[packages/iptables.git] / iptables.init

#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author:	Joshua Jensen <joshua@redhat.com>
#   -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/iptables

IPTABLES_CONFIG=/etc/sysconfig/iptables
if [ ! -f $IPTABLES_CONFIG ]; then
	case "$1" in
	start|restart|force-reload)
		exit 0
	;;
	esac
fi

# Source 'em up
. /etc/rc.d/init.d/functions

if [ "$(kernelver)" -lt "002003000" ]; then
	exit 0
fi

if /sbin/lsmod 2>/dev/null | grep -q ipchains; then
	# Don't do both
	exit 0
fi

IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
[ -f /etc/sysconfig/iptables-config ] && . /etc/sysconfig/iptables-config
_SAVEOPT=
is_yes $IPTABLES_SAVE_COUNTER && _SAVEOPT="-c"

if [ "$1" = "--quiet" ]; then
	shift
	show() { return 0; }
	ok() { return 0; }
	fail() { return 1; }
fi

iftable() {
	if fgrep -qsx $1 /proc/net/ip_tables_names; then
		iptables -t "$@"
	fi
}

start() {
	# don't do squat if we don't have the config file
	if [ -f $IPTABLES_CONFIG ]; then
		# If we don't clear these first, we might be adding to
		#  pre-existing rules.
		tables=`cat /proc/net/ip_tables_names 2>/dev/null`
		show "Flushing all current rules and user defined chains"
		let ret=0
		for i in $tables; do iptables -t $i -F; let ret+=$?; done
		if [ $ret -eq 0 ]; then
			ok
		else
			fail
		fi
		show "Clearing all current rules and user defined chains"
		let ret=0
		for i in $tables; do iptables -t $i -X; let ret+=$?; done
		if [ $ret -eq 0 ]; then
			ok
		else
			fail
		fi

		for i in $tables; do iptables -t $i -Z; done

		show "Applying iptables firewall rules"
		grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/iptables-restore $_SAVEOPT && \
			ok || \
			fail
		touch /var/lock/subsys/iptables
	fi
}

stop() {
	tables=`cat /proc/net/ip_tables_names 2>/dev/null`
	show "Flushing all chains"
	let ret=0
	for i in $tables; do iptables -t $i -F; let ret+=$?; done
	if [ $ret -eq 0 ]; then
		ok
	else
		fail
	fi

	show "Removing user defined chains"
	let ret=0
	for i in $tables; do iptables -t $i -X; let ret+=$?; done
	if [ $ret -eq 0 ]; then
		ok
	else
		fail
	fi
	show "Resetting built-in chains to the default ACCEPT policy"
	iftable filter -P INPUT ACCEPT && \
	iftable filter -P OUTPUT ACCEPT && \
	iftable filter -P FORWARD ACCEPT && \
	iftable nat -P PREROUTING ACCEPT && \
	iftable nat -P POSTROUTING ACCEPT && \
	iftable nat -P OUTPUT ACCEPT && \
	iftable mangle -P PREROUTING ACCEPT && \
	iftable mangle -P OUTPUT ACCEPT && \
	ok || fail
	rm -f /var/lock/subsys/iptables
}

save() {
	show "Saving current rules to %s" $IPTABLES_CONFIG
	touch $IPTABLES_CONFIG
	chmod 600 $IPTABLES_CONFIG
	/usr/sbin/iptables-save $_SAVEOPT > $IPTABLES_CONFIG  2>/dev/null && ok || fail
}

upstart_controlled --except status panic load save clear

case "$1" in
  start|load)
	start
	;;
  stop)
	is_yes $IPTABLES_SAVE_ON_STOP && save
	stop
	;;
  clear)
	stop
	;;
  restart|force-reload)
	# "restart" is really just "start" as this isn't a daemon,
	#  and "start" clears any pre-defined rules anyway.
	#  This is really only here to make those who expect it happy
	start
	;;
  panic)
	show "Changing target policies to DROP"
	iftable filter -P INPUT DROP && \
	iftable filter -P FORWARD DROP && \
	iftable filter -P OUTPUT DROP && \
	iftable nat -P PREROUTING DROP && \
	iftable nat -P POSTROUTING DROP && \
	iftable nat -P OUTPUT DROP && \
	iftable mangle -P PREROUTING DROP && \
	iftable mangle -P OUTPUT DROP && \
	ok || fail
	iftable filter -F INPUT && \
	iftable filter -F FORWARD && \
	iftable filter -F OUTPUT && \
	iftable nat -F PREROUTING && \
	iftable nat -F POSTROUTING && \
	iftable nat -F OUTPUT && \
	iftable mangle -F PREROUTING && \
	iftable mangle -F OUTPUT && \
	ok || fail
	iftable filter -X INPUT && \
	iftable filter -X FORWARD && \
	iftable filter -X OUTPUT && \
	iftable nat -X PREROUTING && \
	iftable nat -X POSTROUTING && \
	iftable nat -X OUTPUT && \
	iftable mangle -X PREROUTING && \
	iftable mangle -X OUTPUT && \
	ok || fail
	;;
  save)
	save
	;;
  status)
	is_yes $IPTABLES_STATUS_NUMERIC && _NUMERIC="-n"
	is_yes $IPTABLES_STATUS_VERBOSE && _VERBOSE="--verbose"
	is_yes $IPTABLES_STATUS_LINENUMBERS && _LINES="--line-numbers"
	tables=`cat /proc/net/ip_tables_names 2>/dev/null`
	for table in $tables; do
		echo "Table: $table"
		iptables -t $table --list $_NUMERIC $_VERBOSE $_LINES
	done
	;;
  *)
	msg_usage "$0 {start|stop|restart|force-reload|panic|load|save|clear|status}"
	exit 3
esac

exit 0
Commit	Line	Data
99b23241	1	#!/bin/sh
	2	#
	3	# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
	4	#
	5	# chkconfig: 2345 08 92
	6	#
	7	# description: Automates a packet filtering firewall with iptables.
	8	#
	9	# by bero@redhat.com, based on the ipchains script:
	10	# Script Author: Joshua Jensen <joshua@redhat.com>
	11	# -- hacked up by gafton with help from notting
	12	# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
	13	# modified by Nils Philippsen <nils@redhat.de>
	14	#
	15	# config: /etc/sysconfig/iptables
	16
674da384 ER	17	IPTABLES_CONFIG=/etc/sysconfig/iptables
	18	if [ ! -f $IPTABLES_CONFIG ]; then
	19	case "$1" in
	20	start\|restart\|force-reload)
	21	exit 0
	22	;;
	23	esac
	24	fi
	25
99b23241	26	# Source 'em up
	27	. /etc/rc.d/init.d/functions
	28
8c98cbae	29	if [ "$(kernelver)" -lt "002003000" ]; then
99b23241	30	exit 0
	31	fi
	32
8dd60b88	33	if /sbin/lsmod 2>/dev/null \| grep -q ipchains; then
99b23241	34	# Don't do both
	35	exit 0
	36	fi
	37
a94df067 JR	38	IPTABLES_SAVE_ON_STOP="no"
	39	IPTABLES_SAVE_COUNTER="no"
	40	IPTABLES_STATUS_NUMERIC="yes"
	41	IPTABLES_STATUS_VERBOSE="no"
	42	IPTABLES_STATUS_LINENUMBERS="yes"
	43	[ -f /etc/sysconfig/iptables-config ] && . /etc/sysconfig/iptables-config
	44	_SAVEOPT=
	45	is_yes $IPTABLES_SAVE_COUNTER && _SAVEOPT="-c"
	46
28c4b6ff JR	47	if [ "$1" = "--quiet" ]; then
	48	shift
	49	show() { return 0; }
	50	ok() { return 0; }
	51	fail() { return 1; }
	52	fi
	53
99b23241	54	iftable() {
	55	if fgrep -qsx $1 /proc/net/ip_tables_names; then
	56	iptables -t "$@"
	57	fi
	58	}
	59
	60	start() {
	61	# don't do squat if we don't have the config file
	62	if [ -f $IPTABLES_CONFIG ]; then
8dd60b88 ER	63	# If we don't clear these first, we might be adding to
	64	# pre-existing rules.
	65	tables=`cat /proc/net/ip_tables_names 2>/dev/null`
ede828b7	66	show "Flushing all current rules and user defined chains"
8dd60b88 ER	67	let ret=0
	68	for i in $tables; do iptables -t $i -F; let ret+=$?; done
	69	if [ $ret -eq 0 ]; then
	70	ok
	71	else
	72	fail
	73	fi
ede828b7	74	show "Clearing all current rules and user defined chains"
8dd60b88 ER	75	let ret=0
	76	for i in $tables; do iptables -t $i -X; let ret+=$?; done
	77	if [ $ret -eq 0 ]; then
	78	ok
	79	else
	80	fail
	81	fi
	82
	83	for i in $tables; do iptables -t $i -Z; done
	84
ede828b7	85	show "Applying iptables firewall rules"
a94df067	86	grep -v "^[[:space:]]#" $IPTABLES_CONFIG \| grep -v '^[[:space:]]$' \| /usr/sbin/iptables-restore $_SAVEOPT && \
8dd60b88 ER	87	ok \|\| \
	88	fail
	89	touch /var/lock/subsys/iptables
99b23241	90	fi
	91	}
	92
	93	stop() {
a2c2db2b	94	tables=`cat /proc/net/ip_tables_names 2>/dev/null`
ede828b7 ER	95	show "Flushing all chains"
	96	let ret=0
	97	for i in $tables; do iptables -t $i -F; let ret+=$?; done
	98	if [ $ret -eq 0 ]; then
	99	ok
	100	else
	101	fail
	102	fi
8dd60b88	103
ede828b7 ER	104	show "Removing user defined chains"
	105	let ret=0
	106	for i in $tables; do iptables -t $i -X; let ret+=$?; done
	107	if [ $ret -eq 0 ]; then
	108	ok
	109	else
	110	fail
	111	fi
	112	show "Resetting built-in chains to the default ACCEPT policy"
99b23241	113	iftable filter -P INPUT ACCEPT && \
ede828b7 ER	114	iftable filter -P OUTPUT ACCEPT && \
	115	iftable filter -P FORWARD ACCEPT && \
	116	iftable nat -P PREROUTING ACCEPT && \
	117	iftable nat -P POSTROUTING ACCEPT && \
	118	iftable nat -P OUTPUT ACCEPT && \
	119	iftable mangle -P PREROUTING ACCEPT && \
	120	iftable mangle -P OUTPUT ACCEPT && \
	121	ok \|\| fail
99b23241	122	rm -f /var/lock/subsys/iptables
	123	}
	124
a94df067 JR	125	save() {
	126	show "Saving current rules to %s" $IPTABLES_CONFIG
	127	touch $IPTABLES_CONFIG
	128	chmod 600 $IPTABLES_CONFIG
	129	/usr/sbin/iptables-save $_SAVEOPT > $IPTABLES_CONFIG 2>/dev/null && ok \|\| fail
	130	}
	131
655beef5 ER	132	upstart_controlled --except status panic load save clear
655beef5 ER	133
99b23241	134	case "$1" in
cf239a77	135	start\|load)
99b23241	136	start
99b23241	137	;;
a94df067 JR	138	stop)
	139	is_yes $IPTABLES_SAVE_ON_STOP && save
	140	stop
	141	;;
	142	clear)
99b23241	143	stop
99b23241	144	;;
c631739a	145	restart\|force-reload)
99b23241	146	# "restart" is really just "start" as this isn't a daemon,
	147	# and "start" clears any pre-defined rules anyway.
	148	# This is really only here to make those who expect it happy
	149	start
	150	;;
99b23241	151	panic)
ede828b7	152	show "Changing target policies to DROP"
99b23241	153	iftable filter -P INPUT DROP && \
ede828b7 ER	154	iftable filter -P FORWARD DROP && \
	155	iftable filter -P OUTPUT DROP && \
	156	iftable nat -P PREROUTING DROP && \
	157	iftable nat -P POSTROUTING DROP && \
	158	iftable nat -P OUTPUT DROP && \
	159	iftable mangle -P PREROUTING DROP && \
	160	iftable mangle -P OUTPUT DROP && \
	161	ok \|\| fail
	162	iftable filter -F INPUT && \
	163	iftable filter -F FORWARD && \
	164	iftable filter -F OUTPUT && \
	165	iftable nat -F PREROUTING && \
	166	iftable nat -F POSTROUTING && \
	167	iftable nat -F OUTPUT && \
	168	iftable mangle -F PREROUTING && \
	169	iftable mangle -F OUTPUT && \
	170	ok \|\| fail
	171	iftable filter -X INPUT && \
	172	iftable filter -X FORWARD && \
	173	iftable filter -X OUTPUT && \
	174	iftable nat -X PREROUTING && \
	175	iftable nat -X POSTROUTING && \
	176	iftable nat -X OUTPUT && \
	177	iftable mangle -X PREROUTING && \
	178	iftable mangle -X OUTPUT && \
	179	ok \|\| fail
	180	;;
99b23241	181	save)
a94df067	182	save
99b23241	183	;;
396a51c8	184	status)
a94df067 JR	185	is_yes $IPTABLES_STATUS_NUMERIC && _NUMERIC="-n"
	186	is_yes $IPTABLES_STATUS_VERBOSE && _VERBOSE="--verbose"
	187	is_yes $IPTABLES_STATUS_LINENUMBERS && _LINES="--line-numbers"
396a51c8 ER	188	tables=`cat /proc/net/ip_tables_names 2>/dev/null`
	189	for table in $tables; do
	190	echo "Table: $table"
53ff372c	191	iptables -t $table --list $_NUMERIC $_VERBOSE $_LINES
396a51c8 ER	192	done
396a51c8 ER	193	;;
99b23241	194	*)
b6a3d695	195	msg_usage "$0 {start\|stop\|restart\|force-reload\|panic\|load\|save\|clear\|status}"
c631739a	196	exit 3
99b23241	197	esac
	198
	199	exit 0