#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author: Joshua Jensen <joshua@redhat.com>
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/iptables
16 | ||
17 | # Source 'em up | |
18 | . /etc/rc.d/init.d/functions | |
19 | ||
20 | IPTABLES_CONFIG=/etc/sysconfig/iptables | |
21 | ||
22 | if [ ! -x /usr/sbin/iptables ]; then | |
23 | exit 0 | |
24 | fi | |
25 | ||
26 | KERNELMAJ=`uname -r | sed -e 's,\..*,,'` | |
27 | KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'` | |
28 | ||
29 | if [ "$KERNELMAJ" -lt 2 ] ; then | |
30 | exit 0 | |
31 | fi | |
32 | if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then | |
33 | exit 0 | |
34 | fi | |
35 | ||
36 | ||
37 | ||
38 | if /sbin/lsmod 2>/dev/null |grep -q ipchains ; then | |
39 | # Don't do both | |
40 | exit 0 | |
41 | fi | |
42 | ||
43 | iftable() { | |
44 | if fgrep -qsx $1 /proc/net/ip_tables_names; then | |
45 | iptables -t "$@" | |
46 | fi | |
47 | } | |
48 | ||
49 | start() { | |
50 | # don't do squat if we don't have the config file | |
51 | if [ -f $IPTABLES_CONFIG ]; then | |
52 | # If we don't clear these first, we might be adding to | |
53 | # pre-existing rules. | |
54 | chains=`cat /proc/net/ip_tables_names 2>/dev/null` | |
55 | show "Flushing all current rules and user defined chains:" | |
56 | let ret=0 | |
57 | for i in $chains; do iptables -t $i -F; let ret+=$?; done | |
58 | iptables -F | |
59 | let ret+=$? | |
60 | if [ $ret -eq 0 ]; then | |
61 | ok | |
62 | else | |
63 | fail | |
64 | fi | |
65 | show "Clearing all current rules and user defined chains:" | |
66 | let ret=0 | |
67 | for i in $chains; do iptables -t $i -X; let ret+=$?; done | |
68 | iptables -X | |
69 | let ret+=$? | |
70 | if [ $ret -eq 0 ]; then | |
71 | ok | |
72 | else | |
73 | fail | |
74 | fi | |
75 | ||
76 | for i in $chains; do iptables -t $i -Z; done | |
77 | ||
78 | show "Applying iptables firewall rules:" | |
79 | grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/iptables-restore -c && \ | |
80 | ok || \ | |
81 | fail | |
82 | touch /var/lock/subsys/iptables | |
83 | fi | |
84 | } | |
85 | ||
86 | stop() { | |
87 | chains=`cat /proc/net/ip_tables_names 2>/dev/null` | |
88 | show "Flushing all chains:" | |
89 | let ret=0 | |
90 | for i in $chains; do iptables -t $i -F; let ret+=$?; done | |
91 | iptables -F; let ret+=$? | |
92 | if [ $ret -eq 0 ]; then | |
93 | ok | |
94 | else | |
95 | fail | |
96 | fi | |
97 | ||
98 | show "Removing user defined chains:" | |
99 | let ret=0 | |
100 | for i in $chains; do iptables -t $i -X; let ret+=$?; done | |
101 | iptables -X; let ret+=$? | |
102 | if [ $ret -eq 0 ]; then | |
103 | ok | |
104 | else | |
105 | fail | |
106 | fi | |
107 | show "Resetting built-in chains to the default ACCEPT policy:" | |
108 | iftable filter -P INPUT ACCEPT && \ | |
109 | iftable filter -P OUTPUT ACCEPT && \ | |
110 | iftable filter -P FORWARD ACCEPT && \ | |
111 | iftable nat -P PREROUTING ACCEPT && \ | |
112 | iftable nat -P POSTROUTING ACCEPT && \ | |
113 | iftable nat -P OUTPUT ACCEPT && \ | |
114 | iftable mangle -P PREROUTING ACCEPT && \ | |
115 | iftable mangle -P OUTPUT ACCEPT && \ | |
116 | ok || \ | |
117 | fail | |
118 | rm -f /var/lock/subsys/iptables | |
119 | } | |
120 | ||
121 | case "$1" in | |
122 | start) | |
123 | start | |
124 | ;; | |
125 | ||
126 | stop) | |
127 | stop | |
128 | ;; | |
129 | ||
c631739a | 130 | restart|force-reload) |
99b23241 | 131 | # "restart" is really just "start" as this isn't a daemon, |
132 | # and "start" clears any pre-defined rules anyway. | |
133 | # This is really only here to make those who expect it happy | |
134 | start | |
135 | ;; | |
136 | ||
c631739a | 137 | # condrestart) |
138 | # [ -e /var/lock/subsys/iptables ] && start | |
139 | # ;; | |
99b23241 | 140 | |
141 | status) | |
142 | tables=`cat /proc/net/ip_tables_names 2>/dev/null` | |
143 | for table in $tables; do | |
144 | echo "Table: $table" | |
145 | iptables -t $table -n --list | |
146 | done | |
147 | ;; | |
148 | ||
149 | panic) | |
150 | show "Changing target policies to DROP: " | |
151 | iftable filter -P INPUT DROP && \ | |
152 | iftable filter -P FORWARD DROP && \ | |
153 | iftable filter -P OUTPUT DROP && \ | |
154 | iftable nat -P PREROUTING DROP && \ | |
155 | iftable nat -P POSTROUTING DROP && \ | |
156 | iftable nat -P OUTPUT DROP && \ | |
157 | iftable mangle -P PREROUTING DROP && \ | |
158 | iftable mangle -P OUTPUT DROP && \ | |
159 | ok "Changing target policies to DROP" || \ | |
160 | fail "Changing target policies to DROP" | |
161 | iftable filter -F INPUT && \ | |
162 | iftable filter -F FORWARD && \ | |
163 | iftable filter -F OUTPUT && \ | |
164 | iftable nat -F PREROUTING && \ | |
165 | iftable nat -F POSTROUTING && \ | |
166 | iftable nat -F OUTPUT && \ | |
167 | iftable mangle -F PREROUTING && \ | |
168 | iftable mangle -F OUTPUT && \ | |
169 | ok "Flushing all chains:" || \ | |
170 | fail "Flushing all chains:" | |
171 | iftable filter -X INPUT && \ | |
172 | iftable filter -X FORWARD && \ | |
173 | iftable filter -X OUTPUT && \ | |
174 | iftable nat -X PREROUTING && \ | |
175 | iftable nat -X POSTROUTING && \ | |
176 | iftable nat -X OUTPUT && \ | |
177 | iftable mangle -X PREROUTING && \ | |
178 | iftable mangle -X OUTPUT && \ | |
179 | ok "Removing user defined chains:" || \ | |
180 | fail "Removing user defined chains:" | |
181 | ;; | |
182 | ||
183 | save) | |
184 | show "Saving current rules to $IPTABLES_CONFIG: " | |
185 | touch $IPTABLES_CONFIG | |
186 | chmod 600 $IPTABLES_CONFIG | |
187 | /usr/sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && \ | |
188 | ok "Saving current rules to $IPTABLES_CONFIG" || \ | |
189 | fail "Saving current rules to $IPTABLES_CONFIG" | |
190 | ;; | |
191 | ||
192 | *) | |
c631739a | 193 | echo "Usage: $0 {start|stop|restart|force-reload|status|panic|save}" |
194 | exit 3 | |
99b23241 | 195 | esac |
196 | ||
197 | exit 0 | |
198 |