source: lab.git/iptables/setfilter @ 6c31c22

trunk
Last change on this file since 6c31c22 was 71b798c, checked in by mitty <mitty@…>, 15 years ago
  • NEW setfilter now sets nat table
    • this feature clashes with setnapt.sh because both of them reset nat table
    • do not use them (setfilter and setnapt.sh) at the same same time
  • accept connections to local services from WAN
    • ACCEPT and REDIRECT examples

git-svn-id: https://lab.mitty.jp/svn/lab/trunk@13 7d2118f6-f56c-43e7-95a2-4bb3031d96e7

  • Property mode set to 100755
File size: 2.5 KB
Line 
1#!/bin/sh -e
2
3### BEGIN INIT INFO
4# Provides:          setfilter
5# Required-Start:    ufw
6# Required-Stop:     
7# Default-Start:     S
8# Default-Stop:     
9# Short-Description: set network filters with iptables
10### END INIT INFO
11
12PATH="/sbin:/bin:/usr/sbin:/usr/bin"
13
14. /lib/lsb/init-functions
15
16if [ -s /etc/ufw/ufw.conf ]; then
17    . /etc/ufw/ufw.conf
18else
19    log_failure_msg "Could not find /etc/ufw/ufw.conf (aborting)"
20    exit 1
21fi
22
23RULES_PATH="/etc/ufw"
24
25case "$1" in
26start)
27    if iptables -L LOG_ICMP -t raw -n >/dev/null 2>&1 ; then
28        # if firewall loaded, tell to reload instead
29        log_action_msg "Network filter already started, use 'force-reload'"
30        exit 0
31    fi
32    if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
33        log_action_begin_msg "Setting network filter"
34        error=""
35       
36        tables="raw mangle nat"
37        for table in $tables
38        do
39            RULES="$RULES_PATH/$table.rules"
40           
41            #flush the chains
42            iptables -F -t $table || error="yes"
43            iptables -X -t $table || error="yes"
44           
45            if [ -s "$RULES" ]; then
46                if ! iptables-restore -n < $RULES ; then
47                    log_action_cont_msg "Problem running '$RULES'"
48                    error="yes"
49                fi
50            else
51                log_action_cont_msg "Couldn't find '$RULES'"
52            fi
53        done
54   
55        if [ "$error" = "yes" ]; then
56            log_action_end_msg 1
57            exit 1
58        else
59            log_action_end_msg 0
60        fi
61    else
62        log_action_begin_msg "Skipping network filter (not enabled)"
63        log_action_end_msg 0
64    fi
65    ;;
66stop)
67    if [ "$ENABLED" != "yes" ] && [ "$ENABLED" != "YES" ]; then
68        log_action_begin_msg "Skipping network filter (not enabled)"
69        log_action_end_msg 0
70        exit 0
71    fi
72   
73    log_action_begin_msg "Stopping network filter"
74    error=""
75   
76    tables="raw mangle nat"
77    for table in $tables
78    do
79        iptables -F -t $table || error="yes"
80        iptables -X -t $table || error="yes"
81    done
82   
83    if [ "$error" = "yes" ]; then
84        log_action_end_msg 1
85        exit 1
86    else
87        log_action_end_msg 0
88    fi
89    ;;
90restart|force-reload)
91    if [ "$ENABLED" = "yes" ] || [ "$ENABLED" = "YES" ]; then
92        $0 stop
93        $0 start
94    else
95        log_warning_msg "Skipping $1 (not enabled)"
96    fi
97    ;;
98*)
99    echo "Usage: /etc/init.d/setfilter {start|stop|restart|force-reload}"
100    exit 1
101    ;;
102esac
103
104exit 0
105
Note: See TracBrowser for help on using the repository browser.