1#!/bin/bash
2#
3# iptables	Start iptables firewall
4#
5# chkconfig: 2345 08 92
6# description:	Starts, stops and saves iptables firewall
7#
8# config: /etc/sysconfig/iptables
9# config: /etc/sysconfig/iptables-config
10#
11### BEGIN INIT INFO
12# Provides: iptables
13# Required-Start:
14# Required-Stop:
15# Default-Start: 2 3 4 5
16# Default-Stop: 0 1 6
17# Short-Description: start and stop iptables firewall
18# Description: Start, stop and save iptables firewall
19### END INIT INFO
20
# Minimal stand-ins for the initscripts helpers (success/warning/failure);
# the initscripts package is no longer a dependency of this script.
success() {
    # Print the initscripts-style OK tag without a trailing newline.
    # Always returns 0 so it can be used as the "true" arm of `&& ... || ...`.
    printf '%s' "[  OK  ]"
    return 0
}
26
warning() {
    # Print the WARNING tag without a trailing newline.
    # Returns 1 (like failure) so callers chaining `cmd && success || warning`
    # propagate a non-zero status.
    printf '%s' "[WARNING]"
    return 1
}
31
failure() {
    # Print the FAILED tag without a trailing newline and return 1.
    printf '%s' "[FAILED]"
    return 1
}
36
# Tool name and derived paths. Presumably the ip6tables flavour of this
# script differs only in this first assignment (IPTABLES=ip6tables); every
# other path and name is derived from it.
IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config

# Strip the "tables" suffix: "ip" for iptables, "ip6" for ip6tables.
IPV=${IPTABLES%tables}
if [ "$IPV" = "ip" ]; then
    _IPV="ipv4"
else
    _IPV="ipv6"
fi

# Kernel file listing the registered tables (only exists once the
# {ip,ip6}_tables module is loaded), and the subsys lock marking "running".
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
45
# Root only: every action below manipulates kernel tables or writes under
# /etc/sysconfig. Exit 4 = "insufficient privilege" (LSB convention).
if [ "$EUID" -ne 0 ]; then
    echo -n $"${IPTABLES}: Only usable by root."; warning; echo
    exit 4
fi

# Refuse to run without the binary. NOTE: the functions below invoke
# $IPTABLES through PATH, not via this absolute path, so PATH has to be
# sane when this script runs (init normally guarantees that).
if [ ! -x "/sbin/$IPTABLES" ]; then
    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
    exit 5
fi
56
# Detect kmod-based ("new") modutils. NEW_MODUTILS is not read anywhere in
# this script as shown; it may be consumed by the sourced config or be a
# leftover from an earlier version.
if /sbin/modprobe --version 2>&1 | grep -q 'kmod version'; then
    NEW_MODUTILS=1
else
    NEW_MODUTILS=0
fi
61
# Built-in defaults. Any of these can be overridden by the config file
# sourced below.
IPTABLES_MODULES=""                 # extra kernel modules to modprobe after restore
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"          # pass -c to save/restore (keep counters)
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
IPTABLES_SYSCTL_LOAD_LIST=""        # sysctl keys to pull from /etc/sysctl.d
IPTABLES_RESTORE_WAIT=600           # --wait seconds for restore; 0 disables
IPTABLES_RESTORE_WAIT_INTERVAL=1000000

# The config file is *sourced* as root, so anything in it executes with full
# privileges: it must be root-owned and not writable by anyone else.
if [ -f "$IPTABLES_CONFIG" ]; then
    . "$IPTABLES_CONFIG"
fi

# Tables currently registered with the kernel (one name per line, e.g.
# "filter"). Empty when the table module is not loaded or has no tables.
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
79
80
flush_n_delete() {
    # Flush all rules, delete user-defined chains and zero the counters in
    # every table listed in $NF_TABLES (read once at script start).
    # Built-in chain policies are NOT touched here; stop() sets them to
    # ACCEPT first, so the combination leaves the host unfiltered.
    #
    # Returns 0 when the table module is not loaded, 1 when no table is
    # registered, otherwise the sum of the iptables exit codes (0 == all ok).
    # $ret is intentionally global: stop() returns it.
    local tbl op

    [ -e "$PROC_IPTABLES_NAMES" ] || return 0
    [ -n "$NF_TABLES" ] || return 1

    echo -n $"${IPTABLES}: Flushing firewall rules: "
    ret=0
    for tbl in $NF_TABLES; do
        # -F flush rules, -X delete chains, -Z zero counters
        for op in -F -X -Z; do
            $IPTABLES -t "$tbl" "$op"
            ret=$((ret + $?))
        done
    done

    if [ "$ret" -eq 0 ]; then
        success
    else
        failure
    fi
    echo
    return "$ret"
}
109
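set_policy() {
    # Set the built-in chains of every registered table to the policy in $1
    # (ACCEPT or DROP). Used by stop() with ACCEPT, so a host whose root
    # device is on the network keeps working while rules are flushed, and
    # by "panic" with DROP.
    # Only chain *policies* change: existing rules still match first, so
    # "panic" on a table full of ACCEPT rules is not a lockdown by itself.
    #
    # NOTE: the "security" table has its own INPUT/OUTPUT/FORWARD chains and
    # is addressed as such; it must not be aliased to the filter table
    # (which would set filter twice and leave security's policies unchanged).
    #
    # Returns 0 when the table module is not loaded, 1 when no table is
    # registered, otherwise the number of tables whose chains could not all
    # be set. $ret stays global for consistency with flush_n_delete().
    local policy=$1
    local tables tbl chains chain

    [ -e "$PROC_IPTABLES_NAMES" ] || return 0

    # Read the live list rather than $NF_TABLES so modules loaded after
    # script start are covered.
    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
    [ -n "$tables" ] || return 1

    echo -n $"${IPTABLES}: Setting chains to policy $policy: "
    ret=0
    for tbl in $tables; do
        echo -n "$tbl "
        # Built-in chains per table; an unknown table counts as a failure.
        case "$tbl" in
            filter|security) chains="INPUT OUTPUT FORWARD" ;;
            raw)             chains="PREROUTING OUTPUT" ;;
            nat)             chains="PREROUTING POSTROUTING OUTPUT" ;;
            mangle)          chains="PREROUTING POSTROUTING INPUT OUTPUT FORWARD" ;;
            *)               ret=$((ret + 1)); continue ;;
        esac
        # Stop at the first chain that fails and count the table once.
        for chain in $chains; do
            $IPTABLES -t "$tbl" -P "$chain" "$policy" || { ret=$((ret + 1)); break; }
        done
    done

    if [ "$ret" -eq 0 ]; then
        success
    else
        failure
    fi
    echo
    return "$ret"
}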
167
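load_sysctl() {
    # Apply the sysctl settings named in IPTABLES_SYSCTL_LOAD_LIST: for each
    # item the matching lines of /etc/sysctl.d/* are extracted and fed to
    # `sysctl -p -`. Items are matched as fixed strings anywhere in a line,
    # so a short key also matches longer keys that contain it.
    #
    # Returns 0 when the list is empty; otherwise the sum of the sysctl exit
    # codes (grep's status is masked by the pipe). $ret is deliberately left
    # global: start() and reload() return it after calling this function,
    # and it is only touched when there is something to load.
    local item

    [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ] || return 0

    echo -n $"Loading sysctl settings: "
    ret=0
    for item in $IPTABLES_SYSCTL_LOAD_LIST; do
        # Quoted + "--": an item is never globbed or parsed as a grep option.
        grep -Fhs -- "$item" /etc/sysctl.d/* | sysctl -p - >/dev/null
        ret=$((ret + $?))
    done
    if [ "$ret" -eq 0 ]; then
        success
    else
        failure
    fi
    echo
    return "$ret"
}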
182
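start() {
    # Load the saved rule set with ${IPTABLES}-restore (falling back to
    # $IPTABLES_FALLBACK_DATA if that fails), then modprobe the extra
    # modules and apply the sysctls from the config, and finally create the
    # subsys lock that marks the firewall as running.
    #
    # Returns 6 when there is no rules file, 150 when the ipv6 module is
    # blacklisted through an "install ipv6 /bin/true|false" modprobe line,
    # 1 when neither the rules file nor the fallback could be restored,
    # otherwise the global $ret left by module loading / load_sysctl()
    # (0 == everything succeeded).
    local mod restore_opts

    if [ ! -f "$IPTABLES_DATA" ]; then
        echo -n $"${IPTABLES}: No config file."; warning; echo
        return 6
    fi

    if [ "${_IPV}" = "ipv6" ] \
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
        echo $"${IPTABLES}: ${_IPV} is disabled."
        return 150
    fi

    echo -n $"${IPTABLES}: Applying firewall rules: "

    # -c also restores counters; --wait makes restore block on the xtables
    # lock instead of failing when another iptables process holds it.
    restore_opts=()
    [ "$IPTABLES_SAVE_COUNTER" = "yes" ] && restore_opts+=(-c)
    if [ "$IPTABLES_RESTORE_WAIT" -ne 0 ]; then
        restore_opts+=(--wait "$IPTABLES_RESTORE_WAIT")
        if [ "$IPTABLES_RESTORE_WAIT_INTERVAL" -lt 1000000 ]; then
            restore_opts+=(--wait-interval "$IPTABLES_RESTORE_WAIT_INTERVAL")
        fi
    fi

    if "$IPTABLES-restore" "${restore_opts[@]}" "$IPTABLES_DATA"; then
        success; echo
    else
        failure; echo
        # NOTE(review): a failed restore may already have replaced some
        # tables (restore commits table by table, as far as I know); the
        # fallback file is what brings the host back to a known state.
        [ -f "$IPTABLES_FALLBACK_DATA" ] || return 1
        echo -n $"${IPTABLES}: Applying firewall fallback rules: "
        if "$IPTABLES-restore" "${restore_opts[@]}" "$IPTABLES_FALLBACK_DATA"; then
            success; echo
        else
            failure; echo
            return 1
        fi
    fi

    # From here on the global $ret is the function's result. Reset it so a
    # stale value from an earlier call (e.g. flush_n_delete() during a
    # restart) cannot leak into the status when there are no modules or
    # sysctls to load.
    ret=0

    # Modules come from the (root-owned) config and are loaded as root.
    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n $"${IPTABLES}: Loading additional modules: "
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe "$mod" > /dev/null 2>&1
            ret=$((ret + $?))
        done
        if [ "$ret" -eq 0 ]; then
            success
        else
            failure
        fi
        echo
    fi

    # Overwrites the global $ret only when IPTABLES_SYSCTL_LOAD_LIST is set.
    load_sysctl

    touch "$VAR_SUBSYS_IPTABLES"
    return "$ret"
}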
245
stop() {
    # Tear the firewall down: open the built-in chain policies first, then
    # flush rules and delete chains, then remove the subsys lock.
    # The ACCEPT-before-flush order is deliberate: with DROP policies still
    # in place a host whose root device is on the network (iSCSI, NFS) would
    # lose it mid-shutdown. The consequence is that after stop() the host is
    # completely unfiltered -- this is fail-open by design.
    #
    # Returns 0 when the table module is not loaded; otherwise the global
    # $ret as left by flush_n_delete() (set_policy's own result is not
    # reported separately).
    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
        return 0
    fi

    set_policy ACCEPT
    flush_n_delete

    rm -f "$VAR_SUBSYS_IPTABLES"
    return $ret
}
260
save() {
    # Dump the live rule set to $IPTABLES_DATA, keeping the previous file
    # as $IPTABLES_DATA.save. The dump is written to a mode-0600 temp file
    # in the same directory first and only moved into place (a rename) when
    # it is non-empty, so a failed dump never clobbers the existing rules.
    # Both files are kept root-only (0600): saved rules expose addresses,
    # ports and network layout. restorecon is called unconditionally to
    # re-apply the SELinux label, so the save fails on a host without it.
    #
    # Returns 0 on success or when the table module is not loaded, 6 when
    # the module is loaded but no table is registered, 1 on any failure.
    local dump_opts tmp_file size

    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
        echo -n $"${IPTABLES}: Nothing to save."; warning; echo
        return 0
    fi
    if [ -z "$NF_TABLES" ]; then
        echo -n $"${IPTABLES}: Nothing to save."; warning; echo
        return 6
    fi

    echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "

    dump_opts=
    [ "$IPTABLES_SAVE_COUNTER" = "yes" ] && dump_opts="-c"

    ret=0
    # mktemp next to the target keeps the final mv on the same filesystem.
    tmp_file=$(/bin/mktemp -q "$IPTABLES_DATA.XXXXXX") \
        && chmod 600 "$tmp_file" \
        && $IPTABLES-save $dump_opts > "$tmp_file" 2>/dev/null \
        && size=$(stat -c '%s' "$tmp_file") && [ "$size" -gt 0 ] \
        || ret=1

    # Back up the current rules file before replacing it.
    if [ "$ret" -eq 0 ] && [ -e "$IPTABLES_DATA" ]; then
        cp -f "$IPTABLES_DATA" "$IPTABLES_DATA.save" \
            && chmod 600 "$IPTABLES_DATA.save" \
            && restorecon "$IPTABLES_DATA.save" \
            || ret=1
    fi
    if [ "$ret" -eq 0 ]; then
        mv -f "$tmp_file" "$IPTABLES_DATA" \
            && chmod 600 "$IPTABLES_DATA" \
            && restorecon "$IPTABLES_DATA" \
            || ret=1
    fi

    # Harmless after a successful mv; removes the partial dump otherwise.
    [ -n "$tmp_file" ] && rm -f "$tmp_file"

    if [ "$ret" -eq 0 ]; then
        success
    else
        failure
    fi
    echo
    return "$ret"
}
304
status() {
    # List the rules of every registered table, or say why nothing can be
    # shown. Exit status 0 = running, 3 = not running (LSB convention).
    local list_opts table

    # No lock file and no registered table: nothing is running.
    if [ ! -f "$VAR_SUBSYS_IPTABLES" ] && [ -z "$NF_TABLES" ]; then
        echo $"${IPTABLES}: Firewall is not running."
        return 3
    fi
    # Lock file present but the table module is gone.
    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
        echo $"${IPTABLES}: Firewall modules are not loaded."
        return 3
    fi
    # Module loaded, lock present, but no table registered.
    if [ -z "$NF_TABLES" ]; then
        echo $"${IPTABLES}: Firewall is not configured. "
        return 3
    fi

    # Listing options taken from the config: numeric output (-n),
    # --verbose and --line-numbers.
    list_opts=()
    [ "$IPTABLES_STATUS_NUMERIC" = "yes" ] && list_opts+=(-n)
    [ "$IPTABLES_STATUS_VERBOSE" = "yes" ] && list_opts+=(--verbose)
    [ "$IPTABLES_STATUS_LINENUMBERS" = "yes" ] && list_opts+=(--line-numbers)

    for table in $NF_TABLES; do
        echo $"Table: $table"
        $IPTABLES -t "$table" --list "${list_opts[@]}" && echo
    done

    return 0
}
339
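reload() {
    # Re-apply $IPTABLES_DATA on a running firewall (the dispatcher only
    # calls this when the subsys lock exists), then reload the extra
    # modules and sysctls. Unlike start() there is no fallback file and the
    # lock file is not touched.
    #
    # Returns 6 when there is no rules file, 150 when the ipv6 module is
    # blacklisted via an "install ipv6 /bin/true|false" modprobe line, 1
    # when the restore failed, otherwise the global $ret left by module
    # loading / load_sysctl() (0 == everything succeeded).
    local mod restore_opts

    if [ ! -f "$IPTABLES_DATA" ]; then
        echo -n $"${IPTABLES}: No config file."; warning; echo
        return 6
    fi

    if [ "${_IPV}" = "ipv6" ] \
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
        echo $"${IPTABLES}: ${_IPV} is disabled."
        return 150
    fi

    echo -n $"${IPTABLES}: Trying to reload firewall rules: "

    # Same option handling as start(): -c keeps counters, --wait blocks on
    # the xtables lock instead of failing.
    restore_opts=()
    [ "$IPTABLES_SAVE_COUNTER" = "yes" ] && restore_opts+=(-c)
    if [ "$IPTABLES_RESTORE_WAIT" -ne 0 ]; then
        restore_opts+=(--wait "$IPTABLES_RESTORE_WAIT")
        if [ "$IPTABLES_RESTORE_WAIT_INTERVAL" -lt 1000000 ]; then
            restore_opts+=(--wait-interval "$IPTABLES_RESTORE_WAIT_INTERVAL")
        fi
    fi

    if "$IPTABLES-restore" "${restore_opts[@]}" "$IPTABLES_DATA"; then
        success; echo
    else
        # NOTE(review): the message assumes restore is all-or-nothing; as
        # far as I know restore commits table by table, so tables before
        # the failing one may already have been replaced -- confirm.
        failure; echo; echo "Firewall rules are not changed."; return 1
    fi

    # Reset the global $ret so a stale value from an earlier call cannot
    # become this function's status when nothing below runs.
    ret=0

    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n $"${IPTABLES}: Loading additional modules: "
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe "$mod" > /dev/null 2>&1
            ret=$((ret + $?))
        done
        if [ "$ret" -eq 0 ]; then
            success
        else
            failure
        fi
        echo
    fi

    # Overwrites the global $ret only when IPTABLES_SYSCTL_LOAD_LIST is set.
    load_sysctl

    return "$ret"
}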
390
restart() {
    # Full cycle: optionally save the live rules first
    # (IPTABLES_SAVE_ON_RESTART=yes), then stop and start.
    # The exit status is whatever start() returns.
    if [ "$IPTABLES_SAVE_ON_RESTART" = "yes" ]; then
        save
    fi
    stop
    start
}
396
397
# Action dispatch. Note that "running" is decided by the presence of the
# subsys lock file, not by kernel state: a stale lock makes "start" a no-op
# and a missing one makes "reload" a no-op.
case "$1" in
    start)
        if [ -f "$VAR_SUBSYS_IPTABLES" ]; then
            exit 0
        fi
        start
        RETVAL=$?
        ;;
    stop)
        if [ "$IPTABLES_SAVE_ON_STOP" = "yes" ]; then
            save
        fi
        stop
        RETVAL=$?
        ;;
    restart|force-reload)
        restart
        RETVAL=$?
        ;;
    reload)
        # Without the lock the test fails and RETVAL ends up as 1.
        [ -e "$VAR_SUBSYS_IPTABLES" ] && reload
        RETVAL=$?
        ;;
    condrestart|try-restart)
        if [ ! -e "$VAR_SUBSYS_IPTABLES" ]; then
            exit 0
        fi
        restart
        RETVAL=$?
        ;;
    status)
        status
        RETVAL=$?
        ;;
    panic)
        # Sets every built-in chain to DROP but does NOT flush the rules:
        # traffic matched by an existing ACCEPT rule still gets through.
        set_policy DROP
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}"
        RETVAL=2
        ;;
esac

exit "$RETVAL"
441