ggtools · December 14, 2016 14:56
diff --git a/docker-pfw.conf b/docker-pfw.conf
 [Service]
 EnvironmentFile=-/etc/sysconfig/docker-pfw
 ExecStartPost=-/usr/local/bin/docker-pfw.sh start
 ExecStopPost=-/usr/local/bin/docker-pfw.sh stop
diff --git a/docker-pfw.sh b/docker-pfw.sh
 #!/usr/bin/env bash

 DPFW_FILE=/etc/docker/iptables-pfw.save
 DPFW_CHAIN=DOCKER-PUB
 DPFW_INTERFACE=em0

 case $1 in
    start )
        if [ -f ${DPFW_FILE} ]
        then
            iptables-restore --noflush --table filter ${DPFW_FILE}
        else
            iptables -N ${DPFW_CHAIN}
            iptables -A ${DPFW_CHAIN} -j REJECT
            iptables -I FORWARD -i ${DPFW_INTERFACE} -j ${DPFW_CHAIN}
        fi
        ;;
    stop )
        {
            echo "*filter"
            iptables-save -c -t filter | grep ${DPFW_CHAIN} | sed 's/ -A \(FORWARD -i '${DPFW_INTERF
 ACE}'\)/ -I \1/'
            echo "COMMIT"
        } >${DPFW_FILE}
        set +e
        iptables -D FORWARD -i ${DPFW_INTERFACE} -j ${DPFW_CHAIN}
        iptables -F ${DPFW_CHAIN}
        iptables -X ${DPFW_CHAIN}
        set -e
        ;;
 esac
	[Service]
	EnvironmentFile=-/etc/sysconfig/docker-pfw
	ExecStartPost=-/usr/local/bin/docker-pfw.sh start
	ExecStopPost=-/usr/local/bin/docker-pfw.sh stop
	#!/usr/bin/env bash

	DPFW_FILE=/etc/docker/iptables-pfw.save
	DPFW_CHAIN=DOCKER-PUB
	DPFW_INTERFACE=em0

	case $1 in
	start )
	if [ -f ${DPFW_FILE} ]
	then
	iptables-restore --noflush --table filter ${DPFW_FILE}
	else
	iptables -N ${DPFW_CHAIN}
	iptables -A ${DPFW_CHAIN} -j REJECT
	iptables -I FORWARD -i ${DPFW_INTERFACE} -j ${DPFW_CHAIN}
	fi
	;;
	stop )
	{
	echo "*filter"
	iptables-save -c -t filter \| grep ${DPFW_CHAIN} \| sed 's/ -A \(FORWARD -i '${DPFW_INTERF
	ACE}'\)/ -I \1/'
	echo "COMMIT"
	} >${DPFW_FILE}
	set +e
	iptables -D FORWARD -i ${DPFW_INTERFACE} -j ${DPFW_CHAIN}
	iptables -F ${DPFW_CHAIN}
	iptables -X ${DPFW_CHAIN}
	set -e
	;;
	esac