99b23241 | 1 | #!/bin/sh |
2 | # | |
3 | # Startup script to implement /etc/sysconfig/iptables pre-defined rules. | |
4 | # | |
5 | # chkconfig: 2345 08 92 | |
6 | # | |
7 | # description: Automates a packet filtering firewall with iptables. | |
8 | # | |
9 | # by bero@redhat.com, based on the ipchains script: | |
10 | # Script Author: Joshua Jensen <joshua@redhat.com> | |
11 | # -- hacked up by gafton with help from notting | |
12 | # modified by Anton Altaparmakov <aia21@cam.ac.uk>: | |
13 | # modified by Nils Philippsen <nils@redhat.de> | |
14 | # | |
15 | # config: /etc/sysconfig/iptables | |
16 | ||
# Saved ruleset that start/load feeds to iptables-restore and that save
# overwrites.  A missing file means "no firewall configured": start-type
# actions leave quietly with status 0 so boot is not held up, while every
# other action (stop, panic, status, ...) still runs.
IPTABLES_CONFIG=/etc/sysconfig/iptables
case "$1" in
start|restart|force-reload)
	[ -f "$IPTABLES_CONFIG" ] || exit 0
	;;
esac
25 | ||
99b23241 | 26 | # Source 'em up |
27 | . /etc/rc.d/init.d/functions | |
28 | ||
# iptables needs a 2.3+ kernel (kernelver comes from the sourced rc
# functions); on anything older there is simply nothing to do.
[ "$(kernelver)" -lt "002003000" ] && exit 0

# ipchains and iptables must not be driven side by side: if the ipchains
# module is already loaded, leave the packet filter to it.
/sbin/lsmod 2>/dev/null | grep -q ipchains && exit 0
37 | ||
# Tunables with their defaults; /etc/sysconfig/iptables-config, if it
# exists, is sourced afterwards and may override any of them.
IPTABLES_SAVE_ON_STOP="no"         # dump the live rules to $IPTABLES_CONFIG on stop
IPTABLES_SAVE_COUNTER="no"         # keep packet/byte counters across save/restore (-c)
IPTABLES_STATUS_NUMERIC="yes"      # status: -n, no DNS/service lookups
IPTABLES_STATUS_VERBOSE="no"       # status: --verbose
IPTABLES_STATUS_LINENUMBERS="yes"  # status: --line-numbers
if [ -f /etc/sysconfig/iptables-config ]; then
	. /etc/sysconfig/iptables-config
fi

# Option string handed to iptables-save/iptables-restore; empty or "-c".
_SAVEOPT=
if is_yes "$IPTABLES_SAVE_COUNTER"; then
	_SAVEOPT="-c"
fi
46 | ||
# A leading "--quiet" silences the rc-script reporting helpers (show/ok
# succeed silently, fail still returns 1) and is dropped so the real action
# ends up in $1 for the dispatch below.
case "$1" in
--quiet)
	shift
	show() { return 0; }
	ok() { return 0; }
	fail() { return 1; }
	;;
esac
53 | ||
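# iftable TABLE ARGS... — run "iptables -t TABLE ARGS..." only when TABLE is
# already loaded (listed in /proc/net/ip_tables_names), so callers can touch
# nat/mangle without pulling the modules in.  Returns 0 when the table is
# absent (nothing done), 1 for an empty table name, otherwise iptables'
# status.  The empty-name check matters: passed unquoted to grep as before,
# an empty $1 made the file name the pattern and grep blocked on stdin.
iftable() {
	[ -n "$1" ] || return 1
	if grep -Fqsx -- "$1" /proc/net/ip_tables_names; then
		iptables -t "$@"
	fi
}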
59 | ||
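# Load the ruleset from $IPTABLES_CONFIG.  No-op when the file is missing.
# Every table the kernel currently reports is flushed, zeroed and stripped
# of user chains first — not only the tables named in the config — so rules
# from a previous run cannot linger.  NOTE(review): between that flush and
# the iptables-restore call the host runs with empty chains under whatever
# policies were already set, and a restore that fails (bad line in the
# config) leaves it that way; the failure is only reported via fail, and the
# subsys lock is still created.
start() {
	[ -f "$IPTABLES_CONFIG" ] || return 0

	# $tables is a whitespace-separated list; word-splitting is intended.
	tables=$(cat /proc/net/ip_tables_names 2>/dev/null)

	show "Flushing all current rules and user defined chains"
	ret=0
	for t in $tables; do
		iptables -t "$t" -F
		ret=$((ret + $?))
	done
	if [ "$ret" -eq 0 ]; then
		ok
	else
		fail
	fi

	show "Clearing all current rules and user defined chains"
	ret=0
	for t in $tables; do
		iptables -t "$t" -X
		ret=$((ret + $?))
	done
	if [ "$ret" -eq 0 ]; then
		ok
	else
		fail
	fi

	# Zero the counters; a failure here is not worth reporting.
	for t in $tables; do
		iptables -t "$t" -Z
	done

	show "Applying iptables firewall rules"
	# Comment-only and blank lines are stripped before the restore.
	# $_SAVEOPT is deliberately unquoted: empty means "no option".
	if grep -v "^[[:space:]]*#" "$IPTABLES_CONFIG" | grep -v '^[[:space:]]*$' | \
	   /usr/sbin/iptables-restore $_SAVEOPT; then
		ok
	else
		fail
	fi
	touch /var/lock/subsys/iptables
}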
92 | ||
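# Turn the firewall off: flush every table the kernel reports, delete user
# chains, then put the built-in chains of filter/nat/mangle back to ACCEPT
# and drop the subsys lock.  Only those three tables' policies are touched;
# any other table listed in /proc/net/ip_tables_names keeps its policies.
stop() {
	# $tables is a whitespace-separated list; word-splitting is intended.
	tables=$(cat /proc/net/ip_tables_names 2>/dev/null)

	show "Flushing all chains"
	ret=0
	for t in $tables; do
		iptables -t "$t" -F
		ret=$((ret + $?))
	done
	if [ "$ret" -eq 0 ]; then
		ok
	else
		fail
	fi

	show "Removing user defined chains"
	ret=0
	for t in $tables; do
		iptables -t "$t" -X
		ret=$((ret + $?))
	done
	if [ "$ret" -eq 0 ]; then
		ok
	else
		fail
	fi

	show "Resetting built-in chains to the default ACCEPT policy"
	if iftable filter -P INPUT ACCEPT && \
	   iftable filter -P OUTPUT ACCEPT && \
	   iftable filter -P FORWARD ACCEPT && \
	   iftable nat -P PREROUTING ACCEPT && \
	   iftable nat -P POSTROUTING ACCEPT && \
	   iftable nat -P OUTPUT ACCEPT && \
	   iftable mangle -P PREROUTING ACCEPT && \
	   iftable mangle -P OUTPUT ACCEPT; then
		ok
	else
		fail
	fi
	rm -f /var/lock/subsys/iptables
}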
124 | ||
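# Dump the live ruleset into $IPTABLES_CONFIG.  The dump goes to a private
# (0600, umask 077) temp file next to the target and is renamed into place
# only after iptables-save succeeded: the previous version used
# "touch; chmod; > $IPTABLES_CONFIG", which truncated the config before
# iptables-save ran, so a failed save (and a stop with
# IPTABLES_SAVE_ON_STOP=yes) left an empty ruleset behind.  The file stays
# 0600 because it may contain addresses and policy an attacker should not
# read.  $_SAVEOPT is deliberately unquoted: empty means "no option".
save() {
	show "Saving current rules to %s" "$IPTABLES_CONFIG"
	_tmp=$(umask 077 && mktemp "${IPTABLES_CONFIG}.XXXXXX" 2>/dev/null)
	if [ -z "$_tmp" ]; then
		fail
		return 1
	fi
	if /usr/sbin/iptables-save $_SAVEOPT > "$_tmp" 2>/dev/null && \
	   chmod 600 "$_tmp" && mv -f "$_tmp" "$IPTABLES_CONFIG"; then
		ok
	else
		rm -f "$_tmp"
		fail
	fi
}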
131 | ||
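# Emergency lock-down: set every built-in chain of the filter, nat and
# mangle tables to DROP first — so nothing is accepted while the rules go
# away — then flush all chains and remove user-defined ones.  Only these
# three tables are covered; anything else listed in
# /proc/net/ip_tables_names keeps its current state.
# The flush/delete steps use -F and -X with no chain name, which act on
# every chain of the table; the previous version named the built-in
# chains, which left user chains untouched and made -X fail (built-in
# chains cannot be deleted), so panic always reported a failure.
panic() {
	show "Changing target policies to DROP"
	if iftable filter -P INPUT DROP && \
	   iftable filter -P FORWARD DROP && \
	   iftable filter -P OUTPUT DROP && \
	   iftable nat -P PREROUTING DROP && \
	   iftable nat -P POSTROUTING DROP && \
	   iftable nat -P OUTPUT DROP && \
	   iftable mangle -P PREROUTING DROP && \
	   iftable mangle -P OUTPUT DROP; then
		ok
	else
		fail
	fi
	show "Flushing all chains"
	if iftable filter -F && iftable nat -F && iftable mangle -F; then
		ok
	else
		fail
	fi
	show "Removing user defined chains"
	if iftable filter -X && iftable nat -X && iftable mangle -X; then
		ok
	else
		fail
	fi
}

upstart_controlled --except status panic load save clear

case "$1" in
start|load|restart|force-reload)
	# There is no daemon: restart and force-reload are just start, which
	# flushes the old rules itself before loading the new ones.
	start
	;;
stop)
	# Save first, while the rules are still loaded.
	is_yes "$IPTABLES_SAVE_ON_STOP" && save
	stop
	;;
clear)
	stop
	;;
panic)
	panic
	;;
save)
	save
	;;
status)
	_opts=""
	is_yes "$IPTABLES_STATUS_NUMERIC" && _opts="$_opts -n"
	is_yes "$IPTABLES_STATUS_VERBOSE" && _opts="$_opts --verbose"
	is_yes "$IPTABLES_STATUS_LINENUMBERS" && _opts="$_opts --line-numbers"
	# $_opts is a word list of flags; word-splitting is intended.
	for table in $(cat /proc/net/ip_tables_names 2>/dev/null); do
		echo "Table: $table"
		iptables -t "$table" --list $_opts
	done
	;;
*)
	msg_usage "$0 {start|stop|restart|force-reload|panic|load|save|clear|status}"
	exit 3
	;;
esac

exit 0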