#! /bin/sh
# Copyright (c) 2002-2010 Henning Hucke, Frankfurt, Germany.
# All rights reserved.
#
# Author: Henning Hucke
#
# /etc/init.d/myiptables
#
#   and its symbolic link
#
# /(usr/)sbin/rcmyiptables
#
# LSB compliant service control script; see http://www.linuxbase.org/spec/
#
# System startup script for setting iptables firewall rules.
#
### BEGIN INIT INFO
# Provides:          myiptables
# Required-Start:    $syslog network isdn
# Required-Stop:     network isdn
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Description:       Start my very own firewall
### END INIT INFO
#
# Note on Required-Start: it only fixes the init script ordering, not
# real dependencies.  Dependencies have to be handled by the admin or by
# the configuration tools (s)he uses.
#
# NOTE(review): output() further down uses bash-only constructs
# (function keyword, local, echo -e), so this script relies on /bin/sh
# being bash — confirm on the target distribution.

# Source SuSE config (if still necessary, most info has been moved)
test -r /etc/rc.config && . /etc/rc.config

#######################################
# Abort with LSB status 5 ("program is not installed") when a required
# executable is missing.  Stale symlinks are not expected here.
# Arguments: $1 - absolute path of the executable to check
#######################################
require_bin() {
  test -x "$1" || exit 5
}

IPTABLES_BIN=/usr/sbin/iptables
require_bin "$IPTABLES_BIN"
IPTABLES_SAVE_BIN=/usr/sbin/iptables-save
require_bin "$IPTABLES_SAVE_BIN"
IPTABLES_RESTORE_BIN=/usr/sbin/iptables-restore
require_bin "$IPTABLES_RESTORE_BIN"
TOUCH_BIN=/usr/bin/touch
require_bin "$TOUCH_BIN"
RM="/bin/rm -f"
require_bin "${RM%% *}"     # RM carries its -f option; test only the binary
MODPROBE_BIN="/sbin/modprobe"
require_bin "$MODPROBE_BIN"

# The config file is sourced as shell code with root privileges, so it
# must be root-owned and not writable by anyone else — otherwise it is a
# privilege-escalation path.  Exit 6 ("program is not configured") when it
# is absent or unreadable.
IPTABLES_CONFIG="/etc/sysconfig/myiptables"
test -r "$IPTABLES_CONFIG" || exit 6
. "$IPTABLES_CONFIG"

# Defaults for settings the config file may leave unset.
: "${IPTABLES_RULES_FILE:=/etc/my-iptables.rules}"
: "${SAVE_IPTABLES:=no}"
: "${MODULES:=}"

# Marker file: present while the firewall rules are considered loaded
# (created by "start", removed by "stop", checked by "status"/"probe").
RUNNING_FILE="/var/lib/my-iptables/running"

# Shell functions sourced from /etc/rc.status:
#   rc_check         check and set local and overall rc status
#   rc_status        check and set local and overall rc status
#   rc_status -v     ditto but be verbose in local rc status
#   rc_status -v -r  ditto and clear the local rc status
#   rc_failed        set local and overall rc status to failed
#   rc_failed <num>  set local and overall rc status to <num>
#   rc_reset         clear local rc status (overall remains)
#   rc_exit          exit appropriate to overall rc status
#   rc_active        checks whether a service is activated by symlinks
. /etc/rc.status

# First reset status of this service
rc_reset

# Return values acc. to LSB for all commands but status:
#   0 - success
#   1 - generic or unspecified error
#   2 - invalid or excess argument(s)
#   3 - unimplemented feature (e.g. "reload")
#   4 - insufficient privilege
#   5 - program is not installed
#   6 - program is not configured
#   7 - program is not running
#
# Starting an already running service, stopping or restarting a
# not-running service, and restart via force-reload (when signalling is
# not supported) all count as success.
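#######################################
# Re-emit the lines read from stdin as one indented run for the rc status
# line: the first line is prefixed with a single space, each further line
# with "\n "; no trailing newline is written.
# Reads raw (IFS= read -r) so leading blanks and backslashes in the
# iptables output pass through unchanged, and a last line without a
# trailing newline is not dropped.
# Arguments: none (reads stdin)
# Outputs:   the reformatted lines on stdout
#######################################
output() {
  local line sep=""
  while IFS= read -r line || [ -n "$line" ]; do
    printf '%s %s' "$sep" "$line"
    sep=$'\n'
  done
}

case "$1" in
  start)
    echo -n "Starting my-iptables firewall"
    if [ -r "$IPTABLES_RULES_FILE" ]; then
      echo
      # -c also restores packet/byte counters, matching the -c used on save.
      restore_opts=""
      [ "$SAVE_IPTABLES" = "yes" ] && restore_opts="-c"
      # The pipeline's exit status would be output()'s, not
      # iptables-restore's; PIPESTATUS[0] recovers the restore status so a
      # rejected rules file is reported as a failure instead of success.
      if ( "$IPTABLES_RESTORE_BIN" $restore_opts -v < "$IPTABLES_RULES_FILE" 2>&1 | output
           exit "${PIPESTATUS[0]}" ); then
        rc_status
        if [ -n "$MODULES" ]; then
          for module in $MODULES; do   # MODULES is a whitespace-separated list
            "$MODPROBE_BIN" "$module" 2>&1 | output
          done
        fi
        # The marker is set only when the rules actually loaded, so
        # status/probe cannot claim a running firewall after a failed restore.
        "$TOUCH_BIN" "$RUNNING_FILE"
      else
        rc_failed
      fi
    else
      echo -n ": rules file '$IPTABLES_RULES_FILE' missing"
      rc_failed
    fi
    # Remember status and be verbose
    rc_status -v
    ;;
  stop)
    echo -n "Shutting my-iptables firewall"
    if [ -w "$IPTABLES_RULES_FILE" ]; then
      if [ "$SAVE_IPTABLES" = "yes" ]; then
        echo -n ": Saving rules"
        # stdout (the ruleset) goes to the rules file and stderr to output();
        # the 2>&1 placed before the > is what makes this split.
        # PIPESTATUS[0] again lets rc_status see iptables-save's status.
        # NOTE(review): a failing save still leaves a truncated rules file
        # behind; writing to a temp file and renaming on success would be safer.
        ( "$IPTABLES_SAVE_BIN" -c 2>&1 > "$IPTABLES_RULES_FILE" | output
          exit "${PIPESTATUS[0]}" )
        rc_status
      fi
      # Flush and delete the chains and open the policies: from here on the
      # host is deliberately unfiltered ("stop" fails open by design).
      # NOTE(review): without -t only the filter table is touched — confirm
      # whether nat/mangle entries from the rules file need cleaning up too.
      "$IPTABLES_BIN" -F; rc_status
      "$IPTABLES_BIN" -X; rc_status
      "$IPTABLES_BIN" -P INPUT ACCEPT; rc_status
      "$IPTABLES_BIN" -P FORWARD ACCEPT; rc_status
      "$IPTABLES_BIN" -P OUTPUT ACCEPT; rc_status
      if [ -n "$MODULES" ]; then
        "$MODPROBE_BIN" -r $MODULES 2>&1 | output   # MODULES word-split on purpose
      fi
      $RM "$RUNNING_FILE"   # RM carries its -f option, so it stays unquoted
    else
      echo -n ": rules file '$IPTABLES_RULES_FILE' unwritable"
      rc_failed
    fi
    # Remember status and be verbose
    rc_status -v
    ;;
  try-restart)
    ## Stop the service and if this succeeds (i.e. the
    ## service was running before), start it again.
    ## Note: try-restart is not (yet) part of LSB (as of 0.7.5)
    $0 status >/dev/null && $0 restart
    # Remember status and be quiet
    rc_status
    ;;
  restart)
    ## Stop the service and regardless of whether it was
    ## running or not, start it again.
    $0 stop
    $0 start
    # Remember status and be quiet
    rc_status
    ;;
  force-reload)
    ## There is no daemon to signal (no killproc -HUP), so a reload is
    ## a full stop/start cycle.
    echo -n "Reload my-iptables firewall"
    $0 stop && $0 start
    rc_status
    ;;
  reload)
    ## Like force-reload, but if the service does not support
    ## signalling, do nothing (!) and report "unimplemented" (3).
    rc_failed 3
    rc_status -v
    ;;
  status)
    echo -n "Checking for my-iptables firewall: "
    # Return value is slightly different for the status command:
    #   0 - service running
    #   1 - service dead, but /var/run/ pid file exists
    #   2 - service dead, but /var/lock/ lock file exists
    #   3 - service not running
    # There is no process for checkproc(8); the marker file touched by
    # "start" stands in for it.  touch creates it without an execute bit,
    # so the former "test -x" would not succeed and status reported 3
    # (which also kept try-restart from ever restarting); test existence.
    ( test -e "$RUNNING_FILE" || exit 3 )
    rc_status -v
    ;;
  probe)
    ## Optional: Probe for the necessity of a reload,
    ## print out the argument which is required for a reload.
    test "$IPTABLES_RULES_FILE" -nt "$RUNNING_FILE" && echo reload
    ;;
  *)
    echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
    exit 1
    ;;
esac
rc_exit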