|
Lines 3-9
Link Here
|
| 3 |
# Distributed under the terms of the GNU General Public License v2 |
3 |
# Distributed under the terms of the GNU General Public License v2 |
| 4 |
# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.3.2.init,v 1.2 2005/08/10 23:11:12 vapier Exp $ |
4 |
# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables-1.3.2.init,v 1.2 2005/08/10 23:11:12 vapier Exp $ |
| 5 |
|
5 |
|
| 6 |
opts="save reload panic" |
6 |
opts="save reload panic panic_log" |
| 7 |
|
7 |
|
| 8 |
iptables_name=${SVCNAME} |
8 |
iptables_name=${SVCNAME} |
| 9 |
if [[ ${iptables_name} != "iptables" && ${iptables_name} != "ip6tables" ]] ; then |
9 |
if [[ ${iptables_name} != "iptables" && ${iptables_name} != "ip6tables" ]] ; then |
|
Lines 29-34
Link Here
|
| 29 |
nat) chains="PREROUTING POSTROUTING OUTPUT";; |
29 |
nat) chains="PREROUTING POSTROUTING OUTPUT";; |
| 30 |
mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";; |
30 |
mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";; |
| 31 |
filter) chains="INPUT FORWARD OUTPUT";; |
31 |
filter) chains="INPUT FORWARD OUTPUT";; |
|
|
32 |
raw) chains="OUTPUT PREROUTING";; |
| 32 |
*) chains="";; |
33 |
*) chains="";; |
| 33 |
esac |
34 |
esac |
| 34 |
local chain |
35 |
local chain |
|
Lines 37-42
Link Here
|
| 37 |
done |
38 |
done |
| 38 |
} |
39 |
} |
| 39 |
|
40 |
|
|
|
41 |
add_table_rule() { |
| 42 |
local chains table=$1 rule=$2 |
| 43 |
case ${table} in |
| 44 |
nat) chains="PREROUTING POSTROUTING OUTPUT";; |
| 45 |
mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING";; |
| 46 |
filter) chains="INPUT FORWARD OUTPUT";; |
| 47 |
raw) chains="OUTPUT PREROUTING";; |
| 48 |
*) chains="";; |
| 49 |
esac |
| 50 |
local chain |
| 51 |
for chain in ${chains} ; do |
| 52 |
${iptables_bin} -t ${table} -A ${chain} ${rule} |
| 53 |
done |
| 54 |
} |
| 55 |
|
| 56 |
|
| 40 |
checkkernel() { |
57 |
checkkernel() { |
| 41 |
if [[ ! -e ${iptables_proc} ]] ; then |
58 |
if [[ ! -e ${iptables_proc} ]] ; then |
| 42 |
eerror "Your kernel lacks ${iptables_name} support, please load" |
59 |
eerror "Your kernel lacks ${iptables_name} support, please load" |
|
Lines 82-91
Link Here
|
| 82 |
for a in $(<${iptables_proc}) ; do |
99 |
for a in $(<${iptables_proc}) ; do |
| 83 |
${iptables_bin} -F -t $a |
100 |
${iptables_bin} -F -t $a |
| 84 |
${iptables_bin} -X -t $a |
101 |
${iptables_bin} -X -t $a |
| 85 |
done |
102 |
set_table_policy $a ACCEPT |
| 86 |
eend $? |
|
|
| 87 |
|
103 |
|
|
|
104 |
done |
| 88 |
start |
105 |
start |
|
|
106 |
eend $? |
| 89 |
} |
107 |
} |
| 90 |
|
108 |
|
| 91 |
save() { |
109 |
save() { |
|
Lines 109-111
Link Here
|
| 109 |
done |
127 |
done |
| 110 |
eend $? |
128 |
eend $? |
| 111 |
} |
129 |
} |
|
|
130 |
|
| 131 |
panic_log() { |
| 132 |
checkkernel || return 1 |
| 133 |
[[ -e ${svcdir}/started/${iptables_name} ]] && svc_stop |
| 134 |
|
| 135 |
ebegin "Dropping and logging all packets" |
| 136 |
|
| 137 |
for a in $(<${iptables_proc}) ; do |
| 138 |
${iptables_bin} -F -t $a |
| 139 |
${iptables_bin} -X -t $a |
| 140 |
iptables -t $a -N BAD |
| 141 |
iptables -t $a -A BAD -j LOG --log-prefix "drop all policy: " |
| 142 |
set_table_policy $a DROP |
| 143 |
add_table_rule $a '-j BAD' |
| 144 |
done |
| 145 |
eend $? |
| 146 |
} |
