redhat iptables 脚本移植给suse

#!/bin/sh
# Copyright (c) 2007 SuSE Linux AG Nuernberg, Germany.
#
# Author: devil <guxing1841@gmail.com>
#
# /etc/init.d/iptables
#
### BEGIN INIT INFO
# Provides:       iptables
# Required-Start: $local_fs dbus haldaemon
# Required-Stop:
# Default-Start:  3 5
# Default-Stop:
# Description:    start iptables fireware
### END INIT INFO
IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     ditto but be verbose in local rc status
#      rc_status -v -r  ditto and clear the local rc status
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num><num>
#      rc_reset         clear local rc status (overall remains)
#      rc_exit          exit appropriate to overall rc status
. /etc/rc.status
# First reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - insufficient privilege
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signalling is not supported) are
# considered a success.
if [ ! -x /usr/sbin/$IPTABLES ]; then
echo -n $"/sbin/$IPTABLES does not exist.";
rc_failed; rc_status -v;
rc_exit;
fi
if lsmod 2>/dev/null | grep -q ipchains ; then
echo -n $"ipchains and $IPTABLES can not be used together.";
rc_failed; rc_status -v;
rc_exit;
fi
# Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q module-init-tools /
&& NEW_MODUTILS=1 /
|| NEW_MODUTILS=0
# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
rmmod_r() {
# Unload module with all referring modules.
# At first all referring modules will be unloaded, then the module itself.
local mod=$1
local ret=0
local ref=
# Get referring modules.
# New modutils have another output format.
[ $NEW_MODUTILS = 1 ] /
&& ref=`lsmod | awk "/^${mod}/ { print ///$4; }" | tr ',' ' '` /
|| ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
# recursive call for all referring modules
for i in $ref; do
rmmod_r $i
let ret+=$?;
done
# Unload module.
# The extra test is for 2.6: The module might have autocleaned,
# after all referring modules are unloaded.
if grep -q "^${mod}" /proc/modules ; then
modprobe -r $mod > /dev/null 2>&1
let ret+=$?;
fi
return $ret
}
flush_n_delete() {
# Flush firewall rules and delete chains.
[ -e "$PROC_IPTABLES_NAMES" ] || return 1
# Check if firewall is configured (has tables)
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
if [ -z "$tables" ]; then
return 1;
fi
echo -n $"Flushing firewall rules: "
ret=0
# For all tables
for i in $tables; do
# Flush firewall rules.
$IPTABLES -t $i -F;
let ret+=$?;
# Delete firewall chains.
$IPTABLES -t $i -X;
let ret+=$?;
# Set counter to zero.
$IPTABLES -t $i -Z;
let ret+=$?;
done
rc_failed $ret
rc_status -v
return $ret;
}
set_policy() {
# Set policy for configured tables.
policy=$1
# Check if iptable module is loaded
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
# Check if firewall is configured (has tables)
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
[ -z "$tables" ] && return 1
echo -n $"Setting chains to policy $policy: "
ret=0
for i in $tables; do
echo -n "$i "
case "$i" in
filter)
$IPTABLES -t filter -P INPUT $policy /
&& $IPTABLES -t filter -P OUTPUT $policy /
&& $IPTABLES -t filter -P FORWARD $policy /
|| let ret+=1
;;
nat)
$IPTABLES -t nat -P PREROUTING $policy /
&& $IPTABLES -t nat -P POSTROUTING $policy /
&& $IPTABLES -t nat -P OUTPUT $policy /
|| let ret+=1
;;
mangle)
$IPTABLES -t mangle -P PREROUTING $policy /
&& $IPTABLES -t mangle -P POSTROUTING $policy /
&& $IPTABLES -t mangle -P INPUT $policy /
&& $IPTABLES -t mangle -P OUTPUT $policy /
&& $IPTABLES -t mangle -P FORWARD $policy /
|| let ret+=1
;;
*)
let ret+=1
;;
esac
done
rc_failed $ret
rc_status -v
return $ret
}
start() {
# Do not start if there is no config file.
[ -f "$IPTABLES_DATA" ] || return 1
echo -n $"Applying $IPTABLES firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
ret=0
$IPTABLES-restore $OPT $IPTABLES_DATA
ret=$?
if [ $ret -ne 0 ]; then
return $ret
fi

# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"Loading additional $IPTABLES modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
fi

touch $VAR_SUBSYS_IPTABLES
return $ret
}
stop() {
# Do not stop if iptables module is not loaded.
[ -e "$PROC_IPTABLES_NAMES" ] || return 1
flush_n_delete
set_policy ACCEPT

if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
echo -n $"Unloading $IPTABLES modules: "
ret=0
rmmod_r ${IPV}_tables
let ret+=$?;
rmmod_r ${IPV}_conntrack
let ret+=$?;
fi
rm -f $VAR_SUBSYS_IPTABLES
return $ret
}
save() {
# Check if iptable module is loaded
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
# Check if firewall is configured (has tables)
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
[ -z "$tables" ] && return 1
echo -n $"Saving firewall rules to $IPTABLES_DATA: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
ret=0
TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` /
&& chmod 600 "$TMP_FILE" /
&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null /
&& size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] /
|| ret=1
if [ $ret -eq 0 ]; then
if [ -e $IPTABLES_DATA ]; then
cp -f $IPTABLES_DATA $IPTABLES_DATA.save /
&& chmod 600 $IPTABLES_DATA.save /
|| ret=1
fi
if [ $ret -eq 0 ]; then
cp -f $TMP_FILE $IPTABLES_DATA /
&& chmod 600 $IPTABLES_DATA /
|| ret=1
fi
fi
return $ret
}
status() {
# Do not print status if lockfile is missing and iptables modules are not
# loaded.
# Check if iptable module is loaded
if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
echo $"Firewall
996b
is stopped."
return 1
fi
# Check if firewall is configured (has tables)
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
echo $"Firewall is not configured. "
return 1
fi
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
if [ -z "$tables" ]; then
echo $"Firewall is not configured. "
return 1
fi
NUM=
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
for table in $tables; do
echo $"Table: $table"
$IPTABLES -t $table --list $NUM && echo
done
return 0
}
restart() {
if [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ]; then
save;
rc_status -v
fi
stop
rc_status -v
start
}
case "$1" in
start)
stop
rc_status -v
start
rc_status -v
;;
stop)
if [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ]; then
save;
rc_status -v
fi
stop
rc_status -v
;;
restart)
restart
rc_status -v
;;
condrestart)
[ -e "$VAR_SUBSYS_IPTABLES" ] && restart
rc_status -v
;;
status)
status
rc_status -v
;;
panic)
flush_n_delete
set_policy DROP
rc_status -v
;;
save)
save
rc_status -v
;;
*)
echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
exit 1
;;
esac
rc_exit;