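#!/bin/bash
#
# iptables -- Startup script to implement /etc/sysconfig/iptables pre-defined rules
#
# chkconfig: 2345 25 92
# description: Automates a packet filtering firewall with iptables.
# config: /etc/sysconfig/iptables
#
# By bero@redhat.com, based on the ipchains script:
#   Script Author: Joshua Jensen
#   -- hacked up by gafton with help from notting
#   Modified by Anton Altaparmakov :
#   Modified by Nils Philippsen
#
# Actions:
#   start        load the saved ruleset with iptables-restore (no-op without config)
#   stop         set every built-in chain to ACCEPT and remove all rules (host unfiltered)
#   restart      same as start (iptables-restore replaces the whole ruleset)
#   condrestart  restart only if the lock file says the service was started
#   status       list the rules of every table that is currently loaded
#   panic        set every built-in chain to DROP and remove all rules (host locked down)
#   save         write the live ruleset (with counters) to the config file, mode 0600

. /etc/sysconfig/rc
. "$rc_functions"

NAME=iptables
IPTABLES=/sbin/$NAME
IPTABLES_RESTORE=/sbin/iptables-restore
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_CONFIG=/etc/sysconfig/$NAME
LOCKFILE=/var/lock/subsys/$NAME

# Nothing to do on a system without the iptables binary
[ -x "$IPTABLES" ] || exit 0

#######################################
# Set the policy of every built-in chain in the mangle, filter and nat
# tables to the same target.
# Arguments: $1 - policy target (ACCEPT or DROP)
# Returns:   0 if every policy was set, the first failing iptables status otherwise
#######################################
set_policies() {
  local target=$1
  $IPTABLES --table mangle --policy PREROUTING "$target" &&
    $IPTABLES --table mangle --policy INPUT "$target" &&
    $IPTABLES --table mangle --policy FORWARD "$target" &&
    $IPTABLES --table mangle --policy OUTPUT "$target" &&
    $IPTABLES --table mangle --policy POSTROUTING "$target" &&
    $IPTABLES --table filter --policy INPUT "$target" &&
    $IPTABLES --table filter --policy OUTPUT "$target" &&
    $IPTABLES --table filter --policy FORWARD "$target" &&
    $IPTABLES --table nat --policy PREROUTING "$target" &&
    $IPTABLES --table nat --policy POSTROUTING "$target" &&
    $IPTABLES --table nat --policy OUTPUT "$target"
}

#######################################
# Flush all rules, delete all user-defined chains and zero the counters
# in the filter, nat and mangle tables.
# Returns:   0 on success; 1 if any table could not be cleaned up
#            (a failure on an earlier table is not masked by a later one)
#######################################
flush_tables() {
  local table rv=0
  for table in filter nat mangle; do
    $IPTABLES --table "$table" --flush &&
      $IPTABLES --table "$table" --delete-chain &&
      $IPTABLES --table "$table" --zero || rv=1
  done
  return $rv
}

#######################################
# Save the live ruleset (including counters) to $IPTABLES_CONFIG.
# The dump goes to a private (mode 0600, mktemp) file next to the config and
# is renamed over it only on success, so a failing iptables-save never leaves
# a truncated ruleset for the next "start" and the rules are never exposed
# through a briefly world-readable file. iptables-save errors are left on
# stderr so a failed save can be diagnosed.
# Globals:   IPTABLES_SAVE, IPTABLES_CONFIG (read)
# Returns:   0 on success, non-zero on failure
#######################################
save_rules() {
  local tmp rv
  tmp=$(mktemp "$IPTABLES_CONFIG.XXXXXX") || return 1
  $IPTABLES_SAVE -c > "$tmp" && mv -f -- "$tmp" "$IPTABLES_CONFIG"
  rv=$?
  rm -f -- "$tmp"   # no-op after a successful rename
  return $rv
}

case "$1" in
  start)
    # don't do squat if we don't have the config file
    if [ -f "$IPTABLES_CONFIG" ]; then
      # we do _not_ need to flush/clear anything when using iptables-restore;
      # comment and blank lines are stripped before the file is fed in
      echo -n $"Applying iptables firewall rules: "
      grep -v "^[[:space:]]*#" "$IPTABLES_CONFIG" |
        grep -v '^[[:space:]]*$' |
        $IPTABLES_RESTORE -c
      evaluate_retval; echo
    fi
    touch "$LOCKFILE"
    ;;
  stop)
    # After "stop" the host is unfiltered: every built-in chain accepts and
    # all rules and user chains are gone.
    echo -n $"Setting up default policies to ACCEPT: "
    set_policies ACCEPT
    evaluate_retval; echo
    echo -n $"Flushing all chains and deleting all user ones: "
    flush_tables
    evaluate_retval; echo
    rm -f "$LOCKFILE"
    ;;
  restart|reload)
    # "restart" is really just "start" as this isn't a daemon,
    # and "start" clears any pre-defined rules anyway.
    # This is really only here to make those who expect it happy
    "$0" start
    ;;
  condrestart)
    if [ -e "$LOCKFILE" ]; then
      "$0" restart
    fi
    ;;
  status)
    # /proc/net/ip_tables_names lists only the tables whose modules are
    # loaded; without it there is nothing to show.
    if [ -r /proc/net/ip_tables_names ]; then
      while read -r table; do
        echo "["$"TABLE:"" $table]"
        $IPTABLES -t "$table" --list
        echo
      done < /proc/net/ip_tables_names
    fi
    ;;
  panic)
    # Lock the host down: policies are switched to DROP *before* the chains
    # are flushed, so there is no window in which traffic is accepted by
    # default. The lock file is left in place, so condrestart still reloads
    # the saved rules.
    echo -n $"Setting up default policies to DROP: "
    set_policies DROP
    evaluate_retval; echo
    echo -n $"Flushing all chains and deleting all user ones: "
    flush_tables
    evaluate_retval; echo
    ;;
  save)
    echo -n $"Saving current rules to"" \`$IPTABLES_CONFIG': "
    save_rules
    evaluate_retval; echo
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload|condrestart|status|panic|save}"
    exit 1
    ;;
esac

exit 0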