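#!/bin/bash
# $Id$
# ebtables configuration script for systemd
#
# Usage: magellan-ebtables {start|stop|reload|save|panic|restart}
#
# Reads /etc/conf.d/ebtables, which is expected to set EBTABLES_SAVE_PATH
# (the file the ruleset is saved to and restored from) and may set
# SAVE_ON_STOP=yes, SAVE_RESTORE_OPTIONS (extra flags for ebtables-save /
# ebtables-restore) and override any of the EBTABLES_* tool paths below.

SVC_NAME=ebtables
SYSTEMDLIBDIR=/usr/lib/systemd
CONF_FILE=/etc/conf.d/${SVC_NAME}

# Read the config first so it can override the tool paths, then fill in
# defaults for whatever it did not set.
if [[ -r "${CONF_FILE}" ]]; then
  # shellcheck source=/dev/null
  source "${CONF_FILE}"
else
  echo "Warning: ${CONF_FILE} not found or not readable" >&2
fi

# Tool paths. Earlier revisions defined these as IPTABLES_* while the rest of
# the script referenced EBTABLES_*, so EBTABLES, EBTABLES_SAVE and
# EBTABLES_PROC were unset unless the config happened to define them. One
# consistent name set is used now; the old IPTABLES_* names are still honoured
# as a fallback so existing configs keep working.
: "${EBTABLES:=${IPTABLES:-/sbin/ebtables}}"
: "${EBTABLES_SAVE:=${IPTABLES_SAVE:-/sbin/ebtables-save}}"
: "${EBTABLES_RESTORE:=${IPTABLES_RESTORE:-/sbin/ebtables-restore}}"
: "${EBTABLES_PROC:=${IPTABLES_PROC:-/proc/net/eb_tables_names}}"

#######################################
# Abort unless there is a saved ruleset to restore.
# Globals:   EBTABLES_SAVE_PATH (read), SVC_NAME, SYSTEMDLIBDIR
# Returns:   0 if the saved ruleset file exists; exits 1 otherwise
#######################################
checkconfig() {
  if [[ -z "${EBTABLES_SAVE_PATH:-}" || ! -f "${EBTABLES_SAVE_PATH}" ]]; then
    echo "Not starting ${SVC_NAME}. First create some rules then run:"
    echo "${SYSTEMDLIBDIR}/magellan-${SVC_NAME} save"
    exit 1
  fi
  return 0
}

#######################################
# Set every built-in chain of one ebtables table to the given policy.
# Globals:   EBTABLES (read)
# Arguments: $1 - table name (nat, broute or filter; anything else is a no-op)
#            $2 - policy, e.g. ACCEPT or DROP
#######################################
set_table_policy() {
  local table=$1 policy=$2
  local chains chain
  # built-in chains per table; user-defined chains are handled by -X elsewhere
  case "${table}" in
    nat)    chains="PREROUTING POSTROUTING OUTPUT" ;;
    broute) chains="BROUTING" ;;
    filter) chains="INPUT FORWARD OUTPUT" ;;
    *)      chains="" ;;
  esac
  for chain in ${chains}; do
    "${EBTABLES}" -t "${table}" -P "${chain}" "${policy}"
  done
}

#######################################
# Print the ebtables tables currently registered with the kernel.
# Globals:   EBTABLES_PROC (read)
# Outputs:   one table name per line; nothing if the proc file is absent
#            (e.g. the ebtables module is not loaded), instead of an error
#######################################
loaded_tables() {
  [[ -r "${EBTABLES_PROC}" ]] || return 0
  cat -- "${EBTABLES_PROC}"
}

#######################################
# Flush all rules and delete user-defined chains in every loaded table,
# optionally setting the built-in chains to a policy afterwards.
# Globals:   EBTABLES (read)
# Arguments: $1 - policy to apply to each table's built-in chains (optional;
#                 when empty the policies are left untouched)
#######################################
reset_tables() {
  local policy=${1:-}
  local table
  while IFS= read -r table; do
    [[ -n "${table}" ]] || continue
    "${EBTABLES}" -F -t "${table}"
    "${EBTABLES}" -X -t "${table}"
    if [[ -n "${policy}" ]]; then
      set_table_policy "${table}" "${policy}"
    fi
  done < <(loaded_tables)
}

#######################################
# Dispatch on the service action.
# Globals:   SVC_NAME, EBTABLES_*, EBTABLES_SAVE_PATH, SAVE_ON_STOP,
#            SAVE_RESTORE_OPTIONS (all read)
# Arguments: $1 - one of start|stop|reload|save|panic|restart
# Returns:   exit status of the last action command; 1 on usage error or
#            when saving/restoring fails
#######################################
main() {
  local cmd=${1:-}
  local -a opts=()
  local dir
  # SAVE_RESTORE_OPTIONS is a whitespace-separated option string from the
  # config; split it once here instead of relying on unquoted expansion.
  read -r -a opts <<<"${SAVE_RESTORE_OPTIONS:-}"

  case "${cmd}" in
    start)
      checkconfig
      echo "Loading ${SVC_NAME} ruleset ..."
      if ! "${EBTABLES_RESTORE}" "${opts[@]}" < "${EBTABLES_SAVE_PATH}"; then
        echo "Restoring ${EBTABLES_SAVE_PATH} failed" >&2
        exit 1
      fi
      ;;
    stop)
      if [[ "${SAVE_ON_STOP:-}" == yes ]]; then
        main save
      fi
      echo "Stopping ${SVC_NAME} and resetting ruleset ..."
      reset_tables ACCEPT
      ;;
    reload)
      echo "Flushing ${SVC_NAME} ruleset ..."
      reset_tables
      main start
      ;;
    save)
      : "${EBTABLES_SAVE_PATH:?must be set in ${CONF_FILE}}"
      echo "Saving ${SVC_NAME} ruleset ..."
      dir=$(dirname -- "${EBTABLES_SAVE_PATH}")
      [[ -d "${dir}" ]] || install -d -- "${dir}"
      # Create the file with mode 0600 before writing so the ruleset is never
      # exposed with the default umask, even briefly.
      touch -- "${EBTABLES_SAVE_PATH}"
      chmod 0600 "${EBTABLES_SAVE_PATH}"
      if ! "${EBTABLES_SAVE}" "${opts[@]}" > "${EBTABLES_SAVE_PATH}"; then
        echo "Saving to ${EBTABLES_SAVE_PATH} failed" >&2
        exit 1
      fi
      ;;
    panic)
      # Only tables listed in EBTABLES_PROC are touched; a table that is not
      # loaded has no traffic to drop, so nothing is lost by skipping it.
      echo "Enabled Panic-Mode for ${SVC_NAME} (DROP ALL) ..."
      reset_tables DROP
      ;;
    restart)
      main stop
      sleep 1
      main start
      ;;
    *)
      echo "Usage: $0 {start|stop|reload|save|panic|restart}"
      exit 1
      ;;
  esac
}

main "$@"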