trunk/iptables/iptables.rc

#!/bin/sh
# $Header: /root/magellan-cvs/src/iptables/iptables.rc,v 1.2 2008-03-27 10:40:32 niro Exp $

#%rlevels: 2:s 3:s 4:s 5:s 0:k 1:k 6:k
#%start: 15
#%stop: 55

#deps
#%needs:
#%before:
#%after:

source /etc/sysconfig/rc
source $rc_functions

# default cmds
SVC_NAME=iptables
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
IPTABLES_PROC=/proc/net/ip_tables_names

# read config
source /etc/conf.d/${SVC_NAME}

checkconfig()
{
	if [[ ! -f ${IPTABLES_SAVE_PATH} ]]
	then
		echo -e ${COLRED} "Not starting ${SVC_NAME}. First create some rules then run:"
		echo -e ${COLRED} "/etc/init.d/${SVC_NAME} save"
		exit 1
	fi
	return 0
}

set_table_policy()
{
	local chains
	local chain

	table=$1
	policy=$2

	# select correct rules from corresponding chains
	case ${table} in
		nat)    chains="PREROUTING POSTROUTING OUTPUT";;
		mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
		filter) chains="INPUT FORWARD OUTPUT";;
		*)      chains="";;
	esac

	# set rules to given policy
	for chain in ${chains}
	do
		${IPTABLES} -t ${table} -P ${chain} ${policy}
	done
}

case "$1" in
	start)
		checkconfig
		echo -e ${COLOREDSTAR}"Loading ${SVC_NAME} ruleset ..."

		${IPTABLES_RESTORE} ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE_PATH}"
		evaluate_retval

		update_svcstatus $1
		splash svc_started "$(basename $0)" 0
		;;

	stop)
		if [[ ${SAVE_ON_STOP} = yes ]]
		then
			$0 save
		fi

		echo -e ${COLOREDSTAR}"Stopping ${SVC_NAME} and reseting ruleset ..."

		for rule in $(<${IPTABLES_PROC})
		do
			# flush rules
			${IPTABLES} -F -t ${rule}
	
			# delete chains
			${IPTABLES} -X -t ${rule}

			# set all policies to ACCEPT
			set_table_policy ${rule} ACCEPT
		done
		evaluate_retval

		update_svcstatus $1
		splash svc_stopped "$(basename $0)" 0
		;;

	reload)
		echo -e ${COLOREDSTAR}"Flushing ${SVC_NAME} ruleset ..."
		for rule in $(<${IPTABLES_PROC})
		do
			# flush rules
			${IPTABLES} -F -t ${rule}
	
			# delete chains
			${IPTABLES} -X -t ${rule}
		done
		$0 start
		;;

	save)
		echo -e ${COLOREDSTAR}"Saving ${SVC_NAME} ruleset ..."
		[ ! -d $(dirname ${IPTABLES_SAVE_PATH}) ] &&
			install -d $(dirname ${IPTABLES_SAVE_PATH})
		touch "${IPTABLES_SAVE_PATH}"
		chmod 0600 "${IPTABLES_SAVE_PATH}"
		${IPTABLES_SAVE} ${SAVE_RESTORE_OPTIONS} > "${IPTABLES_SAVE_PATH}"
		;;

	panic)
		echo -e ${COLOREDSTAR}"Enabled Panic-Mode for ${SVC_NAME} (DROP ALL) ..."
		for rule in $(<${IPTABLES_PROC})
		do
			${IPTABLES} -F -t ${rule}
			${IPTABLES} -X -t ${rule}

			set_table_policy ${rule} DROP
		done
		evaluate_retval
		;;

	restart)
		$0 stop
		sleep 1
		$0 start
		;;

	*)
		echo "Usage: $0 {start|stop|reload|save|panic|restart}"
		exit 1
		;;
esac
1	niro	51	#!/bin/sh
2	niro	548	# $Header: /root/magellan-cvs/src/iptables/iptables.rc,v 1.2 2008-03-27 10:40:32 niro Exp $
3	niro	51
4			#%rlevels: 2:s 3:s 4:s 5:s 0:k 1:k 6:k
5			#%start: 15
6			#%stop: 55
7
8			#deps
9			#%needs:
10			#%before:
11			#%after:
12
13			source /etc/sysconfig/rc
14			source $rc_functions
15
16			# default cmds
17			SVC_NAME=iptables
18			IPTABLES=/sbin/iptables
19			IPTABLES_SAVE=/sbin/iptables-save
20			IPTABLES_RESTORE=/sbin/iptables-restore
21			IPTABLES_PROC=/proc/net/ip_tables_names
22
23			# read config
24			source /etc/conf.d/${SVC_NAME}
25
26			checkconfig()
27			{
28			if [[ ! -f ${IPTABLES_SAVE_PATH} ]]
29			then
30			echo -e ${COLRED} "Not starting ${SVC_NAME}. First create some rules then run:"
31			echo -e ${COLRED} "/etc/init.d/${SVC_NAME} save"
32			exit 1
33			fi
34			return 0
35			}
36
37			set_table_policy()
38			{
39			local chains
40			local chain
41
42			table=$1
43			policy=$2
44
45			# select correct rules from corresponding chains
46			case ${table} in
47			nat) chains="PREROUTING POSTROUTING OUTPUT";;
48			mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
49			filter) chains="INPUT FORWARD OUTPUT";;
50			*) chains="";;
51			esac
52
53			# set rules to given policy
54			for chain in ${chains}
55			do
56			${IPTABLES} -t ${table} -P ${chain} ${policy}
57			done
58			}
59
60			case "$1" in
61			start)
62			checkconfig
63			echo -e ${COLOREDSTAR}"Loading ${SVC_NAME} ruleset ..."
64
65			${IPTABLES_RESTORE} ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE_PATH}"
66			evaluate_retval
67
68			update_svcstatus $1
69			splash svc_started "$(basename $0)" 0
70			;;
71
72			stop)
73			if [[ ${SAVE_ON_STOP} = yes ]]
74			then
75			$0 save
76			fi
77
78			echo -e ${COLOREDSTAR}"Stopping ${SVC_NAME} and reseting ruleset ..."
79
80			for rule in $(<${IPTABLES_PROC})
81			do
82			# flush rules
83			${IPTABLES} -F -t ${rule}
84
85			# delete chains
86			${IPTABLES} -X -t ${rule}
87
88			# set all policies to ACCEPT
89			set_table_policy ${rule} ACCEPT
90			done
91			evaluate_retval
92
93			update_svcstatus $1
94			splash svc_stopped "$(basename $0)" 0
95			;;
96
97			reload)
98			echo -e ${COLOREDSTAR}"Flushing ${SVC_NAME} ruleset ..."
99			for rule in $(<${IPTABLES_PROC})
100			do
101			# flush rules
102			${IPTABLES} -F -t ${rule}
103
104			# delete chains
105			${IPTABLES} -X -t ${rule}
106			done
107			$0 start
108			;;
109
110			save)
111			echo -e ${COLOREDSTAR}"Saving ${SVC_NAME} ruleset ..."
112	niro	548	[ ! -d $(dirname ${IPTABLES_SAVE_PATH}) ] &&
113	niro	51	install -d $(dirname ${IPTABLES_SAVE_PATH})
114			touch "${IPTABLES_SAVE_PATH}"
115			chmod 0600 "${IPTABLES_SAVE_PATH}"
116			${IPTABLES_SAVE} ${SAVE_RESTORE_OPTIONS} > "${IPTABLES_SAVE_PATH}"
117			;;
118
119			panic)
120			echo -e ${COLOREDSTAR}"Enabled Panic-Mode for ${SVC_NAME} (DROP ALL) ..."
121			for rule in $(<${IPTABLES_PROC})
122			do
123			${IPTABLES} -F -t ${rule}
124			${IPTABLES} -X -t ${rule}
125
126			set_table_policy ${rule} DROP
127			done
128			evaluate_retval
129			;;
130
131			restart)
132			$0 stop
133			sleep 1
134			$0 start
135			;;
136
137			*)
138			echo "Usage: $0 {start\|stop\|reload\|save\|panic\|restart}"
139			exit 1
140			;;
141			esac