3 # iptables Start iptables firewall
5 # chkconfig: 2345 08 92
6 # description: Starts, stops and saves iptables firewall
8 # config: /etc/sysconfig/iptables
9 # config: /etc/sysconfig/iptables-config
11 # Source function library.
12 . /etc/init.d/functions
15 IPTABLES_DATA=/etc/sysconfig/$IPTABLES
16 IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
17 IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
18 PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
19 VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
21 if [ ! -x /sbin/$IPTABLES ]; then
22 echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
26 if lsmod 2>/dev/null | grep -q ipchains ; then
27 echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
32 /sbin/modprobe --version 2>&1 | grep -q module-init-tools \
36 # Default firewall configuration:
38 IPTABLES_MODULES_UNLOAD="yes"
39 IPTABLES_SAVE_ON_STOP="no"
40 IPTABLES_SAVE_ON_RESTART="no"
41 IPTABLES_SAVE_COUNTER="no"
42 IPTABLES_STATUS_NUMERIC="no"
44 # Load firewall configuration.
45 [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
48 # Unload module with all referring modules.
49 # At first all referring modules will be unloaded, then the module itself.
54 # Get referring modules.
55 # New modutils have another output format.
56 [ $NEW_MODUTILS = 1 ] \
57 && ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
58 || ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
60 # recursive call for all referring modules
67 # The extra test is for 2.6: The module might have autocleaned,
68 # after all referring modules are unloaded.
69 if grep -q "^${mod}" /proc/modules ; then
70 modprobe -r $mod > /dev/null 2>&1
78 # Flush firewall rules and delete chains.
79 [ -e "$PROC_IPTABLES_NAMES" ] || return 1
81 # Check if firewall is configured (has tables)
82 tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
83 [ -z "$tables" ] && return 1
85 echo -n $"Flushing firewall rules: "
89 # Flush firewall rules.
93 # Delete firewall chains.
97 # Set counter to zero.
102 [ $ret -eq 0 ] && success || failure
108 # Set policy for configured tables.
111 # Check if iptable module is loaded
112 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
114 # Check if firewall is configured (has tables)
115 tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
116 [ -z "$tables" ] && return 1
118 echo -n $"Setting chains to policy $policy: "
124 $IPTABLES -t filter -P INPUT $policy \
125 && $IPTABLES -t filter -P OUTPUT $policy \
126 && $IPTABLES -t filter -P FORWARD $policy \
130 $IPTABLES -t nat -P PREROUTING $policy \
131 && $IPTABLES -t nat -P POSTROUTING $policy \
132 && $IPTABLES -t nat -P OUTPUT $policy \
136 $IPTABLES -t mangle -P PREROUTING $policy \
137 && $IPTABLES -t mangle -P POSTROUTING $policy \
138 && $IPTABLES -t mangle -P INPUT $policy \
139 && $IPTABLES -t mangle -P OUTPUT $policy \
140 && $IPTABLES -t mangle -P FORWARD $policy \
149 [ $ret -eq 0 ] && success || failure
155 # Do not start if there is no config file.
156 [ -f "$IPTABLES_DATA" ] || return 1
158 echo -n $"Applying $IPTABLES firewall rules: "
161 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
163 $IPTABLES-restore $OPT $IPTABLES_DATA
164 if [ $? -eq 0 ]; then
167 failure; echo; return 1
170 # Tuntap initialization
172 if [ -z "$taps" -a -r /etc/planetlab/node_id ] ; then
173 # If this node is not "virtually multi-homed", just bring up
174 # the tap interface with a PLB private address. The PLB
175 # convention is to assign a unique 10.x.y.0/24 network to each
176 # node where x.y is the PlanetLab node ID of the machine in
179 # x = (node_id / 256) % 256
182 node_id=$(cat /etc/planetlab/node_id)
184 tap0=$(printf 10.%d.%d.1 $((($node_id / 256) % 256)) $(($node_id % 256)))
188 for tap in $taps ; do
189 # Configuration for this tap (address/proxy)
194 # Set MAC address to something predictable
195 mac=$(printf 00:FF:%X:%X:%X:%X $(echo $addr | sed -e 's/\./ /g'))
197 # Bring up this interface. Optimize the MTU for the PlanetLab
198 # Backbone (1500/Ethernet - 4/GRE - 8/UDP - 20/IP = 1468).
199 ifconfig $tap down && \
200 ifconfig $tap hw ether $mac mtu 1468 && \
201 ifconfig $tap $addr ${proxy:+pointopoint $proxy} netmask ${tapmask:=255.255.255.255} up
203 # Stuffing the proxy for this address in the pointopoint field
204 # creates a static route to the proxy that we do not want
206 if [ -n "$proxy" -a "$proxy" != "$addr" ] ; then
210 # Enable route through this interface
211 ip route add default dev $tap tab 1 && \
212 ip rule add from $addr tab 1
215 # Load additional modules (helpers)
216 if [ -n "$IPTABLES_MODULES" ]; then
217 echo -n $"Loading additional $IPTABLES modules: "
219 for mod in $IPTABLES_MODULES; do
221 modprobe $mod > /dev/null 2>&1
224 [ $ret -eq 0 ] && success || failure
228 touch $VAR_SUBSYS_IPTABLES
234 # Do not stop if iptables module is not loaded.
235 [ -e "$PROC_IPTABLES_NAMES" ] || return 1
240 if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
241 echo -n $"Unloading $IPTABLES modules: "
243 rmmod_r ${IPV}_tables
245 rmmod_r ${IPV}_conntrack
247 [ $ret -eq 0 ] && success || failure
251 # Take down vnet interfaces
252 for dev in $taps tap0 ; do
253 action $"Shutting down interface $dev: " \
254 ifconfig $dev 0.0.0.0 down
257 rm -f $VAR_SUBSYS_IPTABLES
262 # Check if iptable module is loaded
263 [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
265 # Check if firewall is configured (has tables)
266 tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
267 [ -z "$tables" ] && return 1
269 echo -n $"Saving firewall rules to $IPTABLES_DATA: "
272 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
275 TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
276 && chmod 600 "$TMP_FILE" \
277 && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
278 && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
280 if [ $ret -eq 0 ]; then
281 if [ -e $IPTABLES_DATA ]; then
282 cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
283 && chmod 600 $IPTABLES_DATA.save \
286 if [ $ret -eq 0 ]; then
287 cp -f $TMP_FILE $IPTABLES_DATA \
288 && chmod 600 $IPTABLES_DATA \
292 [ $ret -eq 0 ] && success || failure
299 # Do not print status if lockfile is missing and iptables modules are not
301 # Check if iptable module is loaded
302 if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
303 echo $"Firewall is stopped."
307 # Check if firewall is configured (has tables)
308 if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
309 echo $"Firewall is not configured. "
312 tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
313 if [ -z "$tables" ]; then
314 echo $"Firewall is not configured. "
319 [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
321 for table in $tables; do
322 echo $"Table: $table"
323 $IPTABLES -t $table --list $NUM && echo
330 [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
342 [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
351 [ -e "$VAR_SUBSYS_IPTABLES" ] && restart
367 echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"