3 # Startup script to implement /etc/sysconfig/iptables pre-defined rules.
5 # chkconfig: 2345 08 92
7 # description: Automates a packet filtering firewall with iptables.
9 # by bero@redhat.com, based on the ipchains script:
10 # Script Author: Joshua Jensen <joshua@redhat.com>
11 # -- hacked up by gafton with help from notting
12 # modified by Anton Altaparmakov <aia21@cam.ac.uk>:
13 # modified by Nils Philippsen <nils@redhat.de>
15 # config: /etc/sysconfig/iptables
17 IPTABLES_CONFIG=/etc/sysconfig/iptables
18 if [ ! -f $IPTABLES_CONFIG ]; then
20 start|restart|force-reload)
27 . /etc/rc.d/init.d/functions
29 if [ "$(kernelver)" -lt "002003000" ]; then
33 if /sbin/lsmod 2>/dev/null | grep -q ipchains; then
39 if fgrep -qsx $1 /proc/net/ip_tables_names; then
45 # don't do squat if we don't have the config file
46 if [ -f $IPTABLES_CONFIG ]; then
47 # If we don't clear these first, we might be adding to
49 tables=`cat /proc/net/ip_tables_names 2>/dev/null`
50 show "Flushing all current rules and user defined chains"
52 for i in $tables; do iptables -t $i -F; let ret+=$?; done
53 if [ $ret -eq 0 ]; then
58 show "Clearing all current rules and user defined chains"
60 for i in $tables; do iptables -t $i -X; let ret+=$?; done
61 if [ $ret -eq 0 ]; then
67 for i in $tables; do iptables -t $i -Z; done
69 show "Applying iptables firewall rules"
70 grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /usr/sbin/iptables-restore -c && \
73 touch /var/lock/subsys/iptables
78 tables=`cat /proc/net/ip_tables_names 2>/dev/null`
79 show "Flushing all chains"
81 for i in $tables; do iptables -t $i -F; let ret+=$?; done
82 if [ $ret -eq 0 ]; then
88 show "Removing user defined chains"
90 for i in $tables; do iptables -t $i -X; let ret+=$?; done
91 if [ $ret -eq 0 ]; then
96 show "Resetting built-in chains to the default ACCEPT policy"
97 iftable filter -P INPUT ACCEPT && \
98 iftable filter -P OUTPUT ACCEPT && \
99 iftable filter -P FORWARD ACCEPT && \
100 iftable nat -P PREROUTING ACCEPT && \
101 iftable nat -P POSTROUTING ACCEPT && \
102 iftable nat -P OUTPUT ACCEPT && \
103 iftable mangle -P PREROUTING ACCEPT && \
104 iftable mangle -P OUTPUT ACCEPT && \
106 rm -f /var/lock/subsys/iptables
109 upstart_controlled --except status panic load save clear
120 restart|force-reload)
121 # "restart" is really just "start" as this isn't a daemon,
122 # and "start" clears any pre-defined rules anyway.
123 # This is really only here to make those who expect it happy
128 show "Changing target policies to DROP"
129 iftable filter -P INPUT DROP && \
130 iftable filter -P FORWARD DROP && \
131 iftable filter -P OUTPUT DROP && \
132 iftable nat -P PREROUTING DROP && \
133 iftable nat -P POSTROUTING DROP && \
134 iftable nat -P OUTPUT DROP && \
135 iftable mangle -P PREROUTING DROP && \
136 iftable mangle -P OUTPUT DROP && \
138 iftable filter -F INPUT && \
139 iftable filter -F FORWARD && \
140 iftable filter -F OUTPUT && \
141 iftable nat -F PREROUTING && \
142 iftable nat -F POSTROUTING && \
143 iftable nat -F OUTPUT && \
144 iftable mangle -F PREROUTING && \
145 iftable mangle -F OUTPUT && \
147 iftable filter -X INPUT && \
148 iftable filter -X FORWARD && \
149 iftable filter -X OUTPUT && \
150 iftable nat -X PREROUTING && \
151 iftable nat -X POSTROUTING && \
152 iftable nat -X OUTPUT && \
153 iftable mangle -X PREROUTING && \
154 iftable mangle -X OUTPUT && \
159 show "Saving current rules to %s" $IPTABLES_CONFIG
160 touch $IPTABLES_CONFIG
161 chmod 600 $IPTABLES_CONFIG
162 /usr/sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && ok || fail
166 tables=`cat /proc/net/ip_tables_names 2>/dev/null`
167 for table in $tables; do
169 iptables -t $table -n --list
174 msg_usage "$0 {start|stop|restart|force-reload|panic|load|save|clear|status}"