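#!/bin/bash
#
# iptables      Start iptables firewall
#
# chkconfig: 2345 08 92
# description:  Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO
#
# NOTE: the script relies on bash arrays, $EUID and $"..." message
# translation, so it is declared as a bash script rather than #!/bin/sh.

# Source function library (provides the success/failure/warning helpers).
. /etc/init.d/functions

IPTABLES=iptables
# Saved rule set and the shell-style config file for this service.
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
# ${IPTABLES%tables} strips the trailing "tables": "ip" for IPv4, "ip6"
# for IPv6 (the same script is installed under the name ip6tables).
IPV=${IPTABLES%tables}
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
# Kernel list of the tables currently registered for this family, e.g.
#   $ ls /proc/net/ip*
#   /proc/net/ip6_flowlabel  /proc/net/ip6_mr_vif    /proc/net/ip_mr_vif
#   /proc/net/ip_tables_names /proc/net/ip6_route    /proc/net/ip6_mr_cache
#   /proc/net/ip_mr_cache    /proc/net/ip_tables_matches
#   /proc/net/ip_tables_targets
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
# Subsystem lock file recording that the firewall has been started.
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES

# Only usable by root (LSB exit status 4: insufficient privilege).
[ "$EUID" = 0 ] || exit 4

if [ ! -x /sbin/$IPTABLES ]; then
    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
    exit 5
fi

# Old or new modutils: module-init-tools formats the lsmod "used by" column
# differently, which rmmod_r() has to parse.
/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
    && NEW_MODUTILS=1 \
    || NEW_MODUTILS=0

# Default firewall configuration; may be overridden by $IPTABLES_CONFIG.
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"

# Load firewall configuration. The file is executed as shell code with root
# privileges, so it must stay owned by and writable only by root.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

# Netfilter modules loaded for this family, plus the core ${IPV}_tables
# module (these are unloaded by stop). Example for IPv4:
#   $ lsmod | awk '/^iptable_/ {print $1}'
#   iptable_filter
#   iptable_nat
# The awk field reference is escaped: an unescaped $1 inside the double
# quotes would expand to this script's first argument ("start", ...).
NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
# Modules shared by the IPv4 and IPv6 netfilter stacks.
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack)
# Active tables, e.g.
#   $ cat /proc/net/ip_tables_names
#   filter
#   nat
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)

#######################################
# Unload a module together with every module that refers to it.
# All referring modules are unloaded (recursively) first, then the module
# itself.
# Globals:   NEW_MODUTILS (read)
# Arguments: $1 - module name
# Outputs:   names of modules that could not be unloaded, on stdout
# Returns:   sum of the modprobe -r exit statuses (0 when all unloaded)
#######################################
rmmod_r() {
    local mod=$1
    local ret=0
    local ref=
    local i res

    # Get referring modules. New modutils print them comma-separated in the
    # 4th lsmod column, old modutils print them in brackets. The pattern is
    # anchored on the following whitespace so that e.g. "nf_nat" does not
    # also match "nf_nat_ftp".
    if [ "$NEW_MODUTILS" = 1 ]; then
        ref=$(lsmod | awk "/^${mod}[[:space:]]/ { print \$4; }" | tr ',' ' ')
    else
        ref=$(lsmod | grep "^${mod}[[:space:]]" | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
    fi

    # Recursive call for all referring modules.
    for i in $ref; do
        rmmod_r "$i"
        ret=$((ret + $?))
    done

    # Unload the module itself. The extra test is for 2.6: the module might
    # have been autocleaned once all referring modules were unloaded.
    # Sample /proc/modules entries (sample output; addresses vary):
    #   iptable_filter 2759 0 - Live 0xffffffffa02e1000
    #   iptable_nat 6124 1 - Live 0xffffffffa029b000
    #   nf_nat 22788 1 iptable_nat, Live 0xffffffffa02d1000
    #   nf_conntrack_ipv4 9440 3 iptable_nat,nf_nat, Live 0xffffffffa0286000
    #   nf_conntrack 79643 3 iptable_nat,nf_nat,nf_conntrack_ipv4, Live 0xffffffffa02b0000
    #   nf_defrag_ipv4 1449 1 nf_conntrack_ipv4, Live 0xffffffffa0257000
    #   ip_tables 17765 2 iptable_filter,iptable_nat, Live 0xffffffffa02a9000
    #   ipv6 322899 74 - Live 0xffffffffa01ab000
    if grep -q "^${mod} " /proc/modules; then
        modprobe -r "$mod" >/dev/null 2>&1
        res=$?
        # Report the module only when it could not be unloaded.
        [ "$res" -eq 0 ] || echo -n " $mod"
        ret=$((ret + res))
    fi
    return $ret
}

#######################################
# Flush all rules, delete user-defined chains and zero the counters of every
# active table.
# Globals:   IPTABLES, PROC_IPTABLES_NAMES, NF_TABLES (read)
# Returns:   0 if the module is not loaded or everything succeeded, 1 if no
#            tables are configured, otherwise the number of failed commands
#######################################
flush_n_delete() {
    local ret=0
    local i

    # Nothing to do when the ${IPV}_tables module is not loaded.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
    # Check if firewall is configured (has tables).
    [ -z "$NF_TABLES" ] && return 1

    echo -n $"${IPTABLES}: Flushing firewall rules: "
    for i in $NF_TABLES; do
        $IPTABLES -t "$i" -F    # flush firewall rules
        ret=$((ret + $?))
        $IPTABLES -t "$i" -X    # delete user-defined chains
        ret=$((ret + $?))
        $IPTABLES -t "$i" -Z    # set packet/byte counters to zero
        ret=$((ret + $?))
    done
    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

#######################################
# Set the builtin chains of every configured table to the given policy.
# Globals:   IPTABLES, PROC_IPTABLES_NAMES (read)
# Arguments: $1 - policy (ACCEPT or DROP)
# Returns:   0 if the module is not loaded or everything succeeded, 1 if no
#            tables are configured, otherwise the number of tables whose
#            policy could not be set (unknown tables count as failures)
#######################################
set_policy() {
    local policy=$1
    local ret=0
    local tables i

    # Check if the iptables module is loaded.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
    # Check if firewall is configured (has tables).
    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
    [ -z "$tables" ] && return 1

    echo -n $"${IPTABLES}: Setting chains to policy $policy: "
    for i in $tables; do
        echo -n "$i "
        # Builtin chain names are case-sensitive (PREROUTING, INPUT, ...).
        case "$i" in
            raw)
                $IPTABLES -t raw -P PREROUTING "$policy" \
                    && $IPTABLES -t raw -P OUTPUT "$policy" \
                    || ret=$((ret + 1))
                ;;
            filter)
                $IPTABLES -t filter -P INPUT "$policy" \
                    && $IPTABLES -t filter -P OUTPUT "$policy" \
                    && $IPTABLES -t filter -P FORWARD "$policy" \
                    || ret=$((ret + 1))
                ;;
            nat)
                $IPTABLES -t nat -P PREROUTING "$policy" \
                    && $IPTABLES -t nat -P POSTROUTING "$policy" \
                    && $IPTABLES -t nat -P OUTPUT "$policy" \
                    || ret=$((ret + 1))
                ;;
            mangle)
                $IPTABLES -t mangle -P PREROUTING "$policy" \
                    && $IPTABLES -t mangle -P POSTROUTING "$policy" \
                    && $IPTABLES -t mangle -P INPUT "$policy" \
                    && $IPTABLES -t mangle -P OUTPUT "$policy" \
                    && $IPTABLES -t mangle -P FORWARD "$policy" \
                    || ret=$((ret + 1))
                ;;
            *)
                ret=$((ret + 1))
                ;;
        esac
    done
    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

#######################################
# Restore the saved rule set, load the configured helper modules and create
# the subsystem lock file.
# Globals:   IPTABLES, IPTABLES_DATA, IPTABLES_SAVE_COUNTER, IPTABLES_MODULES,
#            VAR_SUBSYS_IPTABLES, _IPV (read)
# Returns:   6 if no saved rule set exists, 150 if the IPv6 module is
#            disabled, 1 if iptables-restore failed, otherwise the number of
#            helper modules that failed to load
#######################################
start() {
    local ret=0
    local restore_opts=()
    local mod

    # Do not start if there is no config file.
    [ ! -f "$IPTABLES_DATA" ] && return 6

    # Check if IPv6 module load is deactivated ("install ipv6 /bin/true").
    if [ "${_IPV}" = "ipv6" ] \
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/*; then
        echo $"${IPTABLES}: ${_IPV} is disabled."
        return 150
    fi

    echo -n $"${IPTABLES}: Applying firewall rules: "
    # -c also restores the saved packet/byte counters.
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && restore_opts+=(-c)
    if $IPTABLES-restore "${restore_opts[@]}" "$IPTABLES_DATA"; then
        success; echo
    else
        failure; echo; return 1
    fi

    # Load additional modules (helpers).
    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n $"${IPTABLES}: Loading additional modules: "
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe "$mod" >/dev/null 2>&1
            ret=$((ret + $?))
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    touch "$VAR_SUBSYS_IPTABLES"
    return $ret
}

#######################################
# Flush the rules, reset every chain to ACCEPT, optionally unload the
# netfilter modules and remove the subsystem lock file.
# Globals:   IPTABLES, PROC_IPTABLES_NAMES, IPTABLES_MODULES_UNLOAD,
#            NF_MODULES, NF_MODULES_COMMON, VAR_SUBSYS_IPTABLES (read)
# Returns:   0 if the module is not loaded or everything succeeded,
#            otherwise the number of family-specific modules left loaded
#######################################
stop() {
    local ret=0
    local mod

    # Do not stop if iptables module is not loaded.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    flush_n_delete
    set_policy ACCEPT

    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
        echo -n $"${IPTABLES}: Unloading modules: "
        for mod in "${NF_MODULES[@]}"; do
            rmmod_r "$mod"
            ret=$((ret + $?))
        done
        # Try to unload the netfilter modules shared by IPv4 and IPv6; this
        # is expected to fail while the other family still uses them, so the
        # result is not counted.
        for mod in "${NF_MODULES_COMMON[@]}"; do
            rmmod_r "$mod" >/dev/null
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    rm -f "$VAR_SUBSYS_IPTABLES"
    return $ret
}

#######################################
# Save the active rule set to $IPTABLES_DATA, keeping the previous file as
# $IPTABLES_DATA.save. The rules are first written to a mode-0600 temp file
# in the same directory, so a failed save never truncates the existing
# rule set.
# Globals:   IPTABLES, IPTABLES_DATA, PROC_IPTABLES_NAMES, NF_TABLES,
#            IPTABLES_SAVE_COUNTER (read)
# Returns:   0 on success or when the module is not loaded, 6 if no tables
#            are configured, 1 on any failure
#######################################
save() {
    local ret=0
    local save_opts=()
    local tmp_file size

    # Check if iptables module is loaded.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
    # Check if firewall is configured (has tables).
    [ -z "$NF_TABLES" ] && return 6

    echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
    # -c also saves the packet/byte counters.
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && save_opts+=(-c)

    # The rule set describes the network policy, so the file is restricted to
    # root before anything is written to it. An empty dump counts as failure.
    tmp_file=$(/bin/mktemp -q "$IPTABLES_DATA.XXXXXX") \
        && chmod 600 "$tmp_file" \
        && $IPTABLES-save "${save_opts[@]}" > "$tmp_file" 2>/dev/null \
        && size=$(stat -c '%s' "$tmp_file") \
        && [ "$size" -gt 0 ] \
        || ret=1

    if [ $ret -eq 0 ]; then
        # Keep a backup of the previous rule set with mode 600 and the
        # SELinux context of its location.
        if [ -e "$IPTABLES_DATA" ]; then
            cp -f "$IPTABLES_DATA" "$IPTABLES_DATA.save" \
                && chmod 600 "$IPTABLES_DATA.save" \
                && restorecon "$IPTABLES_DATA.save" \
                || ret=1
        fi
        if [ $ret -eq 0 ]; then
            mv -f "$tmp_file" "$IPTABLES_DATA" \
                && chmod 600 "$IPTABLES_DATA" \
                && restorecon "$IPTABLES_DATA" \
                || ret=1
        fi
    fi
    # Only remove the temp file if mktemp actually created one.
    [ -n "$tmp_file" ] && rm -f "$tmp_file"
    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

#######################################
# Print the rules of every active table.
# Globals:   IPTABLES, VAR_SUBSYS_IPTABLES, PROC_IPTABLES_NAMES, NF_TABLES,
#            IPTABLES_STATUS_NUMERIC, IPTABLES_STATUS_VERBOSE,
#            IPTABLES_STATUS_LINENUMBERS (read)
# Returns:   0 if rules were listed, 3 if the firewall is not running,
#            not loaded or not configured
#######################################
status() {
    local list_opts=(--list)
    local table

    # Do not print status if the lock file is missing and no iptables modules
    # are loaded.
    if [ ! -f "$VAR_SUBSYS_IPTABLES" ] && [ -z "$NF_TABLES" ]; then
        echo $"${IPTABLES}: Firewall is not running."
        return 3
    fi
    # Check if iptables modules are loaded.
    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
        echo $"${IPTABLES}: Firewall modules are not loaded."
        return 3
    fi
    # Check if firewall is configured (has tables).
    if [ -z "$NF_TABLES" ]; then
        echo $"${IPTABLES}: Firewall is not configured."
        return 3
    fi

    [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && list_opts+=(-n)
    [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && list_opts+=(--verbose)
    [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && list_opts+=(--line-numbers)

    for table in $NF_TABLES; do
        echo $"Table: $table"
        $IPTABLES -t "$table" "${list_opts[@]}" && echo
    done
    return 0
}

#######################################
# Stop and start the firewall, saving the rules first when configured.
# Globals:   IPTABLES_SAVE_ON_RESTART (read)
# Returns:   exit status of start
#######################################
restart() {
    [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
    stop
    start
}

case "$1" in
    start)
        # Already started: the lock file exists.
        [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
        start
        RETVAL=$?
        ;;
    stop)
        [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
        stop
        RETVAL=$?
        ;;
    restart|force-reload)
        restart
        RETVAL=$?
        ;;
    reload)
        # Unimplemented (LSB: 3 = unimplemented feature).
        RETVAL=3
        ;;
    condrestart|try-restart)
        # Only restart when the service was running.
        [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
        restart
        RETVAL=$?
        ;;
    status)
        status
        RETVAL=$?
        ;;
    panic)
        # Drop everything: flush the rules and set every chain to DROP.
        flush_n_delete
        set_policy DROP
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
        RETVAL=2
        ;;
esac
exit $RETVAL

# Appendix: lsmod output columns
#   1st: module name
#   2nd: size of the module
#   3rd: number of modules depending on it
#   4th: names of the depending modules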