iptables startup (init) script analysis
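#!/bin/bash
#
# iptables      Start iptables firewall
#
# chkconfig: 2345 08 92
# description:  Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO
#
# The script uses bash arrays, ${var%pattern}, $EUID and "let", so it is
# run under bash explicitly rather than a generic /bin/sh.

# Source function library (provides success / failure / warning).
. /etc/init.d/functions

IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES                # saved rule set
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config     # tunables, sourced below

# "ip" for ipv4 | "ip6" for ipv6: strip the trailing "tables" from the
# program name, so the same script body serves ip6tables when IPTABLES
# names that binary instead.
IPV=${IPTABLES%tables}
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"

# Kernel-exported list of tables that currently exist, one per line
# (e.g. /proc/net/ip_tables_names contains "filter" and "nat" when both
# table modules are loaded).
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names

# Subsystem lock file; its presence is what "start"/"condrestart" and
# "status" use to decide whether the firewall is considered running.
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES

# Only usable by root.
[ "$EUID" = 0 ] || exit 4

if [ ! -x /sbin/$IPTABLES ]; then
    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
    exit 5
fi

# Old or new modutils: module-init-tools (2.6 kernels) prints lsmod output
# in a different format than the older modutils, see rmmod_r.
if /sbin/modprobe --version 2>&1 | grep -q module-init-tools; then
    NEW_MODUTILS=1
else
    NEW_MODUTILS=0
fi

# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"

# Load firewall configuration.
# NOTE(review): the file is *executed* (sourced) as root, not parsed as
# key=value data; it must stay root-owned and not writable by anyone else,
# otherwise whatever is written into it runs with full privilege at boot.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

# Netfilter modules: every per-table module currently loaded for this
# address family (iptable_filter, iptable_nat, ...) plus the core
# ip_tables / ip6_tables module. Evaluated once, at script start.
NF_MODULES=($(lsmod | awk -v p="^${IPV}table_" '$1 ~ p { print $1 }') "${IPV}_tables")
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6

# Get active tables (empty when the core module is not loaded).
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)

#######################################
# rmmod_r MODULE
# Unload MODULE together with everything that references it: referring
# modules are unloaded first (recursively), then the module itself.
# Outputs: the name of every module that could not be unloaded
# Returns: number of failed unload attempts (0 on success)
#######################################
rmmod_r() {
    local mod=$1
    local ret=0
    local ref=
    local i res

    # Get referring modules.
    # New modutils have another output format: referrers are the
    # comma-separated 4th lsmod column. Match the module name exactly
    # rather than as a prefix, so that e.g. "nf_nat" does not also pick up
    # the referrers of "nf_nat_ftp". An if/else is used instead of the
    # "&& a || b" chain so a failing pipeline cannot fall through into the
    # old-modutils branch.
    if [ "$NEW_MODUTILS" = 1 ]; then
        ref=$(lsmod | awk -v m="$mod" '$1 == m { print $4 }' | tr ',' ' ')
    else
        ref=$(lsmod | grep "^${mod} " | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
    fi

    # Recursive call for all referring modules.
    for i in $ref; do
        rmmod_r "$i"
        let ret+=$?
    done

    # Unload module.
    # The extra test is for 2.6: the module might have autocleaned
    # after all referring modules were unloaded.
    if grep -q "^${mod} " /proc/modules; then
        modprobe -r "$mod" > /dev/null 2>&1
        res=$?
        [ $res -eq 0 ] || echo -n " $mod"
        let ret+=$res
    fi
    return $ret
}

#######################################
# flush_n_delete
# Flush firewall rules, delete user-defined chains and zero the counters
# in every active table. Built-in chain policies are NOT touched here;
# see set_policy.
# Returns: 0 when nothing is loaded, 1 when no table is configured,
#          otherwise the number of failed iptables invocations
#######################################
flush_n_delete() {
    # Check if iptable module is loaded.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    # Check if firewall is configured (has tables).
    [ -z "$NF_TABLES" ] && return 1

    echo -n $"${IPTABLES}: Flushing firewall rules: "
    local ret=0 table
    for table in $NF_TABLES; do
        # Flush firewall rules.
        $IPTABLES -t "$table" -F; let ret+=$?
        # Delete firewall chains.
        $IPTABLES -t "$table" -X; let ret+=$?
        # Set counter to zero.
        $IPTABLES -t "$table" -Z; let ret+=$?
    done

    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

#######################################
# set_policy POLICY
# Set the default policy (ACCEPT or DROP) of every built-in chain in every
# table that currently exists. "stop" uses ACCEPT, "panic" uses DROP.
# Returns: 0 when nothing is loaded, 1 when no table is configured,
#          otherwise the number of tables whose policy could not be set
#######################################
set_policy() {
    local policy=$1

    # Check if iptable module is loaded.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    # Check if firewall is configured (has tables). Re-read /proc here
    # rather than using NF_TABLES, which was captured at script start.
    local tables
    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
    [ -z "$tables" ] && return 1

    echo -n $"${IPTABLES}: Setting chains to policy $policy: "
    local ret=0 table
    for table in $tables; do
        echo -n "$table "
        case "$table" in
            raw)
                $IPTABLES -t raw -P PREROUTING $policy \
                    && $IPTABLES -t raw -P OUTPUT $policy \
                    || let ret+=1
                ;;
            filter)
                $IPTABLES -t filter -P INPUT $policy \
                    && $IPTABLES -t filter -P OUTPUT $policy \
                    && $IPTABLES -t filter -P FORWARD $policy \
                    || let ret+=1
                ;;
            nat)
                $IPTABLES -t nat -P PREROUTING $policy \
                    && $IPTABLES -t nat -P POSTROUTING $policy \
                    && $IPTABLES -t nat -P OUTPUT $policy \
                    || let ret+=1
                ;;
            mangle)
                $IPTABLES -t mangle -P PREROUTING $policy \
                    && $IPTABLES -t mangle -P POSTROUTING $policy \
                    && $IPTABLES -t mangle -P INPUT $policy \
                    && $IPTABLES -t mangle -P OUTPUT $policy \
                    && $IPTABLES -t mangle -P FORWARD $policy \
                    || let ret+=1
                ;;
            security)
                # The "security" table (MAC-level rules) has the same three
                # built-in chains as "filter"; without this case it would
                # fall into "*)" and make every stop/panic report failure
                # on kernels that expose it.
                $IPTABLES -t security -P INPUT $policy \
                    && $IPTABLES -t security -P OUTPUT $policy \
                    && $IPTABLES -t security -P FORWARD $policy \
                    || let ret+=1
                ;;
            *)
                # Unknown table: nothing sensible can be done, count as failure.
                let ret+=1
                ;;
        esac
    done

    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

#######################################
# start
# Restore the saved rule set from IPTABLES_DATA via iptables-restore,
# optionally load extra helper modules, and create the subsystem lock.
# Returns: 6 if there is no saved rule set, 150 if IPv6 is disabled via
#          modprobe config, 1 if the restore failed, otherwise the number
#          of helper modules that failed to load (0 on success)
#######################################
start() {
    # Do not start if there is no config file.
    [ ! -f "$IPTABLES_DATA" ] && return 6

    # Check if ipv6 module load is deactivated.
    if [ "${_IPV}" = "ipv6" ] \
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" \
            /etc/modprobe.conf /etc/modprobe.d/*; then
        echo $"${IPTABLES}: ${_IPV} is disabled."
        return 150
    fi

    echo -n $"${IPTABLES}: Applying firewall rules: "

    # $OPT is deliberately left unquoted below: when empty it must expand to
    # no argument at all, not to an empty string.
    local opt=
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && opt="-c"

    # iptables-restore replaces the whole rule set atomically from the file.
    if $IPTABLES-restore $opt "$IPTABLES_DATA"; then
        success; echo
    else
        failure; echo
        return 1
    fi

    # Load additional modules (helpers). ret is initialised up front so the
    # final "return $ret" is 0 when IPTABLES_MODULES is empty, instead of an
    # empty "return" that would echo the status of "touch".
    local ret=0 mod
    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n $"${IPTABLES}: Loading additional modules: "
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe "$mod" > /dev/null 2>&1
            let ret+=$?
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    touch "$VAR_SUBSYS_IPTABLES"
    return $ret
}

#######################################
# stop
# Flush all rules, set every chain policy to ACCEPT, optionally unload the
# netfilter modules and remove the subsystem lock.
# SECURITY NOTE: after "stop" the host has no rules and every built-in
# chain at ACCEPT, i.e. the firewall is fully open — not merely inactive.
# Use "panic" when the intent is to cut traffic off instead.
# Returns: 0 when nothing is loaded, otherwise the number of modules that
#          failed to unload (0 when unloading is disabled)
#######################################
stop() {
    # Do not stop if iptables module is not loaded.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    flush_n_delete
    set_policy ACCEPT

    local ret=0 mod
    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
        echo -n $"${IPTABLES}: Unloading modules: "
        for mod in "${NF_MODULES[@]}"; do
            rmmod_r "$mod"
            let ret+=$?
        done
        # Try to unload remaining netfilter modules shared by ipv4 and ipv6
        # netfilter; failures here are expected while the other family is
        # still using them, so they are neither printed nor counted.
        for mod in "${NF_MODULES_COMMON[@]}"; do
            rmmod_r "$mod" > /dev/null
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    rm -f "$VAR_SUBSYS_IPTABLES"
    return $ret
}

#######################################
# save
# Dump the live rule set with iptables-save into IPTABLES_DATA, keeping the
# previous file as IPTABLES_DATA.save. Both files are mode 0600 and get
# their SELinux context restored.
# Returns: 0 when nothing is loaded, 6 when no table is configured,
#          1 on any failure, 0 on success
#######################################
save() {
    # Check if iptable module is loaded.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    # Check if firewall is configured (has tables).
    [ -z "$NF_TABLES" ] && return 6

    echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "

    local opt=
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && opt="-c"

    local ret=0 tmp_file= size
    # Write into a root-only temp file created next to the target (same
    # filesystem, so the final mv is an atomic rename), and refuse to
    # install an empty dump, which would silently wipe the saved rules.
    tmp_file=$(/bin/mktemp -q "$IPTABLES_DATA.XXXXXX") \
        && chmod 600 "$tmp_file" \
        && $IPTABLES-save $opt > "$tmp_file" 2>/dev/null \
        && size=$(stat -c '%s' "$tmp_file") \
        && [ "$size" -gt 0 ] \
        || ret=1

    if [ $ret -eq 0 ]; then
        if [ -e "$IPTABLES_DATA" ]; then
            # Keep a backup of the previous rule set.
            cp -f "$IPTABLES_DATA" "$IPTABLES_DATA.save" \
                && chmod 600 "$IPTABLES_DATA.save" \
                && restorecon "$IPTABLES_DATA.save" \
                || ret=1
        fi
        if [ $ret -eq 0 ]; then
            mv -f "$tmp_file" "$IPTABLES_DATA" \
                && chmod 600 "$IPTABLES_DATA" \
                && restorecon "$IPTABLES_DATA" \
                || ret=1
        fi
    fi

    # Remove the temp file if it is still around (mktemp may have failed,
    # leaving tmp_file empty, or mv may already have consumed it).
    [ -n "$tmp_file" ] && rm -f "$tmp_file"

    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

#######################################
# status
# Print every active table with "iptables --list", honouring the
# IPTABLES_STATUS_* settings. Shadows the "status" helper from
# /etc/init.d/functions, as the original does.
# Returns: 3 when the firewall is not running / not loaded / has no
#          tables, 0 otherwise
#######################################
status() {
    # Do not print status if lockfile is missing and iptables modules are
    # not loaded.
    if [ ! -f "$VAR_SUBSYS_IPTABLES" ] && [ -z "$NF_TABLES" ]; then
        echo $"${IPTABLES}: Firewall is not running."
        return 3
    fi

    # Check if iptable modules are loaded.
    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
        echo $"${IPTABLES}: Firewall modules are not loaded."
        return 3
    fi

    # Check if firewall is configured (has tables).
    if [ -z "$NF_TABLES" ]; then
        echo $"${IPTABLES}: Firewall is not configured."
        return 3
    fi

    # Option variables are left unquoted on purpose: empty ones must vanish.
    local num= verbose= count= table
    [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && num="-n"
    [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && verbose="--verbose"
    [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && count="--line-numbers"

    for table in $NF_TABLES; do
        echo $"Table: $table"
        $IPTABLES -t "$table" --list $num $verbose $count && echo
    done

    return 0
}

#######################################
# restart
# Optionally save, then stop and start. Note the window between stop and
# start in which the firewall is fully open (see stop).
#######################################
restart() {
    [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
    stop
    start
}

case "$1" in
    start)
        # A present lock file makes "start" a silent no-op. A stale lock
        # (e.g. left behind by an unclean shutdown that did not clear
        # /var/lock/subsys) therefore means no rules get loaded; "restart"
        # is the way to force a reload.
        [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
        start
        RETVAL=$?
        ;;
    stop)
        [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
        stop
        RETVAL=$?
        ;;
    restart|force-reload)
        restart
        RETVAL=$?
        ;;
    reload)
        # unimplemented
        RETVAL=3
        ;;
    condrestart|try-restart)
        [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
        restart
        RETVAL=$?
        ;;
    status)
        status
        RETVAL=$?
        ;;
    panic)
        # Emergency lockdown: drop all rules and default every chain to DROP.
        flush_n_delete
        set_policy DROP
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
        RETVAL=2
        ;;
esac

exit $RETVAL

# Appendix: reading lsmod output (as used by rmmod_r)
#   column 1: module name
#   column 2: module size
#   column 3: use count (number of modules / users depending on it)
#   column 4: the depending modules themselves, comma separated
# Example from /proc/modules on a host with filter and nat loaded:
#   iptable_nat 6124 1 - Live ...
#   nf_nat 22788 1 iptable_nat, Live ...
#   nf_conntrack 79643 3 iptable_nat,nf_nat,nf_conntrack_ipv4, Live ...
#   ip_tables 17765 2 iptable_filter,iptable_nat, Live ...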