-#!/bin/sh
-
-### BEGIN INIT INFO
-# Provides: iptables
-# Required-Start: $local_fs $remote_fs
-# Required-Stop: $local_fs $remote_fs
-# Should-Start: $syslog
-# Should-Stop: $syslog
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Start or stop the iptables.
-### END INIT INFO
-
-set -e
-
-# Q: How do I get started?
-# A: (Did I mention "do not use it" already? Oh well.)
-# 1. Setup your normal iptables rules -- firewalling, port forwarding
-# NAT, etc. When everything is configured the way you like, run:
-#
-# /etc/init.d/iptables save active
-#
-# 2. Setup your your inactive firewall rules -- this can be something
-# like clear all rules and set all policy defaults to accept (which
-# can be done with /etc/init.d/iptables clear). When that is ready,
-# save the inactive ruleset:
-#
-# /etc/init.d/iptables save inactive
-#
-# 3. Controlling the script itself is done through runlevels configured
-# with debconf for package installation. Run "dpkg-reconfigure iptables"
-# to enable or disable after installation.
-#
-# Q: Is that all?
-# A: Mostly. You can save additional rulesets and restore them by name. As
-# an example:
-#
-# /etc/init.d/iptables save midnight
-# /etc/init.d/iptables load midnight
-#
-#
-# Autosave only works with start followed by stop.
-#
-# Also, take great care with the halt option. It's almost as good as
-# pulling the network cable, except it disrupts localhost too.
-#
-# Also, create the /var/lib/iptables and /var/lib/ip6tables dirs
-# as necessary.
-
-# enable ipv6 support
-enable_ipv6=false
-
-# set enable_autosave to "true" to autosave the active ruleset
-# when going from start to stop
-enable_autosave=false
-
-# set enable_save_counters to "true" to save table counters with
-# rulesets
-enable_save_counters=true
-
-if test -f /etc/default/iptables-cn; then
- . /etc/default/iptables-cn
-fi
-
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-
-initd="$0"
-default="$0"
-
-initd_abort () {
- cmd=$1
- shift
- echo "Aborting iptables $cmd: $@."
- echo
- usage
- exit 0
-}
-
-initd_have_a_cow_man () {
- for i in $@; do
- if ! command -v "$i" >/dev/null 2>&1; then
- echo "Aborting iptables initd: no $i executable"
- exit 0
- fi
- done
-}
-
-initd_clear () {
- rm -f "$autosave"
- echo -n "Clearing ${iptables_command} ruleset: default ACCEPT policy"
- $iptables_save | sed "/-/d;/^#/d;s/DROP/ACCEPT/" | $iptables_restore
- echo "."
-}
-
-initd_halt () {
- rm -f $autosave
- echo -n "Clearing ${iptables_command} ruleset: default DROP policy"
- $iptables_save | sed "/-/d;/^#/d;s/ACCEPT/DROP/" | $iptables_restore
- echo "."
-}
-
-initd_load () {
- ruleset="$libdir/$@"
- if ! test -f "$ruleset"; then
- initd_abort load "unknown ruleset, \"$@\""
- fi
- if test "$@" = inactive; then
- initd_autosave
- fi
- rm -f "$autosave"
- echo -n "Loading ${iptables_command} ruleset: load \"$@\""
- $iptables_restore < "$ruleset"
- echo "."
-}
-
-initd_counters () {
- if test "${enable_save_counters:-false}" = true; then
- echo -n " with counters"
- $iptables_save -c > "$ruleset"
- else
- $iptables_save | sed '/^:/s@\[[0-9]\{1,\}:[0-9]\{1,\}\]@[0:0]@g' > "$ruleset"
- fi
-}
-
-initd_save () {
- rm -f $autosave
- ruleset="${libdir}/$@"
- echo -n "Saving ${iptables_command} ruleset: save \"$@\""
- initd_counters
- echo "."
-}
-
-initd_autosave () {
- if test -f $autosave -a ${enable_autosave-false} = true; then
- ruleset="${libdir}/active"
- echo -n "Autosaving ${iptables_command} ruleset: save \"active\""
- initd_counters
- echo "."
- fi
-}
-
-usage () {
-# current="$(ls -m ${libdir} \
-# | sed 's/ \{0,1\}autosave,\{0,1\} \{0,1\}//')"
-cat << END
-$initd options:
- start|restart|reload|force-reload
- load the "active" ruleset
- save <ruleset>
- save the current ruleset
- load <ruleset>
- load a ruleset
- stop
- load the "inactive" ruleset
- clear
- remove all rules and user-defined chains, set default policy to ACCEPT
- halt
- remove all rules and user-defined chains, set default policy to DROP
-
-Saved ruleset locations: /var/lib/iptables/ and /var/lib/ip6tables/
-
-Please read: $default
-
-END
-}
-
-initd_main () {
- case "$1" in
- start|restart|reload|force-reload)
- initd_load active
- if test ${enable_autosave-false} = true; then
- touch $autosave
- fi
- ;;
- stop)
- initd_load inactive
- ;;
- clear)
- initd_clear
- ;;
- halt)
- initd_halt
- ;;
- save)
- shift
- if test -z "$*"; then
- initd_abort save "no ruleset name given"
- else
- initd_save "$*"
- fi
- ;;
- load)
- shift
- if test -z "$*"; then
- initd_abort load "no ruleset name given"
- else
- initd_load "$*"
- fi
- ;;
- save_active) #legacy option
- initd_save active
- ;;
- save_inactive) #legacy option
- initd_save inactive
- ;;
- *)
- echo "$initd: unknown command: \"$*\""
- usage
- ;;
- esac
-}
-
-initd_preload() {
- iptables="/sbin/${iptables_command}"
- iptables_save="${iptables}-save"
- iptables_restore="${iptables}-restore"
- libdir="/var/lib/${iptables_command}"
- autosave="${libdir}/autosave"
- initd_have_a_cow_man "$iptables_save" "$iptables_restore"
- ${iptables_command} -nL >/dev/null
- initd_main $*
-}
-
-iptables_command=iptables initd_preload $*
-if test "$enable_ipv6" = "true"; then
- iptables_command=ip6tables initd_preload $*
-fi
-
-exit 0