[CentOS] /etc/init.d/iptables
#!/bin/sh
#
# iptables  Start iptables firewall
#
# chkconfig: 2345 08 92
# description:  Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO

# Init-script helpers (success/failure/warning).
. /etc/init.d/functions

IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
# "ip" for ipv4, "ip6" for ipv6 — derived from the tool name.
IPV=${IPTABLES%tables}
if [ "$IPV" = "ip" ]; then
    _IPV="ipv4"
else
    _IPV="ipv6"
fi
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES

# Root only (LSB exit 4: insufficient privilege).
[ "$EUID" = 0 ] || exit 4

# LSB exit 5: program not installed.
if [ ! -x /sbin/$IPTABLES ]; then
    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
    exit 5
fi

# module-init-tools prints lsmod in a different format than old modutils;
# rmmod_r() selects its parser on this flag.
if /sbin/modprobe --version 2>&1 | grep -q module-init-tools; then
    NEW_MODUTILS=1
else
    NEW_MODUTILS=0
fi

# Built-in defaults; $IPTABLES_CONFIG may override any of them.
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"

# The config file is sourced as shell code and therefore executes as root:
# it must stay root-owned and not writable by other users.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

# Netfilter modules loaded for this family (first lsmod column matching
# iptable_* / ip6table_*), plus the core ${IPV}_tables module.
NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
# Shared by the v4 and v6 stacks, so only unloaded best-effort.
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack)

# Tables currently present in the kernel, one name per line.
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
  64.  
  65.  
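rmmod_r() {
    # Unload module $1 together with every module that references it:
    # referring modules first (recursively), then the module itself.
    # Each unload that fails is counted and its name printed, so the caller's
    # status line shows what was left behind.
    # Arguments: $1 - module name as listed by lsmod / /proc/modules
    # Returns:   number of modules that could not be unloaded (0 = all gone)
    local mod=$1
    local ret=0
    local ref=
    local res=0
    local i

    # Referring modules ("Used by" column).  The name is anchored on the
    # following blank so that e.g. "nf_nat" does not also match
    # "nf_nat_ipv4"; the two modutils generations differ in output format.
    if [ "$NEW_MODUTILS" = 1 ]; then
        ref=$(lsmod | awk "/^${mod}[[:space:]]/ { print \$4; }" | tr ',' ' ')
    else
        ref=$(lsmod | grep "^${mod}[[:space:]]" | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
    fi

    # Recurse into every referring module before touching this one.
    for i in $ref; do
        rmmod_r "$i"
        ret=$((ret + $?))
    done

    # Unload the module itself.  Re-check /proc/modules first: on 2.6 the
    # module may already have been auto-cleaned once its users went away.
    if grep -q "^${mod} " /proc/modules; then
        modprobe -r "$mod" > /dev/null 2>&1
        res=$?
        [ $res -eq 0 ] || echo -n " $mod"
        ret=$((ret + res))
    fi

    return $ret
}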
  97.  
flush_n_delete() {
    # Flush rules, delete user chains and zero counters in every active table.
    # Returns 0 when the netfilter tables are not loaded at all, 1 when no
    # table is configured, otherwise the number of failed iptables commands.
    # (ret is a global, not a local.)
    [ -e "$PROC_IPTABLES_NAMES" ] || return 0
    [ -n "$NF_TABLES" ] || return 1

    echo -n $"${IPTABLES}: Flushing firewall rules: "
    ret=0
    local table
    for table in $NF_TABLES; do
        $IPTABLES -t $table -F
        ret=$((ret + $?))
        $IPTABLES -t $table -X
        ret=$((ret + $?))
        $IPTABLES -t $table -Z
        ret=$((ret + $?))
    done

    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}
  126.  
set_policy() {
    # Set the default policy of every built-in chain in every active table.
    # Arguments: $1 - policy to apply (e.g. ACCEPT or DROP)
    # Returns 0 when the tables are not loaded, 1 when none is configured,
    # otherwise the number of tables whose policy could not be set
    # (a table this script does not know counts as a failure).
    # policy, tables, ret and i are globals, as elsewhere in this script.
    policy=$1

    [ -e "$PROC_IPTABLES_NAMES" ] || return 0
    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
    [ -n "$tables" ] || return 1

    echo -n $"${IPTABLES}: Setting chains to policy $policy: "
    ret=0
    local chains chain failed
    for i in $tables; do
        echo -n "$i "
        case "$i" in
            raw)    chains="PREROUTING OUTPUT" ;;
            filter) chains="INPUT OUTPUT FORWARD" ;;
            nat)    chains="PREROUTING POSTROUTING OUTPUT" ;;
            mangle) chains="PREROUTING POSTROUTING INPUT OUTPUT FORWARD" ;;
            *)      chains= ;;
        esac
        failed=0
        if [ -z "$chains" ]; then
            failed=1
        else
            # Stop at the first chain that cannot be set; one failure per table.
            for chain in $chains; do
                $IPTABLES -t "$i" -P "$chain" $policy || { failed=1; break; }
            done
        fi
        ret=$((ret + failed))
    done

    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}
  178.  
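start() {
    # Apply the saved rule set, then load any configured helper modules.
    # Returns: 6 when there is no rule file, 150 when ipv6 is disabled through
    # modprobe configuration, 1 when the restore fails, otherwise the number
    # of helper modules that failed to load (0 on full success).
    [ -f "$IPTABLES_DATA" ] || return 6

    # Refuse to load IPv6 rules when the ipv6 module is neutralised by an
    # "install ipv6 /bin/true|false" line.
    if [ "${_IPV}" = "ipv6" ] \
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
        echo $"${IPTABLES}: ${_IPV} is disabled."
        return 150
    fi

    echo -n $"${IPTABLES}: Applying firewall rules: "

    # -c restores packet/byte counters too; $OPT stays unquoted on purpose
    # so that an empty value passes no argument.
    OPT=
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    if $IPTABLES-restore $OPT "$IPTABLES_DATA"; then
        success; echo
    else
        failure; echo; return 1
    fi

    # Reset the global ret before the optional module loop: otherwise a
    # status left behind by an earlier call (stop() during restart sets it)
    # would be returned as this function's own when IPTABLES_MODULES is empty.
    ret=0
    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n $"${IPTABLES}: Loading additional modules: "
        local mod
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe $mod > /dev/null 2>&1
            ret=$((ret + $?))
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    touch "$VAR_SUBSYS_IPTABLES"
    return $ret
}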
  218.  
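stop() {
    # Flush the rules, reset every policy to ACCEPT and, when configured,
    # unload the netfilter modules.  Returns 0 when the tables are not
    # loaded; otherwise the number of modules that could not be unloaded
    # (0 when unloading is disabled).
    [ -e "$PROC_IPTABLES_NAMES" ] || return 0

    flush_n_delete
    set_policy ACCEPT

    # Both helpers above assign the global ret; reset it here so the status
    # returned reflects module unloading on every path, not only when
    # IPTABLES_MODULES_UNLOAD=yes.
    ret=0
    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
        echo -n $"${IPTABLES}: Unloading modules: "
        local mod
        for mod in "${NF_MODULES[@]}"; do
            rmmod_r "$mod"
            ret=$((ret + $?))
        done
        # Modules shared with the other protocol family may still be in use:
        # their unload is best-effort, silent and not counted.
        for mod in "${NF_MODULES_COMMON[@]}"; do
            rmmod_r "$mod" >/dev/null
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    rm -f "$VAR_SUBSYS_IPTABLES"
    return $ret
}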
  245.  
save() {
    # Write the current rule set to $IPTABLES_DATA, keeping the previous
    # file as $IPTABLES_DATA.save.
    # Returns: 0 if the netfilter tables are not loaded (nothing to save),
    #          6 if no table is configured, 1 on any failure, otherwise 0.
    # Check if iptable module is loaded
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    # Check if firewall is configured (has tables)
    [ -z "$NF_TABLES" ] && return 6

    echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "

    # -c also saves packet/byte counters (IPTABLES_SAVE_COUNTER=yes).
    OPT=
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    # Dump into a mktemp-created file beside the target (the final mv then
    # stays within the same directory), restrict it to root before it is
    # filled, and reject an empty dump so a failed iptables-save can never
    # replace the rule file with nothing.  Any failing step sets ret=1.
    ret=0
    TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
    && chmod 600 "$TMP_FILE" \
    && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
    && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
    || ret=1
    if [ $ret -eq 0 ]; then
        # Keep a copy of the previous rule file, mode 600, SELinux-relabelled.
        # NOTE(review): restorecon failing here or below aborts the save
        # (ret=1); on a host without SELinux tooling, confirm it is present.
        if [ -e $IPTABLES_DATA ]; then
            cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
            && chmod 600 $IPTABLES_DATA.save \
            && restorecon $IPTABLES_DATA.save \
            || ret=1
        fi
        # Move the new dump into place and fix up mode and SELinux label.
        if [ $ret -eq 0 ]; then
            mv -f $TMP_FILE $IPTABLES_DATA \
            && chmod 600 $IPTABLES_DATA \
            && restorecon $IPTABLES_DATA \
            || ret=1
        fi
    fi
    # After a successful mv the temp file is already gone; this is the
    # cleanup for every failure path.
    rm -f $TMP_FILE
    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}
  283.  
status() {
    # Print the rules of every active table.
    # Returns 3 (LSB: not running) when neither the lock file nor any table
    # exists, when the netfilter tables are not loaded, or when no table is
    # configured; otherwise 0.
    if [ ! -f "$VAR_SUBSYS_IPTABLES" ] && [ -z "$NF_TABLES" ]; then
        echo $"${IPTABLES}: Firewall is not running."
        return 3
    fi

    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
        echo $"${IPTABLES}: Firewall modules are not loaded."
        return 3
    fi

    if [ -z "$NF_TABLES" ]; then
        echo $"${IPTABLES}: Firewall is not configured. "
        return 3
    fi

    # Listing options from the config file; each stays empty when disabled
    # and is passed unquoted so that it contributes no argument.
    NUM=
    VERBOSE=
    COUNT=
    if [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ]; then
        NUM="-n"
    fi
    if [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ]; then
        VERBOSE="--verbose"
    fi
    if [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ]; then
        COUNT="--line-numbers"
    fi

    local table
    for table in $NF_TABLES; do
        echo $"Table: $table"
        $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
    done

    return 0
}
  318.  
restart() {
    # Save first when configured, then stop and start.
    # The exit status is that of start (the last command).
    if [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ]; then
        save
    fi
    stop
    start
}
  324.  
  325.  
# Dispatch on the requested action; RETVAL becomes the script's exit status.
case "$1" in
    start)
        # Lock file present: already running, nothing to do.
        if [ -f "$VAR_SUBSYS_IPTABLES" ]; then
            exit 0
        fi
        start; RETVAL=$?
        ;;
    stop)
        if [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ]; then
            save
        fi
        stop; RETVAL=$?
        ;;
    restart|force-reload)
        restart; RETVAL=$?
        ;;
    reload)
        # Not supported: LSB status 3.
        RETVAL=3
        ;;
    condrestart|try-restart)
        # Only restart a service that is currently running.
        if [ ! -e "$VAR_SUBSYS_IPTABLES" ]; then
            exit 0
        fi
        restart; RETVAL=$?
        ;;
    status)
        status; RETVAL=$?
        ;;
    panic)
        # Emergency lock-down: flush everything and DROP in every table.
        flush_n_delete
        set_policy DROP; RETVAL=$?
        ;;
    save)
        save; RETVAL=$?
        ;;
    *)
        echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
        RETVAL=2
        ;;
esac

exit $RETVAL