From: Mark Huang Date: Mon, 1 Nov 2004 20:38:05 +0000 (+0000) Subject: FC2 source additions X-Git-Tag: iptables-1.3.8-0~28 X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=c9be062daea902ff30ae056c42d465ad09754bb1;p=iptables.git FC2 source additions
---
diff --git a/iptables-config b/iptables-config
new file mode 100644
index 0000000..80e37fb
--- /dev/null
+++ b/iptables-config
@@ -0,0 +1,37 @@
+# Load additional iptables modules (nat helpers)
+# Default: -none-
+# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
+# are loaded after the firewall rules are applied. Options for the helpers are
+# stored in /etc/modules.conf.
+#IPTABLES_MODULES=""
+
+# Unload modules on restart and stop
+# Value: yes|no, default: yes
+# This option has to be 'yes' to get to a sane state for a firewall
+# restart or stop. Only set to 'no' if there are problems unloading netfilter
+# modules.
+#IPTABLES_MODULES_UNLOAD="yes"
+
+# Save current firewall rules on stop.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
+# (e.g. on system shutdown).
+#IPTABLES_SAVE_ON_STOP="no"
+
+# Save current firewall rules on restart.
+# Value: yes|no, default: no
+# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
+# restarted.
+#IPTABLES_SAVE_ON_RESTART="no"
+
+# Save (and restore) rule and chain counter.
+# Value: yes|no, default: no
+# Save counters for rules and chains to /etc/sysconfig/iptables if
+# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
+# SAVE_ON_RESTART is enabled.
+#IPTABLES_SAVE_COUNTER="no"
+
+# Numeric status output
+# Value: yes|no, default: no
+# Print IP addresses and port numbers in numeric format in the status output.
+#IPTABLES_STATUS_NUMERIC="no"
diff --git a/iptables.init b/iptables.init
new file mode 100755
index 0000000..5c99246
--- /dev/null
+++ b/iptables.init 
@@ -0,0 +1,320 @@
+#!/bin/sh
+#
+# iptables Start iptables firewall
+#
+# chkconfig: 2345 08 92
+# description: Starts, stops and saves iptables firewall
+#
+# config: /etc/sysconfig/iptables
+# config: /etc/sysconfig/iptables-config
+
+# Source function library.
+. /etc/init.d/functions
+
+IPTABLES=iptables
+IPTABLES_DATA=/etc/sysconfig/$IPTABLES
+IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
+IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
+PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
+VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
+
+if [ ! -x /sbin/$IPTABLES ]; then
+ echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
+ exit 0
+fi
+
+if lsmod 2>/dev/null | grep -q ipchains ; then
+ echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
+ exit 0
+fi
+
+# Old or new modutils
+/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
+ && NEW_MODUTILS=1 \
+ || NEW_MODUTILS=0
+
+# Default firewall configuration:
+IPTABLES_MODULES=""
+IPTABLES_MODULES_UNLOAD="yes"
+IPTABLES_SAVE_ON_STOP="no"
+IPTABLES_SAVE_ON_RESTART="no"
+IPTABLES_SAVE_COUNTER="no"
+IPTABLES_STATUS_NUMERIC="no"
+
+# Load firewall configuration.
+[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
+
+rmmod_r() {
+ # Unload module with all referring modules.
+ # At first all referring modules will be unloaded, then the module itself.
+ local mod=$1
+ local ret=0
+ local ref=
+
+ # Get referring modules.
+ # New modutils have another output format.
+ [ $NEW_MODUTILS = 1 ] \
+ && ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
+ || ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
+
+ # recursive call for all referring modules
+ for i in $ref; do
+ rmmod_r $i
+ let ret+=$?;
+ done
+
+ # Unload module.
+ # The extra test is for 2.6: The module might have autocleaned,
+ # after all referring modules are unloaded. 
+ if grep -q "^${mod}" /proc/modules ; then
+ modprobe -r $mod > /dev/null 2>&1
+ let ret+=$?;
+ fi
+
+ return $ret
+}
+
+flush_n_delete() {
+ # Flush firewall rules and delete chains.
+ [ -e "$PROC_IPTABLES_NAMES" ] || return 1
+
+ # Check if firewall is configured (has tables)
+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ [ -z "$tables" ] && return 1
+
+ echo -n $"Flushing firewall rules: "
+ ret=0
+ # For all tables
+ for i in $tables; do
+ # Flush firewall rules.
+ $IPTABLES -t $i -F;
+ let ret+=$?;
+
+ # Delete firewall chains.
+ $IPTABLES -t $i -X;
+ let ret+=$?;
+
+ # Set counter to zero.
+ $IPTABLES -t $i -Z;
+ let ret+=$?;
+ done
+
+ [ $ret -eq 0 ] && success || failure
+ echo
+ return $ret
+}
+
+set_policy() {
+ # Set policy for configured tables.
+ policy=$1
+
+ # Check if iptable module is loaded
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
+
+ # Check if firewall is configured (has tables)
+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ [ -z "$tables" ] && return 1
+
+ echo -n $"Setting chains to policy $policy: "
+ ret=0
+ for i in $tables; do
+ echo -n "$i "
+ case "$i" in
+ filter)
+ $IPTABLES -t filter -P INPUT $policy \
+ && $IPTABLES -t filter -P OUTPUT $policy \
+ && $IPTABLES -t filter -P FORWARD $policy \
+ || let ret+=1
+ ;;
+ nat)
+ $IPTABLES -t nat -P PREROUTING $policy \
+ && $IPTABLES -t nat -P POSTROUTING $policy \
+ && $IPTABLES -t nat -P OUTPUT $policy \
+ || let ret+=1
+ ;;
+ mangle)
+ $IPTABLES -t mangle -P PREROUTING $policy \
+ && $IPTABLES -t mangle -P POSTROUTING $policy \
+ && $IPTABLES -t mangle -P INPUT $policy \
+ && $IPTABLES -t mangle -P OUTPUT $policy \
+ && $IPTABLES -t mangle -P FORWARD $policy \
+ || let ret+=1
+ ;;
+ *)
+ let ret+=1
+ ;;
+ esac
+ done
+
+ [ $ret -eq 0 ] && success || failure
+ echo
+ return $ret
+}
+
+start() {
+ # Do not start if there is no config file. 
+ [ -f "$IPTABLES_DATA" ] || return 1
+
+ echo -n $"Applying $IPTABLES firewall rules: "
+
+ OPT=
+ [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+ $IPTABLES-restore $OPT $IPTABLES_DATA
+ if [ $? -eq 0 ]; then
+ success; echo
+ else
+ failure; echo; return 1
+ fi
+
+ # Load additional modules (helpers)
+ if [ -n "$IPTABLES_MODULES" ]; then
+ echo -n $"Loading additional $IPTABLES modules: "
+ ret=0
+ for mod in $IPTABLES_MODULES; do
+ echo -n "$mod "
+ modprobe $mod > /dev/null 2>&1
+ let ret+=$?;
+ done
+ [ $ret -eq 0 ] && success || failure
+ echo
+ fi
+
+ touch $VAR_SUBSYS_IPTABLES
+ return $ret
+}
+
+stop() {
+ # Do not stop if iptables module is not loaded.
+ [ -e "$PROC_IPTABLES_NAMES" ] || return 1
+
+ flush_n_delete
+ set_policy ACCEPT
+
+ if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
+ echo -n $"Unloading $IPTABLES modules: "
+ ret=0
+ rmmod_r ${IPV}_tables
+ let ret+=$?;
+ rmmod_r ${IPV}_conntrack
+ let ret+=$?;
+ [ $ret -eq 0 ] && success || failure
+ echo
+ fi
+
+ rm -f $VAR_SUBSYS_IPTABLES
+ return $ret
+}
+
+save() {
+ # Check if iptable module is loaded
+ [ ! 
-e "$PROC_IPTABLES_NAMES" ] && return 1
+
+ # Check if firewall is configured (has tables)
+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ [ -z "$tables" ] && return 1
+
+ echo -n $"Saving firewall rules to $IPTABLES_DATA: "
+
+ OPT=
+ [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+ ret=0
+ TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
+ && chmod 600 "$TMP_FILE" \
+ && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
+ && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
+ || ret=1
+ if [ $ret -eq 0 ]; then
+ if [ -e $IPTABLES_DATA ]; then
+ cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
+ && chmod 600 $IPTABLES_DATA.save \
+ || ret=1
+ fi
+ if [ $ret -eq 0 ]; then
+ cp -f $TMP_FILE $IPTABLES_DATA \
+ && chmod 600 $IPTABLES_DATA \
+ || ret=1
+ fi
+ fi
+ [ $ret -eq 0 ] && success || failure
+ echo
+ rm -f $TMP_FILE
+ return $ret
+}
+
+status() {
+ # Do not print status if lockfile is missing and iptables modules are not
+ # loaded.
+ # Check if iptable module is loaded
+ if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
+ echo $"Firewall is stopped."
+ return 1
+ fi
+
+ # Check if firewall is configured (has tables)
+ if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+ echo $"Firewall is not configured. "
+ return 1
+ fi
+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ if [ -z "$tables" ]; then
+ echo $"Firewall is not configured. "
+ return 1
+ fi
+
+ NUM=
+ [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
+
+ for table in $tables; do
+ echo $"Table: $table"
+ $IPTABLES -t $table --list $NUM && echo
+ done
+
+ return 0
+}
+
+restart() {
+ [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
+ stop
+ start
+}
+
+case "$1" in
+ start)
+ stop
+ start
+ RETVAL=$?
+ ;;
+ stop)
+ [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
+ stop
+ RETVAL=$?
+ ;;
+ restart)
+ restart
+ RETVAL=$?
+ ;;
+ condrestart)
+ [ -e "$VAR_SUBSYS_IPTABLES" ] && restart
+ ;;
+ status)
+ status
+ RETVAL=$?
+ ;;
+ panic)
+ flush_n_delete
+ set_policy DROP
+ RETVAL=$?
+ ;;
+ save)
+ save
+ RETVAL=$? 
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
+ exit 1
+ ;;
+esac
+
+exit $RETVAL
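Review bot: The `panic)` arm near the end of the hunk flushes every chain before it sets the DROP policy, so between `flush_n_delete` and `set_policy DROP` the host runs with empty chains under whatever policy was already in effect (ACCEPT after a normal start); swapping the two calls, `set_policy DROP` then `flush_n_delete`, removes that window, with `RETVAL=$?` then reporting the flush result. The `start)` arm has the same shape: it runs `stop` (flush, policy ACCEPT, module unload) before `start()` ever tests `[ -f "$IPTABLES_DATA" ]`, so a missing or unloadable ruleset file leaves the machine fully open while the action merely returns 1, and a `[ -f "$IPTABLES_DATA" ]` check before the `stop` call in that arm would avoid it. Separately, in `save()` the `cp -f $TMP_FILE $IPTABLES_DATA` that creates a not-yet-existing ruleset file uses the process umask until the following `chmod 600`, and `$IPTABLES_DATA.save` has the same gap; a `umask 077` at the top of `save()` would keep the ruleset, which describes the host's filtering policy, from ever being world-readable.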