
Annotation of /trunk/iptables/iptables.sh



Revision 1610 - (hide annotations) (download) (as text)
Thu Jan 12 12:19:29 2012 UTC (12 years, 4 months ago) by niro
File MIME type: application/x-sh
File size: 2238 byte(s)
-added systemd service files
1 niro 1610 #!/bin/bash
2     # $Id$
3     # iptables configuration script for systemd
4    
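# default cmds
SVC_NAME=iptables
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
# kernel-provided list of the currently loaded iptables tables, one per line
IPTABLES_PROC=/proc/net/ip_tables_names

# read config
# The config is *executed* by this shell, not parsed: it may override any of
# the defaults above and is expected to provide IPTABLES_SAVE_PATH (the ruleset
# file used by checkconfig/start/save), SAVE_ON_STOP (see stop) and
# SAVE_RESTORE_OPTIONS (extra options for iptables-save/-restore).  Since this
# script normally runs as root, the config file must be root-owned and not
# writable by anyone else.
# A missing or unreadable config is reported but not fatal here: checkconfig
# refuses to start without IPTABLES_SAVE_PATH, the other actions keep the
# defaults above.
if [[ -r "/etc/conf.d/${SVC_NAME}" ]]
then
  source "/etc/conf.d/${SVC_NAME}"
else
  echo "Warning: /etc/conf.d/${SVC_NAME} not found or not readable, using defaults" >&2
fi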
14    
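#######################################
# Refuse to run without a saved ruleset.
# Globals:   IPTABLES_SAVE_PATH (read), SVC_NAME (read)
# Outputs:   instructions on stderr when the ruleset file is missing
# Returns:   0 when IPTABLES_SAVE_PATH names a regular file; otherwise the
#            whole script exits with status 1 (the function does not return).
#            An empty/unset IPTABLES_SAVE_PATH fails the same way.
#######################################
checkconfig()
{
  if [[ ! -f "${IPTABLES_SAVE_PATH}" ]]
  then
    # diagnostics belong on stderr, not in the service's stdout
    echo "Not starting ${SVC_NAME}. First create some rules then run:" >&2
    echo "/etc/init.d/${SVC_NAME} save" >&2
    exit 1
  fi
  return 0
}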
25    
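#######################################
# Set the policy of every built-in chain of one table.
# Arguments: $1 - table name (nat, mangle or filter)
#            $2 - policy to apply (e.g. ACCEPT or DROP)
# Globals:   IPTABLES (read)
# Outputs:   whatever iptables prints
# Returns:   status of the last iptables call; 0 when the table is not one
#            of the three handled here (e.g. raw or security), in which case
#            nothing is changed — the call is silently a no-op
#######################################
set_table_policy()
{
  # table/policy were previously left global and leaked into the caller
  local table=$1
  local policy=$2
  local -a chains=()
  local chain

  # built-in chains per table; only these three tables are handled
  case "${table}" in
    nat)    chains=(PREROUTING POSTROUTING OUTPUT) ;;
    mangle) chains=(PREROUTING INPUT FORWARD OUTPUT POSTROUTING) ;;
    filter) chains=(INPUT FORWARD OUTPUT) ;;
    *)      chains=() ;;
  esac

  # every listed chain gets the same policy
  for chain in "${chains[@]}"
  do
    "${IPTABLES}" -t "${table}" -P "${chain}" "${policy}"
  done
}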
48    
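#######################################
# Flush every loaded table: delete all rules and user-defined chains, then
# optionally reset the policy of the built-in chains.  Shared by stop,
# reload and panic, which previously each carried a copy of this loop.
# Arguments: $1 - policy handed to set_table_policy, or empty to leave the
#                 policies untouched
# Globals:   IPTABLES_PROC (read), IPTABLES (read)
# Returns:   status of the last command run in the loop
#######################################
flush_tables()
{
  local policy=$1
  local table

  # IPTABLES_PROC lists one table name per line, only for loaded tables, so
  # word-splitting the file content is intended.  If the file does not exist
  # (no netfilter tables loaded) bash prints an error and the loop runs zero
  # times, which is the previous behaviour.
  for table in $(<"${IPTABLES_PROC}")
  do
    # flush rules
    "${IPTABLES}" -F -t "${table}"

    # delete chains
    "${IPTABLES}" -X -t "${table}"

    if [[ -n "${policy}" ]]
    then
      set_table_policy "${table}" "${policy}"
    fi
  done
}

#######################################
# Dispatch on the requested action.  The script's exit status is that of
# the action's last command, so e.g. a failed iptables-restore makes
# "start" fail.
#######################################
case "$1" in
  start)
    checkconfig
    echo "Loading ${SVC_NAME} ruleset ..."
    # SAVE_RESTORE_OPTIONS is deliberately unquoted: it is a list of options
    ${IPTABLES_RESTORE} ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE_PATH}"
    ;;

  stop)
    if [[ "${SAVE_ON_STOP}" = yes ]]
    then
      "$0" save
    fi

    echo "Stopping ${SVC_NAME} and reseting ruleset ..."
    # all policies to ACCEPT: after this the host runs without any filtering
    flush_tables ACCEPT
    ;;

  reload)
    echo "Flushing ${SVC_NAME} ruleset ..."
    # policies are not reset here (unlike stop), so between the flush and the
    # restore below the built-in chains keep their current policy
    flush_tables
    "$0" start
    ;;

  save)
    echo "Saving ${SVC_NAME} ruleset ..."
    if [[ -z "${IPTABLES_SAVE_PATH}" ]]
    then
      echo "IPTABLES_SAVE_PATH is not set, cannot save" >&2
      exit 1
    fi
    save_dir=$(dirname "${IPTABLES_SAVE_PATH}")
    [[ -d "${save_dir}" ]] || install -d "${save_dir}"
    # Write to a temp file next to the target and rename it into place only
    # when iptables-save succeeded: the old approach truncated the saved file
    # first, so a failing save left an empty ruleset for the next "start".
    # mktemp creates the file mode 0600; the ruleset stays unreadable to
    # other users, as before.
    tmpfile=$(mktemp "${IPTABLES_SAVE_PATH}.XXXXXX") || exit 1
    chmod 0600 "${tmpfile}"
    # SAVE_RESTORE_OPTIONS is deliberately unquoted: it is a list of options
    if ${IPTABLES_SAVE} ${SAVE_RESTORE_OPTIONS} > "${tmpfile}"
    then
      mv -f -- "${tmpfile}" "${IPTABLES_SAVE_PATH}"
    else
      rm -f -- "${tmpfile}"
      echo "Saving ${SVC_NAME} ruleset failed, keeping the previous file" >&2
      exit 1
    fi
    ;;

  panic)
    echo "Enabled Panic-Mode for ${SVC_NAME} (DROP ALL) ..."
    # the live ruleset is discarded, not saved — run "save" first if it matters.
    # Every built-in chain of nat/mangle/filter goes to DROP, including filter
    # OUTPUT, so the host's own traffic (and any remote session) is cut off.
    flush_tables DROP
    ;;

  restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;

  *)
    echo "Usage: $0 {start|stop|reload|save|panic|restart}" >&2
    exit 1
    ;;
esac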