  1  #!/bin/sh
  2  #		Written by Simon Richter <sjr@debian.org>
  3  #		modified by Jonathan Wiltshire <jmw@debian.org>
  4  #		with help from Christoph Anton Mitterer
  5  #
  6  
  7  ### BEGIN INIT INFO
  8  # Provides:          iptables-persistent
  9  # Required-Start:    mountkernfs $local_fs
 10  # Required-Stop:     $local_fs
 11  # Default-Start:     2 3 4 5
 12  # Default-Stop:      0 1 6
 13  # X-Start-Before:    $network
 14  # X-Stop-After:      $network
 15  # Short-Description: Set up iptables rules
 16  # Description:       Loads/saves current iptables rules from/to /etc/iptables
 17  #  to provide a persistent rule set during boot time
 18  ### END INIT INFO
 19  
 20  . /lib/lsb/init-functions
 21  
 22  rc=0
 23  
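#######################################
# Restore one rule set from a file, recording failure in the global rc.
# Arguments: $1   - progress label, e.g. " IPv4"
#            $2   - rules file fed to the restore tool on stdin
#            $3.. - restore command and its options
# Globals:   rc (set to 1 when the restore fails)
# Outputs:   progress via log_action_cont_msg; on failure the tool's stderr
#            is forwarded to our stderr so the reason is not lost
# Returns:   0 when the file is absent or restored, 1 on restore failure
#######################################
_restore_rules()
{
	if [ ! -f "$2" ]; then
		log_action_cont_msg " skipping$1 (no rules to load)"
		return 0
	fi
	log_action_cont_msg "$1"
	rules_file=$2
	shift 2
	# Capture stderr only (stdout of the restore tools is noise). The
	# original discarded stderr entirely, which left a boot-time failure
	# with no diagnostic at all.
	restore_err=$("$@" < "$rules_file" 2>&1 > /dev/null)
	if [ $? -ne 0 ]; then
		rc=1
		printf '%s\n' "$restore_err" >&2
		return 1
	fi
	return 0
}

#######################################
# Load IPset, IPv4 and IPv6 rule sets from /etc/iptables.
# Globals:   rc (set to 1 if any restore fails)
# Outputs:   one LSB action line with a per-family progress message
#######################################
load_rules()
{
	log_action_begin_msg "Loading iptables rules"

	# MUST load IPSet first, in case any iptables rules depend on a set
	# being present. "-exist" makes a reload idempotent (a set that already
	# exists is not an error), so a genuine ipset restore failure can now be
	# reported through rc instead of being ignored.
	_restore_rules " IPset" /etc/iptables/rules.set ipset restore -exist

	# A failed restore leaves whatever rules were in place before — at boot
	# that means no rules and the kernel default policy (ACCEPT). rc=1 makes
	# the init system report the failure; it does not close the firewall.
	_restore_rules " IPv4" /etc/iptables/rules.v4 iptables-restore
	_restore_rules " IPv6" /etc/iptables/rules.v6 ip6tables-restore

	log_action_end_msg "$rc"
}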
 64  
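#######################################
# Save one rule set atomically, recording failure in the global rc.
# Arguments: $1   - progress label, e.g. " IPv4"
#            $2   - destination file
#            $3.. - save command and its options
# Globals:   rc (set to 1 when the save fails)
# Notes:     The dump is written to a mktemp file next to the destination
#            and renamed into place only on success, so a failed or
#            interrupted save can never leave a truncated rules file that
#            would be restored (partially) at next boot. mktemp creates the
#            file 0600, so the saved rule set — which describes the host's
#            network policy — stays readable by root only.
# Returns:   0 on success, 1 on failure
#######################################
_save_rules()
{
	log_action_cont_msg "$1"
	dest=$2
	shift 2
	tmp=$(mktemp "$dest.XXXXXX") || { rc=1; return 1; }
	if "$@" > "$tmp" && mv -f -- "$tmp" "$dest"; then
		return 0
	fi
	rm -f -- "$tmp"
	rc=1
	return 1
}

#######################################
# Save the current IPv4, IPv6 and IPset rule sets to /etc/iptables.
# Globals:   rc (set to 1 if any save fails)
# Outputs:   one LSB action line with a per-family progress message
#######################################
save_rules()
{
	log_action_begin_msg "Saving rules"

	# IPv4: need at least iptable_filter loaded. /proc/net/ip_tables_names
	# only exists once an ip_tables module is present.
	/sbin/modprobe -q iptable_filter
	if [ ! -f /proc/net/ip_tables_names ]; then
		log_action_cont_msg " skipping IPv4 (no modules loaded)"
	elif command -v iptables-save > /dev/null 2>&1; then
		_save_rules " IPv4" /etc/iptables/rules.v4 iptables-save
	else
		log_action_cont_msg " skipping IPv4 (iptables-save not found)"
	fi

	# IPv6: same pattern with ip6table_filter.
	/sbin/modprobe -q ip6table_filter
	if [ ! -f /proc/net/ip6_tables_names ]; then
		log_action_cont_msg " skipping IPv6 (no modules loaded)"
	elif command -v ip6tables-save > /dev/null 2>&1; then
		_save_rules " IPv6" /etc/iptables/rules.v6 ip6tables-save
	else
		log_action_cont_msg " skipping IPv6 (ip6tables-save not found)"
	fi

	# IPset: there is no /proc/net/*_names file for ip_set. The previous
	# check against /proc/net/ip6_tables_names was a copy-paste error that
	# silently tied IPset saving to the IPv6 module, so sets were never
	# saved on IPv4-only hosts. Probe the kernel through ipset itself
	# instead ("ipset list -n" fails when the module is unavailable).
	/sbin/modprobe -q ip_set
	if ! command -v ipset > /dev/null 2>&1; then
		log_action_cont_msg " skipping IPset (ipset not installed)"
	elif ! ipset list -n > /dev/null 2>&1; then
		log_action_cont_msg " skipping IPset (no modules loaded)"
	else
		_save_rules " IPset" /etc/iptables/rules.set ipset save
	fi

	log_action_end_msg "$rc"
}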
110  
#######################################
# Flush, zero and delete every table of one address family and reset the
# filter policies to ACCEPT.
# Arguments: $1 - progress label, e.g. " IPv4"
#            $2 - /proc/net/*_tables_names file listing the loaded tables
#            $3 - iptables binary for this family
# Outputs:   progress via log_action_cont_msg
# Returns:   always 0
#######################################
_flush_family()
{
	if [ ! -f "$2" ]; then
		log_action_cont_msg " skipping$1 (no module loaded)"
		return 0
	fi
	# Nothing to do (and no message) when the binary is not installed.
	[ -x "$3" ] || return 0
	log_action_cont_msg "$1"
	# Default (filter) table first, then every table the kernel reports.
	"$3" -F
	"$3" -Z
	"$3" -X
	for table in $(cat "$2"); do
		"$3" -t "$table" -F
		"$3" -t "$table" -Z
		"$3" -t "$table" -X
	done
	# After this the host accepts all traffic; this is the intended effect of
	# the explicit "flush" action, which is why "stop" does not call it.
	for chain in INPUT FORWARD OUTPUT; do
		"$3" -P "$chain" ACCEPT
	done
	return 0
}

#######################################
# Remove all IPv4/IPv6 rules (policies back to ACCEPT) and empty all IPsets.
# Outputs:   one LSB action line; always reports success
#######################################
flush_rules()
{
	log_action_begin_msg "Flushing rules"

	_flush_family " IPv4" /proc/net/ip_tables_names /sbin/iptables
	_flush_family " IPv6" /proc/net/ip6_tables_names /sbin/ip6tables

	# Sets are emptied, not destroyed, so rules referencing them stay valid.
	if [ -x "$(command -v ipset)" ]; then
		log_action_cont_msg " IPSet"
		ipset -F
	else
		log_action_cont_msg " skipping IPSet"
	fi

	log_action_end_msg 0
}
158  
# Entry point: dispatch on the LSB action name given as the first argument.
case "$1" in
	start|restart|reload|force-reload)
		load_rules
		;;
	save)
		save_rules
		;;
	stop)
		# Deliberately a no-op. If "stop" flushed the rules, the firewall
		# would stand open for an unbounded time during package upgrades,
		# and flushing on purge is not always wanted either. The explicit
		# "flush" action exists for that.
		printf '%s\n' 'Automatic flushing disabled, use "flush" instead of "stop"'
		;;
	flush)
		flush_rules
		;;
	*)
		printf 'Usage: %s {start|restart|reload|force-reload|save|flush}\n' "$0" >&2
		exit 1
		;;
esac

# rc is 1 if any load or save step failed.
exit "$rc"