-up and /etc/ppp/ip-down execute these directories with run-parts, which silently skips any file whose name contains characters other than letters, digits, hyphen and underscore.

ln -s /usr/bin/shorewall-flag-restart.sh /etc/ppp/ip-up.d/shorewall-flag-restart
ln -s /usr/bin/shorewall-flag-restart.sh /etc/ppp/ip-down.d/shorewall-flag-restart

Then schedule cron to check for the restart flag every minute:

/etc/cron.d/shorewall-restart:

MAILTO=root
*/1 * * * * root  [ -x /usr/bin/shorewall-check-restart.sh ] && /usr/bin/shorewall-check-restart.sh >/dev/null
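To see how the flag, lock and stamp files interact, here is an added example that is not part of the original post or its scripts: it re-implements the two scripts above as shell functions working in a scratch directory, stands in a stub for /sbin/shorewall restart (the stub, the scratch paths and the numeric return codes are assumptions made for this demo), and runs three scenarios: a single PPP event followed by two cron ticks, a restart that fails once, and a lock file left behind by a check run that died mid-restart.

```bash
#!/bin/bash
# Added example (not part of the original post): drives the flag/check
# protocol through three scenarios in a scratch directory, with a stub in
# place of "/sbin/shorewall restart" so it runs on any machine as any user.
# The scratch paths, the stub and the return codes are assumptions for the
# demo; the real scripts use /var/lib/shorewall and /sbin/shorewall.

STATE_DIR=$(mktemp -d)
trap 'rm -rf "$STATE_DIR"' EXIT
RESTART_NEEDED=$STATE_DIR/shorewall-restartneeded   # raised by ip-up/ip-down
RESTARTING=$STATE_DIR/shorewall-restarting          # mutex held during a restart
RESTARTED=$STATE_DIR/shorewall-restarted            # stamp: when the last restart began

# Stub for "shorewall restart"; FAKE_RESTART_RC selects success (0) or failure.
FAKE_RESTART_RC=0
fake_shorewall_restart() { return "$FAKE_RESTART_RC"; }

reset_state() { rm -f "$RESTART_NEEDED" "$RESTARTING" "$RESTARTED"; }

# What the PPP hook does: raise the flag (idempotent).
flag_restart() {
    [ -e "$RESTART_NEEDED" ] || date > "$RESTART_NEEDED"
}

# What the cron job does.  Exit status: 0 restart ran and succeeded,
# 1 nothing to do (or another restart in progress), 2 restart failed.
check_restart() {
    [ -e "$RESTART_NEEDED" ] || return 1
    [ -e "$RESTARTING" ] && return 1
    if [ "$RESTARTED" -nt "$RESTART_NEEDED" ]; then
        rm -f "$RESTART_NEEDED"
        return 1
    fi
    # Mutex: with noclobber the redirection fails instead of truncating an
    # existing lock file, so a concurrent run loses and backs off.
    ( set -o noclobber; echo "$$: $(date)" > "$RESTARTING" ) 2>/dev/null || return 1
    date > "$RESTARTED"          # the restart begins now; later flags must win
    rm -f "$RESTART_NEEDED"      # an event during the restart re-raises it
    if fake_shorewall_restart; then
        rm -f "$RESTARTING"
        return 0
    fi
    rm -f "$RESTARTING"
    flag_restart                 # failed: put the flag back, cron retries
    return 2
}

# Helpers: capture an exit status without tripping "set -e"; report the flag.
rc_of() { "$@" && echo 0 || echo $?; }
flag_state() { [ -e "$RESTART_NEEDED" ] && echo flag || echo noflag; }

# Scenario 1: one PPP event, two cron ticks -> exactly one restart.
scenario_single_event() {
    reset_state; FAKE_RESTART_RC=0
    flag_restart
    first=$(rc_of check_restart)
    second=$(rc_of check_restart)
    echo "$first $second"            # 0 1
}

# Scenario 2: the restart fails once; the flag is re-raised and the next
# tick succeeds.
scenario_failed_restart() {
    reset_state
    flag_restart
    FAKE_RESTART_RC=1
    first=$(rc_of check_restart)
    state=$(flag_state)
    FAKE_RESTART_RC=0
    second=$(rc_of check_restart)
    echo "$first $state $second"     # 2 flag 0
}

# Scenario 3: a lock file left behind by a check run that died mid-restart.
# The flag stays raised but every tick backs off: the firewall is never
# restarted until someone removes the stale lock by hand.
scenario_stale_lock() {
    reset_state; FAKE_RESTART_RC=0
    echo "99999: stale lock from a killed run" > "$RESTARTING"
    flag_restart
    echo "$(rc_of check_restart) $(flag_state)"   # 1 flag
}

# Run stand-alone to see the three outcomes.
printf 'single event   : %s\n' "$(scenario_single_event)"
printf 'failed restart : %s\n' "$(scenario_failed_restart)"
printf 'stale lock     : %s\n' "$(scenario_stale_lock)"
```

It touches nothing outside the temporary directory, so it can be run as an ordinary user. The third scenario is the gap to keep in mind with this design: a shorewall-restarting file left behind by a killed run blocks every later cron tick, and a flag raised in the meantime is never acted on until the lock is removed by hand. Taking the mutex with flock(1) on an open descriptor instead (exec 9>lockfile; flock -n 9 || exit 0) avoids that, because the kernel drops the lock when the holding process dies.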

These scripts were developed and tested on a Debian system. If anyone has any improvements or recommendations, I’d appreciate hearing from you.
