-added systemd service files
#!/bin/bash
# $Id$
# iptables configuration script for systemd
#
# The service reads /etc/conf.d/iptables (named via SVC_NAME) for
# IPTABLES_SAVE_PATH, SAVE_RESTORE_OPTIONS and SAVE_ON_STOP. That file is
# executed as shell code in this script, so it must not be writable by
# anyone who is not allowed to change the firewall.

# default cmds -- assignments in the sourced config take precedence
SVC_NAME="iptables"
IPTABLES="/sbin/iptables"
IPTABLES_SAVE="/sbin/iptables-save"
IPTABLES_RESTORE="/sbin/iptables-restore"
IPTABLES_PROC="/proc/net/ip_tables_names"

# read config -- runs in the current shell; if the file is missing the
# shell only prints an error and the config variables stay unset
. "/etc/conf.d/${SVC_NAME}"
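#######################################
# Verify that a saved ruleset exists before trying to restore it.
# Globals:   IPTABLES_SAVE_PATH (read), SVC_NAME (read)
# Arguments: none
# Outputs:   diagnostics on stderr, so they are not mistaken for data
# Returns:   0 if the saved ruleset is a regular file; exits 1 when
#            IPTABLES_SAVE_PATH is unset/empty or the file is missing
#######################################
checkconfig()
{
  # an empty path would make the later redirect "< ''" fail obscurely
  if [[ -z ${IPTABLES_SAVE_PATH:-} ]]
  then
    echo "Not starting ${SVC_NAME}. IPTABLES_SAVE_PATH is not set in /etc/conf.d/${SVC_NAME}." >&2
    exit 1
  fi
  if [[ ! -f ${IPTABLES_SAVE_PATH} ]]
  then
    echo "Not starting ${SVC_NAME}. First create some rules then run:" >&2
    echo "/etc/init.d/${SVC_NAME} save" >&2
    exit 1
  fi
  return 0
}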
25 | |||
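#######################################
# Set the policy of every built-in chain of one netfilter table.
# Globals:   IPTABLES (read; left unquoted so the config may add options)
# Arguments: $1 - table name: nat, mangle or filter (others are a no-op,
#                 since only built-in chains of those tables take a policy)
#            $2 - policy to apply, e.g. ACCEPT or DROP
# Returns:   0 if every iptables call succeeded (or nothing was done),
#            otherwise the status of the last failing call
#######################################
set_table_policy()
{
  # table/policy were globals in the original and leaked to the caller
  local table=$1
  local policy=$2
  local -a chains=()
  local chain
  local rc=0

  # select the built-in chains of the given table
  case ${table} in
    nat)    chains=(PREROUTING POSTROUTING OUTPUT) ;;
    mangle) chains=(PREROUTING INPUT FORWARD OUTPUT POSTROUTING) ;;
    filter) chains=(INPUT FORWARD OUTPUT) ;;
    *)      chains=() ;;
  esac

  # apply the policy to each chain; keep going on failure but report it
  for chain in "${chains[@]}"
  do
    # shellcheck disable=SC2086 -- IPTABLES intentionally unquoted
    ${IPTABLES} -t "${table}" -P "${chain}" "${policy}" || rc=$?
  done
  return "${rc}"
}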
48 | |||
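#######################################
# List the netfilter tables currently loaded in the kernel.
# Globals:   IPTABLES_PROC (read)
# Outputs:   one table name per line on stdout; nothing when the proc
#            file is unreadable (e.g. ip_tables not loaded)
# Returns:   0
#######################################
list_tables()
{
  [[ -r ${IPTABLES_PROC} ]] || return 0
  cat -- "${IPTABLES_PROC}"
}

#######################################
# Flush all rules and delete all user-defined chains in every table.
# Globals:   IPTABLES (read; left unquoted so the config may add options)
# Arguments: none
# Returns:   0 if every iptables call succeeded, else the last failure
#######################################
flush_tables()
{
  local table
  local rc=0
  while IFS= read -r table
  do
    [[ -n ${table} ]] || continue
    # shellcheck disable=SC2086 -- IPTABLES intentionally unquoted
    ${IPTABLES} -F -t "${table}" || rc=$?
    ${IPTABLES} -X -t "${table}" || rc=$?
  done < <(list_tables)
  return "${rc}"
}

#######################################
# Apply one policy to the built-in chains of every loaded table.
# Arguments: $1 - policy (ACCEPT or DROP)
# Returns:   0 if every table succeeded, else the last failure
#######################################
set_all_policies()
{
  local policy=$1
  local table
  local rc=0
  while IFS= read -r table
  do
    [[ -n ${table} ]] || continue
    set_table_policy "${table}" "${policy}" || rc=$?
  done < <(list_tables)
  return "${rc}"
}

# Dispatch on the requested action. The script's exit status is that of
# the last command of the selected branch.
case "$1" in
  start)
    checkconfig
    echo "Loading ${SVC_NAME} ruleset ..."
    # shellcheck disable=SC2086 -- both expansions intentionally unquoted
    ${IPTABLES_RESTORE} ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE_PATH}"
    ;;

  stop)
    if [[ ${SAVE_ON_STOP:-} = yes ]]
    then
      # flushing still proceeds, but make a lost ruleset visible
      "$0" save || echo "Warning: saving ${SVC_NAME} ruleset failed" >&2
    fi

    echo "Stopping ${SVC_NAME} and reseting ruleset ..."
    # open the firewall: no rules, no user chains, every policy ACCEPT
    flush_tables
    set_all_policies ACCEPT
    ;;

  reload)
    echo "Flushing ${SVC_NAME} ruleset ..."
    flush_tables
    "$0" start
    ;;

  save)
    echo "Saving ${SVC_NAME} ruleset ..."
    if [[ -z ${IPTABLES_SAVE_PATH:-} ]]
    then
      echo "IPTABLES_SAVE_PATH is not set in /etc/conf.d/${SVC_NAME}" >&2
      exit 1
    fi
    save_dir=$(dirname -- "${IPTABLES_SAVE_PATH}")
    [[ -d ${save_dir} ]] || install -d -- "${save_dir}"
    # Write to a temp file next to the target and rename it into place:
    # redirecting iptables-save straight into the target truncates the
    # old ruleset first, so a failed save would leave an empty file that
    # checkconfig accepts and "start" would then restore nothing.
    tmp=$(mktemp -- "${save_dir}/.${SVC_NAME}.XXXXXX") || exit 1
    trap 'rm -f -- "${tmp}"' EXIT
    chmod 0600 -- "${tmp}"
    # shellcheck disable=SC2086 -- both expansions intentionally unquoted
    if ${IPTABLES_SAVE} ${SAVE_RESTORE_OPTIONS} > "${tmp}"
    then
      mv -f -- "${tmp}" "${IPTABLES_SAVE_PATH}"
    else
      echo "Saving ${SVC_NAME} ruleset failed; keeping ${IPTABLES_SAVE_PATH}" >&2
      exit 1
    fi
    ;;

  panic)
    echo "Enabled Panic-Mode for ${SVC_NAME} (DROP ALL) ..."
    # set DROP before flushing; flushing first leaves a window in which
    # the old (possibly ACCEPT) policies apply with no rules at all
    set_all_policies DROP
    flush_tables
    ;;

  restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;

  *)
    echo "Usage: $0 {start|stop|reload|save|panic|restart}" >&2
    exit 1
    ;;
esac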