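#!/bin/bash
#
# iptables      Start iptables firewall
#
# chkconfig: 2345 08 92
# description:  Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO

# This script relies on bash-only features (arrays, local, $"..." message
# translation, EUID), so it is declared as a bash script rather than /bin/sh.

# Source function library (provides success, failure and warning).
. /etc/init.d/functions

IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
if [ "$IPV" = "ip" ]; then
    _IPV="ipv4"
else
    _IPV="ipv6"
fi
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES

# only usable for root
[ "$EUID" = 0 ] || exit 4

if [ ! -x "/sbin/$IPTABLES" ]; then
    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
    exit 5
fi

# Old or new modutils (lsmod output format differs, see rmmod_r)
if /sbin/modprobe --version 2>&1 | grep -q module-init-tools; then
    NEW_MODUTILS=1
else
    NEW_MODUTILS=0
fi

# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
IPTABLES_SYSCTL_LOAD_LIST=""

# Load firewall configuration.
# The config file is sourced as shell code, so it must only be writable
# by root.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

# Netfilter modules: every loaded ${IPV}table_* module plus ${IPV}_tables
NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6

# Get active tables (captured once; set_policy re-reads the file itself)
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)

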
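rmmod_r() {
    # Unload module with all referring modules.
    # At first all referring modules will be unloaded, then the module itself.
    # Arguments: $1 - module name
    # Globals:   NEW_MODUTILS (read)
    # Outputs:   the name of every module that could not be unloaded, on stdout
    # Returns:   sum of the failed modprobe -r statuses (0 when all unloaded)
    local mod=$1
    local ret=0
    local ref=
    local i res

    # Get referring modules.
    # New modutils have another output format.
    # Match the module name as a whole word: a prefix match would also pick
    # up modules that merely start with the same name (nf_nat vs nf_nat_ftp).
    if [ "$NEW_MODUTILS" = 1 ]; then
        ref=$(lsmod | awk -v m="$mod" '$1 == m { print $4; }' | tr ',' ' ')
    else
        ref=$(lsmod | grep "^${mod} " | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
    fi

    # recursive call for all referring modules
    for i in $ref; do
        rmmod_r "$i"
        ret=$((ret + $?))
    done

    # Unload module.
    # The extra test is for 2.6: The module might have autocleaned,
    # after all referring modules are unloaded.
    if grep -q "^${mod} " /proc/modules ; then
        modprobe -r "$mod" > /dev/null 2>&1
        res=$?
        [ "$res" -eq 0 ] || echo -n " $mod"
        ret=$((ret + res))
    fi

    return $ret
}
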
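flush_n_delete() {
    # Flush firewall rules, delete user chains and zero counters in every
    # active table.
    # Globals:  PROC_IPTABLES_NAMES, NF_TABLES, IPTABLES (read)
    # Returns:  0 if the netfilter module is not loaded or everything was
    #           flushed, 1 if no table is active, otherwise the sum of the
    #           failed iptables statuses.
    local ret=0
    local table

    # Nothing to do when the iptable module is not loaded.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    # Check if firewall is configured (has tables)
    [ -z "$NF_TABLES" ] && return 1

    echo -n $"${IPTABLES}: Flushing firewall rules: "
    # For all tables
    for table in $NF_TABLES; do
        # Flush firewall rules.
        $IPTABLES -t "$table" -F
        ret=$((ret + $?))

        # Delete firewall chains.
        $IPTABLES -t "$table" -X
        ret=$((ret + $?))

        # Set counter to zero.
        $IPTABLES -t "$table" -Z
        ret=$((ret + $?))
    done

    if [ $ret -eq 0 ]; then success; else failure; fi
    echo
    return $ret
}
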
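set_policy() {
    # Set the policy of every built-in chain in every active table.
    # Arguments: $1 - policy to apply (e.g. ACCEPT or DROP)
    # Globals:   PROC_IPTABLES_NAMES, IPTABLES (read)
    # Returns:   0 if the netfilter module is not loaded or all policies were
    #            set, 1 if no table is active, otherwise the number of tables
    #            whose policy could not be set (an unknown table counts as one)
    local policy=$1
    local ret=0
    local tables table

    # Check if iptable module is loaded
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    # Check if firewall is configured (has tables).
    # The list is read fresh here instead of using NF_TABLES, which is
    # captured only once at script start.
    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
    [ -z "$tables" ] && return 1

    echo -n $"${IPTABLES}: Setting chains to policy $policy: "
    for table in $tables; do
        echo -n "$table "
        case "$table" in
            raw)
                $IPTABLES -t raw -P PREROUTING "$policy" \
                    && $IPTABLES -t raw -P OUTPUT "$policy" \
                    || ret=$((ret + 1))
                ;;
            filter)
                $IPTABLES -t filter -P INPUT "$policy" \
                    && $IPTABLES -t filter -P OUTPUT "$policy" \
                    && $IPTABLES -t filter -P FORWARD "$policy" \
                    || ret=$((ret + 1))
                ;;
            nat)
                $IPTABLES -t nat -P PREROUTING "$policy" \
                    && $IPTABLES -t nat -P POSTROUTING "$policy" \
                    && $IPTABLES -t nat -P OUTPUT "$policy" \
                    || ret=$((ret + 1))
                ;;
            mangle)
                $IPTABLES -t mangle -P PREROUTING "$policy" \
                    && $IPTABLES -t mangle -P POSTROUTING "$policy" \
                    && $IPTABLES -t mangle -P INPUT "$policy" \
                    && $IPTABLES -t mangle -P OUTPUT "$policy" \
                    && $IPTABLES -t mangle -P FORWARD "$policy" \
                    || ret=$((ret + 1))
                ;;
            security)
                # The security table has the same built-in chains as filter.
                $IPTABLES -t security -P INPUT "$policy" \
                    && $IPTABLES -t security -P OUTPUT "$policy" \
                    && $IPTABLES -t security -P FORWARD "$policy" \
                    || ret=$((ret + 1))
                ;;
            *)
                # Unknown table: its built-in chains are not known here,
                # so the policy cannot be applied.
                ret=$((ret + 1))
                ;;
        esac
    done

    if [ $ret -eq 0 ]; then success; else failure; fi
    echo
    return $ret
}
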
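load_sysctl() {
    # Load the sysctl settings named in IPTABLES_SYSCTL_LOAD_LIST.
    # Each list item is used as a fixed-string filter on /etc/sysctl.conf
    # and the matching lines are handed to sysctl -p.
    # Globals:  IPTABLES_SYSCTL_LOAD_LIST (read)
    # Returns:  sum of the failed sysctl statuses; 0 when the list is empty
    #           (ret is local so a stale caller value is never returned)
    local ret=0
    local item

    if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
        echo -n $"Loading sysctl settings: "
        for item in $IPTABLES_SYSCTL_LOAD_LIST; do
            # -F: item is a literal, not a regex; --: protect a leading '-'
            grep -F -- "$item" /etc/sysctl.conf | sysctl -p - >/dev/null
            ret=$((ret + $?))
        done
        if [ $ret -eq 0 ]; then success; else failure; fi
        echo
    fi
    return $ret
}
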
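start() {
    # Apply the firewall rules from IPTABLES_DATA (falling back to
    # IPTABLES_FALLBACK_DATA when the primary rule set cannot be restored),
    # then load helper modules and sysctl settings and create the lock file.
    # Globals:  IPTABLES_DATA, IPTABLES_FALLBACK_DATA, IPTABLES_SAVE_COUNTER,
    #           IPTABLES_MODULES, VAR_SUBSYS_IPTABLES, IPTABLES, _IPV (read)
    # Returns:  6 when no rule file exists, 150 when the IPv6 module is
    #           disabled through modprobe, 1 when no rule set could be
    #           restored, otherwise the number of failed module/sysctl loads
    local ret=0
    local opt=
    local mod

    # Do not start if there is no config file.
    [ ! -f "$IPTABLES_DATA" ] && return 6

    # check if ipv6 module load is deactivated
    if [ "${_IPV}" = "ipv6" ] \
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
        echo $"${IPTABLES}: ${_IPV} is disabled."
        return 150
    fi

    echo -n $"${IPTABLES}: Applying firewall rules: "

    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && opt="-c"

    # $opt is intentionally unquoted: when empty it must expand to nothing.
    if $IPTABLES-restore $opt "$IPTABLES_DATA"; then
        success; echo
    else
        failure; echo
        [ -f "$IPTABLES_FALLBACK_DATA" ] || return 1
        echo -n $"${IPTABLES}: Applying firewall fallback rules: "
        if $IPTABLES-restore $opt "$IPTABLES_FALLBACK_DATA"; then
            success; echo
        else
            failure; echo
            return 1
        fi
    fi

    # Load additional modules (helpers)
    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n $"${IPTABLES}: Loading additional modules: "
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe "$mod" > /dev/null 2>&1
            ret=$((ret + $?))
        done
        if [ $ret -eq 0 ]; then success; else failure; fi
        echo
    fi

    # Load sysctl settings; a failure there counts like a failed module load.
    load_sysctl || ret=$((ret + 1))

    touch "$VAR_SUBSYS_IPTABLES"
    return $ret
}
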
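stop() {
    # Reset chain policies to ACCEPT, flush all rules and delete chains,
    # optionally unload the netfilter modules, then remove the lock file.
    # Globals:  PROC_IPTABLES_NAMES, IPTABLES_MODULES_UNLOAD, NF_MODULES,
    #           NF_MODULES_COMMON, VAR_SUBSYS_IPTABLES, IPTABLES (read)
    # Returns:  0 when the netfilter module is not loaded; otherwise the
    #           status of flush_n_delete plus the failed module unloads
    local ret=0
    local mod

    # Do not stop if iptables module is not loaded.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    # Set default chain policy to ACCEPT, in order to not break shutdown
    # on systems where the default policy is DROP and root device is
    # network-based (i.e.: iSCSI, NFS)
    set_policy ACCEPT
    # And then, flush the rules and delete chains
    flush_n_delete || ret=$?

    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
        echo -n $"${IPTABLES}: Unloading modules: "
        for mod in "${NF_MODULES[@]}"; do
            rmmod_r "$mod"
            ret=$((ret + $?))
        done
        # try to unload remaining netfilter modules used by ipv4 and ipv6
        # netfilter; these are shared, so their unload status is deliberately
        # not counted.
        for mod in "${NF_MODULES_COMMON[@]}"; do
            rmmod_r "$mod" >/dev/null
        done
        if [ $ret -eq 0 ]; then success; else failure; fi
        echo
    fi

    rm -f "$VAR_SUBSYS_IPTABLES"
    return $ret
}
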
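save() {
    # Write the active rule set to IPTABLES_DATA, keeping the previous file
    # as IPTABLES_DATA.save. The rules are first written to a mktemp-created
    # file with mode 0600 and only moved into place once they are non-empty,
    # so a failed save never truncates the existing rule file.
    # Globals:  PROC_IPTABLES_NAMES, NF_TABLES, IPTABLES_DATA,
    #           IPTABLES_SAVE_COUNTER, IPTABLES (read)
    # Returns:  0 on success or when the netfilter module is not loaded,
    #           6 when no table is active, 1 on any failure
    local ret=0
    local opt=
    local tmp_file=
    local size

    # Check if iptable module is loaded
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    # Check if firewall is configured (has tables)
    [ -z "$NF_TABLES" ] && return 6

    echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "

    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && opt="-c"

    # $opt is intentionally unquoted: when empty it must expand to nothing.
    tmp_file=$(/bin/mktemp -q "$IPTABLES_DATA.XXXXXX") \
        && chmod 600 "$tmp_file" \
        && $IPTABLES-save $opt > "$tmp_file" 2>/dev/null \
        && size=$(stat -c '%s' "$tmp_file") && [ "$size" -gt 0 ] \
        || ret=1
    if [ $ret -eq 0 ] && [ -e "$IPTABLES_DATA" ]; then
        cp -f "$IPTABLES_DATA" "$IPTABLES_DATA.save" \
            && chmod 600 "$IPTABLES_DATA.save" \
            && restorecon "$IPTABLES_DATA.save" \
            || ret=1
    fi
    if [ $ret -eq 0 ]; then
        mv -f "$tmp_file" "$IPTABLES_DATA" \
            && chmod 600 "$IPTABLES_DATA" \
            && restorecon "$IPTABLES_DATA" \
            || ret=1
    fi
    # Drop the temporary file on failure paths (mv consumed it on success);
    # the name is empty when mktemp itself failed.
    [ -n "$tmp_file" ] && rm -f -- "$tmp_file"
    if [ $ret -eq 0 ]; then success; else failure; fi
    echo
    return $ret
}
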
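status() {
    # Print the rules of every active table, honoring the IPTABLES_STATUS_*
    # display options.
    # Globals:  VAR_SUBSYS_IPTABLES, NF_TABLES, PROC_IPTABLES_NAMES,
    #           IPTABLES_STATUS_NUMERIC, IPTABLES_STATUS_VERBOSE,
    #           IPTABLES_STATUS_LINENUMBERS, IPTABLES (read)
    # Returns:  3 when the firewall is not running, its modules are not
    #           loaded, or no table is active; 0 otherwise
    local num= verbose= count=
    local table

    # Do not print status if lockfile is missing and iptables modules are not
    # loaded.
    if [ ! -f "$VAR_SUBSYS_IPTABLES" ] && [ -z "$NF_TABLES" ]; then
        echo $"${IPTABLES}: Firewall is not running."
        return 3
    fi

    # Check if iptable modules are loaded
    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
        echo $"${IPTABLES}: Firewall modules are not loaded."
        return 3
    fi

    # Check if firewall is configured (has tables)
    if [ -z "$NF_TABLES" ]; then
        echo $"${IPTABLES}: Firewall is not configured. "
        return 3
    fi

    [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && num="-n"
    [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && verbose="--verbose"
    [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && count="--line-numbers"

    # The option variables are intentionally unquoted so that an empty one
    # expands to no argument.
    for table in $NF_TABLES; do
        echo $"Table: $table"
        $IPTABLES -t "$table" --list $num $verbose $count && echo
    done

    return 0
}
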
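reload() {
    # Re-apply the rule set from IPTABLES_DATA with iptables-restore, then
    # load helper modules and sysctl settings. Unlike start there is no
    # fallback rule set and the lock file is not touched.
    # Globals:  IPTABLES_DATA, IPTABLES_SAVE_COUNTER, IPTABLES_MODULES,
    #           IPTABLES, _IPV (read)
    # Returns:  6 when no rule file exists, 150 when the IPv6 module is
    #           disabled through modprobe, 1 when the restore failed,
    #           otherwise the number of failed module/sysctl loads
    local ret=0
    local opt=
    local mod

    # Do not reload if there is no config file.
    [ ! -f "$IPTABLES_DATA" ] && return 6

    # check if ipv6 module load is deactivated
    if [ "${_IPV}" = "ipv6" ] \
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
        echo $"${IPTABLES}: ${_IPV} is disabled."
        return 150
    fi

    echo -n $"${IPTABLES}: Trying to reload firewall rules: "

    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && opt="-c"

    # $opt is intentionally unquoted: when empty it must expand to nothing.
    if $IPTABLES-restore $opt "$IPTABLES_DATA"; then
        success; echo
    else
        failure; echo; echo "Firewall rules are not changed."; return 1
    fi

    # Load additional modules (helpers)
    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n $"${IPTABLES}: Loading additional modules: "
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe "$mod" > /dev/null 2>&1
            ret=$((ret + $?))
        done
        if [ $ret -eq 0 ]; then success; else failure; fi
        echo
    fi

    # Load sysctl settings; a failure there counts like a failed module load.
    load_sysctl || ret=$((ret + 1))

    return $ret
}
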
restart() {
    # Optionally save the running rules, then stop and start the firewall.
    # Globals:  IPTABLES_SAVE_ON_RESTART (read)
    # Returns:  the status of start
    if [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ]; then
        save
    fi
    stop
    start
}


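# Action dispatch: every branch leaves the script exit status in RETVAL.
case "$1" in
    start)
        # Already started (lock file present): nothing to do.
        [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
        start
        RETVAL=$?
        ;;
    stop)
        if [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ]; then
            save
        fi
        stop
        RETVAL=$?
        ;;
    restart|force-reload)
        restart
        RETVAL=$?
        ;;
    reload)
        # Only reload a started service; without the lock file the status
        # of the test (1) becomes the exit code.
        [ -e "$VAR_SUBSYS_IPTABLES" ] && reload
        RETVAL=$?
        ;;
    condrestart|try-restart)
        [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
        restart
        RETVAL=$?
        ;;
    status)
        status
        RETVAL=$?
        ;;
    panic)
        # Emergency mode: set every built-in chain of every table to DROP.
        set_policy DROP
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        # Usage lists every action handled above, including the aliases.
        echo $"Usage: ${IPTABLES} {start|stop|reload|restart|force-reload|condrestart|try-restart|status|panic|save}"
        RETVAL=2
        ;;
esac

exit $RETVAL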