trunk/iptables/iptables.sh

#!/bin/bash
# $Id$
# iptables configuration script for systemd

# default cmds
SVC_NAME=iptables
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
IPTABLES_PROC=/proc/net/ip_tables_names

# read config
source /etc/conf.d/${SVC_NAME}

checkconfig()
{
	if [[ ! -f ${IPTABLES_SAVE_PATH} ]]
	then
		echo "Not starting ${SVC_NAME}. First create some rules then run:"
		echo "/etc/init.d/${SVC_NAME} save"
		exit 1
	fi
	return 0
}

set_table_policy()
{
	local chains
	local chain

	table=$1
	policy=$2

	# select correct rules from corresponding chains
	case ${table} in
		nat)    chains="PREROUTING POSTROUTING OUTPUT";;
		mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
		filter) chains="INPUT FORWARD OUTPUT";;
		*)      chains="";;
	esac

	# set rules to given policy
	for chain in ${chains}
	do
		${IPTABLES} -t ${table} -P ${chain} ${policy}
	done
}

case "$1" in
	start)
		checkconfig
		echo "Loading ${SVC_NAME} ruleset ..."
		${IPTABLES_RESTORE} ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE_PATH}"
		;;

	stop)
		if [[ ${SAVE_ON_STOP} = yes ]]
		then
			$0 save
		fi

		echo "Stopping ${SVC_NAME} and reseting ruleset ..."
		for rule in $(<${IPTABLES_PROC})
		do
			# flush rules
			${IPTABLES} -F -t ${rule}

			# delete chains
			${IPTABLES} -X -t ${rule}

			# set all policies to ACCEPT
			set_table_policy ${rule} ACCEPT
		done
		;;

	reload)
		echo "Flushing ${SVC_NAME} ruleset ..."
		for rule in $(<${IPTABLES_PROC})
		do
			# flush rules
			${IPTABLES} -F -t ${rule}

			# delete chains
			${IPTABLES} -X -t ${rule}
		done
		$0 start
		;;

	save)
		echo "Saving ${SVC_NAME} ruleset ..."
		[ ! -d $(dirname ${IPTABLES_SAVE_PATH}) ] &&
			install -d $(dirname ${IPTABLES_SAVE_PATH})
		touch "${IPTABLES_SAVE_PATH}"
		chmod 0600 "${IPTABLES_SAVE_PATH}"
		${IPTABLES_SAVE} ${SAVE_RESTORE_OPTIONS} > "${IPTABLES_SAVE_PATH}"
		;;

	panic)
		echo "Enabled Panic-Mode for ${SVC_NAME} (DROP ALL) ..."
		for rule in $(<${IPTABLES_PROC})
		do
			${IPTABLES} -F -t ${rule}
			${IPTABLES} -X -t ${rule}

			set_table_policy ${rule} DROP
		done
		;;

	restart)
		$0 stop
		sleep 1
		$0 start
		;;

	*)
		echo "Usage: $0 {start|stop|reload|save|panic|restart}"
		exit 1
		;;
esac
1	#!/bin/bash
2	# $Id$
3	# iptables configuration script for systemd
4
5	# default cmds
6	SVC_NAME=iptables
7	IPTABLES=/sbin/iptables
8	IPTABLES_SAVE=/sbin/iptables-save
9	IPTABLES_RESTORE=/sbin/iptables-restore
10	IPTABLES_PROC=/proc/net/ip_tables_names
11
12	# read config
13	source /etc/conf.d/${SVC_NAME}
14
15	checkconfig()
16	{
17	if [[ ! -f ${IPTABLES_SAVE_PATH} ]]
18	then
19	echo "Not starting ${SVC_NAME}. First create some rules then run:"
20	echo "/etc/init.d/${SVC_NAME} save"
21	exit 1
22	fi
23	return 0
24	}
25
26	set_table_policy()
27	{
28	local chains
29	local chain
30
31	table=$1
32	policy=$2
33
34	# select correct rules from corresponding chains
35	case ${table} in
36	nat) chains="PREROUTING POSTROUTING OUTPUT";;
37	mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
38	filter) chains="INPUT FORWARD OUTPUT";;
39	*) chains="";;
40	esac
41
42	# set rules to given policy
43	for chain in ${chains}
44	do
45	${IPTABLES} -t ${table} -P ${chain} ${policy}
46	done
47	}
48
49	case "$1" in
50	start)
51	checkconfig
52	echo "Loading ${SVC_NAME} ruleset ..."
53	${IPTABLES_RESTORE} ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE_PATH}"
54	;;
55
56	stop)
57	if [[ ${SAVE_ON_STOP} = yes ]]
58	then
59	$0 save
60	fi
61
62	echo "Stopping ${SVC_NAME} and reseting ruleset ..."
63	for rule in $(<${IPTABLES_PROC})
64	do
65	# flush rules
66	${IPTABLES} -F -t ${rule}
67
68	# delete chains
69	${IPTABLES} -X -t ${rule}
70
71	# set all policies to ACCEPT
72	set_table_policy ${rule} ACCEPT
73	done
74	;;
75
76	reload)
77	echo "Flushing ${SVC_NAME} ruleset ..."
78	for rule in $(<${IPTABLES_PROC})
79	do
80	# flush rules
81	${IPTABLES} -F -t ${rule}
82
83	# delete chains
84	${IPTABLES} -X -t ${rule}
85	done
86	$0 start
87	;;
88
89	save)
90	echo "Saving ${SVC_NAME} ruleset ..."
91	[ ! -d $(dirname ${IPTABLES_SAVE_PATH}) ] &&
92	install -d $(dirname ${IPTABLES_SAVE_PATH})
93	touch "${IPTABLES_SAVE_PATH}"
94	chmod 0600 "${IPTABLES_SAVE_PATH}"
95	${IPTABLES_SAVE} ${SAVE_RESTORE_OPTIONS} > "${IPTABLES_SAVE_PATH}"
96	;;
97
98	panic)
99	echo "Enabled Panic-Mode for ${SVC_NAME} (DROP ALL) ..."
100	for rule in $(<${IPTABLES_PROC})
101	do
102	${IPTABLES} -F -t ${rule}
103	${IPTABLES} -X -t ${rule}
104
105	set_table_policy ${rule} DROP
106	done
107	;;
108
109	restart)
110	$0 stop
111	sleep 1
112	$0 start
113	;;
114
115	*)
116	echo "Usage: $0 {start\|stop\|reload\|save\|panic\|restart}"
117	exit 1
118	;;
119	esac