X-Git-Url: http://lab.mitty.jp/git/?a=blobdiff_plain;f=iptables%2Fsetfilter;fp=iptables%2Fsetfilter;h=4b31e853f9e7f407bf3f8394a0cdcaa1493112ad;hb=39eda0b67765385af21a00eb6d61e1d9b9915e51;hp=0000000000000000000000000000000000000000;hpb=4a36a1b26f4cdc2dc3d06d7b3c4ac895b0083b2f;p=lab.git
diff --git a/iptables/setfilter b/iptables/setfilter
new file mode 100644
index 0000000..4b31e85
--- /dev/null
+++ b/iptables/setfilter
@@ -0,0 +1,105 @@
+#!/bin/sh -e
+
+### BEGIN INIT INFO
+# Provides: setfilter
+# Required-Start: ufw
+# Required-Stop:
+# Default-Start: S
+# Default-Stop:
+# Short-Description: set network filters with iptables
+### END INIT INFO
+
+PATH="/sbin:/bin:/usr/sbin:/usr/bin"
+
+. /lib/lsb/init-functions
+
+if [ -s /etc/ufw/ufw.conf ]; then
+ . /etc/ufw/ufw.conf
+else
+ log_failure_msg "Could not find /etc/ufw/ufw.conf (aborting)"
+ exit 1
+fi
+
+RULES_PATH="/etc/ufw"
+
+case "$1" in
+start)
+ if iptables -L LOG_ICMP -t raw -n >/dev/null 2>&1 ; then
+ # if firewall loaded, tell to reload instead
+ log_action_msg "Network filter already started, use 'force-reload'"
+ exit 0
+ fi
+ if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
+ log_action_begin_msg "Setting network filter"
+ error=""
+
+ tables="raw mangle"
+ for table in $tables
+ do
+ RULES="$RULES_PATH/$table.rules"
+
+ #flush the chains
+ iptables -F -t $table || error="yes"
+ iptables -X -t $table || error="yes"
+
+ if [ -s "$RULES" ]; then
+ if ! iptables-restore -n < $RULES ; then
+ log_action_cont_msg "Problem running '$RULES'"
+ error="yes"
+ fi
+ else
+ log_action_cont_msg "Couldn't find '$RULES'"
+ fi
+ done
+
+ if [ "$error" = "yes" ]; then
+ log_action_end_msg 1
+ exit 1
+ else
+ log_action_end_msg 0
+ fi
+ else
+ log_action_begin_msg "Skipping network filter (not enabled)"
+ log_action_end_msg 0
+ fi
+ ;;
+stop)
+ if [ "$ENABLED" != "yes" ] && [ "$ENABLED" != "YES" ]; then
+ log_action_begin_msg "Skipping network filter (not enabled)"
+ log_action_end_msg 0
+ exit 0
+ fi
+
+ log_action_begin_msg "Stopping network filter"
+ error=""
+
+ tables="raw mangle"
+ for table in $tables
+ do
+ iptables -F -t $table || error="yes"
+ iptables -X -t $table || error="yes"
+ done
+
+ if [ "$error" = "yes" ]; then
+ log_action_end_msg 1
+ exit 1
+ else
+ log_action_end_msg 0
+ fi
+ ;;
+restart|force-reload)
+ if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
+ $0 stop
+ $0 start
+ else
+ log_warning_msg "Skipping $1 (not enabled)"
+ fi
+ ;;
+*)
+ echo "Usage: /etc/init.d/setfilter {start|stop|restart|force-reload}"
+ exit 1
+ ;;
+esac
+
+exit 0
+
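Review bot: In the `start` loop the `raw`/`mangle` table is flushed (`iptables -F`/`-X`) before `$RULES` is tested for existence, so a missing or empty rules file leaves that table emptied while the `Couldn't find` branch does not set `error`, and the script still reports success and exits 0. Either move the `[ -s "$RULES" ]` test ahead of the flush or mark the condition as a failure with `error="yes"` right after the `log_action_cont_msg "Couldn't find '$RULES'"` line so `log_action_end_msg 1` and `exit 1` are reached. The "already started" probe also relies on a chain named `LOG_ICMP` being present in the `raw` table; if `raw.rules` does not define it, every `start` will re-flush and reload — worth a comment such as `# LOG_ICMP is defined in raw.rules; its presence marks the filter as loaded`. Note that `-e` in `#!/bin/sh -e` is dropped when the script is invoked as `sh setfilter`; a `set -e` line after the shebang would be the more robust form.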