#!/bin/sh
#
# iptables      Start iptables firewall
#
# chkconfig: 2345 08 92
# description: Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config

# Source function library.
. /etc/init.d/functions

IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables}  # ip for ipv4 | ip6 for ipv6
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES

if [ ! -x /sbin/$IPTABLES ]; then
    echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
    exit 0
fi

if lsmod 2>/dev/null | grep -q ipchains ; then
    echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
    exit 0
fi

# Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
    && NEW_MODUTILS=1 \
    || NEW_MODUTILS=0

# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="no"

# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

rmmod_r() {
    # Unload module with all referring modules.
    # At first all referring modules will be unloaded, then the module itself.
    local mod=$1
    local ret=0
    local ref=

    # Get referring modules.
    # New modutils have another output format.
    [ $NEW_MODUTILS = 1 ] \
        && ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
        || ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`

    # Recursive call for all referring modules.
    for i in $ref; do
        rmmod_r $i
        let ret+=$?;
    done

    # Unload module.
    # The extra test is for 2.6: the module might have autocleaned
    # after all referring modules were unloaded.
    if grep -q "^${mod}" /proc/modules ; then
        modprobe -r $mod > /dev/null 2>&1
        let ret+=$?;
    fi
    return $ret
}

flush_n_delete() {
    # Flush firewall rules and delete chains.
    [ -e "$PROC_IPTABLES_NAMES" ] || return 1

    # Check if firewall is configured (has tables).
    tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
    [ -z "$tables" ] && return 1

    echo -n $"Flushing firewall rules: "
    ret=0
    # For all tables:
    for i in $tables; do
        # Flush firewall rules.
        $IPTABLES -t $i -F; let ret+=$?;
        # Delete firewall chains.
        $IPTABLES -t $i -X; let ret+=$?;
        # Set counters to zero.
        $IPTABLES -t $i -Z; let ret+=$?;
    done
    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

set_policy() {
    # Set policy for configured tables.
    policy=$1

    # Check if iptable module is loaded.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1

    # Check if firewall is configured (has tables).
    tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
    [ -z "$tables" ] && return 1

    echo -n $"Setting chains to policy $policy: "
    ret=0
    for i in $tables; do
        echo -n "$i "
        case "$i" in
            filter)
                $IPTABLES -t filter -P INPUT $policy \
                    && $IPTABLES -t filter -P OUTPUT $policy \
                    && $IPTABLES -t filter -P FORWARD $policy \
                    || let ret+=1
                ;;
            nat)
                $IPTABLES -t nat -P PREROUTING $policy \
                    && $IPTABLES -t nat -P POSTROUTING $policy \
                    && $IPTABLES -t nat -P OUTPUT $policy \
                    || let ret+=1
                ;;
            mangle)
                $IPTABLES -t mangle -P PREROUTING $policy \
                    && $IPTABLES -t mangle -P POSTROUTING $policy \
                    && $IPTABLES -t mangle -P INPUT $policy \
                    && $IPTABLES -t mangle -P OUTPUT $policy \
                    && $IPTABLES -t mangle -P FORWARD $policy \
                    || let ret+=1
                ;;
            *)
                let ret+=1
                ;;
        esac
    done
    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

start() {
    # Do not start if there is no config file.
    [ -f "$IPTABLES_DATA" ] || return 1

    # Initialize so the final return value is defined even when no
    # additional modules are configured.
    ret=0

    echo -n $"Applying $IPTABLES firewall rules: "

    OPT=
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    $IPTABLES-restore $OPT $IPTABLES_DATA
    if [ $? -eq 0 ]; then
        success; echo
    else
        failure; echo; return 1
    fi

    # Tuntap initialization
    if [ -z "$taps" -a -r /etc/planetlab/node_id ] ; then
        # If this node is not "virtually multi-homed", just bring up
        # the tap interface with a PLB private address. The PLB
        # convention is to assign a unique 10.x.y.0/24 network to each
        # node where x.y is the PlanetLab node ID of the machine in
        # host order:
        #
        # x = (node_id / 256) % 256
        # y = node_id % 256
        #
        node_id=$(cat /etc/planetlab/node_id)
        taps="tap0"
        tap0=$(printf 10.%d.%d.1 $((($node_id / 256) % 256)) $(($node_id % 256)))
        tapmask=255.0.0.0
    fi

    # Load additional modules (helpers).
    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n $"Loading additional $IPTABLES modules: "
        ret=0
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe $mod > /dev/null 2>&1
            let ret+=$?;
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    for tap in $taps ; do
        # Configuration for this tap (address/proxy).
        eval cfg=\$$tap
        addr=${cfg%/*}
        proxy=${cfg#*/}

        # Set MAC address to something predictable.
        mac=$(printf 00:FF:%X:%X:%X:%X $(echo $addr | sed -e 's/\./ /g'))

        # Bring up this interface. Optimize the MTU for the PlanetLab
        # Backbone (1500/Ethernet - 4/GRE - 8/UDP - 20/IP = 1468).
        ifconfig $tap down && \
            ifconfig $tap hw ether $mac mtu 1468 && \
            ifconfig $tap $addr ${proxy:+pointopoint $proxy} netmask ${tapmask:=255.255.255.255} up

        # Stuffing the proxy for this address in the pointopoint field
        # creates a static route to the proxy that we do not want
        # present.
        if [ -n "$proxy" -a "$proxy" != "$addr" ] ; then
            ip route del $proxy
        fi

        # Enable route through this interface.
        ip route add default dev $tap tab 1 && \
            ip rule add from $addr tab 1
    done

    touch $VAR_SUBSYS_IPTABLES
    return $ret
}

stop() {
    # Do not stop if iptables module is not loaded.
    [ -e "$PROC_IPTABLES_NAMES" ] || return 1

    # Initialize so the final return value is defined even when module
    # unloading is disabled.
    ret=0

    flush_n_delete
    set_policy ACCEPT

    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
        echo -n $"Unloading $IPTABLES modules: "
        ret=0
        rmmod_r ${IPV}_tables
        let ret+=$?;
        rmmod_r ${IPV}_conntrack
        let ret+=$?;
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    # Take down vnet interfaces.
    for dev in $taps tap0 ; do
        action $"Shutting down interface $dev: " \
            ifconfig $dev 0.0.0.0 down
    done

    rm -f $VAR_SUBSYS_IPTABLES
    return $ret
}

save() {
    # Check if iptable module is loaded.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1

    # Check if firewall is configured (has tables).
    tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
    [ -z "$tables" ] && return 1

    echo -n $"Saving firewall rules to $IPTABLES_DATA: "

    OPT=
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    # Write to a mode-600 temp file first and refuse to install an empty
    # dump, so a failed iptables-save never clobbers the saved ruleset.
    ret=0
    TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
        && chmod 600 "$TMP_FILE" \
        && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
        && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
        || ret=1
    if [ $ret -eq 0 ]; then
        if [ -e $IPTABLES_DATA ]; then
            cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
                && chmod 600 $IPTABLES_DATA.save \
                || ret=1
        fi
        if [ $ret -eq 0 ]; then
            cp -f $TMP_FILE $IPTABLES_DATA \
                && chmod 600 $IPTABLES_DATA \
                || ret=1
        fi
    fi
    [ $ret -eq 0 ] && success || failure
    echo
    rm -f $TMP_FILE
    return $ret
}

status() {
    # Do not print status if lockfile is missing and iptables modules are not
    # loaded.

    # Check if iptable module is loaded.
    if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
        echo $"Firewall is stopped."
        return 1
    fi

    # Check if firewall is configured (has tables).
    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
        echo $"Firewall is not configured. "
        return 1
    fi
    tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
    if [ -z "$tables" ]; then
        echo $"Firewall is not configured. "
        return 1
    fi

    NUM=
    [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"

    for table in $tables; do
        echo $"Table: $table"
        $IPTABLES -t $table --list $NUM && echo
    done

    return 0
}

restart() {
    [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
    stop
    start
}

RETVAL=0

case "$1" in
    start)
        stop
        start
        RETVAL=$?
        ;;
    stop)
        [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
        stop
        RETVAL=$?
        ;;
    restart)
        restart
        RETVAL=$?
        ;;
    condrestart)
        [ -e "$VAR_SUBSYS_IPTABLES" ] && restart
        ;;
    status)
        status
        RETVAL=$?
        ;;
    panic)
        flush_n_delete
        set_policy DROP
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
        exit 1
        ;;
esac

exit $RETVAL