5 # Q: How do I get started?
6 # A: (Did I mention "do not use it" already? Oh well.)
7 # 1. Set up your normal iptables rules -- firewalling, port forwarding
8 # NAT, etc. When everything is configured the way you like, run:
10 # /etc/init.d/iptables save active
12 # 2. Set up your inactive firewall rules -- this can be something
13 # like clear all rules and set all policy defaults to accept (which
14 # can be done with /etc/init.d/iptables clear). When that is ready,
15 # save the inactive ruleset:
17 # /etc/init.d/iptables save inactive
19 # 3. Controlling the script itself is done through runlevels configured
20 # with debconf for package installation. Run "dpkg-reconfigure iptables"
21 # to enable or disable after installation.
24 # A: Mostly. You can save additional rulesets and restore them by name. As
27 # /etc/init.d/iptables save midnight
28 # /etc/init.d/iptables load midnight
31 # Autosave only works with start followed by stop. Ruleset names given to save/load are used as-is as file names under the /var/lib ruleset directories, so pass plain names only.
33 # Also, take great care with the halt option. It's almost as good as
34 # pulling the network cable, except it disrupts localhost too.
36 # Also, create the /var/lib/iptables and /var/lib/ip6tables dirs
42 # set enable_autosave to "true" to autosave the active ruleset
43 # when going from start to stop
46 # set enable_save_counters to "true" to save table counters with
48 enable_save_counters=true
50 if test -f /etc/default/iptables-cn; then
51 . /etc/default/iptables-cn
54 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
62 echo "Aborting iptables $cmd: $@."
68 initd_have_a_cow_man () {
70 if ! command -v "$i" >/dev/null 2>&1; then
71 echo "Aborting iptables initd: no $i executable"
79 echo -n "Clearing ${iptables_command} ruleset: default ACCEPT policy"
80 $iptables_save | sed "/-/d;/^#/d;s/DROP/ACCEPT/" | $iptables_restore
86 echo -n "Clearing ${iptables_command} ruleset: default DROP policy"
87 $iptables_save | sed "/-/d;/^#/d;s/ACCEPT/DROP/" | $iptables_restore
93 if ! test -f "$ruleset"; then
94 initd_abort load "unknown ruleset, \"$@\""
96 if test "$@" = inactive; then
100 echo -n "Loading ${iptables_command} ruleset: load \"$@\""
101 $iptables_restore < "$ruleset"
106 if test "${enable_save_counters:-false}" = true; then
107 echo -n " with counters"
108 $iptables_save -c > "$ruleset"
110 $iptables_save | sed '/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g' > "$ruleset"
116 ruleset="${libdir}/$@"
117 echo -n "Saving ${iptables_command} ruleset: save \"$@\""
123 if test -f $autosave -a ${enable_autosave-false} = true; then
124 ruleset="${libdir}/active"
125 echo -n "Autosaving ${iptables_command} ruleset: save \"active\""
132 # current="$(ls -m ${libdir} \
133 # | sed 's/ \{0,1\}autosave,\{0,1\} \{0,1\}//')"
136 start|restart|reload|force-reload
137 load the "active" ruleset
139 save the current ruleset
143 load the "inactive" ruleset
145 remove all rules and user-defined chains, set default policy to ACCEPT
147 remove all rules and user-defined chains, set default policy to DROP
149 Saved ruleset locations: /var/lib/iptables/ and /var/lib/ip6tables/
151 Please read: $default
158 start|restart|reload|force-reload)
160 if test ${enable_autosave-false} = true; then
175 if test -z "$*"; then
176 initd_abort save "no ruleset name given"
183 if test -z "$*"; then
184 initd_abort load "no ruleset name given"
189 save_active) #legacy option
192 save_inactive) #legacy option
196 echo "$initd: unknown command: \"$*\""
203 iptables="/sbin/${iptables_command}"
204 iptables_save="${iptables}-save"
205 iptables_restore="${iptables}-restore"
206 libdir="/var/lib/${iptables_command}"
207 autosave="${libdir}/autosave"
208 initd_have_a_cow_man "$iptables_save" "$iptables_restore"
209 ${iptables_command} -nL >/dev/null
213 iptables_command=iptables initd_preload $*
214 if test "$enable_ipv6" = "true"; then
215 iptables_command=ip6tables initd_preload $*