3 # iptables Start iptables firewall
5 # chkconfig: 2345 08 92
6 # description: Starts, stops and saves iptables firewall
8 # config: /etc/sysconfig/iptables
9 # config: /etc/sysconfig/iptables-config
13 # Default-Start: 2 3 4 5
15 # Short-Description: start and stop iptables firewall
16 # Description: Start, stop and save iptables firewall
19 # from http://fr2.rpmfind.net/linux/fedora/releases/10/Everything/source/SRPMS/iptables-1.4.1.1-2.fc10.src.rpm
21 # Source function library.
22 . /etc/init.d/functions
25 IPTABLES_DATA=/etc/sysconfig/$IPTABLES
26 IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
27 IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
28 [ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
29 PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
30 VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
32 if [ ! -x /sbin/$IPTABLES ]; then
33 echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
38 /sbin/modprobe --version 2>&1 | grep -q module-init-tools \
42 # Default firewall configuration:
44 IPTABLES_MODULES_UNLOAD="yes"
45 IPTABLES_SAVE_ON_STOP="no"
46 IPTABLES_SAVE_ON_RESTART="no"
47 IPTABLES_SAVE_COUNTER="no"
48 IPTABLES_STATUS_NUMERIC="yes"
50 # Load firewall configuration.
51 [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
54 NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
55 NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
58 NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
62 # Unload module with all referring modules.
# First every module that references it is unloaded (recursively), then the module itself.
68 # Get referring modules.
# Newer module-init-tools (NEW_MODUTILS=1) list the referring modules in lsmod's fourth column; older modutils print them in square brackets.
70 [ $NEW_MODUTILS = 1 ] \
71 && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \
72 || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
74 # recursive call for all referring modules
# Re-check /proc/modules before unloading: on 2.6 kernels the module may already
# have been removed automatically once all modules referencing it were unloaded.
83 if grep -q "^${mod}" /proc/modules ; then
84 modprobe -r $mod > /dev/null 2>&1
86 [ $res -eq 0 ] || echo -n " $mod"
94 # Flush firewall rules and delete chains.
95 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
97 # Check if firewall is configured (has tables)
98 [ -z "$NF_TABLES" ] && return 1
100 echo -n $"${IPTABLES}: Flushing firewall rules: "
103 for i in $NF_TABLES; do
104 # Flush firewall rules.
108 # Delete firewall chains.
112 # Set counter to zero.
117 [ $ret -eq 0 ] && success || failure
123 # Set policy for configured tables.
# Check if the iptables module is loaded (its /proc table list exists)
127 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
129 # Check if firewall is configured (has tables)
130 tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
131 [ -z "$tables" ] && return 1
133 echo -n $"${IPTABLES}: Setting chains to policy $policy: "
139 $IPTABLES -t raw -P PREROUTING $policy \
140 && $IPTABLES -t raw -P OUTPUT $policy \
144 $IPTABLES -t filter -P INPUT $policy \
145 && $IPTABLES -t filter -P OUTPUT $policy \
146 && $IPTABLES -t filter -P FORWARD $policy \
150 $IPTABLES -t nat -P PREROUTING $policy \
151 && $IPTABLES -t nat -P POSTROUTING $policy \
152 && $IPTABLES -t nat -P OUTPUT $policy \
156 $IPTABLES -t mangle -P PREROUTING $policy \
157 && $IPTABLES -t mangle -P POSTROUTING $policy \
158 && $IPTABLES -t mangle -P INPUT $policy \
159 && $IPTABLES -t mangle -P OUTPUT $policy \
160 && $IPTABLES -t mangle -P FORWARD $policy \
169 [ $ret -eq 0 ] && success || failure
175 # Do not start if there is no config file.
176 [ ! -f "$IPTABLES_DATA" ] && return 6
# Check whether loading of the ipv6 module has been disabled in the modprobe
# configuration; only an "install ipv6 /bin/true" or "/bin/false" line is detected.
179 if [ "${_IPV}" = "ipv6" ] \
180 && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
181 echo $"${IPTABLES}: ${_IPV} is disabled."
185 echo -n $"${IPTABLES}: Applying firewall rules: "
188 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
190 $IPTABLES-restore $OPT $IPTABLES_DATA
191 if [ $? -eq 0 ]; then
194 failure; echo; return 1
197 # Tuntap initialization
199 if [ -z "$taps" -a -r /etc/planetlab/node_id ] ; then
200 # If this node is not "virtually multi-homed", just bring up
201 # the tap interface with a PLB private address. The PLB
202 # convention is to assign a unique 10.x.y.0/24 network to each
203 # node where x.y is the PlanetLab node ID of the machine in
206 # x = (node_id / 256) % 256
209 node_id=$(cat /etc/planetlab/node_id)
211 tap0=$(printf 10.%d.%d.1 $((($node_id / 256) % 256)) $(($node_id % 256)))
215 # Load additional modules (helpers)
216 if [ -n "$IPTABLES_MODULES" ]; then
217 echo -n $"${IPTABLES}: Loading additional modules: "
219 for mod in $IPTABLES_MODULES; do
221 modprobe $mod > /dev/null 2>&1
224 [ $ret -eq 0 ] && success || failure
228 for tap in $taps ; do
229 # Configuration for this tap (address/proxy)
# Derive a deterministic MAC address from the tap's IPv4 address
# (00:FF: followed by the four octets in hex), so the same address always yields the same MAC
235 mac=$(printf 00:FF:%X:%X:%X:%X $(echo $addr | sed -e 's/\./ /g'))
237 # Bring up this interface. Optimize the MTU for the PlanetLab
238 # Backbone (1500/Ethernet - 4/GRE - 8/UDP - 20/IP = 1468).
239 ifconfig $tap down && \
240 ifconfig $tap hw ether $mac mtu 1468 && \
241 ifconfig $tap $addr ${proxy:+pointopoint $proxy} netmask ${tapmask:=255.255.255.255} up
243 # Stuffing the proxy for this address in the pointopoint field
244 # creates a static route to the proxy that we do not want
246 if [ -n "$proxy" -a "$proxy" != "$addr" ] ; then
# Policy-route traffic sourced from $addr out through this tap via routing table 1
251 ip route add default dev $tap tab 1 && \
252 ip rule add from $addr tab 1
256 touch $VAR_SUBSYS_IPTABLES
261 # Do not stop if iptables module is not loaded.
262 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
267 if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
268 echo -n $"${IPTABLES}: Unloading modules: "
270 for mod in ${NF_MODULES[*]}; do
274 # try to unload remaining netfilter modules used by ipv4 and ipv6
276 for mod in ${NF_MODULES_COMMON[*]}; do
277 rmmod_r $mod >/dev/null
279 [ $ret -eq 0 ] && success || failure
283 # Take down vnet interfaces
284 for dev in $taps tap0 ; do
285 action $"Shutting down interface $dev: " \
286 ifconfig $dev 0.0.0.0 down
289 rm -f $VAR_SUBSYS_IPTABLES
# Check if the iptables module is loaded (its /proc table list exists)
295 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
297 # Check if firewall is configured (has tables)
298 [ -z "$NF_TABLES" ] && return 6
300 echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
303 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
306 TMP_FILE=$(/bin/mktemp -q /tmp/$IPTABLES.XXXXXX) \
307 && chmod 600 "$TMP_FILE" \
308 && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
309 && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
311 if [ $ret -eq 0 ]; then
312 if [ -e $IPTABLES_DATA ]; then
313 cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
314 && chmod 600 $IPTABLES_DATA.save \
317 if [ $ret -eq 0 ]; then
318 cp -f $TMP_FILE $IPTABLES_DATA \
319 && chmod 600 $IPTABLES_DATA \
323 [ $ret -eq 0 ] && success || failure
330 if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
331 echo $"${IPTABLES}: Firewall is not running."
335 # Do not print status if lockfile is missing and iptables modules are not
# Check if the iptables modules are loaded (its /proc table list exists)
338 if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
339 echo $"${IPTABLES}: Firewall modules are not loaded."
343 # Check if firewall is configured (has tables)
344 if [ -z "$NF_TABLES" ]; then
345 echo $"${IPTABLES}: Firewall is not configured. "
350 [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
352 [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
354 [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
356 for table in $NF_TABLES; do
357 echo $"Table: $table"
358 $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
365 [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
373 [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
378 [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
382 restart|force-reload)
386 condrestart|try-restart)
387 [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
405 echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"