Annotation of /trunk/iptables/iptables.sh
Sat Jun 30 18:03:13 2012 UTC (12 years, 3 months ago) by niro
File MIME type: application/x-sh
File size: 2292 byte(s)
-prepare usr-move
#!/bin/bash
# $Id$
# iptables configuration script for systemd

# Default locations of the iptables tools, of the kernel's list of loaded
# tables and of the systemd helper directory. The config file sourced below
# may override any of them.
SVC_NAME="iptables"
IPTABLES="/usr/bin/iptables"
IPTABLES_SAVE="/usr/bin/iptables-save"
IPTABLES_RESTORE="/usr/bin/iptables-restore"
IPTABLES_PROC="/proc/net/ip_tables_names"
SYSTEMDLIBDIR="/usr/lib/systemd"

# Per-service configuration. The variables used further down but not set
# here (IPTABLES_SAVE_PATH, SAVE_RESTORE_OPTIONS, SAVE_ON_STOP) are assumed
# to come from this file. It is executed as shell code, so it must only be
# writable by root.
. "/etc/conf.d/${SVC_NAME}"
15 | |||
#######################################
# Refuse to start while no saved ruleset exists yet.
# Globals:   IPTABLES_SAVE_PATH, SVC_NAME, SYSTEMDLIBDIR (read)
# Outputs:   a hint on how to create the ruleset, on stdout
# Returns:   0 when the ruleset file exists; otherwise the script exits 1
#######################################
checkconfig()
{
	[[ -f "${IPTABLES_SAVE_PATH}" ]] && return 0

	echo "Not starting ${SVC_NAME}. First create some rules then run:"
	echo "${SYSTEMDLIBDIR}/magellan-${SVC_NAME} save"
	exit 1
}
26 | |||
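#######################################
# Set the default policy of every built-in chain of one table.
# Globals:   IPTABLES (read)
# Arguments: $1 - table name: nat, mangle or filter; any other table is a no-op
#            $2 - policy to apply, e.g. ACCEPT or DROP
# Returns:   status of the last iptables call (0 for an unknown table)
#######################################
set_table_policy()
{
	# table and policy used to be left global and leaked into the caller
	local table="$1"
	local policy="$2"
	local chains
	local chain

	# built-in chains per table; tables not listed here (e.g. raw,
	# security) get an empty list and are left untouched -- TODO confirm
	# that is intended
	case "${table}" in
		nat) chains="PREROUTING POSTROUTING OUTPUT";;
		mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
		filter) chains="INPUT FORWARD OUTPUT";;
		*) chains="";;
	esac

	# ${chains} is deliberately unquoted: it is a space separated list
	for chain in ${chains}
	do
		"${IPTABLES}" -t "${table}" -P "${chain}" "${policy}"
	done
}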
49 | |||
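# Entry point: $1 selects the action.
# Usage: $0 {start|stop|reload|save|panic|restart}
# SAVE_RESTORE_OPTIONS is intentionally unquoted below: it may hold several
# options for iptables-save/iptables-restore.
case "$1" in
	start)
		checkconfig
		echo "Loading ${SVC_NAME} ruleset ..."
		"${IPTABLES_RESTORE}" ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE_PATH}"
		;;

	stop)
		if [[ "${SAVE_ON_STOP}" = yes ]]
		then
			"$0" save
		fi

		echo "Stopping ${SVC_NAME} and reseting ruleset ..."
		# one loaded table per line in IPTABLES_PROC; word splitting is wanted
		for table in $(<"${IPTABLES_PROC}")
		do
			# flush rules
			"${IPTABLES}" -F -t "${table}"

			# delete chains
			"${IPTABLES}" -X -t "${table}"

			# set all policies to ACCEPT
			set_table_policy "${table}" ACCEPT
		done
		;;

	reload)
		# verify the saved ruleset exists before flushing anything; otherwise
		# a missing file would leave the host with no rules at all
		checkconfig
		echo "Flushing ${SVC_NAME} ruleset ..."
		for table in $(<"${IPTABLES_PROC}")
		do
			# flush rules
			"${IPTABLES}" -F -t "${table}"

			# delete chains
			"${IPTABLES}" -X -t "${table}"
		done
		"$0" start
		;;

	save)
		echo "Saving ${SVC_NAME} ruleset ..."
		save_dir="$(dirname "${IPTABLES_SAVE_PATH}")"
		[[ -d "${save_dir}" ]] || install -d "${save_dir}"
		# write to a 0600 temp file in the target directory and rename it
		# into place: the ruleset is never readable by others, not even
		# briefly, and a failed iptables-save does not clobber the old save
		save_tmp="$(mktemp "${save_dir}/.${SVC_NAME}.XXXXXX")" || exit 1
		chmod 0600 "${save_tmp}"
		if "${IPTABLES_SAVE}" ${SAVE_RESTORE_OPTIONS} > "${save_tmp}"
		then
			mv -f -- "${save_tmp}" "${IPTABLES_SAVE_PATH}"
		else
			rm -f -- "${save_tmp}"
			exit 1
		fi
		;;

	panic)
		echo "Enabled Panic-Mode for ${SVC_NAME} (DROP ALL) ..."
		for table in $(<"${IPTABLES_PROC}")
		do
			# set DROP before flushing so there is no moment with an empty
			# ruleset while the previous (possibly ACCEPT) policy still applies
			set_table_policy "${table}" DROP
			"${IPTABLES}" -F -t "${table}"
			"${IPTABLES}" -X -t "${table}"
		done
		;;

	restart)
		"$0" stop
		sleep 1
		"$0" start
		;;

	*)
		echo "Usage: $0 {start|stop|reload|save|panic|restart}"
		exit 1
		;;
esac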