#!/bin/sh
# {{ ansible_managed }}
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Set up iptables rules
# Description: Loads current iptables rules from/to /etc/firewall
### END INIT INFO
#
# Actions (see the case block at the bottom):
#   start|restart|reload|force-reload  flush each family, then source every
#                                      readable /etc/firewall/rules-v{4,6}.d/*.sh
#   flush                              policies to ACCEPT, every table emptied
#   stop                               prints a hint only; nothing is flushed
#   debug                              same as start, but iptables/ip6tables/ipset
#                                      are shadowed by echo stubs (dry run)
#
# Rule fragments are *sourced* (.), not executed: they run inside this shell
# with whatever privileges the init system gave it.

# Netfilter tools live in /sbin; make sure they are found even when the
# caller's PATH does not include it.
PATH=/sbin:${PATH}

# LSB logging helpers: log_action_begin_msg / _cont_msg / _end_msg.
. /lib/lsb/init-functions

# Script exit status; load_rules flips it to 1 when a fragment fails.
rc=0
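#######################################
# Reset IPv4 netfilter state: the three built-in chains of the default
# (filter) table get policy ACCEPT, then every table listed by
# iptables-save is flushed (-F), stripped of user chains (-X) and zeroed (-Z).
# NOTE: once this returns the host accepts all IPv4 traffic until the
# caller installs new rules.
# Globals:   none
# Arguments: none
# Returns:   0 if every iptables call succeeded, 1 if any of them failed
#            (previously the status of whichever call happened to run last)
#######################################
flush_ipv4()
{
  local fw_status=0
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT || fw_status=1
  done
  # iptables-save prints one "*name" line per loaded table; word-splitting
  # its output is intentional (table names contain no whitespace). A failing
  # iptables-save simply yields an empty list, so nothing is flushed silently.
  for table in $(iptables-save | awk '/^\*/ { print substr($1,2) }'); do
    iptables -t "$table" -F || fw_status=1
    iptables -t "$table" -X || fw_status=1
    iptables -t "$table" -Z || fw_status=1
  done
  return "$fw_status"
}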
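#######################################
# Reset IPv6 netfilter state: the three built-in chains of the default
# (filter) table get policy ACCEPT, then every table listed by
# ip6tables-save is flushed (-F), stripped of user chains (-X) and zeroed (-Z).
# NOTE: once this returns the host accepts all IPv6 traffic until the
# caller installs new rules.
# Globals:   none
# Arguments: none
# Returns:   0 if every ip6tables call succeeded, 1 if any of them failed
#            (previously the status of whichever call happened to run last)
#######################################
flush_ipv6()
{
  local fw_status=0
  for chain in INPUT FORWARD OUTPUT; do
    ip6tables -P "$chain" ACCEPT || fw_status=1
  done
  # ip6tables-save prints one "*name" line per loaded table; word-splitting
  # its output is intentional (table names contain no whitespace). A failing
  # ip6tables-save simply yields an empty list, so nothing is flushed silently.
  for table in $(ip6tables-save | awk '/^\*/ { print substr($1,2) }'); do
    ip6tables -t "$table" -F || fw_status=1
    ip6tables -t "$table" -X || fw_status=1
    ip6tables -t "$table" -Z || fw_status=1
  done
  return "$fw_status"
}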
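#######################################
# Flush one address family and then source each readable *.sh fragment in
# its rules directory. Shared by the IPv4 and IPv6 halves of load_rules.
# Globals:   rc   - set to 1 when a fragment returns non-zero
#            frag - path of the fragment being sourced (left global on
#                   purpose so a fragment can refer to its own location)
# Arguments: $1 - label for log messages ("IPv4" / "IPv6")
#            $2 - directory holding the *.sh fragments
#            $3 - name of the flush function to run before sourcing
# Outputs:   LSB progress messages
# Returns:   0 (a missing directory is not an error)
#######################################
load_rule_fragments()
{
  local fw_label="$1" fw_dir="$2" fw_flush="$3"
  # Drop our own positional parameters so a sourced fragment sees the same
  # empty $1.. it saw when load_rules sourced it directly.
  set --
  if [ ! -d "$fw_dir" ]; then
    log_action_cont_msg " skipping $fw_label (no rules to load)"
    return 0
  fi
  log_action_cont_msg " $fw_label"
  # From here until the last fragment has run, this family is wide open:
  # policies ACCEPT and every table empty.
  "$fw_flush"
  for frag in "$fw_dir"/*.sh; do
    # An unmatched glob stays literal; the -r test also filters that out.
    [ -r "$frag" ] || continue
    # Fragments are sourced into this shell, so they run with its privileges
    # and can change its state. A failing fragment is recorded in rc but does
    # not stop the remaining fragments, which can leave a partial ruleset.
    . "$frag" || rc=1
  done
  return 0
}

#######################################
# Load the firewall: for each address family, flush it and source the
# fragments under /etc/firewall/rules-v4.d and /etc/firewall/rules-v6.d.
# Globals:   rc - must be initialised by the caller; reported at the end
# Arguments: none
# Outputs:   LSB progress messages
# Returns:   status of log_action_end_msg
#######################################
load_rules()
{
  log_action_begin_msg "Loading iptables rules"
  load_rule_fragments IPv4 /etc/firewall/rules-v4.d flush_ipv4
  load_rule_fragments IPv6 /etc/firewall/rules-v6.d flush_ipv6
  log_action_end_msg "$rc"
}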
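#######################################
# Reset both address families to an empty, accept-everything state.
# A family is skipped when the kernel exposes no netfilter table list for
# it (/proc/net/ip_tables_names resp. /proc/net/ip6_tables_names absent).
# Globals:   rc - set to 1 when a flush function reports failure
# Arguments: none
# Outputs:   LSB progress messages; the end message now carries the real
#            outcome instead of an unconditional 0
# Returns:   status of log_action_end_msg
#######################################
flush_rules()
{
  local fw_status=0
  log_action_begin_msg "Flushing rules"

  if [ ! -f /proc/net/ip_tables_names ]; then
    log_action_cont_msg " skipping IPv4"
  else
    log_action_cont_msg " IPv4"
    flush_ipv4 || fw_status=1
  fi

  if [ ! -f /proc/net/ip6_tables_names ]; then
    log_action_cont_msg " skipping IPv6"
  else
    log_action_cont_msg " IPv6"
    flush_ipv6 || fw_status=1
  fi

  # Propagate a failed flush to the script's exit status so the operator
  # is not told "ok" while rules may still be in place.
  [ "$fw_status" -eq 0 ] || rc=1
  log_action_end_msg "$fw_status"
}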
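# Dispatch on the requested action. "stop" intentionally does not flush:
# an operator has to ask for "flush" explicitly, presumably so that a
# shutdown or package upgrade never silently drops the ruleset.
case "$1" in
  start|restart|reload|force-reload)
    load_rules
    ;;
  stop)
    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
    ;;
  flush)
    flush_rules
    ;;
  debug)
    # Dry run: shadow the netfilter tools with functions that only print
    # their arguments (printf rather than echo, so arguments such as "\n"
    # or "-n" are printed verbatim), then walk the normal load path.
    # iptables-save / ip6tables-save are NOT shadowed, so flush_ipv4 and
    # flush_ipv6 still read the live table list from the kernel.
    iptables() { printf 'iptables %s\n' "$*"; }
    ip6tables() { printf 'ip6tables %s\n' "$*"; }
    ipset() { printf 'ipset %s\n' "$*"; }
    log_action_begin_msg() { :; }
    log_action_cont_msg() { :; }
    log_action_end_msg() { :; }

    load_rules
    ;;
  *)
    # Advertise only the actions that have a case arm above; the previous
    # text listed "save", which this script does not implement.
    echo "Usage: $0 {start|restart|reload|force-reload|stop|flush|debug}" >&2
    exit 1
    ;;
esac

exit "$rc"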