Revision 1610 -
Thu Jan 12 12:19:29 2012 UTC (12 years, 5 months ago) by niro
-added systemd service files
#!/bin/bash
# $Id$
# iptables configuration script for systemd

# Built-in defaults. They are assigned before the config file is sourced,
# so any of them can be reassigned from that file.
SVC_NAME="iptables"
IPTABLES="/sbin/iptables"
IPTABLES_SAVE="/sbin/iptables-save"
IPTABLES_RESTORE="/sbin/iptables-restore"
IPTABLES_PROC="/proc/net/ip_tables_names"

# Read the service config. The rest of this script reads
# IPTABLES_SAVE_PATH, SAVE_RESTORE_OPTIONS and SAVE_ON_STOP from it.
# shellcheck source=/dev/null
source "/etc/conf.d/${SVC_NAME}"
14 | |
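#######################################
# Refuse to start unless a saved ruleset exists to restore.
# Globals:   IPTABLES_SAVE_PATH, SVC_NAME (read)
# Outputs:   diagnostic on stderr when the ruleset file is missing
# Returns:   0 when the ruleset file exists; exits the script with 1 otherwise
#######################################
checkconfig() {
  # An unset or empty IPTABLES_SAVE_PATH fails this test as well, so a
  # missing config file is reported the same way as a missing ruleset.
  if [[ ! -f ${IPTABLES_SAVE_PATH} ]]; then
    # diagnostics belong on stderr, not in the service's normal output
    echo "Not starting ${SVC_NAME}. First create some rules then run:" >&2
    echo "/etc/init.d/${SVC_NAME} save" >&2
    exit 1
  fi
  return 0
}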
25 | |
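#######################################
# Apply one policy to every builtin chain of a table.
# Globals:   IPTABLES (read)
# Arguments: $1 - table name (nat, mangle or filter; any other is a no-op)
#            $2 - policy to set, e.g. ACCEPT or DROP
# Returns:   status of the last iptables call; 0 when no chain was touched
#######################################
set_table_policy() {
  # table and policy used to be plain globals, so every call clobbered
  # variables of the same name in the caller; keep them local.
  local table=$1
  local policy=$2
  local -a chains=()
  local chain

  # builtin chains that take a policy, per table; tables not listed here
  # (e.g. raw, security) are left untouched
  case ${table} in
    nat)    chains=(PREROUTING POSTROUTING OUTPUT) ;;
    mangle) chains=(PREROUTING INPUT FORWARD OUTPUT POSTROUTING) ;;
    filter) chains=(INPUT FORWARD OUTPUT) ;;
    *)      chains=() ;;
  esac

  for chain in "${chains[@]}"; do
    "${IPTABLES}" -t "${table}" -P "${chain}" "${policy}"
  done
}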
48 | |
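#######################################
# Flush every loaded table, delete its user-defined chains and, when a
# policy is given, apply it to the table's builtin chains.
# Globals:   IPTABLES, IPTABLES_PROC (read)
# Arguments: $1 - optional policy (e.g. ACCEPT or DROP); empty leaves the
#                 policies as they are
#######################################
flush_all_tables() {
  local policy=${1-}
  local table

  # IPTABLES_PROC lists the currently loaded tables, one per line; when it
  # cannot be read bash reports that and the loop body simply never runs.
  for table in $(<"${IPTABLES_PROC}"); do
    "${IPTABLES}" -F -t "${table}"
    "${IPTABLES}" -X -t "${table}"
    if [[ -n ${policy} ]]; then
      set_table_policy "${table}" "${policy}"
    fi
  done
}

#######################################
# Dump the running ruleset to IPTABLES_SAVE_PATH with mode 0600.
# Globals:   IPTABLES_SAVE, IPTABLES_SAVE_PATH, SAVE_RESTORE_OPTIONS,
#            SVC_NAME (read)
# Returns:   0 on success, 1 when the ruleset could not be written
#######################################
save_rules() {
  local dir tmp
  dir=$(dirname -- "${IPTABLES_SAVE_PATH}")
  [[ -d ${dir} ]] || install -d -- "${dir}" || return 1

  # Dump into a private temp file next to the target and rename it into
  # place only on success. Redirecting iptables-save straight into the
  # target would truncate the last good ruleset if the dump failed, and a
  # later 'start' would then restore an empty file without complaint.
  tmp=$(mktemp "${dir}/.${SVC_NAME}.XXXXXX") || return 1
  chmod 0600 "${tmp}"
  # SAVE_RESTORE_OPTIONS is deliberately unquoted: it may hold several options
  # shellcheck disable=SC2086
  if "${IPTABLES_SAVE}" ${SAVE_RESTORE_OPTIONS} > "${tmp}"; then
    mv -f -- "${tmp}" "${IPTABLES_SAVE_PATH}"
  else
    rm -f -- "${tmp}"
    return 1
  fi
}

# Entry point: dispatch on the requested action. The exit status of the
# script is that of the last command of the chosen arm.
case "$1" in
  start)
    checkconfig
    echo "Loading ${SVC_NAME} ruleset ..."
    # SAVE_RESTORE_OPTIONS is deliberately unquoted: it may hold several options
    # shellcheck disable=SC2086
    "${IPTABLES_RESTORE}" ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE_PATH}"
    ;;

  stop)
    if [[ ${SAVE_ON_STOP} = yes ]]; then
      "$0" save
    fi

    echo "Stopping ${SVC_NAME} and reseting ruleset ..."
    # flush, drop user chains and open every builtin chain up again
    flush_all_tables ACCEPT
    ;;

  reload)
    echo "Flushing ${SVC_NAME} ruleset ..."
    # Policies are not reset here (unlike stop): if the restore below
    # fails, an existing DROP policy stays in force rather than the host
    # falling open.
    flush_all_tables
    "$0" start
    ;;

  save)
    echo "Saving ${SVC_NAME} ruleset ..."
    save_rules
    ;;

  panic)
    echo "Enabled Panic-Mode for ${SVC_NAME} (DROP ALL) ..."
    flush_all_tables DROP
    ;;

  restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;

  *)
    echo "Usage: $0 {start|stop|reload|save|panic|restart}" >&2
    exit 1
    ;;
esac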