#!/bin/sh
#
# 2013 Nico Schottelius (nico-cdist at schottelius.org)
# 2020 Matthias Stecher (matthiasstecher at gmx.de)
#
# This file is distributed with cdist.
#
# cdist is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# cdist is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>.
#
#
# Originally written by:
# Nico Schottelius
# Zürisee, Mon Sep 2 18:38:27 CEST 2013
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# X-Start-Before: fail2ban
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Applies iptables ruleset
# Description: Applies all rules found in /etc/iptables.d
# and saves/restores previous status
### END INIT INFO
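# Read files and execute the content with the given commands
#
# Every regular file in the directory is read and its content is
# word-split into the argument list of each command given, i.e. a rule
# file holds one iptables argument list such as "-A INPUT -j ACCEPT",
# not a shell snippet.  Dotfiles (e.g. the .pre-start status snapshots
# kept in the same directory) are skipped because "*" does not match
# them.  Pathname expansion is switched off while the content is
# expanded so that a "*" or "?" inside a rule is passed literally
# instead of being replaced by file names from the rules directory.
#
# "command" is used so that a command named "iptables" runs the
# external binary and not the iptables shell function defined below.
#
# Note: the directory change is not undone, so the caller's working
# directory is left at the rules directory.
#
# Arguments:
# 1: Directory
# 2..n: Commands which should be used to execute the file content
#
# Returns: the status of "cd" if the directory cannot be entered;
# otherwise the status of the last command executed.
gothrough() {
    cd "$1" || return
    shift

    # iterate through all rules and continue if it's not a file
    for rule in *; do
        [ -f "$rule" ] || continue
        echo "Applying iptables rule $rule ..."

        # execute it with all commands specified
        # "--" keeps a file name that starts with "-" from being read as
        # an option by cat.
        ruleparam="$(cat -- "$rule")"

        # Command and Rule should be split, but never glob-expanded.
        set -f
        for cmd in "$@"; do
            # shellcheck disable=SC2046,SC2086
            command $cmd $ruleparam
        done
        set +f
    done
}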
# Shortcut for iptables command to do IPv4 and v6
#
# Runs the external iptables and then ip6tables with the same
# arguments.  "command" is used so the call does not recurse into this
# function.  The exit status is that of the ip6tables run; a failure of
# the iptables run is not reported separately.
iptables() {
    for ipt_bin in iptables ip6tables; do
        command "$ipt_bin" "$@"
    done
}
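# Directory holding the rule files and the status snapshots.  The
# snapshot files start with a dot so the "*" glob in gothrough skips
# them when the rules are applied.
basedir=/etc/iptables.d
status4="${basedir}/.pre-start"
status6="${basedir}/.pre-start6"

case "$1" in
    start)
        # Save status
        # The snapshot is taken before the ruleset is applied.  Nothing
        # removes it afterwards, so it stays until the next "start"
        # overwrites it; a second "start" without a "stop" in between
        # therefore snapshots the already-applied ruleset and a later
        # "stop" restores that instead of the original state.
        iptables-save > "$status4"
        ip6tables-save > "$status6"

        # Apply our ruleset
        # The command names passed here are executed by gothrough via
        # "command", i.e. the external binaries, not the iptables shell
        # function defined above.
        gothrough "$basedir" iptables
        #gothrough "$basedir/v4" iptables # conflicts with $basedir
        gothrough "$basedir/v6" ip6tables
        gothrough "$basedir/all" iptables ip6tables
        ;;
    stop)
        # Restore from status before, if there is something to restore
        if [ -f "$status4" ]; then
            iptables-restore < "$status4"
        fi
        if [ -f "$status6" ]; then
            ip6tables-restore < "$status6"
        fi
        ;;
    restart)
        "$0" stop && "$0" start
        ;;
    reset)
        # Open up and flush the built-in chains of the filter and nat
        # tables, for IPv4 and IPv6 alike (the iptables shell function
        # runs both binaries).  User-defined chains and the other
        # tables are left untouched.
        for table in INPUT FORWARD OUTPUT; do
            iptables -P "$table" ACCEPT
            iptables -F "$table"
        done
        for table in PREROUTING POSTROUTING OUTPUT; do
            iptables -t nat -P "$table" ACCEPT
            iptables -t nat -F "$table"
        done
        ;;
    *)
        # Unknown or missing action: report usage instead of silently
        # doing nothing with exit status 0.
        echo "Usage: $0 {start|stop|restart|reset}" >&2
        exit 2
        ;;
esac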