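#!/bin/bash
# $Header: /root/magellan-cvs/src/iptables/iptables.rc,v 1.2 2008-03-27 10:40:32 niro Exp $
#
# iptables rc script: restores a saved ruleset on start, flushes it on stop,
# and offers save / reload / panic / restart actions.
# The script uses bash features ([[ ]], (( )), local), so the interpreter is
# bash rather than sh.
#
#%rlevels: 2:s 3:s 4:s 5:s 0:k 1:k 6:k
#%start: 15
#%stop: 55

#deps
#%needs:
#%before:
#%after:

source /etc/sysconfig/rc
source "${rc_functions}"

# default cmds
SVC_NAME=iptables
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
# names of the tables currently loaded in the kernel, iterated below
IPTABLES_PROC=/proc/net/ip_tables_names

# read config; expected to provide IPTABLES_SAVE_PATH, SAVE_RESTORE_OPTIONS
# and SAVE_ON_STOP (the only settings this script reads)
source "/etc/conf.d/${SVC_NAME}"

#######################################
# Refuse to start without a saved ruleset file.
# Globals:   IPTABLES_SAVE_PATH, SVC_NAME, COLRED (read)
# Returns:   0 if the ruleset file exists; exits 1 otherwise
#######################################
checkconfig() {
  if [[ ! -f "${IPTABLES_SAVE_PATH}" ]]; then
    # ${COLRED} stays unquoted so an empty colour code adds no argument
    # shellcheck disable=SC2086
    rc_echo -e ${COLRED} "Not starting ${SVC_NAME}. First create some rules then run:"
    # shellcheck disable=SC2086
    rc_echo -e ${COLRED} "/etc/init.d/${SVC_NAME} save"
    exit 1
  fi
  return 0
}

#######################################
# Print the names of the tables currently loaded in the kernel.
# Globals:   IPTABLES_PROC (read)
# Outputs:   table names to stdout; nothing (and no error) when the proc
#            file is not readable, e.g. before any ip_tables module is loaded
#######################################
loaded_tables() {
  [[ -r "${IPTABLES_PROC}" ]] || return 0
  cat -- "${IPTABLES_PROC}"
}

#######################################
# Flush all rules and delete all user-defined chains of one table.
# Globals:   IPTABLES (read)
# Arguments: $1 - table name (filter, nat, mangle, ...)
#######################################
flush_table() {
  local table=$1
  ${IPTABLES} -F -t "${table}"
  ${IPTABLES} -X -t "${table}"
}

#######################################
# Set every built-in chain of a table to the given policy.
# Globals:   IPTABLES (read)
# Arguments: $1 - table name; tables other than nat/mangle/filter are left untouched
#            $2 - policy (ACCEPT or DROP)
# Returns:   status of the last iptables -P call
#######################################
set_table_policy() {
  local table=$1 policy=$2
  local chains chain

  # built-in chains of each table
  case "${table}" in
    nat)    chains="PREROUTING POSTROUTING OUTPUT" ;;
    mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
    filter) chains="INPUT FORWARD OUTPUT" ;;
    *)      chains="" ;;
  esac

  # word-splitting of ${chains} is intended
  for chain in ${chains}; do
    ${IPTABLES} -t "${table}" -P "${chain}" "${policy}"
  done
}

#######################################
# Write the running ruleset to IPTABLES_SAVE_PATH.
# The output goes to a 0600 temp file in the target directory and only
# replaces the previous ruleset once iptables-save has succeeded, so a
# failed save cannot leave behind an empty file that checkconfig would
# accept and start would silently load as "no rules".
# Globals:   IPTABLES_SAVE, IPTABLES_SAVE_PATH, SAVE_RESTORE_OPTIONS,
#            SVC_NAME (read)
# Returns:   0 on success, otherwise the failing command's status
#######################################
save_ruleset() {
  local save_dir tmp rv
  save_dir=$(dirname -- "${IPTABLES_SAVE_PATH}")
  [[ -d "${save_dir}" ]] || install -d -- "${save_dir}"

  # mktemp creates the file with mode 0600, so the ruleset is never exposed
  # to other users, not even between creation and a later chmod
  tmp=$(mktemp "${save_dir}/.${SVC_NAME}.XXXXXX") || return 1
  # ${SAVE_RESTORE_OPTIONS} is deliberately unquoted: it may hold several options
  ${IPTABLES_SAVE} ${SAVE_RESTORE_OPTIONS} > "${tmp}"
  rv=$?
  if (( rv == 0 )); then
    # same directory, so the rename is atomic; the old ruleset survives
    # until the new one is complete
    mv -f -- "${tmp}" "${IPTABLES_SAVE_PATH}" || rv=$?
  else
    rm -f -- "${tmp}"
  fi
  return "${rv}"
}

case "$1" in
  start)
    checkconfig
    rc_print "Loading ${SVC_NAME} ruleset ..."
    # ${SAVE_RESTORE_OPTIONS} is deliberately unquoted: it may hold several options
    ${IPTABLES_RESTORE} ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE_PATH}"
    evaluate_retval
    update_svcstatus "$1"
    splash svc_started "$(basename -- "$0")" 0
    ;;
  stop)
    if [[ "${SAVE_ON_STOP}" = yes ]]; then
      "$0" save
    fi
    rc_print "Stopping ${SVC_NAME} and reseting ruleset ..."
    # flush every loaded table and open it up again (policy ACCEPT)
    for table in $(loaded_tables); do
      flush_table "${table}"
      set_table_policy "${table}" ACCEPT
    done
    evaluate_retval
    update_svcstatus "$1"
    splash svc_stopped "$(basename -- "$0")" 0
    ;;
  reload)
    rc_print "Flushing ${SVC_NAME} ruleset ..."
    # policies are left as they are; start restores them from the saved file
    for table in $(loaded_tables); do
      flush_table "${table}"
    done
    "$0" start
    ;;
  save)
    rc_print "Saving ${SVC_NAME} ruleset ..."
    save_ruleset
    evaluate_retval
    ;;
  panic)
    rc_print "Enabled Panic-Mode for ${SVC_NAME} (DROP ALL) ..."
    for table in $(loaded_tables); do
      flush_table "${table}"
      set_table_policy "${table}" DROP
    done
    # the filter table is where traffic is actually dropped: set its policy
    # explicitly so panic mode takes effect even when no table was loaded
    # yet and the loop above therefore did nothing
    set_table_policy filter DROP
    evaluate_retval
    ;;
  restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;
  *)
    rc_echo "Usage: $0 {start|stop|reload|save|panic|restart}"
    exit 1
    ;;
esac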