[packages/iptables.git] / iptables.init

#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author:	Joshua Jensen <joshua@redhat.com>
#   -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/iptables

# Source 'em up
. /etc/rc.d/init.d/functions

IPTABLES_CONFIG=/etc/sysconfig/iptables

if [ ! -x /usr/sbin/iptables ]; then
	exit 0
fi

KERNELMAJ=`uname -r | sed                   -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`

if [ "$KERNELMAJ" -lt 2 ] ; then
	exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
	exit 0
fi


if  /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
	# Don't do both
	exit 0
fi

iftable() {
	if fgrep -qsx $1 /proc/net/ip_tables_names; then
		iptables -t "$@"
	fi
}

start() {
	# don't do squat if we don't have the config file
	if [ -f $IPTABLES_CONFIG ]; then
	    # If we don't clear these first, we might be adding to
	    #  pre-existing rules.
	    chains=`cat /proc/net/ip_tables_names 2>/dev/null`
	    show "Flushing all current rules and user defined chains:"
	    let ret=0
            for i in $chains; do iptables -t $i -F; let ret+=$?; done
            iptables -F
            let ret+=$?
            if [ $ret -eq 0 ]; then
              ok
            else
              fail
            fi
            show "Clearing all current rules and user defined chains:"
            let ret=0
            for i in $chains; do iptables -t $i -X; let ret+=$?; done
            iptables -X
            let ret+=$?
            if [ $ret -eq 0 ]; then
              ok
            else
              fail
            fi

            for i in $chains; do iptables -t $i -Z; done

	    show "Applying iptables firewall rules:"
		grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/iptables-restore -c && \
		    ok || \
		    fail
	    touch /var/lock/subsys/iptables
	fi
}

stop() {
	chains=`cat /proc/net/ip_tables_names 2>/dev/null`
        show "Flushing all chains:"
        let ret=0
        for i in $chains; do iptables -t $i -F; let ret+=$?; done
        iptables -F; let ret+=$?
        if [ $ret -eq 0 ]; then
                ok
        else
                fail
        fi

        show "Removing user defined chains:"
        let ret=0
        for i in $chains; do iptables -t $i -X; let ret+=$?; done
        iptables -X; let ret+=$?
        if [ $ret -eq 0 ]; then
                ok
        else
                fail
        fi
        show "Resetting built-in chains to the default ACCEPT policy:"
	iftable filter -P INPUT ACCEPT && \
	   iftable filter -P OUTPUT ACCEPT && \
	   iftable filter -P FORWARD ACCEPT && \
	   iftable nat -P PREROUTING ACCEPT && \
	   iftable nat -P POSTROUTING ACCEPT && \
	   iftable nat -P OUTPUT ACCEPT && \
           iftable mangle -P PREROUTING ACCEPT && \
           iftable mangle -P OUTPUT ACCEPT && \
	   ok || \
	   fail
	rm -f /var/lock/subsys/iptables
}

case "$1" in
  start)
	start
	;;

  stop)
	stop
	;;

  restart|force-reload)
	# "restart" is really just "start" as this isn't a daemon,
	#  and "start" clears any pre-defined rules anyway.
	#  This is really only here to make those who expect it happy
	start
	;;

#  condrestart)
#	[ -e /var/lock/subsys/iptables ] && start
#	;;

  status)
	tables=`cat /proc/net/ip_tables_names 2>/dev/null`
	for table in $tables; do
		echo "Table: $table"
		iptables -t $table -n --list
	done
	;;

  panic)
	show "Changing target policies to DROP: "	
	iftable filter -P INPUT DROP && \
	    iftable filter -P FORWARD DROP && \
	    iftable filter -P OUTPUT DROP && \
	    iftable nat -P PREROUTING DROP && \
	    iftable nat -P POSTROUTING DROP && \
	    iftable nat -P OUTPUT DROP && \
	    iftable mangle -P PREROUTING DROP && \
	    iftable mangle -P OUTPUT DROP && \
	    ok "Changing target policies to DROP" || \
	    fail "Changing target policies to DROP"
        iftable filter -F INPUT && \
                iftable filter -F FORWARD && \
                iftable filter -F OUTPUT && \
                iftable nat -F PREROUTING && \
                iftable nat -F POSTROUTING && \
                iftable nat -F OUTPUT && \
                iftable mangle -F PREROUTING && \
                iftable mangle -F OUTPUT && \
                ok "Flushing all chains:" || \
                fail "Flushing all chains:"
        iftable filter -X INPUT && \
                iftable filter -X FORWARD && \
                iftable filter -X OUTPUT && \
                iftable nat -X PREROUTING && \
                iftable nat -X POSTROUTING && \
                iftable nat -X OUTPUT && \
                iftable mangle -X PREROUTING && \
                iftable mangle -X OUTPUT && \
                ok "Removing user defined chains:" || \
                fail "Removing user defined chains:"
        ;;

  save)
	show "Saving current rules to $IPTABLES_CONFIG: "
	touch $IPTABLES_CONFIG
	chmod 600 $IPTABLES_CONFIG
	/usr/sbin/iptables-save -c > $IPTABLES_CONFIG  2>/dev/null && \
	  ok "Saving current rules to $IPTABLES_CONFIG" || \
	  fail "Saving current rules to $IPTABLES_CONFIG"
	;;

  *)
	echo "Usage: $0 {start|stop|restart|force-reload|status|panic|save}"
	exit 3
esac

exit 0
Commit	Line	Data
99b23241	1	#!/bin/sh
	2	#
	3	# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
	4	#
	5	# chkconfig: 2345 08 92
	6	#
	7	# description: Automates a packet filtering firewall with iptables.
	8	#
	9	# by bero@redhat.com, based on the ipchains script:
	10	# Script Author: Joshua Jensen <joshua@redhat.com>
	11	# -- hacked up by gafton with help from notting
	12	# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
	13	# modified by Nils Philippsen <nils@redhat.de>
	14	#
	15	# config: /etc/sysconfig/iptables
	16
	17	# Source 'em up
	18	. /etc/rc.d/init.d/functions
	19
	20	IPTABLES_CONFIG=/etc/sysconfig/iptables
	21
	22	if [ ! -x /usr/sbin/iptables ]; then
	23	exit 0
	24	fi
	25
	26	KERNELMAJ=`uname -r \| sed -e 's,\..*,,'`
	27	KERNELMIN=`uname -r \| sed -e 's,[^\.]\.,,' -e 's,\..,,'`
	28
	29	if [ "$KERNELMAJ" -lt 2 ] ; then
	30	exit 0
	31	fi
	32	if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
	33	exit 0
	34	fi
	35
	36
	37
	38	if /sbin/lsmod 2>/dev/null \|grep -q ipchains ; then
	39	# Don't do both
	40	exit 0
	41	fi
	42
	43	iftable() {
	44	if fgrep -qsx $1 /proc/net/ip_tables_names; then
	45	iptables -t "$@"
	46	fi
	47	}
	48
	49	start() {
	50	# don't do squat if we don't have the config file
	51	if [ -f $IPTABLES_CONFIG ]; then
	52	# If we don't clear these first, we might be adding to
	53	# pre-existing rules.
	54	chains=`cat /proc/net/ip_tables_names 2>/dev/null`
	55	show "Flushing all current rules and user defined chains:"
	56	let ret=0
	57	for i in $chains; do iptables -t $i -F; let ret+=$?; done
	58	iptables -F
	59	let ret+=$?
	60	if [ $ret -eq 0 ]; then
	61	ok
	62	else
	63	fail
	64	fi
65	show "Clearing all current rules and user defined chains:"
66	let ret=0
67	for i in $chains; do iptables -t $i -X; let ret+=$?; done
68	iptables -X
69	let ret+=$?
70	if [ $ret -eq 0 ]; then
71	ok
72	else
73	fail
74	fi
75
76	for i in $chains; do iptables -t $i -Z; done
77
78	show "Applying iptables firewall rules:"
79	grep -v "^[[:space:]]#" $IPTABLES_CONFIG \| grep -v '^[[:space:]]$' \| /usr/sbin/iptables-restore -c && \
80	ok \|\| \
81	fail
82	touch /var/lock/subsys/iptables
83	fi
84	}
85
86	stop() {
87	chains=`cat /proc/net/ip_tables_names 2>/dev/null`
88	show "Flushing all chains:"
89	let ret=0
90	for i in $chains; do iptables -t $i -F; let ret+=$?; done
91	iptables -F; let ret+=$?
92	if [ $ret -eq 0 ]; then
93	ok
94	else
95	fail
96	fi
97
98	show "Removing user defined chains:"
99	let ret=0
100	for i in $chains; do iptables -t $i -X; let ret+=$?; done
101	iptables -X; let ret+=$?
102	if [ $ret -eq 0 ]; then
103	ok
104	else
105	fail
106	fi
107	show "Resetting built-in chains to the default ACCEPT policy:"
108	iftable filter -P INPUT ACCEPT && \
109	iftable filter -P OUTPUT ACCEPT && \
110	iftable filter -P FORWARD ACCEPT && \
111	iftable nat -P PREROUTING ACCEPT && \
112	iftable nat -P POSTROUTING ACCEPT && \
113	iftable nat -P OUTPUT ACCEPT && \
114	iftable mangle -P PREROUTING ACCEPT && \
115	iftable mangle -P OUTPUT ACCEPT && \
116	ok \|\| \
117	fail
118	rm -f /var/lock/subsys/iptables
119	}
120
121	case "$1" in
122	start)
123	start
124	;;
125
126	stop)
127	stop
128	;;
129
c631739a	130	restart\|force-reload)
99b23241	131	# "restart" is really just "start" as this isn't a daemon,
	132	# and "start" clears any pre-defined rules anyway.
	133	# This is really only here to make those who expect it happy
	134	start
	135	;;
	136
c631739a	137	# condrestart)
	138	# [ -e /var/lock/subsys/iptables ] && start
	139	# ;;
99b23241	140
	141	status)
	142	tables=`cat /proc/net/ip_tables_names 2>/dev/null`
	143	for table in $tables; do
	144	echo "Table: $table"
	145	iptables -t $table -n --list
	146	done
	147	;;
	148
	149	panic)
	150	show "Changing target policies to DROP: "
	151	iftable filter -P INPUT DROP && \
	152	iftable filter -P FORWARD DROP && \
	153	iftable filter -P OUTPUT DROP && \
	154	iftable nat -P PREROUTING DROP && \
	155	iftable nat -P POSTROUTING DROP && \
	156	iftable nat -P OUTPUT DROP && \
	157	iftable mangle -P PREROUTING DROP && \
	158	iftable mangle -P OUTPUT DROP && \
	159	ok "Changing target policies to DROP" \|\| \
	160	fail "Changing target policies to DROP"
	161	iftable filter -F INPUT && \
	162	iftable filter -F FORWARD && \
	163	iftable filter -F OUTPUT && \
	164	iftable nat -F PREROUTING && \
	165	iftable nat -F POSTROUTING && \
	166	iftable nat -F OUTPUT && \
	167	iftable mangle -F PREROUTING && \
	168	iftable mangle -F OUTPUT && \
	169	ok "Flushing all chains:" \|\| \
	170	fail "Flushing all chains:"
	171	iftable filter -X INPUT && \
	172	iftable filter -X FORWARD && \
	173	iftable filter -X OUTPUT && \
	174	iftable nat -X PREROUTING && \
	175	iftable nat -X POSTROUTING && \
	176	iftable nat -X OUTPUT && \
	177	iftable mangle -X PREROUTING && \
	178	iftable mangle -X OUTPUT && \
	179	ok "Removing user defined chains:" \|\| \
	180	fail "Removing user defined chains:"
	181	;;
	182
	183	save)
	184	show "Saving current rules to $IPTABLES_CONFIG: "
	185	touch $IPTABLES_CONFIG
	186	chmod 600 $IPTABLES_CONFIG
	187	/usr/sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && \
	188	ok "Saving current rules to $IPTABLES_CONFIG" \|\| \
	189	fail "Saving current rules to $IPTABLES_CONFIG"
	190	;;
	191
	192	*)
c631739a	193	echo "Usage: $0 {start\|stop\|restart\|force-reload\|status\|panic\|save}"
c631739a	194	exit 3
99b23241	195	esac
	196
	197	exit 0
	198