Saltstack Official IPTables Formula
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.

102 lines
2.5KB

  1. #!/bin/sh
  2. # This file is part of netfilter-persistent
  3. # (was iptables-persistent)
  4. # Copyright (C) 2009, Simon Richter <sjr@debian.org>
  5. # Copyright (C) 2010, 2014 Jonathan Wiltshire <jmw@debian.org>
  6. #
  7. # This program is free software; you can redistribute it and/or
  8. # modify it under the terms of the GNU General Public License
  9. # as published by the Free Software Foundation, either version 3
  10. # of the License, or (at your option) any later version.
  11. rc=0
  12. load_rules()
  13. {
  14. #load IPv4 rules
  15. if [ ! -f /etc/iptables/rules.v4 ]; then
  16. echo "Warning: skipping IPv4 (no rules to load)"
  17. else
  18. {%- if provider == 'iptables-restore' %}
  19. iptables-restore --test < /etc/iptables/rules.v4 2> /dev/null
  20. if [ $? -ne 0 ]; then
  21. rc=1
  22. else
  23. iptables-save > /etc/iptables/rules.v4.bak
  24. grep -v __saltstack__ /etc/iptables/rules.v4.bak | iptables-restore 2> /dev/null
  25. iptables-restore --noflush < /etc/iptables/rules.v4 2> /dev/null
  26. if [ $? -ne 0 ]; then
  27. rc=1
  28. iptables-restore < /etc/iptables/rules.v4.bak 2> /dev/null
  29. fi
  30. fi
  31. {%- else %}
  32. iptables-restore < /etc/iptables/rules.v4 2> /dev/null
  33. if [ $? -ne 0 ]; then
  34. rc=1
  35. fi
  36. {%- endif %}
  37. fi
  38. }
  39. save_rules()
  40. {
  41. #save IPv4 rules
  42. #need at least iptable_filter loaded:
  43. /sbin/modprobe -q iptable_filter
  44. if [ ! -f /proc/net/ip_tables_names ]; then
  45. echo "Warning: skipping IPv4 (no modules loaded)"
  46. elif [ -x /sbin/iptables-save ]; then
  47. touch /etc/iptables/rules.v4
  48. chmod 0640 /etc/iptables/rules.v4
  49. iptables-save > /etc/iptables/rules.v4
  50. if [ $? -ne 0 ]; then
  51. rc=1
  52. fi
  53. fi
  54. }
  55. flush_rules()
  56. {
  57. if [ ! -f /proc/net/ip_tables_names ]; then
  58. log_action_cont_msg "Warning: skipping IPv4 (no module loaded)"
  59. elif [ -x /sbin/iptables ]; then
  60. for param in F Z X; do /sbin/iptables -$param; done
  61. for table in $(cat /proc/net/ip_tables_names)
  62. do
  63. /sbin/iptables -t $table -F
  64. /sbin/iptables -t $table -Z
  65. /sbin/iptables -t $table -X
  66. done
  67. for chain in INPUT FORWARD OUTPUT
  68. do
  69. /sbin/iptables -P $chain ACCEPT
  70. done
  71. fi
  72. }
  73. case "$1" in
  74. start|restart|reload|force-reload)
  75. load_rules
  76. ;;
  77. save)
  78. save_rules
  79. ;;
  80. stop)
  81. # Why? because if stop is used, the firewall gets flushed for a variable
  82. # amount of time during package upgrades, leaving the machine vulnerable
  83. # It's also not always desirable to flush during purge
  84. echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
  85. ;;
  86. flush)
  87. flush_rules
  88. ;;
  89. *)
  90. echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
  91. exit 1
  92. ;;
  93. esac
  94. exit $rc