API tools faq
paste
Advertisement
rockdrilla

/etc/init.d/iptables-persistent rc.2

rockdrilla
Nov 20th, 2013
478
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 7.28 KB | None | 0 0
raw download clone embed print report diff
  1. #!/bin/sh
  2. #    Written by Simon Richter <sjr@debian.org>
  3. #    Modified by Jonathan Wiltshire <jmw@debian.org>
  4. #        with help from Christoph Anton Mitterer
  5. #    Modified by Konstantin Demin <rockdrilla@gmail.com>
  6. #        with God willing
  7.  
  8. ### BEGIN INIT INFO
  9. # Provides:          iptables-persistent
  10. # Required-Start:    mountkernfs $local_fs
  11. # Required-Stop:     $local_fs
  12. # Default-Start:     2 3 4 5
  13. # Default-Stop:      0 1 6
  14. # X-Start-Before:    $network
  15. # X-Stop-After:      $network
  16. # Short-Description: Set up iptables rules
  17. # Description:       Loads/saves current iptables rules from/to /etc/iptables
  18. #                    to provide a persistent rule set during boot time
  19. ### END INIT INFO
  20.  
  21. export PATH=/sbin:/bin
  22.  
  23. . /lib/lsb/init-functions
  24.  
  25. RULES=/etc/iptables/rules
  26. RULES_set=${RULES}.ipset
  27. RULES_v4=${RULES}.ipv4
  28. RULES_v6=${RULES}.ipv6
  29.  
  30.  
  31. binary_exist() {
  32.     IFS_BAK=${IFS} IFS=':' notfound=1
  33.  
  34.     # if PATH ends with ':' then search in current directory too (IFS hack)
  35.     case "${PATH}" in
  36.     *[!:]:) PATH="${PATH}:" ;;
  37.     esac
  38.  
  39.     case "$1" in
  40.     */*)
  41.         binary_exist_h "$1" && notfound=0
  42.     ;;
  43.     *)
  44.         for location in ${PATH}; do
  45.             test -z "${location}" && location=.
  46.             binary_exist_h "${location}/$1" && notfound=0 && break
  47.         done
  48.     ;;
  49.     esac
  50.     IFS=${IFS_BAK}
  51.     return ${notfound}
  52. }
  53. binary_exist_h() { test -f "$1" && test -x "$1"; }
  54.  
  55. # keep in sync with test_avail()
  56. init_avail() {
  57.     for subsys in ipset ipv4 ipv6; do
  58.         case "${subsys}" in
  59.         ipset)
  60.             dirs='/sys/module/ip_set '
  61.             files=
  62.             binaries='ipset '
  63.         ;;
  64.         ipv4)
  65.             dirs=
  66.             files='/proc/net/ip_tables_names '
  67.             binaries='iptables iptables-restore iptables-save '
  68.         ;;
  69.         ipv6)
  70.             dirs=
  71.             files='/proc/net/ip6_tables_names '
  72.             binaries='ip6tables ip6tables-restore ip6tables-save '
  73.         ;;
  74.         *) continue ;; # this may not happen at all.
  75.         esac
  76.  
  77.         for flavour in K U; do
  78.             err=0
  79.             case "${flavour}" in
  80.             K)  for i in ${dirs}; do test -d $i || err=1; done
  81.                 for i in ${files}; do test -e $i || err=1; done
  82.             ;;
  83.             U)  for i in ${binaries}; do binary_exist $i || err=1; done
  84.             ;;
  85.             *) continue ;; # this may not happen at all.
  86.             esac
  87.  
  88.             eval "avail_${subsys}_${flavour}() { return ${err};}"
  89.         done
  90.     done
  91.  
  92.     return 0
  93. }
  94.  
  95. test_avail() {
  96.     subsys=$1 flavour=
  97.     case "$2" in
  98.     kernel) flavour=K ;; # kernel-space
  99.     *)      flavour=U ;; # user-space
  100.     esac
  101.  
  102.     case "${subsys}" in
  103.     ipset) ;;
  104.     ipv4) ;;
  105.     ipv6) ;;
  106.     *) return 2 ;;
  107.     esac
  108.  
  109.     eval "avail_${subsys}_${flavour}"
  110. }
  111.  
  112. m_ok=' [ok]'
  113. m_skip=' [skip]'
  114. m_err=' {ERROR}'
  115.  
  116.  
  117. load_rules() {
  118.     log_action_begin_msg "Loading iptables rules"
  119.  
  120.     subsystems='ipset ipv4 ipv6'
  121.     test $# -ne 0 && subsystems=$@
  122.  
  123.     for i in ${subsystems}; do
  124.         title= cmd= file=
  125.         case "$i" in
  126.         ipset)  title=IPset  cmd=load_rules_ipset  file=${RULES_set} ;;
  127.         ipv4)   title=IPv4   cmd=load_rules_ipv4   file=${RULES_v4}  ;;
  128.         ipv6)   title=IPv6   cmd=load_rules_ipv6   file=${RULES_v6}  ;;
  129.         *)
  130.             # todo: notify user if subsystem isn't recognized or supported
  131.             continue
  132.         ;;
  133.         esac
  134.  
  135.         test_avail $i user || continue
  136.  
  137.         log_action_cont_msg " ${title}"
  138.  
  139.         if test -f ${file}; then
  140.             ${cmd} < ${file} 2> /dev/null
  141.  
  142.             if test $? -ne 0
  143.             then log_action_cont_msg "${m_err}"
  144. #           else log_action_cont_msg "${m_ok}"
  145.             fi
  146.         else
  147.             log_action_cont_msg "${m_skip}"
  148.         fi
  149.     done
  150.  
  151.     log_action_end_msg 0
  152.     return 0
  153. }
  154. load_rules_ipset() {
  155.     ipset restore
  156. }
  157. load_rules_ipv4() {
  158.     iptables-restore
  159. }
  160. load_rules_ipv6() {
  161.     ip6tables-restore
  162. }
  163.  
  164. save_rules() {
  165.     log_action_begin_msg "Saving rules"
  166.  
  167.     subsystems='ipset ipv4 ipv6'
  168.     test $# -ne 0 && subsystems=$@
  169.  
  170.     for i in ${subsystems}; do
  171.         title= cmd= file=
  172.         case "$i" in
  173.         ipset)  title=IPset  cmd=save_rules_ipset  file=${RULES_set} ;;
  174.         ipv4)   title=IPv4   cmd=save_rules_ipv4   file=${RULES_v4}  ;;
  175.         ipv6)   title=IPv6   cmd=save_rules_ipv6   file=${RULES_v6}  ;;
  176.         *)
  177.             # todo: notify user if subsystem isn't recognized or supported
  178.             continue
  179.         ;;
  180.         esac
  181.  
  182.         test_avail $i user || continue
  183.  
  184.         log_action_cont_msg " ${title}"
  185.  
  186.         if test -f ${file}; then
  187.             ${cmd} > ${file} 2> /dev/null
  188.  
  189.             if test $? -ne 0
  190.             then log_action_cont_msg "${m_err}"
  191. #           else log_action_cont_msg "${m_ok}"
  192.             fi
  193.         else
  194.             log_action_cont_msg "${m_skip}"
  195.         fi
  196.     done
  197.  
  198.     log_action_end_msg 0
  199.     return 0
  200. }
  201. save_rules_ipset() {
  202.     ipset save
  203. }
  204. save_rules_ipv4() {
  205.     iptables-save
  206. }
  207. save_rules_ipv6() {
  208.     ip6tables-save
  209. }
  210.  
  211. flush_rules() {
  212.     log_action_begin_msg "Flushing rules"
  213.  
  214.     # reversed order IS correct
  215.     subsystems='ipv6 ipv4 ipset'
  216.     test $# -ne 0 && subsystems=$@
  217.  
  218.     for i; do
  219.         case "$i" in
  220.         ipset)  title=IPSet  cmd=flush_rules_ipset ;;
  221.         ipv4)   title=IPv4   cmd=flush_rules_ipv4  ;;
  222.         ipv6)   title=IPv6   cmd=flush_rules_ipv6  ;;
  223.         *)
  224.             # todo: notify user if subsystem isn't recognized or supported
  225.             continue
  226.         ;;
  227.         esac
  228.  
  229.         test_avail $i || continue
  230.  
  231.         log_action_cont_msg " ${title}"
  232.  
  233.         if test_avail $i kernel; then
  234.             ${cmd}
  235.  
  236.             if test $? -ne 0
  237.             then log_action_cont_msg "${m_err}"
  238. #           else log_action_cont_msg "${m_ok}"
  239.             fi
  240.         else
  241.             log_action_cont_msg "${m_skip}"
  242.         fi
  243.     done
  244.  
  245.     log_action_end_msg 0
  246.     return 0
  247. }
  248. flush_rules_ipset() {
  249.     ipset flush
  250.     ipset destroy
  251. }
  252. flush_rules_ipv4() {
  253.     for chain in INPUT FORWARD OUTPUT; do
  254.         iptables -P ${chain} ACCEPT
  255.     done
  256.     for table in $(cat /proc/net/ip_tables_names); do
  257.         iptables -t ${table} -F
  258.         iptables -t ${table} -X
  259.         iptables -t ${table} -Z
  260.     done
  261. }
  262. flush_rules_ipv6() {
  263.     for chain in INPUT FORWARD OUTPUT; do
  264.         ip6tables -P ${chain} ACCEPT
  265.     done
  266.     for table in $(cat /proc/net/ip6_tables_names); do
  267.         ip6tables -t ${table} -F
  268.         ip6tables -t ${table} -X
  269.         ip6tables -t ${table} -Z
  270.     done
  271. }
  272.  
  273.  
  274. act=$1; shift
  275. case "${act}" in
  276. start|reload)
  277.     init_avail
  278.     load_rules "$@"
  279. ;;
  280. save)
  281.     init_avail
  282.     save_rules "$@"
  283. ;;
  284. flush)
  285.     init_avail
  286.     flush_rules "$@"
  287. ;;
  288. restart|force-reload)
  289.     init_avail
  290.     flush_rules "$@"
  291.     load_rules "$@"
  292. ;;
  293. stop)
  294.     # Why? because if stop is used, the firewall gets flushed for a variable
  295.     # amount of time during package upgrades, leaving the machine vulnerable
  296.     # It's also not always desirable to flush during purge
  297.     echo 'Automatic flushing disabled, use "flush" instead of "stop"' >&2
  298. ;;
  299. *)
  300.     echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
  301.     exit 1
  302. ;;
  303. esac
  304.  
  305. exit 0
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!