#!/sbin/runscript
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.4.11.init,v 1.2 2011/12/04 10:15:59 swegener Exp $

# Commands offered in addition to start/stop; "reload" is only accepted while
# the service is running.
extra_commands="save panic"
extra_started_commands="reload"

# Pick the address family from the service name. Any other name (a copy or
# symlink of this script) falls back to the IPv4 tool.
iptables_name=${SVCNAME}
case ${iptables_name} in
	iptables|ip6tables) ;;
	*) iptables_name="iptables";;
esac

# Per-family paths: the binary, the kernel's list of loaded tables, the rule
# file configured in /etc/conf.d (IPTABLES_SAVE / IP6TABLES_SAVE) and the
# sysctl key used to toggle forwarding.
iptables_bin="/sbin/${iptables_name}"
if [ "${iptables_name}" = "ip6tables" ]; then
	iptables_proc="/proc/net/ip6_tables_names"
	iptables_save=${IP6TABLES_SAVE}
	sysctl_ipfwd=net.ipv6.conf.all.forwarding
else
	iptables_proc="/proc/net/ip_tables_names"
	iptables_save=${IPTABLES_SAVE}
	sysctl_ipfwd=net.ipv4.ip_forward
fi

depend() {
	# OpenRC dependency declarations: start before the network and after
	# sysctl, use the logger when it is available, and satisfy the virtual
	# "firewall" service that other scripts can depend on.
	before net
	after sysctl
	use logger
	provide firewall
}

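# Set the default policy of every builtin chain of one table.
#   $1  table name (nat, mangle, filter, raw, security; others are ignored)
#   $2  policy to apply (ACCEPT or DROP)
# Returns non-zero if any chain could not be set. The original only reported
# the status of the last chain, so a failure on e.g. INPUT was silently lost.
set_table_policy() {
	local chains table=$1 policy=$2 has_errors=0
	case ${table} in
		nat)      chains="PREROUTING POSTROUTING OUTPUT";;
		mangle)   chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";;
		filter)   chains="INPUT FORWARD OUTPUT";;
		raw)      chains="PREROUTING OUTPUT";;
		security) chains="INPUT FORWARD OUTPUT";;
		*)        chains="";;
	esac
	local chain
	for chain in ${chains} ; do
		${iptables_bin} -t "${table}" -P "${chain}" "${policy}" || has_errors=1
	done
	return ${has_errors}
}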

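# Verify the kernel exposes the table list for this address family.
# Returns 1 (after printing an error) if ${iptables_proc} does not exist.
# The path is quoted so an empty variable fails the check instead of making
# test(1) evaluate a different expression.
checkkernel() {
	if [ ! -e "${iptables_proc}" ] ; then
		eerror "Your kernel lacks ${iptables_name} support, please load"
		eerror "appropriate modules and try again."
		return 1
	fi
	return 0
}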
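# Verify a saved rule file exists before trying to load it.
# Returns 1 (after printing an error) if ${iptables_save} is unset or not a
# regular file. Quoting matters here: with the variable unset the unquoted
# test "[ ! -f ]" succeeds, and start() would then try to restore from "".
checkconfig() {
	if [ -z "${iptables_save}" ] || [ ! -f "${iptables_save}" ] ; then
		eerror "Not starting ${iptables_name}.  First create some rules then run:"
		eerror "/etc/init.d/${iptables_name} save"
		return 1
	fi
	return 0
}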

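# Load the saved rule set and optionally enable forwarding.
# Returns non-zero if no rule file exists or the restore fails.
start() {
	checkconfig || return 1
	ebegin "Loading ${iptables_name} state and starting firewall"
	${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
	# Stop here on a failed restore: otherwise a successful sysctl call below
	# would become the function's exit status and OpenRC would mark the
	# firewall as started with no rules loaded.
	eend $? || return 1
	if yesno "${IPFORWARD}"; then
		ebegin "Enabling forwarding"
		/sbin/sysctl -w "${sysctl_ipfwd}=1" > /dev/null
		eend $?
	fi
}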

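# Tear the firewall down: optionally disable forwarding and save the current
# rules, then open every loaded table (ACCEPT policy, no rules, no user chains).
# Returns non-zero if saving fails or any table could not be cleared; the
# original only reported the status of the last command of the last table.
stop() {
	if yesno "${IPFORWARD}"; then
		ebegin "Disabling forwarding"
		/sbin/sysctl -w "${sysctl_ipfwd}=0" > /dev/null
		eend $?
	fi
	if yesno "${SAVE_ON_STOP}"; then
		save || return 1
	fi
	checkkernel || return 1
	ebegin "Stopping firewall"
	local a has_errors=0
	for a in $(cat "${iptables_proc}") ; do
		# Policies go to ACCEPT before the flush, so the host is never left
		# with an empty table under a DROP policy.
		set_table_policy "${a}" ACCEPT || has_errors=1

		${iptables_bin} -F -t "${a}" || has_errors=1
		${iptables_bin} -X -t "${a}" || has_errors=1
	done
	eend ${has_errors}
}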

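# Flush the live rules and load the saved rule set again.
# Returns non-zero if the kernel lacks support, the rule file is missing or
# does not pass iptables-restore's syntax check, or start() fails.
reload() {
	checkkernel || return 1
	checkconfig || return 1
	# Validate the saved rules before tearing the live ones down: after the
	# flush below every table is empty with ACCEPT policies, so a rule file
	# that fails to load would otherwise leave the host unfiltered.
	ebegin "Checking ${iptables_name} rules in ${iptables_save}"
	${iptables_bin}-restore --test ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
	eend $? || return 1
	ebegin "Flushing firewall"
	local a has_errors=0
	for a in $(cat "${iptables_proc}") ; do
		${iptables_bin} -F -t "${a}" || has_errors=1
		${iptables_bin} -X -t "${a}" || has_errors=1
	done
	eend ${has_errors}

	start
}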

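# Dump the live rules to ${iptables_save}, readable by root only.
# The dump goes to a sibling temp file that is renamed into place, so a
# failed iptables-save never truncates the rule set that start() loads on
# the next boot (the original redirected straight into the target file).
save() {
	ebegin "Saving ${iptables_name} state"
	local tmp="${iptables_save}.tmp" rc=0
	( umask 077 && : > "${tmp}" ) &&
	${iptables_bin}-save ${SAVE_RESTORE_OPTIONS} > "${tmp}" &&
	chmod 0600 "${tmp}" &&
	mv -f "${tmp}" "${iptables_save}"
	rc=$?
	[ ${rc} -eq 0 ] || rm -f "${tmp}"
	eend ${rc}
}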

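# Emergency lockdown: stop the service if it is running, then set every
# loaded table to DROP and remove all rules and user chains.
# Returns non-zero if any table could not be locked down; the original only
# reported the status of the last command of the last table.
panic() {
	checkkernel || return 1
	if service_started "${iptables_name}"; then
		rc-service "${iptables_name}" stop
	fi

	local a has_errors=0
	ebegin "Dropping all packets"
	for a in $(cat "${iptables_proc}") ; do
		# DROP policy first, flush afterwards: the reverse order (as before)
		# leaves a window where the chains are empty under an ACCEPT policy.
		set_table_policy "${a}" DROP || has_errors=1

		${iptables_bin} -F -t "${a}" || has_errors=1
		${iptables_bin} -X -t "${a}" || has_errors=1
	done
	eend ${has_errors}
}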