#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author: Joshua Jensen <joshua@redhat.com>
#   -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/iptables

# Saved ruleset: written by "save", loaded by "start"/"load".
IPTABLES_CONFIG=/etc/sysconfig/iptables

# With no saved ruleset the actions that would load it are a silent no-op;
# everything else (stop, panic, save, status) is still allowed to run.
[ -f "$IPTABLES_CONFIG" ] || case "$1" in
	start|restart|force-reload)
		exit 0
		;;
esac

# Shared rc helpers; show/ok/fail, kernelver, upstart_controlled and
# msg_usage used below are expected to come from here.
. /etc/rc.d/init.d/functions

# iptables needs a netfilter (2.3+) kernel; bail out quietly on older ones.
[ "$(kernelver)" -lt "002003000" ] && exit 0

# Never run alongside ipchains -- if it is loaded, leave the firewall to it.
/sbin/lsmod 2>/dev/null | grep -q ipchains && exit 0

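# iftable TABLE ARGS... -- run "iptables -t TABLE ARGS..." only if TABLE is
# currently registered in the kernel (listed as a whole line in
# /proc/net/ip_tables_names).  Tables that are not loaded are skipped
# silently, so callers can name filter/nat/mangle unconditionally.
# Returns iptables' exit status when it ran, 0 when the table was skipped.
#
# fgrep is obsolescent (newer GNU grep prints a warning on stderr for every
# call), so the equivalent "grep -F" is used; "--" keeps an odd table name
# from being parsed as an option.
iftable() {
	if grep -Fqsx -- "$1" /proc/net/ip_tables_names; then
		iptables -t "$@"
	fi
}
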
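# start -- load the saved ruleset from $IPTABLES_CONFIG.
# Every table currently registered in the kernel is flushed and stripped of
# its user-defined chains first, then the saved rules (with counters, -c)
# are fed to iptables-restore.  Does nothing when the config file is
# missing.  Returns 0 on success, iptables-restore's status on failure.
#
# NOTE(review): between the flush and the restore the host runs with no
# rules but with whatever built-in chain policies were already set, so with
# ACCEPT policies there is a brief fail-open window.  The explicit flush of
# every table is kept because iptables-restore only replaces the tables
# that appear in the file; tables absent from it would keep stale rules.
#
# "ret" is accumulated with POSIX arithmetic rather than "let", which is a
# bashism and does not exist under a non-bash /bin/sh.
start() {
	[ -f "$IPTABLES_CONFIG" ] || return 0

	tables=$(cat /proc/net/ip_tables_names 2>/dev/null)

	show "Flushing all current rules and user defined chains"
	ret=0
	for i in $tables; do
		iptables -t "$i" -F
		ret=$((ret + $?))
	done
	if [ "$ret" -eq 0 ]; then
		ok
	else
		fail
	fi

	show "Clearing all current rules and user defined chains"
	ret=0
	for i in $tables; do
		iptables -t "$i" -X
		ret=$((ret + $?))
	done
	if [ "$ret" -eq 0 ]; then
		ok
	else
		fail
	fi

	# Zero the packet/byte counters; a failure here is not reported.
	for i in $tables; do
		iptables -t "$i" -Z
	done

	show "Applying iptables firewall rules"
	# Comment and blank lines are stripped before the file is handed to
	# iptables-restore; the pipeline's status is that of iptables-restore.
	grep -v "^[[:space:]]*#" "$IPTABLES_CONFIG" | grep -v '^[[:space:]]*$' \
		| /usr/sbin/iptables-restore -c
	ret=$?
	if [ "$ret" -eq 0 ]; then
		ok
	else
		fail
	fi
	# The lock marks the service as started so stop() runs at shutdown; it
	# is created even after a failed restore since the tables were already
	# flushed above.
	touch /var/lock/subsys/iptables
	return "$ret"
}
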
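# stop -- open the firewall: flush every registered table, delete its
# user-defined chains, reset the built-in chains of filter/nat/mangle to
# the ACCEPT policy and remove the subsys lock.  Note that this leaves the
# host with no packet filtering at all; "panic" is the action that closes
# it instead.  Returns the status of the final "rm -f" (normally 0).
#
# "ret" is accumulated with POSIX arithmetic rather than "let", which is a
# bashism and does not exist under a non-bash /bin/sh.
stop() {
	tables=$(cat /proc/net/ip_tables_names 2>/dev/null)

	show "Flushing all chains"
	ret=0
	for i in $tables; do
		iptables -t "$i" -F
		ret=$((ret + $?))
	done
	if [ "$ret" -eq 0 ]; then
		ok
	else
		fail
	fi

	show "Removing user defined chains"
	ret=0
	for i in $tables; do
		iptables -t "$i" -X
		ret=$((ret + $?))
	done
	if [ "$ret" -eq 0 ]; then
		ok
	else
		fail
	fi

	show "Resetting built-in chains to the default ACCEPT policy"
	# iftable skips tables that are not loaded, so a missing nat or mangle
	# table is not counted as a failure here.
	if iftable filter -P INPUT ACCEPT &&
	   iftable filter -P OUTPUT ACCEPT &&
	   iftable filter -P FORWARD ACCEPT &&
	   iftable nat -P PREROUTING ACCEPT &&
	   iftable nat -P POSTROUTING ACCEPT &&
	   iftable nat -P OUTPUT ACCEPT &&
	   iftable mangle -P PREROUTING ACCEPT &&
	   iftable mangle -P OUTPUT ACCEPT; then
		ok
	else
		fail
	fi
	rm -f /var/lock/subsys/iptables
}
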
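# On upstart systems the rc helper hands start/stop/restart to upstart; the
# listed actions are always handled directly by this script.
upstart_controlled --except status panic load save clear

case "$1" in
  start|load)
	start
	;;

  stop|clear)
	stop
	;;

  restart|force-reload)
	# Not a daemon: "start" already flushes everything before loading,
	# so a restart is simply another start.  Kept for callers expecting it.
	start
	;;

  panic)
	# Fail closed: set DROP policies before touching the chains so nothing
	# slips through while they are being emptied, then flush, then delete
	# user-defined chains.  iftable skips tables that are not loaded.
	show "Changing target policies to DROP"
	if iftable filter -P INPUT DROP &&
	   iftable filter -P FORWARD DROP &&
	   iftable filter -P OUTPUT DROP &&
	   iftable nat -P PREROUTING DROP &&
	   iftable nat -P POSTROUTING DROP &&
	   iftable nat -P OUTPUT DROP &&
	   iftable mangle -P PREROUTING DROP &&
	   iftable mangle -P OUTPUT DROP; then
		ok
	else
		fail
	fi
	if iftable filter -F INPUT &&
	   iftable filter -F FORWARD &&
	   iftable filter -F OUTPUT &&
	   iftable nat -F PREROUTING &&
	   iftable nat -F POSTROUTING &&
	   iftable nat -F OUTPUT &&
	   iftable mangle -F PREROUTING &&
	   iftable mangle -F OUTPUT; then
		ok
	else
		fail
	fi
	# "-X" with no chain name deletes every user-defined chain of the
	# table.  Built-in chains (INPUT, PREROUTING, ...) cannot be deleted,
	# so naming them here, as this step used to, failed on every loaded
	# table and left user chains in the remaining tables untouched.
	if iftable filter -X &&
	   iftable nat -X &&
	   iftable mangle -X; then
		ok
	else
		fail
	fi
	;;

  save)
	show "Saving current rules to %s" "$IPTABLES_CONFIG"
	# Write into a mode-600 temp file beside the config and rename it into
	# place only after iptables-save succeeded.  Redirecting iptables-save
	# straight onto the config truncated it before the save ran, so a
	# failed save destroyed the working ruleset and the next "start" would
	# then load nothing.
	tmp=$(mktemp "$IPTABLES_CONFIG.XXXXXX" 2>/dev/null) &&
	chmod 600 "$tmp" &&
	/usr/sbin/iptables-save -c > "$tmp" 2>/dev/null &&
	mv -f "$tmp" "$IPTABLES_CONFIG"
	if [ $? -eq 0 ]; then
		ok
	else
		[ -n "$tmp" ] && rm -f "$tmp"
		fail
	fi
	;;

  status)
	tables=$(cat /proc/net/ip_tables_names 2>/dev/null)
	for table in $tables; do
		echo "Table: $table"
		iptables -t "$table" -n --list
	done
	;;

  *)
	msg_usage "$0 {start|stop|restart|force-reload|panic|load|save|clear|status}"
	exit 3
	;;
esac

exit 0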