
#!/bin/sh
#
# iptables Start iptables firewall
#
# chkconfig: - 08 92
# description: Automates a packet filtering firewall with iptables
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables_params

# Read by the function library sourced below (presumably switches off its
# rc-compat layer; check /etc/init.d/functions for the exact effect).
WITHOUT_RC_COMPAT=1

# Source function library
# The helpers used below (SourceIfNotEmpty, action, success, failure, passed,
# is_yes, msg_usage) are expected to come from here.
. /etc/init.d/functions

# Defaults.  Keep IPTABLES first: the file names and the *-restore/*-save
# command names below are derived from it.
IPTABLES=iptables
# Command the rules file is piped through in start() before comments are
# stripped and the result is handed to $IPTABLES_RESTORE.  It is executed with
# the script's privileges on the rules file, so it should only ever be set
# from the params file under /etc/sysconfig.
IPTABLES_FILTER=cat
IPTABLES_RESTORE="$IPTABLES-restore"
# Extra arguments for the restore/save/status commands; they are expanded
# unquoted where used, so several arguments may be given.
IPTABLES_RESTORE_ARGS=
IPTABLES_SAVE="$IPTABLES-save"
IPTABLES_SAVE_ARGS=
IPTABLES_STATUS_ARGS=
# yes/no: dump the live rules to $IPTABLES_DATA before stop / restart
IPTABLES_SAVE_ON_STOP=no
IPTABLES_SAVE_ON_RESTART=no
# Rules file fed to $IPTABLES_RESTORE by start() and overwritten by save().
IPTABLES_DATA="/etc/sysconfig/$IPTABLES"
# Optional list of kernel modules to load before the rules, "module [args]" per line.
IPTABLES_MODULES="/etc/sysconfig/${IPTABLES}_modules"
# Optional overrides for any of the settings above.
IPTABLES_CONFIG="/etc/sysconfig/${IPTABLES}_params"
# Created by a successful start(), removed by stop() and by a failed start();
# condrestart/condstop test for it.
LOCKFILE="/var/lock/subsys/$IPTABLES"
IPV="${IPTABLES%tables}" # "tables" stripped: ip for iptables, ip6 for ip6tables
# Kernel list of loaded tables; non-empty means "firewall started" (see read_tables).
IPTABLES_TABLES_NAMES="/proc/net/${IPV}_tables_names"

# Source config
# Sourced after the defaults so the params file can override any of them
# (SourceIfNotEmpty presumably sources the file only when it exists and is non-empty).
SourceIfNotEmpty "$IPTABLES_CONFIG"
RETVAL=0

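#######################################
# Load the kernel modules listed in $IPTABLES_MODULES, one "module [args...]"
# per line.  Empty lines and lines whose first word starts with '#' are ignored.
# Globals:   IPTABLES_MODULES, IPTABLES (read)
# Returns:   0 when the file is missing or empty; otherwise the status of the
#            last loop iteration (callers currently ignore it).  A module that
#            fails to load is only reported through action().
#######################################
load_modules()
{
  local module args

  [ -s "$IPTABLES_MODULES" ] || return 0

  # -r keeps backslashes in the file literal (the original read without -r).
  # The trailing [ -n "$module" ] still processes a last line that has no
  # newline, which is what the original's "(cat file; echo)" pipe was for.
  while read -r module args || [ -n "$module" ]; do
    # Ignore empty lines and comments
    [ -n "${module##\#*}" ] || continue

    # $args is deliberately unquoted: it may hold several modprobe parameters.
    action "Loading module $module for $IPTABLES:" \
      modprobe "$module" $args 2>/dev/null
  done <"$IPTABLES_MODULES"
}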

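#######################################
# Read the rules file, strip comments and blank lines, and feed the result to
# $IPTABLES_RESTORE.  Refuses to run while ipchains is loaded.
# Globals:   IPTABLES, IPTABLES_FILTER, IPTABLES_DATA, IPTABLES_RESTORE,
#            IPTABLES_RESTORE_ARGS, LOCKFILE (read); RETVAL (written)
# Outputs:   progress messages to stdout
# Returns:   0 when the rules were applied (lock file created), non-zero
#            otherwise (lock file removed)
#######################################
start()
{
  local tmp=

  # The filtered rules go through a private mktemp file so that an empty or
  # unreadable ruleset is detected ([ -s ]) before anything is applied.
  tmp=$(mktemp -t "$IPTABLES.XXXXXXXX") &&
    $IPTABLES_FILTER <"$IPTABLES_DATA" |
    grep -E -v '^[[:space:]]*(#|$)' >"$tmp" &&
    [ -s "$tmp" ]
  RETVAL=$?
  if [ $RETVAL -ne 0 ]; then
    [ -z "$tmp" ] || rm -f -- "$tmp"
    printf %s $"$IPTABLES firewall is not configured"
    passed "$IPTABLES start"
    echo
    return $RETVAL
  fi

  # ipchains and iptables cannot coexist; the original leaked $tmp here.
  if [ -e /proc/net/ip_fwchains ]; then
    rm -f -- "$tmp"
    printf %s $"ipchains and $IPTABLES can not be used together"
    passed "$IPTABLES start"
    echo
    RETVAL=1
    return $RETVAL
  fi

  load_modules

  # $IPTABLES_RESTORE_ARGS is deliberately unquoted (may hold several args).
  action $"Applying $IPTABLES firewall rules:" \
    $IPTABLES_RESTORE $IPTABLES_RESTORE_ARGS <"$tmp"
  RETVAL=$?
  rm -f -- "$tmp"
  # The lock file is what condrestart/condstop test for.  A failed restore is
  # not rolled back here: the kernel tables stay in whatever state
  # $IPTABLES_RESTORE left them.
  if [ $RETVAL -eq 0 ]; then
    touch "$LOCKFILE"
  else
    rm -f -- "$LOCKFILE"
  fi

  return $RETVAL
}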

# Names of the tables currently present in the kernel, as read from
# $IPTABLES_TABLES_NAMES by read_tables (one name per line; empty until then).
tables=

#######################################
# Refresh $tables from the kernel.  An unreadable or empty list means the
# firewall is not started.
# Globals:   IPTABLES_TABLES_NAMES (read); tables (written)
# Returns:   0 if at least one table name was read, non-zero otherwise
#######################################
read_tables()
{
  tables=$(cat -- "$IPTABLES_TABLES_NAMES" 2>/dev/null) &&
    [ -n "$tables" ]
}

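#######################################
# Set the default policy of every built-in chain of every table in $tables.
# Tables this function does not know (anything other than raw, filter, nat,
# mangle) are skipped and keep their current policies.
# Globals:   IPTABLES, tables (read); RETVAL (written)
# Arguments: $1 - policy to apply (ACCEPT or DROP in this script)
# Outputs:   progress to stdout
# Returns:   0 if every policy was set, 1 if any iptables call failed
#######################################
set_policy()
{
  local policy table chain chains
  policy="$1"

  printf %s $"Setting chains policy to $policy: "
  RETVAL=0
  for table in $tables; do
    printf %s "$table "
    case "$table" in
      raw) chains='PREROUTING OUTPUT' ;;
      filter) chains='INPUT OUTPUT FORWARD' ;;
      nat) chains='PREROUTING POSTROUTING OUTPUT' ;;
      mangle) chains='PREROUTING POSTROUTING INPUT OUTPUT FORWARD' ;;
      *) continue ;;
    esac
    # Every chain is attempted even after a failure (the original stopped at
    # the first failing chain of a table), so a panic gets as far as it can;
    # the failure is still reported through RETVAL.
    for chain in $chains; do
      $IPTABLES -t "$table" -P "$chain" "$policy" || RETVAL=1
    done
  done
  if [ "$RETVAL" -eq 0 ]; then
    success "Setting chains policy to $policy"
  else
    failure "Setting chains policy to $policy"
  fi
  echo
  return $RETVAL
}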

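#######################################
# Run one iptables operation against every table in $tables, reporting
# progress the same way for each step of flush_delete().
# Globals:   IPTABLES, tables (read); RETVAL (set to 1 on any failure)
# Arguments: $1 - prompt printed before the table names
#            $2 - label handed to success/failure
#            $3 - iptables flag to run per table (-F, -X or -Z)
# Returns:   0 if every table succeeded, 1 otherwise
#######################################
flush_delete_step()
{
  local prompt="$1" label="$2" op="$3" table

  printf %s "$prompt"
  for table in $tables; do
    printf %s "$table "
    $IPTABLES -t "$table" "$op" || RETVAL=1
  done
  if [ "$RETVAL" -eq 0 ]; then
    success "$label"
  else
    failure "$label"
  fi
  echo
  return $RETVAL
}

#######################################
# Flush all rules, delete user-defined chains and zero the counters of every
# table in $tables.  Stops at the first step that fails.
# Globals:   IPTABLES, tables (read); RETVAL (written)
# Returns:   0 on success, 1 if any iptables call failed
#######################################
flush_delete()
{
  RETVAL=0

  flush_delete_step $"Flushing firewall rules: " \
    "Flushing firewall rules" -F || return $RETVAL
  flush_delete_step $"Removing user defined chains: " \
    "Removing user defined chains" -X || return $RETVAL
  flush_delete_step $"Zeroing packet and byte counters: " \
    "Zeroing packet and byte counters" -Z
  return $RETVAL
}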

#######################################
# modprobe -r the table module (<ipv>table_<name>) of every table in $tables.
# Globals:   IPV, tables (read)
# Returns:   always 0; a module that cannot be unloaded is only reported
#            through action()
#######################################
unload_modules()
{
  local table

  for table in $tables; do
    action "Unloading module ${IPV}table_${table}:" \
      modprobe -r "${IPV}table_${table}"
  done
  return 0
}

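#######################################
# List the rules of every table currently in the kernel.
# Globals:   IPTABLES, IPTABLES_STATUS_ARGS, tables (read); RETVAL (written)
# Outputs:   a "Table: <name>" header followed by the listing, per table
# Returns:   0 when every table was listed, 1 when the firewall is not started
#            or a listing failed (the original still returned 0 in that case)
#######################################
fwstatus()
{
  local i

  if read_tables; then
    RETVAL=0
    for i in $tables; do
      printf '%s\n' $"Table: $i"
      # $IPTABLES_STATUS_ARGS is deliberately unquoted (may hold several args).
      if $IPTABLES -t "$i" --list $IPTABLES_STATUS_ARGS; then
        echo
      else
        RETVAL=1
      fi
    done
  else
    printf '%s\n' $"$IPTABLES firewall is not started"
    RETVAL=1
  fi

  return $RETVAL
}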

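#######################################
# Dump the live kernel rules into $IPTABLES_DATA, keeping the previous
# non-empty file reachable as $IPTABLES_DATA.save.
# Globals:   IPTABLES, IPTABLES_SAVE, IPTABLES_SAVE_ARGS, IPTABLES_DATA (read);
#            RETVAL (written)
# Outputs:   progress to stdout
# Returns:   0 on success, 1 if the firewall is not started or the save failed
#######################################
save()
{
  local tmp=

  if read_tables; then
    printf %s $"Saving current rules to $IPTABLES_DATA: "
    # The dump is written to a mktemp file next to the target (mktemp creates
    # it 0600) and only renamed over the old file once complete, so a failed
    # save never leaves a truncated rules file behind.
    # $IPTABLES_SAVE_ARGS is deliberately unquoted (may hold several args).
    if tmp=$(mktemp "$IPTABLES_DATA.XXXXXXXX") &&
       $IPTABLES_SAVE $IPTABLES_SAVE_ARGS >"$tmp"; then
      # Hard-link the previous file as .save before replacing it
      [ -s "$IPTABLES_DATA" ] &&
        ln -f -- "$IPTABLES_DATA" "$IPTABLES_DATA.save"
      mv -f -- "$tmp" "$IPTABLES_DATA"
      RETVAL=$?
    else
      RETVAL=1
    fi
    if [ $RETVAL -eq 0 ]; then
      success "Saving current rules to $IPTABLES_DATA"
    else
      failure "Saving current rules to $IPTABLES_DATA"
      [ -z "$tmp" ] || rm -f -- "$tmp"
    fi
    echo
  else
    printf %s $"$IPTABLES firewall is not started"
    passed "$IPTABLES save"
    echo
    RETVAL=1
  fi

  return $RETVAL
}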

#######################################
# Open the firewall: policies to ACCEPT, rules flushed, user chains deleted
# and table modules unloaded.  The lock file is removed whether or not the
# firewall was running.
# Globals:   IPTABLES, LOCKFILE, tables (read); RETVAL (written)
# Returns:   0 on success, 1 if the firewall was not started or a step failed
#######################################
stop()
{
  if ! read_tables; then
    printf %s $"$IPTABLES firewall is not started"
    passed "$IPTABLES stop"
    echo
    RETVAL=1
  else
    # Each step only runs if the previous one succeeded
    set_policy ACCEPT && flush_delete && unload_modules
    RETVAL=$?
  fi

  rm -f -- "$LOCKFILE"
  return $RETVAL
}

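#######################################
# Emergency close: every policy to DROP, then rules flushed and user chains
# deleted.  Unlike stop(), table modules stay loaded and the lock file is kept.
# Globals:   IPTABLES, tables (read); RETVAL (written)
# Returns:   0 on success, 1 if the firewall is not started or a step failed.
#            The original had RETVAL=$? as the last link of the && chain, so
#            it was only assigned on success and the failure case depended on
#            set_policy/flush_delete having set the global RETVAL themselves;
#            this mirrors stop() instead.
#######################################
panic()
{
  if read_tables; then
    set_policy DROP &&
      flush_delete
    RETVAL=$?
  else
    printf %s $"$IPTABLES firewall is not started"
    passed "$IPTABLES panic"
    echo
    RETVAL=1
  fi

  return $RETVAL
}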

# Dispatch on the requested action.  Every handler leaves its status in
# RETVAL, which becomes the script's exit code.  Note that restart/reload only
# re-run start (no stop in between), and that condrestart/condstop act only
# when the lock file left by a successful start exists.
case "$1" in
  condrestart)
    [ -e "$LOCKFILE" ] && start
    ;;
  condstop)
    [ -e "$LOCKFILE" ] && stop
    ;;
  panic)
    panic
    ;;
  restart|reload)
    is_yes "$IPTABLES_SAVE_ON_RESTART" && save
    start
    ;;
  save)
    save
    ;;
  start)
    start
    ;;
  status)
    fwstatus
    ;;
  stop)
    is_yes "$IPTABLES_SAVE_ON_STOP" && save
    stop
    ;;
  *)
    msg_usage "${0##*/} {condrestart|condstop|panic|restart|save|start|status|stop}"
    RETVAL=1
    ;;
esac

exit $RETVAL
 