[packages/iptables.git] / iptables.init

#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author:	Joshua Jensen <joshua@redhat.com>
#   -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/iptables

IPTABLES_CONFIG=/etc/sysconfig/iptables
if [ ! -f $IPTABLES_CONFIG ]; then
	case "$1" in
	start|restart|force-reload)
		exit 0
	;;
	esac
fi

# Source 'em up
. /etc/rc.d/init.d/functions

if [ "$(kernelver)" -lt "002003000" ]; then
	exit 0
fi

if /sbin/lsmod 2>/dev/null | grep -q ipchains; then
	# Don't do both
	exit 0
fi

iftable() {
	if fgrep -qsx $1 /proc/net/ip_tables_names; then
		iptables -t "$@"
	fi
}

start() {
	# don't do squat if we don't have the config file
	if [ -f $IPTABLES_CONFIG ]; then
		# If we don't clear these first, we might be adding to
		#  pre-existing rules.
		tables=`cat /proc/net/ip_tables_names 2>/dev/null`
		show "Flushing all current rules and user defined chains"
		let ret=0
		for i in $tables; do iptables -t $i -F; let ret+=$?; done
		if [ $ret -eq 0 ]; then
			ok
		else
			fail
		fi
		show "Clearing all current rules and user defined chains"
		let ret=0
		for i in $tables; do iptables -t $i -X; let ret+=$?; done
		if [ $ret -eq 0 ]; then
			ok
		else
			fail
		fi

		for i in $tables; do iptables -t $i -Z; done

		show "Applying iptables firewall rules"
		grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/iptables-restore -c && \
			ok || \
			fail
		touch /var/lock/subsys/iptables
	fi
}

stop() {
	tables=`cat /proc/net/ip_tables_names 2>/dev/null`
	show "Flushing all chains"
	let ret=0
	for i in $tables; do iptables -t $i -F; let ret+=$?; done
	if [ $ret -eq 0 ]; then
		ok
	else
		fail
	fi

	show "Removing user defined chains"
	let ret=0
	for i in $tables; do iptables -t $i -X; let ret+=$?; done
	if [ $ret -eq 0 ]; then
		ok
	else
		fail
	fi
	show "Resetting built-in chains to the default ACCEPT policy"
	iftable filter -P INPUT ACCEPT && \
	iftable filter -P OUTPUT ACCEPT && \
	iftable filter -P FORWARD ACCEPT && \
	iftable nat -P PREROUTING ACCEPT && \
	iftable nat -P POSTROUTING ACCEPT && \
	iftable nat -P OUTPUT ACCEPT && \
	iftable mangle -P PREROUTING ACCEPT && \
	iftable mangle -P OUTPUT ACCEPT && \
	ok || fail
	rm -f /var/lock/subsys/iptables
}

upstart_controlled --except status panic load save clear

case "$1" in
  start|load)
	start
	;;

  stop|clear)
	stop
	;;

  restart|force-reload)
	# "restart" is really just "start" as this isn't a daemon,
	#  and "start" clears any pre-defined rules anyway.
	#  This is really only here to make those who expect it happy
	start
	;;

  panic)
	show "Changing target policies to DROP"
	iftable filter -P INPUT DROP && \
	iftable filter -P FORWARD DROP && \
	iftable filter -P OUTPUT DROP && \
	iftable nat -P PREROUTING DROP && \
	iftable nat -P POSTROUTING DROP && \
	iftable nat -P OUTPUT DROP && \
	iftable mangle -P PREROUTING DROP && \
	iftable mangle -P OUTPUT DROP && \
	ok || fail
	iftable filter -F INPUT && \
	iftable filter -F FORWARD && \
	iftable filter -F OUTPUT && \
	iftable nat -F PREROUTING && \
	iftable nat -F POSTROUTING && \
	iftable nat -F OUTPUT && \
	iftable mangle -F PREROUTING && \
	iftable mangle -F OUTPUT && \
	ok || fail
	iftable filter -X INPUT && \
	iftable filter -X FORWARD && \
	iftable filter -X OUTPUT && \
	iftable nat -X PREROUTING && \
	iftable nat -X POSTROUTING && \
	iftable nat -X OUTPUT && \
	iftable mangle -X PREROUTING && \
	iftable mangle -X OUTPUT && \
	ok || fail
	;;

  save)
	show "Saving current rules to %s" $IPTABLES_CONFIG
	touch $IPTABLES_CONFIG
	chmod 600 $IPTABLES_CONFIG
	/usr/sbin/iptables-save -c > $IPTABLES_CONFIG  2>/dev/null && ok || fail
	;;

  status)
	tables=`cat /proc/net/ip_tables_names 2>/dev/null`
	for table in $tables; do
		echo "Table: $table"
		iptables -t $table -n --list
	done
	;;

  *)
	msg_usage "$0 {start|stop|restart|force-reload|panic|load|save|clear|status}"
	exit 3
esac

exit 0
Commit	Line	Data
99b23241	1	#!/bin/sh
	2	#
	3	# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
	4	#
	5	# chkconfig: 2345 08 92
	6	#
	7	# description: Automates a packet filtering firewall with iptables.
	8	#
	9	# by bero@redhat.com, based on the ipchains script:
	10	# Script Author: Joshua Jensen <joshua@redhat.com>
	11	# -- hacked up by gafton with help from notting
	12	# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
	13	# modified by Nils Philippsen <nils@redhat.de>
	14	#
	15	# config: /etc/sysconfig/iptables
	16
674da384 ER	17	IPTABLES_CONFIG=/etc/sysconfig/iptables
	18	if [ ! -f $IPTABLES_CONFIG ]; then
	19	case "$1" in
	20	start\|restart\|force-reload)
	21	exit 0
	22	;;
	23	esac
	24	fi
	25
99b23241	26	# Source 'em up
	27	. /etc/rc.d/init.d/functions
	28
8c98cbae	29	if [ "$(kernelver)" -lt "002003000" ]; then
99b23241	30	exit 0
	31	fi
	32
8dd60b88	33	if /sbin/lsmod 2>/dev/null \| grep -q ipchains; then
99b23241	34	# Don't do both
	35	exit 0
	36	fi
	37
	38	iftable() {
	39	if fgrep -qsx $1 /proc/net/ip_tables_names; then
	40	iptables -t "$@"
	41	fi
	42	}
	43
	44	start() {
	45	# don't do squat if we don't have the config file
	46	if [ -f $IPTABLES_CONFIG ]; then
8dd60b88 ER	47	# If we don't clear these first, we might be adding to
	48	# pre-existing rules.
	49	tables=`cat /proc/net/ip_tables_names 2>/dev/null`
ede828b7	50	show "Flushing all current rules and user defined chains"
8dd60b88 ER	51	let ret=0
	52	for i in $tables; do iptables -t $i -F; let ret+=$?; done
	53	if [ $ret -eq 0 ]; then
	54	ok
	55	else
	56	fail
	57	fi
ede828b7	58	show "Clearing all current rules and user defined chains"
8dd60b88 ER	59	let ret=0
	60	for i in $tables; do iptables -t $i -X; let ret+=$?; done
	61	if [ $ret -eq 0 ]; then
	62	ok
	63	else
	64	fail
	65	fi
	66
	67	for i in $tables; do iptables -t $i -Z; done
	68
ede828b7	69	show "Applying iptables firewall rules"
99b23241	70	grep -v "^[[:space:]]#" $IPTABLES_CONFIG \| grep -v '^[[:space:]]$' \| /usr/sbin/iptables-restore -c && \
8dd60b88 ER	71	ok \|\| \
	72	fail
	73	touch /var/lock/subsys/iptables
99b23241	74	fi
	75	}
	76
	77	stop() {
a2c2db2b	78	tables=`cat /proc/net/ip_tables_names 2>/dev/null`
ede828b7 ER	79	show "Flushing all chains"
	80	let ret=0
	81	for i in $tables; do iptables -t $i -F; let ret+=$?; done
	82	if [ $ret -eq 0 ]; then
	83	ok
	84	else
	85	fail
	86	fi
8dd60b88	87
ede828b7 ER	88	show "Removing user defined chains"
	89	let ret=0
	90	for i in $tables; do iptables -t $i -X; let ret+=$?; done
	91	if [ $ret -eq 0 ]; then
	92	ok
	93	else
	94	fail
	95	fi
	96	show "Resetting built-in chains to the default ACCEPT policy"
99b23241	97	iftable filter -P INPUT ACCEPT && \
ede828b7 ER	98	iftable filter -P OUTPUT ACCEPT && \
	99	iftable filter -P FORWARD ACCEPT && \
	100	iftable nat -P PREROUTING ACCEPT && \
	101	iftable nat -P POSTROUTING ACCEPT && \
	102	iftable nat -P OUTPUT ACCEPT && \
	103	iftable mangle -P PREROUTING ACCEPT && \
	104	iftable mangle -P OUTPUT ACCEPT && \
	105	ok \|\| fail
99b23241	106	rm -f /var/lock/subsys/iptables
	107	}
	108
655beef5 ER	109	upstart_controlled --except status panic load save clear
655beef5 ER	110
99b23241	111	case "$1" in
cf239a77	112	start\|load)
99b23241	113	start
	114	;;
	115
b6a3d695	116	stop\|clear)
99b23241	117	stop
	118	;;
	119
c631739a	120	restart\|force-reload)
99b23241	121	# "restart" is really just "start" as this isn't a daemon,
	122	# and "start" clears any pre-defined rules anyway.
	123	# This is really only here to make those who expect it happy
	124	start
	125	;;
	126
99b23241	127	panic)
ede828b7	128	show "Changing target policies to DROP"
99b23241	129	iftable filter -P INPUT DROP && \
ede828b7 ER	130	iftable filter -P FORWARD DROP && \
	131	iftable filter -P OUTPUT DROP && \
	132	iftable nat -P PREROUTING DROP && \
	133	iftable nat -P POSTROUTING DROP && \
	134	iftable nat -P OUTPUT DROP && \
	135	iftable mangle -P PREROUTING DROP && \
	136	iftable mangle -P OUTPUT DROP && \
	137	ok \|\| fail
	138	iftable filter -F INPUT && \
	139	iftable filter -F FORWARD && \
	140	iftable filter -F OUTPUT && \
	141	iftable nat -F PREROUTING && \
	142	iftable nat -F POSTROUTING && \
	143	iftable nat -F OUTPUT && \
	144	iftable mangle -F PREROUTING && \
	145	iftable mangle -F OUTPUT && \
	146	ok \|\| fail
	147	iftable filter -X INPUT && \
	148	iftable filter -X FORWARD && \
	149	iftable filter -X OUTPUT && \
	150	iftable nat -X PREROUTING && \
	151	iftable nat -X POSTROUTING && \
	152	iftable nat -X OUTPUT && \
	153	iftable mangle -X PREROUTING && \
	154	iftable mangle -X OUTPUT && \
	155	ok \|\| fail
	156	;;
99b23241	157
99b23241	158	save)
ede828b7	159	show "Saving current rules to %s" $IPTABLES_CONFIG
99b23241	160	touch $IPTABLES_CONFIG
99b23241	161	chmod 600 $IPTABLES_CONFIG
ede828b7	162	/usr/sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && ok \|\| fail
99b23241	163	;;
99b23241	164
396a51c8 ER	165	status)
	166	tables=`cat /proc/net/ip_tables_names 2>/dev/null`
	167	for table in $tables; do
	168	echo "Table: $table"
	169	iptables -t $table -n --list
	170	done
	171	;;
	172
99b23241	173	*)
b6a3d695	174	msg_usage "$0 {start\|stop\|restart\|force-reload\|panic\|load\|save\|clear\|status}"
c631739a	175	exit 3
99b23241	176	esac
	177
	178	exit 0