Contents of /trunk/iptables/iptables.sh
Sat Jun 30 18:03:13 2012 UTC (12 years, 3 months ago) by niro
File MIME type: application/x-sh
File size: 2292 byte(s)
-prepare usr-move
#!/bin/bash
# $Id$
# iptables configuration script for systemd

# default cmds (the config file sourced below may override any of them)
SVC_NAME="iptables"
SYSTEMDLIBDIR="/usr/lib/systemd"
IPTABLES="/usr/bin/iptables"
IPTABLES_SAVE="/usr/bin/iptables-save"
IPTABLES_RESTORE="/usr/bin/iptables-restore"
# read further down as a whitespace-separated list of table names
IPTABLES_PROC="/proc/net/ip_tables_names"

# read config: the file is executed as shell code by whoever runs this
# script, so it must only be writable by that user (normally root)
. "/etc/conf.d/${SVC_NAME}"
15 | |
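#######################################
# Refuse to start without a saved ruleset file.
# Globals:   IPTABLES_SAVE_PATH, SVC_NAME, SYSTEMDLIBDIR (read)
# Outputs:   instructions on stderr when the ruleset file is missing
# Returns:   0 when the file exists; otherwise exits the script with 1
#######################################
checkconfig()
{
  if [[ ! -f "${IPTABLES_SAVE_PATH-}" ]]; then
    # diagnostics go to stderr so they are not mistaken for normal output
    printf 'Not starting %s. First create some rules then run:\n' "${SVC_NAME}" >&2
    printf '%s/magellan-%s save\n' "${SYSTEMDLIBDIR}" "${SVC_NAME}" >&2
    exit 1
  fi
  return 0
}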
26 | |
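#######################################
# Set the policy of every builtin chain of one table.
# Globals:   IPTABLES (read; left unquoted so the config may add options)
# Arguments: $1 - table name: nat, mangle or filter (anything else is a no-op)
#            $2 - policy to apply, e.g. ACCEPT or DROP
# Returns:   status of the last iptables call, 0 when no chain was touched
#######################################
set_table_policy()
{
  # table and policy were globals before; keep them from leaking out
  local table=$1
  local policy=$2
  local -a chains=()
  local chain

  # builtin chains differ per table; user-defined chains carry no policy
  case "${table}" in
    nat)    chains=(PREROUTING POSTROUTING OUTPUT) ;;
    mangle) chains=(PREROUTING INPUT FORWARD OUTPUT POSTROUTING) ;;
    filter) chains=(INPUT FORWARD OUTPUT) ;;
    *)      chains=() ;;
  esac

  for chain in "${chains[@]}"; do
    ${IPTABLES} -t "${table}" -P "${chain}" "${policy}"
  done
}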
49 | |
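#######################################
# Flush every rule and delete every user-defined chain of one table.
# Globals:   IPTABLES (read; left unquoted so the config may add options)
# Arguments: $1 - table name
# Returns:   status of the last iptables call
#######################################
flush_table()
{
  local table=$1
  ${IPTABLES} -F -t "${table}"
  ${IPTABLES} -X -t "${table}"
}

#######################################
# Dispatch the service action given as the first argument.
# Globals:   IPTABLES_SAVE, IPTABLES_RESTORE, IPTABLES_PROC,
#            IPTABLES_SAVE_PATH, SAVE_RESTORE_OPTIONS, SAVE_ON_STOP,
#            SVC_NAME (read)
# Arguments: $1 - one of start|stop|reload|save|panic|restart
# Returns:   exits 1 on an unknown action or a missing IPTABLES_SAVE_PATH;
#            otherwise the status of the last command run
#######################################
main()
{
  local table save_dir

  case "$1" in
    start)
      checkconfig
      echo "Loading ${SVC_NAME} ruleset ..."
      # SAVE_RESTORE_OPTIONS comes from the config as one option string and
      # is deliberately unquoted so it word-splits into separate arguments
      ${IPTABLES_RESTORE} ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE_PATH}"
      ;;

    stop)
      if [[ "${SAVE_ON_STOP-}" = yes ]]; then
        "$0" save
      fi

      echo "Stopping ${SVC_NAME} and reseting ruleset ..."
      # only the tables listed in IPTABLES_PROC (those currently loaded)
      # are touched
      for table in $(<"${IPTABLES_PROC}"); do
        flush_table "${table}"
        # leave the emptied table wide open
        set_table_policy "${table}" ACCEPT
      done
      ;;

    reload)
      echo "Flushing ${SVC_NAME} ruleset ..."
      # policies are left alone; the restored ruleset sets them again
      for table in $(<"${IPTABLES_PROC}"); do
        flush_table "${table}"
      done
      "$0" start
      ;;

    save)
      echo "Saving ${SVC_NAME} ruleset ..."
      if [[ -z "${IPTABLES_SAVE_PATH-}" ]]; then
        echo "IPTABLES_SAVE_PATH is not set in /etc/conf.d/${SVC_NAME}" >&2
        exit 1
      fi
      save_dir=$(dirname -- "${IPTABLES_SAVE_PATH}")
      [[ -d "${save_dir}" ]] || install -d -- "${save_dir}"
      # create the file with mode 0600 from the start: a plain touch would
      # leave a new file at the umask default until the chmod below runs
      ( umask 077 && touch -- "${IPTABLES_SAVE_PATH}" )
      chmod 0600 "${IPTABLES_SAVE_PATH}"
      ${IPTABLES_SAVE} ${SAVE_RESTORE_OPTIONS} > "${IPTABLES_SAVE_PATH}"
      ;;

    panic)
      echo "Enabled Panic-Mode for ${SVC_NAME} (DROP ALL) ..."
      for table in $(<"${IPTABLES_PROC}"); do
        # set the policy before flushing so the table never sits rule-less
        # under its previous (possibly ACCEPT) policy
        set_table_policy "${table}" DROP
        flush_table "${table}"
      done
      # IPTABLES_PROC lists only loaded tables; make sure the filter table
      # ends up dropping traffic even when it was not loaded yet
      set_table_policy filter DROP
      ;;

    restart)
      "$0" stop
      sleep 1
      "$0" start
      ;;

    *)
      echo "Usage: $0 {start|stop|reload|save|panic|restart}" >&2
      exit 1
      ;;
  esac
}

main "$@"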