From b22ddfd55e3d5e260da42ef5fc831f286c46069a Mon Sep 17 00:00:00 2001 From: Darren 'Tadgy' Austin Date: Mon, 6 Apr 2026 14:11:05 +0000 Subject: [PATCH] Add a firewall init script. --- firewall-initscript | 143 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 143 insertions(+) create mode 100755 firewall-initscript diff --git a/firewall-initscript b/firewall-initscript new file mode 100755 index 0000000..86a60f1 --- /dev/null +++ b/firewall-initscript @@ -0,0 +1,143 @@ +#!/bin/bash +### BEGIN INIT INFO +# Provides: firewall +# Required-Start: $network +# Required-Stop: $network +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Firewalls' state save/restore/flush +# Description: Store the firewalls' state at shutdown, and restores it at boot. +# Aalso set the firewalls to a default state, and flush all rules. +### END INIT INFO + +DEFAULT_V4="/etc/firewall/default_v4.rules" +DEFAULT_V6="/etc/firewall/default_v6.rules" +STATE_V4="/etc/firewall/state_v4.rules" +STATE_V6="/etc/firewall/state_v6.rules" + +# Confirm the iptables utilities are available. +[[ ! -x "/usr/sbin/iptables" ]] || [[ ! -x "/usr/sbin/ip6tables" ]] || [[ ! -x "/usr/sbin/iptables-save" ]] || [[ ! -x "/usr/sbin/iptables-restore" ]] || [[ ! -x "/usr/sbin/ip6tables-save" ]] || [[ ! -x "/usr/sbin/ip6tables-restore" ]] && { + printf "%s: %s\\n" "${0##*/}" "iptables package not installed!" >&2 + exit 1 +} + +firewall_states_restore() { + local ERR=0 + + # Restore the saved (or default) v4 firewall state. + iptables-restore "$STATE_V4" 2>/dev/null || { + printf "%s: %s " "${0##*/}" "failed to restore saved" >&2 + if iptables-restore "$DEFAULT_V4" 2>/dev/null; then + printf "%s " ", only default" >&2 + else + printf "%s " "and default" >&2 + ERR=1 + fi + printf "%s\\n" "v4 firewall state" >&2 + } + + # Restore the saved (or default) v6 firewall state. + ip6tables-restore "$STATE_V6" 2>/dev/null || { + printf "%s: %s " "${0##*/}" "failed to restore saved" >&2 + if ip6tables-restore "$DEFAULT_V6" 2>/dev/null; then + printf "%s " ", only default" >&2 + else + printf "%s " "and default" >&2 + ERR=1 + fi + printf "%s\\n" "v6 firewall state" >&2 + } + + return "$ERR" +} + +firewall_states_save() { + local ERR=0 + + # Store the state of the v4 firewall. + iptables-save >"$STATE_V4" 2>/dev/null || { + printf "%s: %s\\n" "${0##*/}" "failed to save v4 firewall state" >&2 + ERR=1 + } + + # Store the state of the v6 firewall. + ip6tables-save >"$STATE_V6" 2>/dev/null || { + printf "%s: %s\\n" "${0##*/}" "failed to save v6 firewall state" >&2 + ERR=1 + } + + return "$ERR" +} + +firewall_defaults_restore() { + local ERR=0 + + # Restore the default v4 firewall state. + iptables-restore "$DEFAULT_V4" 2>/dev/null || { + printf "%s: %s\\n" "${0##*/}" "failed to restore default v4 firewall state" >&2 + ERR=1 + } + + # Restore the default v6 firewall state. + ip6tables-restore "$DEFAULT_V6" 2>/dev/null || { + printf "%s: %s\\n" "${0##*/}" "failed to restore default v6 firewall state" >&2 + ERR=1 + } + + return "$ERR" +} + +firewall_flush() { + # Set the default policies to ACCEPT. + iptables -P INPUT ACCEPT + ip6tables -P INPUT ACCEPT + iptables -P OUTPUT ACCEPT + ip6tables -P OUTPUT ACCEPT + iptables -P FORWARD ACCEPT + ip6tables -P FORWARD ACCEPT + + # Flush all the rules in the tables. + iptables -F INPUT + ip6tables -F INPUT + iptables -F OUTPUT + ip6tables -F OUTPUT + iptables -F FORWARD + ip6tables -F FORWARD + + # Delete all user defined tables. + iptables -X + ip6tables -X + + # Reset packet counters to zero. + iptables -Z + ip6tables -Z + + return 0 # All the above commands should never fail. +} + +case "$1" in + start|restart|reload|force-reload) + firewall_states_restore + exit "$?" + ;; + stop) + firewall_states_save + exit "$?" + ;; + defaults) + firewall_defaults_restore || { + printf "%s: %s\\n" "${0##*/}" "failed to restore default firewall state" >&2 + exit 1 + } + echo "$?" + ;; + flush) + firewall_flush # Should never fail. + ;; + *) + printf "%s %s\\n" "${0##*/}" "" + exit 2 + ;; +esac + +exit 0