#!/bin/sh
#
# iptables Start iptables firewall
#
# chkconfig: 2345 08 92
# description: Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO
# Source function library.
. /etc/init.d/functions
IPTABLES=iptables #变量IPTABLES
IPTABLES_DATA=/etc/sysconfig/$IPTABLES #变量IPTABLES_DATA=/etc/sysconfig/iptables
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config #变量IPTABLES+CONFIG=/etc/sysoncifg/iptables-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 #变量IPV,${IPTABLES%tables},将上一个变量IPTABLES的tables字符串删除
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" #如IPV=ip就执行_IPV=ipv4否则就执行_IPV=ipv6
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names #变量PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names 查看 /proc/net/有如下文件
#ls /proc/net/ip*
#/proc/net/ip6_flowlabel /proc/net/ip6_mr_vif /proc/net/ip_mr_vif /proc/net/ip_tables_names /proc/net/ipv6_route /proc/net/ip6_mr_cache /proc/net/ip_mr_cache /proc/net/ip_tables_matches /proc/net/ip_tables_targets
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES #变量VAR_SUBSYS_IPTABLES设置状态锁文件
# only usable for root
[ $EUID = 0 ] || exit 4 #判断是否是root用户,否则退出状态为4
if [ ! -x /sbin/$IPTABLES ]; then #判断/sbin/iptables不存在,就显示下面的警告信息
echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
exit 5 #退出状态为5
fi
# Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q module-init-tools
&& NEW_MODUTILS=1
|| NEW_MODUTILS=0
# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" #判断是否存在/etc/sysoncifg/iptables-config
# Netfilter modules
NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print $1}") ${IPV}_tables)
# 查看启动iptables加载的模块,当iptables用此脚本停止时,模块是没有加载的
#----#lsmod|awk "/^iptable_/ {print $1}" $ip_tables----
#---iptable_filter-------------------------------------
#---iptable_nat----------------------------------------
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
# Get active tables
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
#查看系统加载的iptables模块
#--------- #cat /proc/net/ip_tables_names---------
#---------filter----------------------------------
#---------nat-------------------------------------
rmmod_r() {
# Unload module with all referring modules.
# At first all referring modules will be unloaded, then the module itself.
local mod=$1 #定义一个局部变量mod=$1
local ret=0 #定义一个局部变量ret=0
local ref= #定义一个局部变量ref
# Get referring modules.
# New modutils have another output format.
[ $NEW_MODUTILS = 1 ]
&& ref=$(lsmod | awk "/^${mod}/ { print $4; }" | tr ',' ' ')
|| ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
#如果NEW_MODUTILSd的值1,即判断modprobe --version|grep -q module-init-tools成功,
#lsmod打印第4列,显示出模块的内容,并将显示出的,全部删除
#如果NEW_MODUTILSd的值0,就执行后面
# recursive call for all referring modules
for i in $ref; do
rmmod_r $i
let ret+=$?;
done
#删除已经加载的iptables模块
# Unload module.
# The extra test is for 2.6: The module might have autocleaned,
# after all referring modules are unloaded.
if grep -q "^${mod}" /proc/modules ; then #查看iptables的模块
modprobe -r $mod > /dev/null 2>&1 #modprobe -r删除存在的iptables模块
res=$? #查看状态
[ $res -eq 0 ] || echo -n " $mod" #执行成功,显示内容
let ret+=$res;
fi
return $ret
#===========================================#
cat /proc/modules |grep ip
iptable_filter 2759 0 - Live 0xffffffffa02e1000
iptable_nat 6124 1 - Live 0xffffffffa029b000
nf_nat 22788 1 iptable_nat, Live 0xffffffffa02d1000
nf_conntrack_ipv4 9440 3 iptable_nat,nf_nat, Live 0xffffffffa0286000
nf_conntrack 79643 3 iptable_nat,nf_nat,nf_conntrack_ipv4, Live 0xffffffffa02b0000
nf_defrag_ipv4 1449 1 nf_conntrack_ipv4, Live 0xffffffffa0257000
ip_tables 17765 2 iptable_filter,iptable_nat, Live 0xffffffffa02a9000
ipv6 322899 74 - Live 0xffffffffa01ab000
#====================================================#
}
flush_n_delete() {
#情况默认策略
# Flush firewall rules and delete chains.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
#如果不存在/proc/net/ip_tables_names,则返回为0
# Check if firewall is configured (has tables)
[ -z "$NF_TABLES" ] && return 1
#如果存在 cat /proc/net/ip_tables_names显示出来的内容,返回为1
echo -n $"${IPTABLES}: Flushing firewall rules: "
#显示
ret=0
# For all tables
for i in $NF_TABLES; do
# Flush firewall rules.
$IPTABLES -t $i -F;
let ret+=$?;
# Delete firewall chains.
$IPTABLES -t $i -X;
let ret+=$?;
# Set counter to zero.
$IPTABLES -t $i -Z;
let ret+=$?;
done
#将所有iptables表执行-F -X -Z的操作
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
set_policy() {
# Set policy for configured tables.
policy=$1
# Check if iptable module is loaded
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
#如果不存在/proc/net/ip_tables_names,则返回为0
# Check if firewall is configured (has tables)
tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
#如果存在 cat /proc/net/ip_tables_names显示出来的内容,赋值给tables变量
[ -z "$tables" ] && return 1
#tables变量是否有值,无值返回1
echo -n $"${IPTABLES}: Setting chains to policy $policy: "
ret=0
for i in $tables; do
echo -n "$i "
case "$i" in
raw)
$IPTABLES -t raw -P PREROUTING $policy
&& $IPTABLES -t raw -P OUTPUT $policy
|| let ret+=1
;;
filter)
$IPTABLES -t filter -P INPUT $policy
&& $IPTABLES -t filter -P OUTPUT $policy
&& $IPTABLES -t filter -P FORWARD $policy
|| let ret+=1
;;
nat)
$IPTABLES -t nat -P PREROUTING $policy
&& $IPTABLES -t nat -P POSTROUTING $policy
&& $IPTABLES -t nat -P OUTPUT $policy
|| let ret+=1
;;
mangle)
$IPTABLES -t mangle -P PREROUTING $policy
&& $IPTABLES -t mangle -P POSTROUTING $policy
&& $IPTABLES -t mangle -P INPUT $policy
&& $IPTABLES -t mangle -P OUTPUT $policy
&& $IPTABLES -t mangle -P FORWARD $policy
|| let ret+=1
;;
*)
let ret+=1
;;
esac
done
[ $ret -eq 0 ] && success || failure
echo
return $ret
#以上命令为执行各表的策略设置
}
start() {
# Do not start if there is no config file.
[ ! -f "$IPTABLES_DATA" ] && return 6
#如果/etc/sysconfig/iptables不存在,返回值为6
# check if ipv6 module load is deactivated
if [ "${_IPV}" = "ipv6" ]
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
echo $"${IPTABLES}: ${_IPV} is disabled."
return 150
fi
#检查ipv6模块是否加载
echo -n $"${IPTABLES}: Applying firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
$IPTABLES-restore $OPT $IPTABLES_DATA
#执行iptables-restore /etc/sysconfig/iptables恢复iptables设置的策略
if [ $? -eq 0 ]; then
success; echo
else
failure; echo; return 1
fi
#判断是否执行成功,并显示状态
# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
#加载iptables模块
[ $ret -eq 0 ] && success || failure
echo
fi
touch $VAR_SUBSYS_IPTABLES
#建立状态文件锁=/var/lock/subsys/iptables
return $ret
}
stop() {
# Do not stop if iptables module is not loaded.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
#不存在/proc/net/ip_tables_names
flush_n_delete
set_policy ACCEPT
if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
echo -n $"${IPTABLES}: Unloading modules: "
ret=0
for mod in ${NF_MODULES[*]}; do
rmmod_r $mod
let ret+=$?;
done
#卸载iptables模块
# try to unload remaining netfilter modules used by ipv4 and ipv6
# netfilter
for mod in ${NF_MODULES_COMMON[*]}; do
rmmod_r $mod >/dev/null
done
[ $ret -eq 0 ] && success || failure
echo
fi
rm -f $VAR_SUBSYS_IPTABLES
return $ret
}
save() {
# Check if iptable module is loaded
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
#不存在在/proc/net/ip_tables_names,返回0
# Check if firewall is configured (has tables)
[ -z "$NF_TABLES" ] && return 6
#是否存在
echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
ret=0
TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX)
&& chmod 600 "$TMP_FILE"
&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null
#iptables-save -c > 保存到文件
&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ]
|| ret=1#判断文件是否为空
if [ $ret -eq 0 ]; then
if [ -e $IPTABLES_DATA ]; then
cp -f $IPTABLES_DATA $IPTABLES_DATA.save #将/etc/sysconfig/iptables备份为iptables.save
&& chmod 600 $IPTABLES_DATA.save #更改/etc/sysconfig/iptables权限为600
&& restorecon $IPTABLES_DATA.save #更改/etc/sysconfig/iptables的selinux
|| ret=1
fi
if [ $ret -eq 0 ]; then
mv -f $TMP_FILE $IPTABLES_DATA
&& chmod 600 $IPTABLES_DATA
&& restorecon $IPTABLES_DATA
|| ret=1
fi
fi
rm -f $TMP_FILE
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
status() {
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
echo $"${IPTABLES}: Firewall is not running."
return 3
fi
#查看文件状态锁是否存在
# Do not print status if lockfile is missing and iptables modules are not
# loaded.
# Check if iptable modules are loaded
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
echo $"${IPTABLES}: Firewall modules are not loaded."
return 3
fi
#
# Check if firewall is configured (has tables)
if [ -z "$NF_TABLES" ]; then
echo $"${IPTABLES}: Firewall is not configured. "
return 3
fi
NUM=
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
VERBOSE=
[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
COUNT=
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
for table in $NF_TABLES; do
echo $"Table: $table"
$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
done
return 0
}
restart() {
[ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
stop
start
}
case "$1" in
start)
[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
start
RETVAL=$?
;;
stop)
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
stop
RETVAL=$?
;;
restart|force-reload)
restart
RETVAL=$?
;;
reload)
# unimplemented
RETVAL=3
;;
condrestart|try-restart)
[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
restart
RETVAL=$?
;;
status)
status
RETVAL=$?
;;
panic)
flush_n_delete
set_policy DROP
RETVAL=$?
;;
save)
save
RETVAL=$?
;;
*)
echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
RETVAL=2
;;
esac
exit $RETVAL
附录
lsmod命令
第1列:表示模块的名称。
第2列:表示模块的大小。
第3列:表示依赖模块的个数。
第4列:表示依赖模块的内容。
转载请注明文章转自:良玉的博客 [ http://blog.uouo123.com ]