  1. #!/bin/sh
  2. #   Written by Simon Richter <sjr@debian.org>
  3. #   Modified by Jonathan Wiltshire <jmw@debian.org>
  4. #       with help from Christoph Anton Mitterer
  5. #   Modified by Konstantin Demin <rockdrilla@gmail.com>
  6. #       with God willing
  7.  
  8. ### BEGIN INIT INFO
  9. # Provides:          iptables-persistent
  10. # Required-Start:    mountkernfs $local_fs
  11. # Required-Stop:     $local_fs
  12. # Default-Start:     2 3 4 5
  13. # Default-Stop:      0 1 6
  14. # X-Start-Before:    $network
  15. # X-Stop-After:      $network
  16. # Short-Description: Set up iptables rules
  17. # Description:       Loads/saves current iptables rules from/to /etc/iptables
  18. #                    to provide a persistent rule set during boot time
  19. ### END INIT INFO
  20.  
  21. export PATH=/sbin:/bin
  22.  
  23. . /lib/lsb/init-functions
  24.  
  25. RULES=/etc/iptables/rules
  26. RULES_set=${RULES}.ipset
  27. RULES_v4=${RULES}.ipv4
  28. RULES_v6=${RULES}.ipv6
  29.  
  30.  
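#######################################
# Check whether a program is available (which(1)-like lookup).
# The original body was empty, which is a syntax error in sh and made the
# whole script unparseable; this uses the POSIX `command -v` builtin, so no
# external process is needed. Note that `command -v` also reports shell
# builtins and functions, not only files on PATH.
# Arguments: $1 - program name
# Returns:   0 if found, 1 otherwise (also for an empty name)
#######################################
binary_exist() {
    test -n "${1:-}" || return 1
    command -v "$1" >/dev/null 2>&1
}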
  34.  
# keep in sync with test_avail()
#######################################
# Probe each subsystem once and define the predicate functions
# avail_<subsys>_K (kernel side: directories/files present) and
# avail_<subsys>_U (user side: every binary found via binary_exist)
# for subsys in ipset, ipv4, ipv6. Each predicate returns 0 when the
# probe succeeded and 1 otherwise.
# Globals:   defines avail_*_K / avail_*_U; scratch vars subsys, dirs,
#            files, binaries, err, i (plain sh has no locals)
# Returns:   always 0
#######################################
init_avail() {
    for subsys in ipset ipv4 ipv6; do
        dirs= files= binaries=
        case "${subsys}" in
        ipset)
            dirs='/sys/module/ip_set'
            binaries='ipset'
        ;;
        ipv4)
            files='/proc/net/ip_tables_names'
            binaries='iptables iptables-restore iptables-save'
        ;;
        ipv6)
            files='/proc/net/ip6_tables_names'
            binaries='ip6tables ip6tables-restore ip6tables-save'
        ;;
        *) continue ;; # unreachable: the list above is fixed
        esac

        # kernel-space probe: every listed directory and file must exist
        err=0
        for i in ${dirs}; do
            test -d "$i" || err=1
        done
        for i in ${files}; do
            test -e "$i" || err=1
        done
        # eval is safe here: subsys comes from the fixed list above and
        # err is only ever 0 or 1
        eval "avail_${subsys}_K() { return ${err}; }"

        # user-space probe: every listed binary must be found
        err=0
        for i in ${binaries}; do
            binary_exist "$i" || err=1
        done
        eval "avail_${subsys}_U() { return ${err}; }"
    done

    return 0
}
  74.  
#######################################
# Query a predicate defined by init_avail().
# Arguments: $1 - subsystem: ipset, ipv4 or ipv6
#            $2 - "kernel" for the kernel-space probe; anything else
#                 (or omitted) selects the user-space probe
# Returns:   2 for an unknown subsystem, otherwise the status of
#            avail_<subsys>_<K|U> (command-not-found if init_avail() has
#            not run yet)
#######################################
test_avail() {
    subsys=$1
    case "$2" in
    kernel) flavour=K ;;
    *)      flavour=U ;;
    esac

    case "${subsys}" in
    ipset|ipv4|ipv6) ;;
    *) return 2 ;;
    esac

    # the name is fully validated above, so it can be invoked directly
    # without eval
    "avail_${subsys}_${flavour}"
}
  91.  
  92. m_ok=' [ok]'
  93. m_skip=' [skip]'
  94. m_err=' {ERROR}'
  95.  
  96.  
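#######################################
# Load saved rules for the requested subsystems.
# Arguments: $@ - subsystem names (ipset ipv4 ipv6); all three if none given
# Globals:   RULES_set, RULES_v4, RULES_v6 (read); m_err, m_skip (read);
#            scratch vars subsystems, i, title, cmd, file, failed
# Outputs:   progress via the LSB log_action_* helpers
# Returns:   0 if every attempted load succeeded, 1 if any failed.
#            Previously the function (and thus the init script) always
#            reported success even when a ruleset failed to load.
#######################################
load_rules() {
    log_action_begin_msg "Loading iptables rules"

    subsystems='ipset ipv4 ipv6'
    test $# -ne 0 && subsystems="$*"

    # named differently from the script-level status variable: plain sh
    # has no locals, so a nested assignment would clobber it
    failed=0
    for i in ${subsystems}; do
        title= cmd= file=
        case "$i" in
        ipset)  title=IPset  cmd=load_rules_ipset  file=${RULES_set} ;;
        ipv4)   title=IPv4   cmd=load_rules_ipv4   file=${RULES_v4}  ;;
        ipv6)   title=IPv6   cmd=load_rules_ipv6   file=${RULES_v6}  ;;
        *)
            # todo: notify user if subsystem isn't recognized or supported
            continue
        ;;
        esac

        test_avail "$i" user || continue

        log_action_cont_msg " ${title}"

        # a missing rules file is a deliberate skip, not an error
        if test -f "${file}"; then
            # stderr is discarded to keep boot output terse; the failure is
            # reported through the marker and the return status instead
            if ! ${cmd} < "${file}" 2> /dev/null; then
                failed=1
                log_action_cont_msg "${m_err}"
            fi
        else
            log_action_cont_msg "${m_skip}"
        fi
    done

    log_action_end_msg "${failed}"
    return "${failed}"
}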
load_rules_ipset() {
    # ipset reads the dump from stdin; load_rules() redirects the
    # ipset rules file into it
    ipset restore
}
load_rules_ipv4() {
    # iptables-restore reads the dump from stdin; load_rules() redirects
    # the IPv4 rules file into it
    iptables-restore
}
load_rules_ipv6() {
    # ip6tables-restore reads the dump from stdin; load_rules() redirects
    # the IPv6 rules file into it
    ip6tables-restore
}
  143.  
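#######################################
# Save the current rules for the requested subsystems.
# Saving is opt-in: a subsystem is only written when its rules file
# already exists; otherwise it is reported as skipped.
# Arguments: $@ - subsystem names (ipset ipv4 ipv6); all three if none given
# Globals:   RULES_set, RULES_v4, RULES_v6 (read); m_err, m_skip (read);
#            scratch vars subsystems, i, title, cmd, file, tmp, failed
# Outputs:   progress via the LSB log_action_* helpers
# Returns:   0 if every attempted save succeeded, 1 if any failed
#######################################
save_rules() {
    log_action_begin_msg "Saving rules"

    subsystems='ipset ipv4 ipv6'
    test $# -ne 0 && subsystems="$*"

    # named differently from the script-level status variable: plain sh
    # has no locals, so a nested assignment would clobber it
    failed=0
    for i in ${subsystems}; do
        title= cmd= file=
        case "$i" in
        ipset)  title=IPset  cmd=save_rules_ipset  file=${RULES_set} ;;
        ipv4)   title=IPv4   cmd=save_rules_ipv4   file=${RULES_v4}  ;;
        ipv6)   title=IPv6   cmd=save_rules_ipv6   file=${RULES_v6}  ;;
        *)
            # todo: notify user if subsystem isn't recognized or supported
            continue
        ;;
        esac

        test_avail "$i" user || continue

        log_action_cont_msg " ${title}"

        if test -f "${file}"; then
            # Dump into a temporary file beside the target and rename it
            # into place only on success. Redirecting straight into
            # "${file}" truncated it before the dump ran, so a failing
            # save left an empty ruleset for the next boot to load.
            # The replaced file carries mktemp's 0600 mode.
            tmp=$(mktemp "${file}.XXXXXX" 2> /dev/null)
            if test -n "${tmp}" \
                && ${cmd} > "${tmp}" 2> /dev/null \
                && mv -f -- "${tmp}" "${file}"; then
                :
            else
                failed=1
                test -n "${tmp}" && rm -f -- "${tmp}"
                log_action_cont_msg "${m_err}"
            fi
        else
            log_action_cont_msg "${m_skip}"
        fi
    done

    log_action_end_msg "${failed}"
    return "${failed}"
}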
save_rules_ipset() {
    # dumps all sets to stdout; save_rules() redirects it into the
    # ipset rules file
    ipset save
}
save_rules_ipv4() {
    # dumps the IPv4 tables to stdout; save_rules() redirects it into
    # the IPv4 rules file
    iptables-save
}
save_rules_ipv6() {
    # dumps the IPv6 tables to stdout; save_rules() redirects it into
    # the IPv6 rules file
    ip6tables-save
}
  190.  
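#######################################
# Flush the rules of the requested subsystems.
# Arguments: $@ - subsystem names (ipset ipv4 ipv6); all three if none given
# Globals:   m_err, m_skip (read); scratch vars subsystems, i, title, cmd,
#            failed
# Outputs:   progress via the LSB log_action_* helpers
# Returns:   0 if every attempted flush succeeded, 1 if any failed
#######################################
flush_rules() {
    log_action_begin_msg "Flushing rules"

    # reversed order IS correct: the tables are emptied before the sets
    # their rules may reference
    subsystems='ipv6 ipv4 ipset'
    test $# -ne 0 && subsystems="$*"

    # named differently from the script-level status variable: plain sh
    # has no locals, so a nested assignment would clobber it
    failed=0
    # iterate the resolved list; the previous `for i; do` walked the raw
    # positional parameters, so a bare "flush" (and thus "restart")
    # flushed nothing at all
    for i in ${subsystems}; do
        title= cmd=
        case "$i" in
        ipset)  title=IPset  cmd=flush_rules_ipset ;; # spelling matches load/save
        ipv4)   title=IPv4   cmd=flush_rules_ipv4  ;;
        ipv6)   title=IPv6   cmd=flush_rules_ipv6  ;;
        *)
            # todo: notify user if subsystem isn't recognized or supported
            continue
        ;;
        esac

        test_avail "$i" user || continue

        log_action_cont_msg " ${title}"

        # without the kernel side there is nothing to flush
        if test_avail "$i" kernel; then
            if ! ${cmd}; then
                failed=1
                log_action_cont_msg "${m_err}"
            fi
        else
            log_action_cont_msg "${m_skip}"
        fi
    done

    log_action_end_msg "${failed}"
    return "${failed}"
}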
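#######################################
# Empty every set, then remove the sets themselves.
# destroy is still attempted when flush fails; previously the function's
# status was that of the last command alone, so a failed flush followed
# by a successful destroy reported success.
# Globals:   scratch var step_failed
# Returns:   0 if both steps succeeded, 1 otherwise
#######################################
flush_rules_ipset() {
    step_failed=0
    ipset flush || step_failed=1
    ipset destroy || step_failed=1
    return "${step_failed}"
}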
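#######################################
# Flush all IPv4 tables: reset the built-in filter chain policies to
# ACCEPT, then flush, delete and zero every registered table.
# Policies go first because a DROP policy with no rules left would cut
# all traffic. Previously only the status of the very last command was
# returned, so earlier failures were masked.
# Globals:   scratch vars step_failed, chain, tables, table
# Returns:   0 if every step succeeded, 1 otherwise
#######################################
flush_rules_ipv4() {
    step_failed=0
    for chain in INPUT FORWARD OUTPUT; do
        iptables -P "${chain}" ACCEPT || step_failed=1
    done
    # snapshot the list of registered tables before modifying them
    tables=$(cat /proc/net/ip_tables_names) || step_failed=1
    for table in ${tables}; do
        iptables -t "${table}" -F || step_failed=1
        iptables -t "${table}" -X || step_failed=1
        iptables -t "${table}" -Z || step_failed=1
    done
    return "${step_failed}"
}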
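#######################################
# Flush all IPv6 tables: reset the built-in filter chain policies to
# ACCEPT, then flush, delete and zero every registered table.
# Policies go first because a DROP policy with no rules left would cut
# all traffic. Previously only the status of the very last command was
# returned, so earlier failures were masked.
# Globals:   scratch vars step_failed, chain, tables, table
# Returns:   0 if every step succeeded, 1 otherwise
#######################################
flush_rules_ipv6() {
    step_failed=0
    for chain in INPUT FORWARD OUTPUT; do
        ip6tables -P "${chain}" ACCEPT || step_failed=1
    done
    # snapshot the list of registered tables before modifying them
    tables=$(cat /proc/net/ip6_tables_names) || step_failed=1
    for table in ${tables}; do
        ip6tables -t "${table}" -F || step_failed=1
        ip6tables -t "${table}" -X || step_failed=1
        ip6tables -t "${table}" -Z || step_failed=1
    done
    return "${step_failed}"
}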
  252.  
  253.  
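# Dispatch on the requested action; any further arguments restrict the
# operation to the named subsystems (ipset ipv4 ipv6).
# A bare `shift` with no positional parameters is an error in POSIX sh
# (fatal in dash), so an invocation without an action never reached the
# usage message; guard the shift instead.
act=${1:-}
test $# -gt 0 && shift

# script exit status: collect the *_rules return codes so a failed load,
# save or flush is visible to the caller instead of always exiting 0
rc=0
case "${act}" in
start|reload)
    init_avail
    load_rules "$@" || rc=$?
;;
save)
    init_avail
    save_rules "$@" || rc=$?
;;
flush)
    init_avail
    flush_rules "$@" || rc=$?
;;
restart|force-reload)
    init_avail
    flush_rules "$@" || rc=$?
    load_rules "$@" || rc=$?
;;
stop)
    # Why? because if stop is used, the firewall gets flushed for a variable
    # amount of time during package upgrades, leaving the machine vulnerable
    # It's also not always desirable to flush during purge
    printf '%s\n' 'Automatic flushing disabled, use "flush" instead of "stop"' >&2
;;
*)
    printf '%s\n' "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
    exit 1
;;
esac

exit "${rc}"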