RedHat Iptables 脚本移植给Ubuntu(二)
)
$IPTABLES -t mangle -P PREROUTING $policy \
&& $IPTABLES -t mangle -P POSTROUTING $policy \
&& $IPTABLES -t mangle -P INPUT $policy \
&& $IPTABLES -t mangle -P OUTPUT $policy \
&& $IPTABLES -t mangle -P FORWARD $policy \
|| let ret+=1
;;
*)
let ret+=1
;;
esac
done



[ $ret -eq 0 ] && log_end_msg 0 || log_end_msg 1
echo
return $ret
}



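start() {
  #######################################
  # Apply the saved ruleset with iptables-restore, then load any extra
  # helper modules listed in IPTABLES_MODULES and create the subsys lockfile.
  # Globals:   IPTABLES, IPTABLES_DATA, IPTABLES_SAVE_COUNTER,
  #            IPTABLES_MODULES, VAR_SUBSYS_IPTABLES (read)
  # Outputs:   progress messages via the LSB log_daemon_msg/log_end_msg helpers
  # Returns:   1 when there is no config file or the restore failed, otherwise
  #            the number of modules that failed to modprobe (0 on success)
  #######################################
  local ret=0 mod opt=

  # Do not start if there is no config file.
  [ -f "$IPTABLES_DATA" ] || return 1

  log_daemon_msg $"Applying $IPTABLES firewall rules: "

  # -c also restores the packet/byte counters that were saved with -c.
  [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && opt="-c"

  # ${opt:+"$opt"} expands to nothing when opt is empty, so no stray empty
  # argument reaches iptables-restore.
  if "${IPTABLES}-restore" ${opt:+"$opt"} "$IPTABLES_DATA"; then
    log_end_msg 0; echo
  else
    log_end_msg 1; echo; return 1
  fi

  # Load additional modules (helpers)
  if [ -n "$IPTABLES_MODULES" ]; then
    log_daemon_msg $"Loading additional $IPTABLES modules: "
    # IPTABLES_MODULES is a whitespace-separated list; word-splitting is intended.
    for mod in $IPTABLES_MODULES; do
      log_daemon_msg "$mod "
      # Count failures instead of summing raw exit codes; any non-zero count
      # still makes the function fail.
      modprobe "$mod" > /dev/null 2>&1 || ret=$((ret + 1))
    done
    if [ "$ret" -eq 0 ]; then
      log_end_msg 0
    else
      log_end_msg 1
    fi
    echo
  fi

  touch -- "$VAR_SUBSYS_IPTABLES"
  return "$ret"
}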



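stop() {
  #######################################
  # Flush and delete all chains, reset the policies to ACCEPT and, when
  # IPTABLES_MODULES_UNLOAD=yes, unload the netfilter modules; finally remove
  # the subsys lockfile.
  # Globals:   PROC_IPTABLES_NAMES, IPTABLES_MODULES_UNLOAD, IPTABLES, IPV,
  #            VAR_SUBSYS_IPTABLES (read)
  # Outputs:   progress messages via the LSB log_* helpers
  # Returns:   1 when the iptables module is not loaded, otherwise the number
  #            of module groups that failed to unload (0 on success)
  #######################################
  local ret=0

  # Do not stop if iptables module is not loaded.
  [ -e "$PROC_IPTABLES_NAMES" ] || return 1

  flush_n_delete
  set_policy ACCEPT

  if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
    log_daemon_msg $"Unloading $IPTABLES modules: "
    rmmod_r "${IPV}_tables" || ret=$((ret + 1))
    rmmod_r "${IPV}_conntrack" || ret=$((ret + 1))
    # Plain if/else: with "a && b || c", c would also run if log_end_msg 0 failed.
    if [ "$ret" -eq 0 ]; then
      log_end_msg 0
    else
      log_end_msg 1
    fi
    echo
  fi

  rm -f -- "$VAR_SUBSYS_IPTABLES"
  return "$ret"
}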



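save() {
  #######################################
  # Dump the live ruleset with iptables-save into a private temp file and,
  # only if the dump is non-empty, rotate it into IPTABLES_DATA while keeping
  # the previous file as IPTABLES_DATA.save.  Both files are forced to mode
  # 600 because a saved ruleset describes the host's network exposure.
  # Globals:   PROC_IPTABLES_NAMES, IPTABLES, IPTABLES_DATA,
  #            IPTABLES_SAVE_COUNTER (read)
  # Outputs:   progress messages via the LSB log_* helpers
  # Returns:   1 when the module is not loaded, no table exists or any step
  #            failed; 0 on success
  #######################################
  local ret=0 tables tmp_file= size opt=

  # Check if iptable module is loaded
  [ -e "$PROC_IPTABLES_NAMES" ] || return 1

  # Check if firewall is configured (has tables)
  tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
  [ -n "$tables" ] || return 1

  log_daemon_msg $"Saving firewall rules to $IPTABLES_DATA: "

  # -c also saves the packet/byte counters.
  [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && opt="-c"

  # Write to a temp file first so that a failed or empty dump never clobbers
  # the existing ruleset.  mktemp already creates the file with mode 600; the
  # explicit chmod keeps that guarantee independent of umask/mktemp variants.
  if tmp_file=$(/bin/mktemp -q "/tmp/$IPTABLES.XXXXXX") \
      && chmod 600 "$tmp_file" \
      && "${IPTABLES}-save" ${opt:+"$opt"} > "$tmp_file" 2>/dev/null \
      && size=$(stat -c '%s' "$tmp_file") && [ "$size" -gt 0 ]; then
    if [ -e "$IPTABLES_DATA" ]; then
      cp -f -- "$IPTABLES_DATA" "$IPTABLES_DATA.save" \
        && chmod 600 "$IPTABLES_DATA.save" \
        || ret=1
    fi
    if [ "$ret" -eq 0 ]; then
      cp -f -- "$tmp_file" "$IPTABLES_DATA" \
        && chmod 600 "$IPTABLES_DATA" \
        || ret=1
    fi
  else
    ret=1
  fi

  if [ "$ret" -eq 0 ]; then
    log_end_msg 0
  else
    log_end_msg 1
  fi
  echo
  # tmp_file stays empty when mktemp itself failed; nothing to remove then.
  if [ -n "$tmp_file" ]; then
    rm -f -- "$tmp_file"
  fi
  return "$ret"
}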



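status() {
  #######################################
  # List every configured table with "iptables --list".  Reports "stopped"
  # when neither the subsys lockfile nor any loaded table exists, and
  # "not configured" when the module is loaded but exposes no table.
  # Globals:   PROC_IPTABLES_NAMES, VAR_SUBSYS_IPTABLES, IPTABLES,
  #            IPTABLES_STATUS_NUMERIC, IPTABLES_STATUS_VERBOSE,
  #            IPTABLES_STATUS_LINENUMBERS (read)
  # Outputs:   one "Table: <name>" header followed by the rules of each table
  # Returns:   0 when tables were listed, 1 otherwise
  #######################################
  local tables table num= verbose= count=

  tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)

  # Do not print status if lockfile is missing and iptables modules are not
  # loaded.  Two separate tests: test(1)'s -a is deprecated and ambiguous.
  if [ ! -f "$VAR_SUBSYS_IPTABLES" ] && [ -z "$tables" ]; then
    log_daemon_msg $"Firewall is stopped."
    return 1
  fi

  # Check if firewall is configured (has tables)
  if [ ! -e "$PROC_IPTABLES_NAMES" ] || [ -z "$tables" ]; then
    log_daemon_msg $"Firewall is not configured. "
    return 1
  fi

  [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && num="-n"
  [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && verbose="--verbose"
  [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && count="--line-numbers"

  # tables is one name per line; word-splitting is intended.  The ${x:+"$x"}
  # form passes each option only when it is set, without empty arguments.
  for table in $tables; do
    log_daemon_msg $"Table: $table"
    "$IPTABLES" -t "$table" --list ${num:+"$num"} ${verbose:+"$verbose"} ${count:+"$count"} && echo
  done

  return 0
}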



restart() {
  #######################################
  # Cycle the firewall: optionally persist the live ruleset first
  # (IPTABLES_SAVE_ON_RESTART=yes), then stop and start it.
  # Globals:   IPTABLES_SAVE_ON_RESTART (read)
  # Returns:   the exit status of start
  #######################################
  if [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ]; then
    save
  fi
  stop
  start
}



case "$1" in
start)
if [ "$ENABLED" = "true" ] ; then
stop
start
RETVAL=$
else
log_failure_msg $"iptables is disable"
fi
;;
stop)
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
stop
RETVAL=$
;;
restart
