Contents of /trunk/iptables/iptables.rc

Revision 1427 - (show annotations) (download)
Mon Jul 18 18:33:25 2011 UTC (12 years, 9 months ago) by niro
File size: 2661 byte(s)
-use rc_echo() and rc_print()
1 #!/bin/sh
2 # $Header: /root/magellan-cvs/src/iptables/iptables.rc,v 1.2 2008-03-27 10:40:32 niro Exp $
3
4 #%rlevels: 2:s 3:s 4:s 5:s 0:k 1:k 6:k
5 #%start: 15
6 #%stop: 55
7
8 #deps
9 #%needs:
10 #%before:
11 #%after:
12
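# rc framework helpers.  Everything this script uses but does not define
# (COLRED, rc_echo, rc_print, evaluate_retval, update_svcstatus, splash) is
# expected to come from these two files.  Use the POSIX '.' rather than the
# bash-only 'source', since the shebang is /bin/sh.
. /etc/sysconfig/rc
. "${rc_functions}"

# Default command paths.  They are assigned *before* the service config is
# read so that /etc/conf.d/iptables may override any of them.
SVC_NAME=iptables
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
# Lists the xtables tables that are currently loaded, one name per line.
IPTABLES_PROC=/proc/net/ip_tables_names

# Service configuration.  Variables read elsewhere in this script:
#   IPTABLES_SAVE_PATH    - ruleset file written by 'save', read by 'start'
#   SAVE_RESTORE_OPTIONS  - extra options for iptables-save/-restore
#   SAVE_ON_STOP          - "yes" to save the live ruleset on 'stop'
. "/etc/conf.d/${SVC_NAME}"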
25
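# Refuse to start unless a saved ruleset exists.
# Reads IPTABLES_SAVE_PATH (from /etc/conf.d/iptables).  Prints a hint and
# exits 1 when the file is missing (or the variable is unset/empty); returns
# 0 otherwise.  The file is fed verbatim to iptables-restore by 'start', so
# it must remain root-owned and not writable by others ('save' creates it
# with mode 0600).  Uses POSIX '[' so it also works under a non-bash /bin/sh.
checkconfig()
{
	if [ ! -f "${IPTABLES_SAVE_PATH}" ]
	then
		rc_echo -e ${COLRED} "Not starting ${SVC_NAME}. First create some rules then run:"
		rc_echo -e ${COLRED} "/etc/init.d/${SVC_NAME} save"
		exit 1
	fi
	return 0
}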
36
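# Set the policy of every built-in chain of one xtables table.
#   $1 - table name: filter, nat, mangle, raw or security
#   $2 - policy, e.g. ACCEPT or DROP
# Only built-in chains accept a policy and their names are table specific,
# so each known table maps to its own chain list; unknown tables are a no-op.
# Runs ${IPTABLES} once per chain.  Both parameters are kept local so the
# function does not leak 'table'/'policy' into the caller's namespace.
set_table_policy()
{
	local table="$1"
	local policy="$2"
	local chains
	local chain

	# built-in chains per table
	case "${table}" in
		filter)   chains="INPUT FORWARD OUTPUT";;
		nat)      chains="PREROUTING POSTROUTING OUTPUT";;
		mangle)   chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
		raw)      chains="PREROUTING OUTPUT";;
		security) chains="INPUT FORWARD OUTPUT";;
		*)        chains="";;
	esac

	# ${IPTABLES} is deliberately left unquoted so a config override such
	# as "/sbin/iptables -w" keeps working; chain and policy are quoted.
	for chain in ${chains}
	do
		${IPTABLES} -t "${table}" -P "${chain}" "${policy}"
	done
}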
59
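# Print the names of the currently loaded xtables tables, one per line, or
# nothing when the proc file is absent (no table module loaded yet).  Used
# in place of "$(<file)", which is a bash-only construct that silently
# expands to nothing under a POSIX /bin/sh.
loaded_tables()
{
	[ -r "${IPTABLES_PROC}" ] && cat "${IPTABLES_PROC}"
	return 0
}

case "$1" in
	start)
		checkconfig
		rc_print "Loading ${SVC_NAME} ruleset ..."

		# NOTE: if iptables-restore fails, the kernel's default ACCEPT
		# policies stay in effect (fail-open); evaluate_retval only reports it.
		${IPTABLES_RESTORE} ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE_PATH}"
		evaluate_retval

		update_svcstatus "$1"
		splash svc_started "$(basename "$0")" 0
		;;

	stop)
		if [ "${SAVE_ON_STOP}" = yes ]
		then
			"$0" save
		fi

		rc_print "Stopping ${SVC_NAME} and reseting ruleset ..."

		# flush rules, delete user chains, then open every built-in chain
		for table in $(loaded_tables)
		do
			${IPTABLES} -F -t "${table}"
			${IPTABLES} -X -t "${table}"
			set_table_policy "${table}" ACCEPT
		done
		evaluate_retval

		update_svcstatus "$1"
		splash svc_stopped "$(basename "$0")" 0
		;;

	reload)
		# Check that the saved ruleset exists *before* flushing; otherwise a
		# missing file would leave the host with no rules at all once
		# 'start' bails out.
		checkconfig
		rc_print "Flushing ${SVC_NAME} ruleset ..."
		for table in $(loaded_tables)
		do
			${IPTABLES} -F -t "${table}"
			${IPTABLES} -X -t "${table}"
		done
		"$0" start
		;;

	save)
		rc_print "Saving ${SVC_NAME} ruleset ..."
		: "${IPTABLES_SAVE_PATH:?IPTABLES_SAVE_PATH is not set in /etc/conf.d/${SVC_NAME}}"
		save_dir=$(dirname "${IPTABLES_SAVE_PATH}")
		[ -d "${save_dir}" ] || install -d "${save_dir}"
		# Write to a private (0600) temp file in the target directory and
		# rename it into place, so a failing iptables-save never truncates
		# the ruleset that 'start' restores on the next boot and the file is
		# never readable by others, not even briefly.  Note that mv replaces
		# a symlink at IPTABLES_SAVE_PATH rather than following it.
		save_tmp=$(mktemp "${save_dir}/.${SVC_NAME}.XXXXXX") || exit 1
		if ${IPTABLES_SAVE} ${SAVE_RESTORE_OPTIONS} > "${save_tmp}"
		then
			chmod 0600 "${save_tmp}"
			mv -f "${save_tmp}" "${IPTABLES_SAVE_PATH}"
		else
			rm -f "${save_tmp}"
			false
		fi
		evaluate_retval
		;;

	panic)
		rc_print "Enabled Panic-Mode for ${SVC_NAME} (DROP ALL) ..."
		# Close the built-in chains *before* flushing so there is no window
		# in which the chains are empty but still ACCEPT.  The filter table
		# is handled explicitly in case it is not loaded yet (and therefore
		# not listed by loaded_tables).
		set_table_policy filter DROP
		for table in $(loaded_tables)
		do
			set_table_policy "${table}" DROP
			${IPTABLES} -F -t "${table}"
			${IPTABLES} -X -t "${table}"
		done
		evaluate_retval
		;;

	restart)
		"$0" stop
		sleep 1
		"$0" start
		;;

	*)
		rc_echo "Usage: $0 {start|stop|reload|save|panic|restart}"
		exit 1
		;;
esac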