X-Git-Url: http://git.onelab.eu/?p=iptables.git;a=blobdiff_plain;f=iptables.init;h=73f0de314e1785940431b9f9bc3567cad5940635;hp=ec50ee073f67deb31db87ef861550f81d64ed919;hb=HEAD;hpb=0aab852e51b9511a1abe6a8970a2e26620bc079b
diff --git a/iptables.init b/iptables.init
old mode 100755
new mode 100644
index ec50ee0..73f0de3
--- a/iptables.init
+++ b/iptables.init
@@ -7,6 +7,16 @@
 #
 # config: /etc/sysconfig/iptables
 # config: /etc/sysconfig/iptables-config
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start:
+# Required-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: start and stop iptables firewall
+# Description: Start, stop and save iptables firewall
+### END INIT INFO
 
 # Source function library.
 . /etc/init.d/functions
@@ -15,17 +25,13 @@ IPTABLES=iptables
 IPTABLES_DATA=/etc/sysconfig/$IPTABLES
 IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
 IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
+[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
 PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
 VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
 
 if [ ! -x /sbin/$IPTABLES ]; then
- echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
- exit 0
-fi
-
-if lsmod 2>/dev/null | grep -q ipchains ; then
- echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
- exit 0
+ echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
+ exit 5
 fi
 
 # Old or new modutils
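Review bot: The `old mode 100755` / `new mode 100644` header removes the executable bit from the init script, so unless the package's install step restores 0755 the script cannot be run by `service`/init at all, which looks unintended next to a change whose purpose is LSB compliance. In the added INIT INFO block `Required-Start:` and `Required-Stop:` are left empty, which tells insserv-style tools nothing about ordering relative to networking; if ordering is meant to come from the chkconfig priority line above this hunk, a comment such as `# start/stop ordering is taken from the chkconfig line above` would save the next reader the question.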
@@ -39,11 +45,21 @@ IPTABLES_MODULES_UNLOAD="yes"
 IPTABLES_SAVE_ON_STOP="no"
 IPTABLES_SAVE_ON_RESTART="no"
 IPTABLES_SAVE_COUNTER="no"
-IPTABLES_STATUS_NUMERIC="no"
+IPTABLES_STATUS_NUMERIC="yes"
+IPTABLES_STATUS_VERBOSE="no"
+IPTABLES_STATUS_LINENUMBERS="yes"
 
 # Load firewall configuration.
 [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
 
+# Netfilter modules
+NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
+NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
+
+# Get active tables
+NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
+
+
 rmmod_r() {
 # Unload module with all referring modules.
 # At first all referring modules will be unloaded, then the module itself.
@@ -54,8 +70,8 @@ rmmod_r() {
 # Get referring modules.
 # New modutils have another output format.
 [ $NEW_MODUTILS = 1 ] \
- && ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
- || ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
+ && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \
+ || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
 
 # recursive call for all referring modules
 for i in $ref; do
@@ -68,7 +84,9 @@ rmmod_r() {
 # after all referring modules are unloaded.
 if grep -q "^${mod}" /proc/modules ; then
 modprobe -r $mod > /dev/null 2>&1
- let ret+=$?;
+ res=$?
+ [ $res -eq 0 ] || echo -n " $mod"
+ let ret+=$res;
 fi
 
 return $ret
@@ -76,16 +94,15 @@ rmmod_r() {
 
 flush_n_delete() {
 # Flush firewall rules and delete chains.
- [ -e "$PROC_IPTABLES_NAMES" ] || return 1
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
 
 # Check if firewall is configured (has tables)
- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
- [ -z "$tables" ] && return 1
+ [ -z "$NF_TABLES" ] && return 1
 
- echo -n $"Flushing firewall rules: "
+ echo -n $"${IPTABLES}: Flushing firewall rules: "
 ret=0
 # For all tables
- for i in $tables; do
+ for i in $NF_TABLES; do
 # Flush firewall rules.
 $IPTABLES -t $i -F;
 let ret+=$?;
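Review bot: `NF_TABLES` is read from `$PROC_IPTABLES_NAMES` once when the script is sourced, so `flush_n_delete` (hunk at -76), `save` and `status` act on a snapshot taken before anything in the same invocation loads or unloads modules, while `set_policy` (hunk at -109) still re-reads the file with `tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)`; the two views could diverge if the table set changes within one run. Either re-read in each function or switch `set_policy` to the snapshot as well, and make the comment say what the value is: `# Active tables at script start (not refreshed after start/stop)`. `NF_MODULES` is likewise built by parsing `lsmod` on every invocation, including `status` and `save` where it is never used; moving it into `stop` would keep the cost and the lsmod dependency where they belong.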
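Review bot: The rewritten `ref=` lines keep `/^${mod}/` and `grep ^${mod}`, which match any module whose name merely starts with `$mod`, so `rmmod_r` on a short name (e.g. `nf_nat`) also picks up the "Used by" column of longer siblings sharing that prefix and recurses into unloading them; since the commit already touches these lines to switch to `$()`, anchoring is cheap: `&& ref=$(lsmod | awk "/^${mod} / { print \$4; }" | tr ',' ' ') \` and `|| ref=$(lsmod | grep "^${mod} " | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)`. The `grep -q "^${mod}" /proc/modules` test in the next hunk has the same prefix problem and decides whether `modprobe -r $mod` runs at all. rmmod_r's head and tail lie outside this hunk.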
@@ -109,17 +126,22 @@ set_policy() {
 policy=$1
 
 # Check if iptable module is loaded
- [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
 
 # Check if firewall is configured (has tables)
- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
+ tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
 [ -z "$tables" ] && return 1
 
- echo -n $"Setting chains to policy $policy: "
+ echo -n $"${IPTABLES}: Setting chains to policy $policy: "
 ret=0
 for i in $tables; do
 echo -n "$i "
 case "$i" in
+ raw)
+ $IPTABLES -t raw -P PREROUTING $policy \
+ && $IPTABLES -t raw -P OUTPUT $policy \
+ || let ret+=1
+ ;;
 filter)
 $IPTABLES -t filter -P INPUT $policy \
 && $IPTABLES -t filter -P OUTPUT $policy \
@@ -153,9 +175,16 @@ set_policy() {
 
 start() {
 # Do not start if there is no config file.
- [ -f "$IPTABLES_DATA" ] || return 1
+ [ ! -f "$IPTABLES_DATA" ] && return 6
+
+ # check if ipv6 module load is deactivated
+ if [ "${_IPV}" = "ipv6" ] \
+ && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
+ echo $"${IPTABLES}: ${_IPV} is disabled."
+ return 150
+ fi
 
- echo -n $"Applying $IPTABLES firewall rules: "
+ echo -n $"${IPTABLES}: Applying firewall rules: "
 
 OPT=
 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
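Review bot: `return 150` in the new IPv6 guard of `start` is undocumented, and it is the only status in the script outside the 0–7 range, so a reader needs to be told it is the LSB application-reserved band (150–199) and what it means: `# 150: application-reserved LSB status, "ipv6 disabled via modprobe config"`. The detection only recognises `install ipv6 /bin/true` or `/bin/false` lines; a host that disables the module through another modprobe directive passes this guard and only fails further down, so if that is an accepted limitation the comment should say so. The `/etc/modprobe.d/*` glob reads every file in that directory rather than only `*.conf`, which presumably mirrors modprobe's own behaviour at the time but is worth a word in the comment too. start's body continues past the end of this hunk.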
@@ -167,27 +196,9 @@ start() {
 failure; echo; return 1
 fi
 
- # Tuntap initialization
-
- if [ -z "$taps" -a -r /etc/planetlab/node_id ] ; then
- # If this node is not "virtually multi-homed", just bring up
- # the tap interface with a PLB private address. The PLB
- # convention is to assign a unique 10.x.y.0/24 network to each
- # node where x.y is the PlanetLab node ID of the machine in
- # host order:
- #
- # x = (node_id / 256) % 256
- # y = node_id % 256
- #
- node_id=$(cat /etc/planetlab/node_id)
- taps="tap0"
- tap0=$(printf 10.%d.%d.1 $((($node_id / 256) % 256)) $(($node_id % 256)))
- tapmask=255.0.0.0
- fi
-
 # Load additional modules (helpers)
 if [ -n "$IPTABLES_MODULES" ]; then
- echo -n $"Loading additional $IPTABLES modules: "
+ echo -n $"${IPTABLES}: Loading additional modules: "
 ret=0
 for mod in $IPTABLES_MODULES; do
 echo -n "$mod "
@@ -197,86 +208,55 @@ start() {
 [ $ret -eq 0 ] && success || failure
 echo
 fi
-
- for tap in $taps ; do
- # Configuration for this tap (address/proxy)
- eval cfg=\$$tap
- addr=${cfg%/*}
- proxy=${cfg#*/}
-
- # Set MAC address to something predictable
- mac=$(printf 00:FF:%X:%X:%X:%X $(echo $addr | sed -e 's/\./ /g'))
-
- # Bring up this interface. Optimize the MTU for the PlanetLab
- # Backbone (1500/Ethernet - 4/GRE - 8/UDP - 20/IP = 1468).
- ifconfig $tap down && \
- ifconfig $tap hw ether $mac mtu 1468 && \
- ifconfig $tap $addr ${proxy:+pointopoint $proxy} netmask ${tapmask:=255.255.255.255} up
-
- # Stuffing the proxy for this address in the pointopoint field
- # creates a static route to the proxy that we do not want
- # present.
- if [ -n "$proxy" -a "$proxy" != "$addr" ] ; then
- ip route del $proxy
- fi
-
- # Enable route through this interface
- ip route add default dev $tap tab 1 && \
- ip rule add from $addr tab 1
- done
-
 
 touch $VAR_SUBSYS_IPTABLES
 return $ret
 }
 
 stop() {
-
- # Do not stop if iptables module is not loaded.
- [ -e "$PROC_IPTABLES_NAMES" ] || return 1
+ # Do not stop if iptables module is not loaded.
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
 
 flush_n_delete
 set_policy ACCEPT
 
 if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
- echo -n $"Unloading $IPTABLES modules: "
+ echo -n $"${IPTABLES}: Unloading modules: "
 ret=0
- rmmod_r ${IPV}_tables
- let ret+=$?;
- rmmod_r ${IPV}_conntrack
- let ret+=$?;
+ for mod in ${NF_MODULES[*]}; do
+ rmmod_r $mod
+ let ret+=$?;
+ done
+ # try to unload remaining netfilter modules used by ipv4 and ipv6
+ # netfilter
+ for mod in ${NF_MODULES_COMMON[*]}; do
+ rmmod_r $mod >/dev/null
+ done
 [ $ret -eq 0 ] && success || failure
 echo
 fi
-
- # Take down vnet interfaces
- for dev in $taps tap0 ; do
- action $"Shutting down interface $dev: " \
- ifconfig $dev 0.0.0.0 down
- done
-
+
 rm -f $VAR_SUBSYS_IPTABLES
 return $ret
 }
 
 save() {
 # Check if iptable module is loaded
- [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
+ [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
 
 # Check if firewall is configured (has tables)
- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
- [ -z "$tables" ] && return 1
+ [ -z "$NF_TABLES" ] && return 6
 
- echo -n $"Saving firewall rules to $IPTABLES_DATA: "
+ echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
 
 OPT=
 [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
 
 ret=0
- TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
+ TMP_FILE=$(/bin/mktemp -q /tmp/$IPTABLES.XXXXXX) \
 && chmod 600 "$TMP_FILE" \
 && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
- && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
+ && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
 || ret=1
 if [ $ret -eq 0 ]; then
 if [ -e $IPTABLES_DATA ]; then
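Review bot: The new `for mod in ${NF_MODULES_COMMON[*]}` loop in `stop` hands `x_tables`, `nf_nat` and `nf_conntrack` to `rmmod_r`, and rmmod_r (earlier hunks) unloads every referring module before the module itself, so when the other address family's firewall is loaded — `ip6_tables` and its `ip6table_*` tables are referrers of `x_tables` — stopping iptables also unregisters those tables and drops their rules, with the evidence hidden by `>/dev/null`. The comment on the loop already says these modules are shared by v4 and v6, which is exactly why they must not be unloaded recursively; a non-recursive `modprobe -r $mod >/dev/null 2>&1` in that loop fails harmlessly while the module has users and still unloads it when nothing else holds it. The same concern applies to a future entry in `NF_MODULES` that happens to be shared. save's body continues past the end of this hunk.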
@@ -297,31 +277,35 @@ save() {
 }
 
 status() {
+ if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
+ echo $"${IPTABLES}: Firewall is not running."
+ return 3
+ fi
+
 # Do not print status if lockfile is missing and iptables modules are not
 # loaded.
- # Check if iptable module is loaded
- if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
- echo $"Firewall is stopped."
- return 1
+ # Check if iptable modules are loaded
+ if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
+ echo $"${IPTABLES}: Firewall modules are not loaded."
+ return 3
 fi
 
 # Check if firewall is configured (has tables)
- if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
- echo $"Firewall is not configured. "
- return 1
- fi
- tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
- if [ -z "$tables" ]; then
- echo $"Firewall is not configured. "
- return 1
+ if [ -z "$NF_TABLES" ]; then
+ echo $"${IPTABLES}: Firewall is not configured. "
+ return 3
 fi
 
 NUM=
 [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
+ VERBOSE=
+ [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
+ COUNT=
+ [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
 
- for table in $tables; do
+ for table in $NF_TABLES; do
 echo $"Table: $table"
- $IPTABLES -t $table --list $NUM && echo
+ $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
 done
 
 return 0
@@ -333,9 +317,10 @@ restart() {
 start
 }
 
+
 case "$1" in
 start)
- stop
+ [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
 start
 RETVAL=$?
 ;;
@@ -344,12 +329,14 @@ case "$1" in
 stop
 RETVAL=$?
 ;;
- restart)
+ restart|force-reload)
 restart
 RETVAL=$?
 ;;
- condrestart)
- [ -e "$VAR_SUBSYS_IPTABLES" ] && restart
+ condrestart|try-restart)
+ [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
+ restart
+ RETVAL=$?
 ;;
 status)
 status
@@ -365,8 +352,8 @@ case "$1" in
 RETVAL=$?
 ;;
 *)
- echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
- exit 1
+ echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
+ RETVAL=2
 ;;
 esac
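Review bot: The new `[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0` guard in the `start)` case trusts the lock file alone, while `stop` (hunk at -197) now returns 0 before it reaches `rm -f $VAR_SUBSYS_IPTABLES` whenever `$PROC_IPTABLES_NAMES` is absent; once the netfilter modules are gone with the lock still present, `service iptables start` exits 0 without applying a single rule and reports nothing. The guard should also require a live ruleset, `[ -f "$VAR_SUBSYS_IPTABLES" -a -n "$NF_TABLES" ] && exit 0`, and stop's early exit should clear the lock it would otherwise leave behind, `[ ! -e "$PROC_IPTABLES_NAMES" ] && { rm -f $VAR_SUBSYS_IPTABLES; return 0; }`. `status` (first hunk in this group) already treats "lock present but no tables" as not running, so the start guard is the odd one out.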