5 # Required-Start: $local_fs $remote_fs
6 # Required-Stop: $local_fs $remote_fs
7 # Should-Start: $syslog
9 # Default-Start: 2 3 4 5
11 # Short-Description: Start or stop the iptables.
16 # Q: How do I get started?
17 # A: (Did I mention "do not use it" already? Oh well.)
18 # 1. Set up your normal iptables rules -- firewalling, port forwarding
19 # NAT, etc. When everything is configured the way you like, run:
21 # /etc/init.d/iptables save active
23 # Set up your inactive firewall rules -- this can be something
24 # like clear all rules and set all policy defaults to accept (which
25 # can be done with /etc/init.d/iptables clear). When that is ready,
26 # save the inactive ruleset:
28 # /etc/init.d/iptables save inactive
30 # 3. Controlling the script itself is done through runlevels configured
31 # with debconf for package installation. Run "dpkg-reconfigure iptables"
32 # to enable or disable after installation.
35 # A: Mostly. You can save additional rulesets and restore them by name. Note
# that the name is appended to /var/lib/iptables/ (or /var/lib/ip6tables/) as
# given, without any validation, so use plain names only: a name containing
# "/" or ".." makes "save" write iptables-save output outside that directory
# and "load" feed an arbitrary file to iptables-restore, both as root. As
38 # /etc/init.d/iptables save midnight
39 # /etc/init.d/iptables load midnight
42 # Autosave only happens on stop, and only when the autosave marker file
# (/var/lib/iptables/autosave, or the ip6tables equivalent) is present and
# enable_autosave is "true"; the marker is expected to be created by an
# earlier start in the same boot, so "stop" without a preceding "start"
# does not autosave.
44 # Also, take great care with the halt option. It drops every rule and
45 # flips every ACCEPT policy in the running ruleset to DROP, so it is almost
# as good as pulling the network cable -- except that it also cuts off
# loopback traffic, which breaks local services that talk over 127.0.0.1.
# Do not run it over a remote session unless you have out-of-band access.
47 # Also, create the /var/lib/iptables and /var/lib/ip6tables dirs. Keeping
# them owned by root and not world-readable is advisable: the saved rulesets
# describe your firewall policy, and anything in them is handed to
# iptables-restore as root when loaded.
53 # set enable_autosave to "true" to autosave the active ruleset
54 # when going from start to stop
57 # set enable_save_counters to "true" to save table counters with
59 enable_save_counters=true
61 if test -f /etc/default/iptables-cn; then
62 . /etc/default/iptables-cn
65 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
73 echo "Aborting iptables $cmd: $@."
79 initd_have_a_cow_man () {
81 if ! command -v "$i" >/dev/null 2>&1; then
82 echo "Aborting iptables initd: no $i executable"
90 echo -n "Clearing ${iptables_command} ruleset: default ACCEPT policy"
91 $iptables_save | sed "/-/d;/^#/d;s/DROP/ACCEPT/" | $iptables_restore
97 echo -n "Clearing ${iptables_command} ruleset: default DROP policy"
98 $iptables_save | sed "/-/d;/^#/d;s/ACCEPT/DROP/" | $iptables_restore
104 if ! test -f "$ruleset"; then
105 initd_abort load "unknown ruleset, \"$@\""
107 if test "$@" = inactive; then
111 echo -n "Loading ${iptables_command} ruleset: load \"$@\""
112 $iptables_restore < "$ruleset"
117 if test "${enable_save_counters:-false}" = true; then
118 echo -n " with counters"
119 $iptables_save -c > "$ruleset"
121 $iptables_save | sed '/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g' > "$ruleset"
127 ruleset="${libdir}/$@"
128 echo -n "Saving ${iptables_command} ruleset: save \"$@\""
134 if test -f $autosave -a ${enable_autosave-false} = true; then
135 ruleset="${libdir}/active"
136 echo -n "Autosaving ${iptables_command} ruleset: save \"active\""
143 # current="$(ls -m ${libdir} \
144 # | sed 's/ \{0,1\}autosave,\{0,1\} \{0,1\}//')"
147 start|restart|reload|force-reload
148 load the "active" ruleset
150 save the current ruleset
154 load the "inactive" ruleset
156 remove all rules and user-defined chains, set default policy to ACCEPT
158 remove all rules and user-defined chains, set default policy to DROP
160 Saved ruleset locations: /var/lib/iptables/ and /var/lib/ip6tables/
162 Please read: $default
169 start|restart|reload|force-reload)
171 if test ${enable_autosave-false} = true; then
186 if test -z "$*"; then
187 initd_abort save "no ruleset name given"
194 if test -z "$*"; then
195 initd_abort load "no ruleset name given"
200 save_active) #legacy option
203 save_inactive) #legacy option
207 echo "$initd: unknown command: \"$*\""
214 iptables="/sbin/${iptables_command}"
215 iptables_save="${iptables}-save"
216 iptables_restore="${iptables}-restore"
217 libdir="/var/lib/${iptables_command}"
218 autosave="${libdir}/autosave"
219 initd_have_a_cow_man "$iptables_save" "$iptables_restore"
220 ${iptables_command} -nL >/dev/null
224 iptables_command=iptables initd_preload $*
225 if test "$enable_ipv6" = "true"; then
226 iptables_command=ip6tables initd_preload $*