--- /dev/null
+#!/bin/sh
+#
+# iptables Start iptables firewall
+#
+# chkconfig: 2345 08 92
+# description: Starts, stops and saves iptables firewall
+#
+# config: /etc/sysconfig/iptables
+# config: /etc/sysconfig/iptables-config
+
+# Source function library.
+. /etc/init.d/functions
+
+IPTABLES=iptables
+IPTABLES_DATA=/etc/sysconfig/$IPTABLES
+IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
+IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
+PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
+VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
+
+if [ ! -x /sbin/$IPTABLES ]; then
+ echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
+ exit 0
+fi
+
+if lsmod 2>/dev/null | grep -q ipchains ; then
+ echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
+ exit 0
+fi
+
+# Old or new modutils
+/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
+ && NEW_MODUTILS=1 \
+ || NEW_MODUTILS=0
+
+# Default firewall configuration:
+IPTABLES_MODULES=""
+IPTABLES_MODULES_UNLOAD="yes"
+IPTABLES_SAVE_ON_STOP="no"
+IPTABLES_SAVE_ON_RESTART="no"
+IPTABLES_SAVE_COUNTER="no"
+IPTABLES_STATUS_NUMERIC="no"
+
+# Load firewall configuration.
+[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
+
+rmmod_r() {
+ # Unload module with all referring modules.
+ # At first all referring modules will be unloaded, then the module itself.
+ local mod=$1
+ local ret=0
+ local ref=
+
+ # Get referring modules.
+ # New modutils have another output format.
+ [ $NEW_MODUTILS = 1 ] \
+ && ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
+ || ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
+
+ # recursive call for all referring modules
+ for i in $ref; do
+ rmmod_r $i
+ let ret+=$?;
+ done
+
+ # Unload module.
+ # The extra test is for 2.6: The module might have autocleaned,
+ # after all referring modules are unloaded.
+ if grep -q "^${mod}" /proc/modules ; then
+ modprobe -r $mod > /dev/null 2>&1
+ let ret+=$?;
+ fi
+
+ return $ret
+}
+
+flush_n_delete() {
+ # Flush firewall rules and delete chains.
+ [ -e "$PROC_IPTABLES_NAMES" ] || return 1
+
+ # Check if firewall is configured (has tables)
+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ [ -z "$tables" ] && return 1
+
+ echo -n $"Flushing firewall rules: "
+ ret=0
+ # For all tables
+ for i in $tables; do
+ # Flush firewall rules.
+ $IPTABLES -t $i -F;
+ let ret+=$?;
+
+ # Delete firewall chains.
+ $IPTABLES -t $i -X;
+ let ret+=$?;
+
+ # Set counter to zero.
+ $IPTABLES -t $i -Z;
+ let ret+=$?;
+ done
+
+ [ $ret -eq 0 ] && success || failure
+ echo
+ return $ret
+}
+
+set_policy() {
+ # Set policy for configured tables.
+ policy=$1
+
+ # Check if iptable module is loaded
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
+
+ # Check if firewall is configured (has tables)
+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ [ -z "$tables" ] && return 1
+
+ echo -n $"Setting chains to policy $policy: "
+ ret=0
+ for i in $tables; do
+ echo -n "$i "
+ case "$i" in
+ filter)
+ $IPTABLES -t filter -P INPUT $policy \
+ && $IPTABLES -t filter -P OUTPUT $policy \
+ && $IPTABLES -t filter -P FORWARD $policy \
+ || let ret+=1
+ ;;
+ nat)
+ $IPTABLES -t nat -P PREROUTING $policy \
+ && $IPTABLES -t nat -P POSTROUTING $policy \
+ && $IPTABLES -t nat -P OUTPUT $policy \
+ || let ret+=1
+ ;;
+ mangle)
+ $IPTABLES -t mangle -P PREROUTING $policy \
+ && $IPTABLES -t mangle -P POSTROUTING $policy \
+ && $IPTABLES -t mangle -P INPUT $policy \
+ && $IPTABLES -t mangle -P OUTPUT $policy \
+ && $IPTABLES -t mangle -P FORWARD $policy \
+ || let ret+=1
+ ;;
+ *)
+ let ret+=1
+ ;;
+ esac
+ done
+
+ [ $ret -eq 0 ] && success || failure
+ echo
+ return $ret
+}
+
+start() {
+ # Do not start if there is no config file.
+ [ -f "$IPTABLES_DATA" ] || return 1
+
+ echo -n $"Applying $IPTABLES firewall rules: "
+
+ OPT=
+ [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+ $IPTABLES-restore $OPT $IPTABLES_DATA
+ if [ $? -eq 0 ]; then
+ success; echo
+ else
+ failure; echo; return 1
+ fi
+
+ # Tuntap initialization
+
+ if [ -z "$taps" -a -r /etc/planetlab/node_id ] ; then
+ # If this node is not "virtually multi-homed", just bring up
+ # the tap interface with a PLB private address. The PLB
+ # convention is to assign a unique 10.x.y.0/24 network to each
+ # node where x.y is the PlanetLab node ID of the machine in
+ # host order:
+ #
+ # x = (node_id / 256) % 256
+ # y = node_id % 256
+ #
+ node_id=$(cat /etc/planetlab/node_id)
+ taps="tap0"
+ tap0=$(printf 10.%d.%d.1 $((($node_id / 256) % 256)) $(($node_id % 256)))
+ tapmask=255.0.0.0
+ fi
+
+ # Load additional modules (helpers)
+ if [ -n "$IPTABLES_MODULES" ]; then
+ echo -n $"Loading additional $IPTABLES modules: "
+ ret=0
+ for mod in $IPTABLES_MODULES; do
+ echo -n "$mod "
+ modprobe $mod > /dev/null 2>&1
+ let ret+=$?;
+ done
+ [ $ret -eq 0 ] && success || failure
+ echo
+ fi
+
+ for tap in $taps ; do
+ # Configuration for this tap (address/proxy)
+ eval cfg=\$$tap
+ addr=${cfg%/*}
+ proxy=${cfg#*/}
+
+ # Set MAC address to something predictable
+ mac=$(printf 00:FF:%X:%X:%X:%X $(echo $addr | sed -e 's/\./ /g'))
+
+ # Bring up this interface. Optimize the MTU for the PlanetLab
+ # Backbone (1500/Ethernet - 4/GRE - 8/UDP - 20/IP = 1468).
+ ifconfig $tap down && \
+ ifconfig $tap hw ether $mac mtu 1468 && \
+ ifconfig $tap $addr ${proxy:+pointopoint $proxy} netmask ${tapmask:=255.255.255.255} up
+
+ # Stuffing the proxy for this address in the pointopoint field
+ # creates a static route to the proxy that we do not want
+ # present.
+ if [ -n "$proxy" -a "$proxy" != "$addr" ] ; then
+ ip route del $proxy
+ fi
+
+ # Enable route through this interface
+ ip route add default dev $tap tab 1 && \
+ ip rule add from $addr tab 1
+ done
+
+
+ touch $VAR_SUBSYS_IPTABLES
+ return $ret
+}
+
+stop() {
+
+ # Do not stop if iptables module is not loaded.
+ [ -e "$PROC_IPTABLES_NAMES" ] || return 1
+
+ flush_n_delete
+ set_policy ACCEPT
+
+ if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
+ echo -n $"Unloading $IPTABLES modules: "
+ ret=0
+ rmmod_r ${IPV}_tables
+ let ret+=$?;
+ rmmod_r ${IPV}_conntrack
+ let ret+=$?;
+ [ $ret -eq 0 ] && success || failure
+ echo
+ fi
+
+ # Take down vnet interfaces
+ for dev in $taps tap0 ; do
+ action $"Shutting down interface $dev: " \
+ ifconfig $dev 0.0.0.0 down
+ done
+
+ rm -f $VAR_SUBSYS_IPTABLES
+ return $ret
+}
+
+save() {
+ # Check if iptable module is loaded
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
+
+ # Check if firewall is configured (has tables)
+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ [ -z "$tables" ] && return 1
+
+ echo -n $"Saving firewall rules to $IPTABLES_DATA: "
+
+ OPT=
+ [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+ ret=0
+ TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
+ && chmod 600 "$TMP_FILE" \
+ && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
+ && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
+ || ret=1
+ if [ $ret -eq 0 ]; then
+ if [ -e $IPTABLES_DATA ]; then
+ cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
+ && chmod 600 $IPTABLES_DATA.save \
+ || ret=1
+ fi
+ if [ $ret -eq 0 ]; then
+ cp -f $TMP_FILE $IPTABLES_DATA \
+ && chmod 600 $IPTABLES_DATA \
+ || ret=1
+ fi
+ fi
+ [ $ret -eq 0 ] && success || failure
+ echo
+ rm -f $TMP_FILE
+ return $ret
+}
+
+status() {
+ # Do not print status if lockfile is missing and iptables modules are not
+ # loaded.
+ # Check if iptable module is loaded
+ if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
+ echo $"Firewall is stopped."
+ return 1
+ fi
+
+ # Check if firewall is configured (has tables)
+ if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+ echo $"Firewall is not configured. "
+ return 1
+ fi
+ tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ if [ -z "$tables" ]; then
+ echo $"Firewall is not configured. "
+ return 1
+ fi
+
+ NUM=
+ [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
+
+ for table in $tables; do
+ echo $"Table: $table"
+ $IPTABLES -t $table --list $NUM && echo
+ done
+
+ return 0
+}
+
+restart() {
+ [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
+ stop
+ start
+}
+
+case "$1" in
+ start)
+ stop
+ start
+ RETVAL=$?
+ ;;
+ stop)
+ [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
+ stop
+ RETVAL=$?
+ ;;
+ restart)
+ restart
+ RETVAL=$?
+ ;;
+ condrestart)
+ [ -e "$VAR_SUBSYS_IPTABLES" ] && restart
+ ;;
+ status)
+ status
+ RETVAL=$?
+ ;;
+ panic)
+ flush_n_delete
+ set_policy DROP
+ RETVAL=$?
+ ;;
+ save)
+ save
+ RETVAL=$?
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
+ exit 1
+ ;;
+esac
+
+exit $RETVAL
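Review bot: The `start)` arm of the final case runs `stop` (flush_n_delete plus set_policy ACCEPT) before `start`, so when `$IPTABLES-restore` fails in start() the function returns 1 right after `failure; echo` and the host is left with empty chains and ACCEPT policies — the firewall fails open, the lock file is not created, and the only indication is the `failure` marker on the console. At minimum the failure path should say so, e.g. `failure; echo; echo $"$IPTABLES-restore failed: no rules loaded, policy is ACCEPT" >&2; return 1`, and calling `set_policy DROP` on restore failure is worth offering behind a config switch for hosts that must fail closed. Separately, `node_id` read from /etc/planetlab/node_id is fed straight into `$(( ))` for the tap0 address without being checked as a non-negative integer; a guard such as `case "$node_id" in ''|*[!0-9]*) echo $"invalid node_id" >&2; return 1;; esac` before `taps="tap0"` avoids an arithmetic error or a bogus 10.0.0.1 address. Also `ret` is only assigned inside the `IPTABLES_MODULES` branch of start() (and the `IPTABLES_MODULES_UNLOAD` branch of stop()), so `return $ret` at the end of both functions otherwise reduces to a bare `return` reporting the status of the preceding `touch`/`rm -f` rather than any failure of the ifconfig/ip route/ip rule steps; initialising `ret=0` at the top of each function and folding the tap-setup results into it fixes that.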