Skip to content

Instantly share code, notes, and snippets.

@eqhmcow

eqhmcow/reload_iptables.sh

Created April 30, 2013 03:19
Show Gist options
  • Save eqhmcow/5486418 to your computer and use it in GitHub Desktop.
Save eqhmcow/5486418 to your computer and use it in GitHub Desktop.
Download ZIP
unload the iptables modules and then reload them and apply the firewall rules stored at /etc/iptables.conf - adapted from RHEL 5's iptables services script
Raw
reload_iptables.sh
IPTABLES=iptables
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
/sbin/modprobe --version 2>&1 | grep -q module-init-tools \
&& NEW_MODUTILS=1 \
|| NEW_MODUTILS=0
# Do not stop if iptables module is not loaded.
[ -e "$PROC_IPTABLES_NAMES" ] || exit 1
flush_n_delete() {
# Flush firewall rules and delete chains.
[ -e "$PROC_IPTABLES_NAMES" ] || return 1
# Check if firewall is configured (has tables)
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
[ -z "$tables" ] && return 1
echo -n $"Flushing firewall rules: "
ret=0
# For all tables
for i in $tables; do
# Flush firewall rules.
$IPTABLES -t $i -F;
let ret+=$?;
# Delete firewall chains.
$IPTABLES -t $i -X;
let ret+=$?;
# Set counter to zero.
$IPTABLES -t $i -Z;
let ret+=$?;
done
[ $ret -eq 0 ] && echo OK || echo FAILED
echo
return $ret
}
set_policy() {
# Set policy for configured tables.
policy=$1
# Check if iptable module is loaded
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
# Check if firewall is configured (has tables)
tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
[ -z "$tables" ] && return 1
echo -n $"Setting chains to policy $policy: "
ret=0
for i in $tables; do
echo -n "$i "
case "$i" in
raw)
$IPTABLES -t raw -P PREROUTING $policy \
&& $IPTABLES -t raw -P OUTPUT $policy \
|| let ret+=1
;;
filter)
$IPTABLES -t filter -P INPUT $policy \
&& $IPTABLES -t filter -P OUTPUT $policy \
&& $IPTABLES -t filter -P FORWARD $policy \
|| let ret+=1
;;
nat)
$IPTABLES -t nat -P PREROUTING $policy \
&& $IPTABLES -t nat -P POSTROUTING $policy \
&& $IPTABLES -t nat -P OUTPUT $policy \
|| let ret+=1
;;
mangle)
$IPTABLES -t mangle -P PREROUTING $policy \
&& $IPTABLES -t mangle -P POSTROUTING $policy \
&& $IPTABLES -t mangle -P INPUT $policy \
&& $IPTABLES -t mangle -P OUTPUT $policy \
&& $IPTABLES -t mangle -P FORWARD $policy \
|| let ret+=1
;;
*)
let ret+=1
;;
esac
done
[ $ret -eq 0 ] && echo OK || echo FAILED
echo
return $ret
}
rmmod_r() {
# Unload module with all referring modules.
# At first all referring modules will be unloaded, then the module itself.
local mod=$1
local ret=0
local ref=
# Get referring modules.
# New modutils have another output format.
[ $NEW_MODUTILS = 1 ] \
&& ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
|| ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
# recursive call for all referring modules
for i in $ref; do
rmmod_r $i
let ret+=$?;
done
# Unload module.
# The extra test is for 2.6: The module might have autocleaned,
# after all referring modules are unloaded.
if grep -q "^${mod}" /proc/modules ; then
modprobe -r $mod > /dev/null 2>&1
let ret+=$?;
fi
return $ret
}
flush_n_delete
set_policy ACCEPT
echo -n $"Unloading $IPTABLES modules: "
ret=0
rmmod_r ip_tables
let ret+=$?;
rmmod_r ip_conntrack
let ret+=$?;
if [ $ret -eq 0 ]; then
echo "OK"
else
echo "FAILED"
fi
echo -n $"Applying $IPTABLES firewall rules: "
/sbin/iptables-restore < /etc/iptables.conf
if [ $? -eq 0 ]; then
echo "OK"
else
echo "FAILED"
exit 1
fi
# Load additional modules (helpers)
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"Loading additional $IPTABLES modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
[ $ret -eq 0 ] && echo OK || echo FAILED
echo
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment