initial upload

2025-10-10 11:07:34 +00:00
commit 6224cd01c6
161 changed files with 8964 additions and 0 deletions
--- a/roles/firewall/templates/etc_init.d_firewall.j2
+++ b/roles/firewall/templates/etc_init.d_firewall.j2
@@ -0,0 +1,133 @@
+#!/bin/sh
+
+# {{ ansible_managed }}
+
+### BEGIN INIT INFO
+# Provides:          firewall
+# Required-Start:    $network
+# Required-Stop:     $network
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Set up iptables rules
+# Description:       Loads current iptables rules from/to /etc/firewall
+### END INIT INFO
+
+. /lib/lsb/init-functions
+
+PATH="/sbin:$PATH"
+
+rc=0
+
+flush_ipv4()
+{
+	for chain in INPUT FORWARD OUTPUT; do
+		iptables -P $chain ACCEPT
+	done
+	for table in $(iptables-save | awk '/^\*/ { print substr($1,2) }'); do
+		iptables -t $table -F
+		iptables -t $table -X
+		iptables -t $table -Z
+	done
+}
+
+flush_ipv6()
+{
+	for chain in INPUT FORWARD OUTPUT; do
+		ip6tables -P $chain ACCEPT
+	done
+	for table in $(ip6tables-save | awk '/^\*/ { print substr($1,2) }'); do
+		ip6tables -t $table -F
+		ip6tables -t $table -X
+		ip6tables -t $table -Z
+	done
+}
+
+load_rules()
+{
+	log_action_begin_msg "Loading iptables rules"
+
+	# load IPv4 rules
+	if [ ! -d /etc/firewall/rules-v4.d ]; then
+		log_action_cont_msg " skipping IPv4 (no rules to load)"
+	else
+		log_action_cont_msg " IPv4"
+
+		flush_ipv4
+		for frag in /etc/firewall/rules-v4.d/*.sh; do
+			if [ -r "$frag" ]; then
+				. "$frag"
+				if [ $? -ne 0 ]; then
+			    		rc=1
+				fi
+			fi
+		done
+	fi
+
+	# load IPv6 rules
+	if [ ! -d /etc/firewall/rules-v6.d ]; then
+		log_action_cont_msg " skipping IPv6 (no rules to load)"
+	else
+		log_action_cont_msg " IPv6"
+
+		flush_ipv6
+		for frag in /etc/firewall/rules-v6.d/*.sh; do
+			if [ -r "$frag" ]; then
+				. "$frag"
+				if [ $? -ne 0 ]; then
+			    		rc=1
+				fi
+			fi
+		done
+	fi
+
+	log_action_end_msg $rc
+}
+
+flush_rules()
+{
+	log_action_begin_msg "Flushing rules"
+
+	if [ ! -f /proc/net/ip_tables_names ]; then
+		log_action_cont_msg " skipping IPv4"
+	else
+		log_action_cont_msg " IPv4"
+		flush_ipv4
+	fi
+
+	if [ ! -f /proc/net/ip6_tables_names ]; then
+		log_action_cont_msg " skipping IPv6"
+	else
+		log_action_cont_msg " IPv6"
+		flush_ipv6
+	fi
+
+	log_action_end_msg 0
+}
+
+case "$1" in
+start|restart|reload|force-reload)
+	load_rules
+	;;
+stop)
+	echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
+	;;
+flush)
+	flush_rules
+	;;
+debug)
+	iptables() { echo "iptables $@"; }
+	ip6tables() { echo "ip6tables $@"; }
+	ipset() { echo "ipset $@"; }
+	log_action_begin_msg() { :; }
+	log_action_cont_msg() { :; }
+	log_action_end_msg() { :; }
+
+	load_rules
+	;;
+*)
+	echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
+	exit 1
+	;;
+esac
+
+exit $rc