#!/bin/bash ### BEGIN INIT INFO # Provides: firewall # Required-Start: $network # Required-Stop: $network # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Firewalls' state save/restore/flush # Description: Store the firewalls' state at shutdown, and restores it at boot. # Aalso set the firewalls to a default state, and flush all rules. ### END INIT INFO DEFAULT_V4="/etc/firewall/default_v4.rules" DEFAULT_V6="/etc/firewall/default_v6.rules" STATE_V4="/etc/firewall/state_v4.rules" STATE_V6="/etc/firewall/state_v6.rules" # Confirm the iptables utilities are available. [[ ! -x "/usr/sbin/iptables" ]] || [[ ! -x "/usr/sbin/ip6tables" ]] || [[ ! -x "/usr/sbin/iptables-save" ]] || [[ ! -x "/usr/sbin/iptables-restore" ]] || [[ ! -x "/usr/sbin/ip6tables-save" ]] || [[ ! -x "/usr/sbin/ip6tables-restore" ]] && { printf "%s: %s\\n" "${0##*/}" "iptables package not installed!" >&2 exit 1 } firewall_states_restore() { local ERR=0 # Restore the saved (or default) v4 firewall state. iptables-restore "$STATE_V4" 2>/dev/null || { printf "%s: %s" "${0##*/}" "failed to restore saved" >&2 if iptables-restore "$DEFAULT_V4" 2>/dev/null; then printf "%s" ", only default" >&2 else printf " %s" "and default" >&2 ERR=1 fi printf " %s\\n" "v4 firewall state" >&2 } # Restore the saved (or default) v6 firewall state. ip6tables-restore "$STATE_V6" 2>/dev/null || { printf "%s: %s" "${0##*/}" "failed to restore saved" >&2 if ip6tables-restore "$DEFAULT_V6" 2>/dev/null; then printf "%s" ", only default" >&2 else printf " %s" "and default" >&2 ERR=1 fi printf " %s\\n" "v6 firewall state" >&2 } return "$ERR" } firewall_states_save() { local ERR=0 # Store the state of the v4 firewall. iptables-save >"$STATE_V4" 2>/dev/null || { printf "%s: %s\\n" "${0##*/}" "failed to save v4 firewall state" >&2 ERR=1 } # Store the state of the v6 firewall. ip6tables-save >"$STATE_V6" 2>/dev/null || { printf "%s: %s\\n" "${0##*/}" "failed to save v6 firewall state" >&2 ERR=1 } return "$ERR" } firewall_defaults_restore() { local ERR=0 # Restore the default v4 firewall state. iptables-restore "$DEFAULT_V4" 2>/dev/null || { printf "%s: %s\\n" "${0##*/}" "failed to restore default v4 firewall state" >&2 ERR=1 } # Restore the default v6 firewall state. ip6tables-restore "$DEFAULT_V6" 2>/dev/null || { printf "%s: %s\\n" "${0##*/}" "failed to restore default v6 firewall state" >&2 ERR=1 } return "$ERR" } firewall_flush() { # Set the default policies to ACCEPT. iptables -P INPUT ACCEPT ip6tables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT ip6tables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT ip6tables -P FORWARD ACCEPT # Flush all the rules in the tables. iptables -F INPUT ip6tables -F INPUT iptables -F OUTPUT ip6tables -F OUTPUT iptables -F FORWARD ip6tables -F FORWARD # Delete all user defined tables. iptables -X ip6tables -X # Reset packet counters to zero. iptables -Z ip6tables -Z return 0 # All the above commands should never fail. } case "$1" in start|restart|reload|force-reload) firewall_states_restore exit "$?" ;; stop) firewall_states_save exit "$?" ;; defaults) firewall_defaults_restore || { printf "%s: %s\\n" "${0##*/}" "failed to restore default firewall state" >&2 exit 1 } echo "$?" ;; flush) firewall_flush # Should never fail. ;; *) printf "%s %s\\n" "${0##*/}" "" exit 2 ;; esac exit 0