|
cvsdist |
bfa5afa |
#!/bin/sh
|
|
cvsdist |
bfa5afa |
#
|
|
cvsdist |
bfa5afa |
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
|
|
cvsdist |
bfa5afa |
#
|
|
cvsdist |
bfa5afa |
# chkconfig: 2345 08 92
|
|
cvsdist |
bfa5afa |
#
|
|
cvsdist |
bfa5afa |
# description: Automates a packet filtering firewall with iptables.
|
|
cvsdist |
bfa5afa |
#
|
|
cvsdist |
bfa5afa |
# by bero@redhat.com, based on the ipchains script:
|
|
cvsdist |
bfa5afa |
# Script Author: Joshua Jensen <joshua@redhat.com>
|
|
cvsdist |
bfa5afa |
# -- hacked up by gafton with help from notting
|
|
cvsdist |
bfa5afa |
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
|
|
cvsdist |
bfa5afa |
# modified by Nils Philippsen <nils@redhat.de>
|
|
cvsdist |
bfa5afa |
#
|
|
cvsdist |
bfa5afa |
# config: /etc/sysconfig/iptables
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
# Source 'em up
|
|
cvsdist |
bfa5afa |
. /etc/init.d/functions
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
IPTABLES_CONFIG=/etc/sysconfig/iptables
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
if [ ! -x /sbin/iptables ]; then
|
|
cvsdist |
bfa5afa |
exit 0
|
|
cvsdist |
bfa5afa |
fi
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
|
|
cvsdist |
bfa5afa |
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
if [ "$KERNELMAJ" -lt 2 ] ; then
|
|
cvsdist |
bfa5afa |
exit 0
|
|
cvsdist |
bfa5afa |
fi
|
|
cvsdist |
bfa5afa |
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
|
|
cvsdist |
bfa5afa |
exit 0
|
|
cvsdist |
bfa5afa |
fi
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
if /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
|
|
cvsdist |
bfa5afa |
# Don't do both
|
|
cvsdist |
bfa5afa |
exit 0
|
|
cvsdist |
bfa5afa |
fi
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
start() {
|
|
cvsdist |
bfa5afa |
# don't do squat if we don't have the config file
|
|
cvsdist |
bfa5afa |
if [ -f $IPTABLES_CONFIG ]; then
|
|
cvsdist |
bfa5afa |
# If we don't clear these first, we might be adding to
|
|
cvsdist |
bfa5afa |
# pre-existing rules.
|
|
cvsdist |
bfa5afa |
action $"Flushing all current rules and user defined chains:" iptables -F
|
|
cvsdist |
bfa5afa |
action $"Clearing all current rules and user defined chains:" iptables -X
|
|
cvsdist |
bfa5afa |
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
|
|
cvsdist |
bfa5afa |
for i in $chains; do iptables -t $i -F; done && \
|
|
cvsdist |
bfa5afa |
success $"Flushing all current rules and user defined chains:" || \
|
|
cvsdist |
bfa5afa |
failure $"Flushing all current rules and user defined chains:"
|
|
cvsdist |
bfa5afa |
for i in $chains; do iptables -t $i -X; done && \
|
|
cvsdist |
bfa5afa |
success $"Clearing all current rules and user defined chains:" || \
|
|
cvsdist |
bfa5afa |
failure $"Clearing all current rules and user defined chains:"
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
for i in $chains; do iptables -t $i -Z; done
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
echo $"Applying iptables firewall rules: "
|
|
cvsdist |
bfa5afa |
grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -c && \
|
|
cvsdist |
bfa5afa |
success $"Applying iptables firewall rules" || \
|
|
cvsdist |
bfa5afa |
failure $"Applying iptables firewall rules"
|
|
cvsdist |
bfa5afa |
echo
|
|
cvsdist |
bfa5afa |
touch /var/lock/subsys/iptables
|
|
cvsdist |
bfa5afa |
fi
|
|
cvsdist |
bfa5afa |
}
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
stop() {
|
|
cvsdist |
bfa5afa |
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
|
|
cvsdist |
bfa5afa |
for i in $chains; do iptables -t $i -F; done && \
|
|
cvsdist |
bfa5afa |
success $"Flushing all chains:" || \
|
|
cvsdist |
bfa5afa |
failure $"Flushing all chains:"
|
|
cvsdist |
bfa5afa |
for i in $chains; do iptables -t $i -X; done && \
|
|
cvsdist |
bfa5afa |
success $"Removing user defined chains:" || \
|
|
cvsdist |
bfa5afa |
failure $"Removing user defined chains:"
|
|
cvsdist |
bfa5afa |
echo -n $"Resetting built-in chains to the default ACCEPT policy:"
|
|
cvsdist |
bfa5afa |
iptables -P INPUT ACCEPT && \
|
|
cvsdist |
bfa5afa |
iptables -P OUTPUT ACCEPT && \
|
|
cvsdist |
bfa5afa |
iptables -P FORWARD ACCEPT && \
|
|
cvsdist |
bfa5afa |
iptables -t nat -P PREROUTING ACCEPT && \
|
|
cvsdist |
bfa5afa |
iptables -t nat -P POSTROUTING ACCEPT && \
|
|
cvsdist |
bfa5afa |
iptables -t nat -P OUTPUT ACCEPT && \
|
|
cvsdist |
bfa5afa |
iptables -t mangle -P PREROUTING ACCEPT && \
|
|
cvsdist |
bfa5afa |
iptables -t mangle -P OUTPUT ACCEPT && \
|
|
cvsdist |
bfa5afa |
success $"Resetting built-in chains to the default ACCEPT policy" || \
|
|
cvsdist |
bfa5afa |
failure $"Resetting built-in chains to the default ACCEPT policy"
|
|
cvsdist |
bfa5afa |
echo
|
|
cvsdist |
bfa5afa |
rm -f /var/lock/subsys/iptables
|
|
cvsdist |
bfa5afa |
}
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
case "$1" in
|
|
cvsdist |
bfa5afa |
start)
|
|
cvsdist |
bfa5afa |
start
|
|
cvsdist |
bfa5afa |
;;
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
stop)
|
|
cvsdist |
bfa5afa |
stop
|
|
cvsdist |
bfa5afa |
;;
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
restart)
|
|
cvsdist |
bfa5afa |
# "restart" is really just "start" as this isn't a daemon,
|
|
cvsdist |
bfa5afa |
# and "start" clears any pre-defined rules anyway.
|
|
cvsdist |
bfa5afa |
# This is really only here to make those who expect it happy
|
|
cvsdist |
bfa5afa |
start
|
|
cvsdist |
bfa5afa |
;;
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
condrestart)
|
|
cvsdist |
bfa5afa |
[ -e /var/lock/subsys/iptables ] && start
|
|
cvsdist |
bfa5afa |
;;
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
status)
|
|
cvsdist |
bfa5afa |
echo $"Table: filter"
|
|
cvsdist |
bfa5afa |
iptables --list
|
|
cvsdist |
bfa5afa |
echo $"Table: nat"
|
|
cvsdist |
bfa5afa |
iptables -t nat --list
|
|
cvsdist |
bfa5afa |
echo $"Table: mangle"
|
|
cvsdist |
bfa5afa |
iptables -t mangle --list
|
|
cvsdist |
bfa5afa |
;;
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
panic)
|
|
cvsdist |
bfa5afa |
echo -n $"Changing target policies to DROP: "
|
|
cvsdist |
bfa5afa |
iptables -P INPUT DROP && \
|
|
cvsdist |
bfa5afa |
iptables -P FORWARD DROP && \
|
|
cvsdist |
bfa5afa |
iptables -P OUTPUT DROP && \
|
|
cvsdist |
bfa5afa |
iptables -t nat -P PREROUTING DROP && \
|
|
cvsdist |
bfa5afa |
iptables -t nat -P POSTROUTING DROP && \
|
|
cvsdist |
bfa5afa |
iptables -t nat -P OUTPUT DROP && \
|
|
cvsdist |
bfa5afa |
iptables -t mangle -P PREROUTING DROP && \
|
|
cvsdist |
bfa5afa |
iptables -t mangle -P OUTPUT DROP && \
|
|
cvsdist |
bfa5afa |
success $"Changing target policies to DROP" || \
|
|
cvsdist |
bfa5afa |
failure $"Changing target policies to DROP"
|
|
cvsdist |
bfa5afa |
echo
|
|
cvsdist |
bfa5afa |
iptables -F INPUT && \
|
|
cvsdist |
bfa5afa |
iptables -F FORWARD && \
|
|
cvsdist |
bfa5afa |
iptables -F OUTPUT && \
|
|
cvsdist |
bfa5afa |
iptables -t nat -F PREROUTING && \
|
|
cvsdist |
bfa5afa |
iptables -t nat -F POSTROUTING && \
|
|
cvsdist |
bfa5afa |
iptables -t nat -F OUTPUT && \
|
|
cvsdist |
bfa5afa |
iptables -t mangle -F PREROUTING && \
|
|
cvsdist |
bfa5afa |
iptables -t mangle -F OUTPUT && \
|
|
cvsdist |
bfa5afa |
success $"Flushing all chains:" || \
|
|
cvsdist |
bfa5afa |
failure $"Flushing all chains:"
|
|
cvsdist |
bfa5afa |
iptables -X INPUT && \
|
|
cvsdist |
bfa5afa |
iptables -X FORWARD && \
|
|
cvsdist |
bfa5afa |
iptables -X OUTPUT && \
|
|
cvsdist |
bfa5afa |
iptables -t nat -X PREROUTING && \
|
|
cvsdist |
bfa5afa |
iptables -t nat -X POSTROUTING && \
|
|
cvsdist |
bfa5afa |
iptables -t nat -X OUTPUT && \
|
|
cvsdist |
bfa5afa |
iptables -t mangle -X PREROUTING && \
|
|
cvsdist |
bfa5afa |
iptables -t mangle -X OUTPUT && \
|
|
cvsdist |
bfa5afa |
success $"Removing user defined chains:" || \
|
|
cvsdist |
bfa5afa |
failure $"Removing user defined chains:"
|
|
cvsdist |
bfa5afa |
;;
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
save)
|
|
cvsdist |
bfa5afa |
echo -n $"Saving current rules to $IPTABLES_CONFIG: "
|
|
cvsdist |
bfa5afa |
touch $IPTABLES_CONFIG
|
|
cvsdist |
bfa5afa |
chmod 600 $IPTABLES_CONFIG
|
|
cvsdist |
bfa5afa |
/sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && \
|
|
cvsdist |
bfa5afa |
success $"Saving current rules to $IPTABLES_CONFIG" || \
|
|
cvsdist |
bfa5afa |
failure $"Saving current rules to $IPTABLES_CONFIG"
|
|
cvsdist |
bfa5afa |
echo
|
|
cvsdist |
bfa5afa |
;;
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
*)
|
|
cvsdist |
bfa5afa |
echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
|
|
cvsdist |
bfa5afa |
exit 1
|
|
cvsdist |
bfa5afa |
esac
|
|
cvsdist |
bfa5afa |
|
|
cvsdist |
bfa5afa |
exit 0
|
|
cvsdist |
bfa5afa |
|