iptables

I work with plain iptables; it may not be trivial to create the rules, but at least you know what your system is doing. (or you think you know…)

Of course you do not want to enter them by hand after every reboot, so I made an init script for it; it uses iptables-save and iptables-restore.

Install the script with chkconfig or insserv (chkconfig -s iptables on)

And then just configure your firewall and do either /etc/init.d/iptables save active or /sbin/iptables-save > /etc/network/iptables/active

/etc/init.d/iptables (make it executable with chmod +x): (can be easily modified into an ip6tables script, change the “INIT INFO” texts and NAME=ip6tables)

#! /bin/sh

### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:
# Required-Stop:
# Should-Start:      $local_fs
# Should-Stop:       $local_fs
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Load iptables at boot time
# Description:       Load pre-configured iptables at boot time
### END INIT INFO

# Only the system binary directories are searched for every command below.
PATH=/sbin:/bin

# Change to ip6tables (together with the INIT INFO block above) for an IPv6 variant.
NAME=iptables

# Saved rulesets are iptables-save dumps in this directory; "active" is loaded on start,
# "inactive" on stop.
RULESETDIR="/etc/network/${NAME}"
# Optional site configuration, sourced further down; it may override IPTABLES_ENABLE.
default="/etc/default/${NAME}"

SAVE="/sbin/${NAME}-save"
RESTORE="/sbin/${NAME}-restore"

. /lib/lsb/init-functions

# LSB status 5: the program is not installed.
if ! test -x "${RESTORE}" || ! test -x "${SAVE}"; then
    exit 5
fi

# Ruleset files describe the host's firewall, so create them readable by root only (0600).
umask 0077

IPTABLES_ENABLE="true"

if test -f "${default}"; then
    . "${default}"
fi

initd="$0"

current() {
    # Write the live ruleset to stdout in iptables-save format.
    "${SAVE}"
}

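flush() {
    # Filter an iptables-save dump on stdin down to an "empty" ruleset on stdout:
    #   - every rule, every custom chain and every comment line is dropped,
    #   - the packet/byte counters of the remaining built-in chains become [0:0],
    #   - the policy of every built-in chain becomes $1.
    # Custom chains always have policy "-" and rules always start with "-", while
    # built-in chains and built-in targets probably never have a "-" in their names
    # (and only built-in targets can be a chain policy), so deleting every line that
    # contains a "-" removes exactly the rules and the custom chains.
    # $1: policy for the built-in chains, ACCEPT or DROP (default ACCEPT).  The old
    #     default was "ALLOW", which is not an iptables policy and made the output
    #     unloadable by iptables-restore.
    # Returns 1 and emits nothing when $1 is not a valid policy, so a typo is never
    # handed to iptables-restore.
    POLICY="${1:-ACCEPT}"
    case "${POLICY}" in
        ACCEPT|DROP)
            ;;
        *)
            printf 'flush: invalid policy "%s" (expected ACCEPT or DROP)\n' "${POLICY}" >&2
            return 1
            ;;
    esac
    sed -e "/-/d;/^#/d;/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g;/^:/s@ [^ ]\{1,\} @ ${POLICY} @g"
}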

accept_all() {
    # Empty ruleset, every built-in chain set to policy ACCEPT, on stdout.
    current | flush "ACCEPT"
}

drop_all() {
    # Empty ruleset, every built-in chain set to policy DROP, on stdout.
    current | flush "DROP"
}

iptables_load() {
    # Restore the saved ruleset named $1 from ${RULESETDIR}.
    # $1: ruleset name (a file in ${RULESETDIR}); empty is an error
    # $2: "1" when run unattended (start/stop): a missing ruleset then falls back to
    #     an empty ACCEPT-policy ruleset instead of failing, i.e. a host without a
    #     saved "active" ruleset comes up with an open firewall.
    # Returns the status handed to log_end_msg: that of ${RESTORE}, or 1 on error.
    RULESET="$1"
    NONINTERACTIVE="$2"
    FILE="${RULESETDIR}/${RULESET}"

    log_daemon_msg "Loading ${NAME} ruleset" "'${RULESET}'"

    if test -z "${RULESET}"; then
        log_progress_msg "no ruleset specified"
        log_end_msg 1
        return
    fi

    if test -f "${FILE}"; then
        "${RESTORE}" < "${FILE}"
        log_end_msg $?
        return
    fi

    if test "x${NONINTERACTIVE}" = "x1"; then
        log_progress_msg "(not configured, fallback to ACCEPT policy)"
        accept_all | "${RESTORE}"
        log_end_msg $?
    else
        log_progress_msg "ruleset not found"
        log_end_msg 1
    fi
}

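iptables_save() {
    # Dump the live ruleset into ${RULESETDIR}/$1 with all counters zeroed.
    # $1: ruleset name; empty is an error
    # The dump is written to a temporary file next to the target and renamed into
    # place only after ${SAVE} and the counter reset both succeeded, so a failing
    # save never leaves a truncated or half-written file behind (the one named
    # "active" is what the firewall is loaded from at boot).  umask 0077 keeps
    # the file 0600.
    # Returns 0 on success and 1 on any failure.  The previous version reported
    # the status of the 'if' compound, which is 0 when ${SAVE} itself fails, and
    # logged the "no ruleset" error twice.
    RULESET="$1"
    FILE="${RULESETDIR}/${RULESET}"

    log_daemon_msg "Saving ${NAME} ruleset" "'${RULESET}'"

    if test -z "${RULESET}"; then
        log_progress_msg "no ruleset specified"
        log_end_msg 1
        return 1
    fi

    TMPFILE="$(mktemp "${FILE}.XXXXXX")" || {
        log_progress_msg "cannot create temporary file in ${RULESETDIR}"
        log_end_msg 1
        return 1
    }

    if "${SAVE}" > "${TMPFILE}" \
        && sed -i -e '/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g' "${TMPFILE}" \
        && mv -f -- "${TMPFILE}" "${FILE}"; then
        log_end_msg 0
        return 0
    fi

    rm -f -- "${TMPFILE}"
    log_end_msg 1
    return 1
}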

iptables_clear() {
    # Replace the live ruleset by an empty one whose built-in chains all ACCEPT.
    log_daemon_msg "Clearing ${NAME} ruleset" "default ACCEPT policy"
    status=0
    accept_all | "${RESTORE}" || status=$?
    log_end_msg "${status}"
}

iptables_halt() {
    # Replace the live ruleset by an empty one whose built-in chains all DROP.
    log_daemon_msg "Clearing ${NAME} ruleset" "default DROP policy"
    status=0
    drop_all | "${RESTORE}" || status=$?
    log_end_msg "${status}"
}

usage () {
    # Print the command summary and the names of the saved rulesets to stderr.
    # (The listing reuses ls -m's output; ruleset names are plain file names.)
    saved="$(ls -m "${RULESETDIR}")"
    cat >&2 <<END
${initd} options:
  start|restart|reload|force-reload
     load the "active" ruleset
  save <ruleset>
     save the current ruleset
  load <ruleset>
     load a ruleset
  stop
     load the "inactive" ruleset
  clear
     remove all rules and user-defined chains, set default policy to ACCEPT
  halt
     remove all rules and user-defined chains, set default policy to DROP

Saved rulesets:
  $saved

Please read: $default

END
}

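# Dispatch on the init action.  start/stop do nothing when IPTABLES_ENABLE is
# not "true" (it can be set in ${default}); save/load/clear/halt always run.
case "$1" in
    start|restart|reload|force-reload)
        if ! test "x${IPTABLES_ENABLE}" = "xtrue"; then
            # disabled via ${default}
            exit 0
        fi
        iptables_load "active" 1
        ;;
    stop)
        if ! test "x${IPTABLES_ENABLE}" = "xtrue"; then
            # disabled via ${default}
            exit 0
        fi
        iptables_load "inactive" 1
        ;;
    save)
        iptables_save "$2"
        ;;
    load)
        iptables_load "$2"
        ;;
    clear)
        iptables_clear
        ;;
    halt)
        iptables_halt
        ;;
    *)
        # "$@" inside 'test -z' expands to one word per argument and is an
        # error with two or more arguments; count them instead and print them
        # joined with spaces (the same text the old echo produced).
        if test $# -gt 0; then
            printf 'Aborting %s initd: unknown command(s): "%s".\n' "${NAME}" "$*" >&2
        fi
        usage
        # LSB status 3: unimplemented / unknown action
        exit 3
        ;;
esac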
