首页 > 代码库 > iptables启动脚本分析

iptables启动脚本分析

#!/bin/sh   
#   
# iptables      Start iptables firewall   
#   
# chkconfig: 2345 08 92   
# description:  Starts, stops and saves iptables firewall   
#   
# config: /etc/sysconfig/iptables   
# config: /etc/sysconfig/iptables-config   
#   
### BEGIN INIT INFO   
# Provides: iptables   
# Required-Start:   
# Required-Stop:   
# Default-Start: 2 3 4 5   
# Default-Stop: 0 1 6   
# Short-Description: start and stop iptables firewall   
# Description: Start, stop and save iptables firewall   
### END INIT INFO   
         
# Source function library.   
. /etc/init.d/functions   
         
IPTABLES=iptables                                       #变量IPTABLES   
IPTABLES_DATA=/etc/sysconfig/$IPTABLES                  #变量IPTABLES_DATA=/etc/sysconfig/iptables   
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config       #变量IPTABLES+CONFIG=/etc/sysoncifg/iptables-config   
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6     #变量IPV,${IPTABLES%tables},将上一个变量IPTABLES的tables字符串删除   
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"         #如IPV=ip就执行_IPV=ipv4否则就执行_IPV=ipv6   
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names       #变量PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names 查看 /proc/net/有如下文件   
#ls /proc/net/ip*   
#/proc/net/ip6_flowlabel  /proc/net/ip6_mr_vif   /proc/net/ip_mr_vif          /proc/net/ip_tables_names    /proc/net/ipv6_route /proc/net/ip6_mr_cache   /proc/net/ip_mr_cache  /proc/net/ip_tables_matches  /proc/net/ip_tables_targets   
         
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES          #变量VAR_SUBSYS_IPTABLES设置状态锁文件   
         
# only usable for root   
[ $EUID = 0 ] || exit 4                                 #判断是否是root用户,否则退出状态为4   
         
if [ ! -x /sbin/$IPTABLES ]; then                       #判断/sbin/iptables不存在,就显示下面的警告信息   
    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo   
    exit 5                                              #退出状态为5   
fi   
         
# Old or new modutils   
/sbin/modprobe --version 2>&1 | grep -q module-init-tools    
    && NEW_MODUTILS=1    
    || NEW_MODUTILS=0   
         
# Default firewall configuration:   
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
         
# Load firewall configuration.   
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"  #判断是否存在/etc/sysoncifg/iptables-config   
         
# Netfilter modules   
NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print $1}") ${IPV}_tables)   
# 查看启动iptables加载的模块,当iptables用此脚本停止时,模块是没有加载的   
#----#lsmod|awk "/^iptable_/ {print $1}" $ip_tables----   
#---iptable_filter-------------------------------------   
#---iptable_nat----------------------------------------   
         
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6   
         
# Get active tables   
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)   
#查看系统加载的iptables模块   
#--------- #cat /proc/net/ip_tables_names---------       
#---------filter----------------------------------   
#---------nat-------------------------------------   
         
         
rmmod_r() {    
    # Unload module with all referring modules.   
    # At first all referring modules will be unloaded, then the module itself.   
    local mod=$1  #定义一个局部变量mod=$1   
    local ret=0   #定义一个局部变量ret=0   
    local ref=    #定义一个局部变量ref
         
    # Get referring modules.   
    # New modutils have another output format.   
    [ $NEW_MODUTILS = 1 ]    
        && ref=$(lsmod | awk "/^${mod}/ { print $4; }" | tr ',' ' ')    
        || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)   
#如果NEW_MODUTILSd的值1,即判断modprobe --version|grep -q module-init-tools成功,   
#lsmod打印第4列,显示出模块的内容,并将显示出的,全部删除   
#如果NEW_MODUTILSd的值0,就执行后面   
         
         
# recursive call for all referring modules   
    for i in $ref; do
        rmmod_r $i     
        let ret+=$?;   
    done   
#删除已经加载的iptables模块   
         
    # Unload module.   
    # The extra test is for 2.6: The module might have autocleaned,   
    # after all referring modules are unloaded.   
    if grep -q "^${mod}" /proc/modules ; then #查看iptables的模块   
        modprobe -r $mod > /dev/null 2>&1     #modprobe -r删除存在的iptables模块    
        res=$?                                #查看状态   
        [ $res -eq 0 ] || echo -n " $mod"     #执行成功,显示内容   
        let ret+=$res;   
    fi   
         
    return $ret   
    #===========================================#   
cat /proc/modules |grep ip   
iptable_filter 2759 0 - Live 0xffffffffa02e1000   
iptable_nat 6124 1 - Live 0xffffffffa029b000   
nf_nat 22788 1 iptable_nat, Live 0xffffffffa02d1000   
nf_conntrack_ipv4 9440 3 iptable_nat,nf_nat, Live 0xffffffffa0286000   
nf_conntrack 79643 3 iptable_nat,nf_nat,nf_conntrack_ipv4, Live 0xffffffffa02b0000   
nf_defrag_ipv4 1449 1 nf_conntrack_ipv4, Live 0xffffffffa0257000   
ip_tables 17765 2 iptable_filter,iptable_nat, Live 0xffffffffa02a9000   
ipv6 322899 74 - Live 0xffffffffa01ab000   
#====================================================#   
         
             
}   
         
flush_n_delete() {   
    #情况默认策略   
    # Flush firewall rules and delete chains.   
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0   
#如果不存在/proc/net/ip_tables_names,则返回为0   
         
    # Check if firewall is configured (has tables)   
    [ -z "$NF_TABLES" ] && return 1   
#如果存在 cat /proc/net/ip_tables_names显示出来的内容,返回为1   
         
    echo -n $"${IPTABLES}: Flushing firewall rules: "
#显示      
    ret=0   
    # For all tables   
    for i in $NF_TABLES; do
        # Flush firewall rules.   
        $IPTABLES -t $i -F;   
        let ret+=$?;   
         
        # Delete firewall chains.   
        $IPTABLES -t $i -X;   
        let ret+=$?;   
         
        # Set counter to zero.   
        $IPTABLES -t $i -Z;   
        let ret+=$?;   
    done   
#将所有iptables表执行-F -X -Z的操作   
         
    [ $ret -eq 0 ] && success || failure   
    echo   
    return $ret   
}   
         
set_policy() {   
    # Set policy for configured tables.   
    policy=$1   
         
    # Check if iptable module is loaded   
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0   
#如果不存在/proc/net/ip_tables_names,则返回为0   
         
    # Check if firewall is configured (has tables)   
    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)   
    #如果存在 cat /proc/net/ip_tables_names显示出来的内容,赋值给tables变量   
    [ -z "$tables" ] && return 1   
    #tables变量是否有值,无值返回1   
         
    echo -n $"${IPTABLES}: Setting chains to policy $policy: "
    ret=0   
    for i in $tables; do
        echo -n "$i "
        case "$i" in
            raw)   
                $IPTABLES -t raw -P PREROUTING $policy    
                    && $IPTABLES -t raw -P OUTPUT $policy    
                    || let ret+=1   
                ;;   
            filter)   
                $IPTABLES -t filter -P INPUT $policy    
                    && $IPTABLES -t filter -P OUTPUT $policy    
                    && $IPTABLES -t filter -P FORWARD $policy    
                    || let ret+=1   
                ;;   
            nat)   
                $IPTABLES -t nat -P PREROUTING $policy    
                    && $IPTABLES -t nat -P POSTROUTING $policy    
                    && $IPTABLES -t nat -P OUTPUT $policy    
                    || let ret+=1   
                ;;   
            mangle)   
                $IPTABLES -t mangle -P PREROUTING $policy    
                    && $IPTABLES -t mangle -P POSTROUTING $policy    
                    && $IPTABLES -t mangle -P INPUT $policy    
                    && $IPTABLES -t mangle -P OUTPUT $policy    
                    && $IPTABLES -t mangle -P FORWARD $policy    
                    || let ret+=1   
                ;;   
            *)   
                let ret+=1   
                ;;   
        esac   
    done   
         
    [ $ret -eq 0 ] && success || failure   
    echo   
    return $ret   
    #以上命令为执行各表的策略设置   
}   
         
start() {   
    # Do not start if there is no config file.   
    [ ! -f "$IPTABLES_DATA" ] && return 6   
#如果/etc/sysconfig/iptables不存在,返回值为6   
         
    # check if ipv6 module load is deactivated   
    if [ "${_IPV}" = "ipv6" ]    
        && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then   
        echo $"${IPTABLES}: ${_IPV} is disabled."
        return 150   
    fi   
#检查ipv6模块是否加载   
    echo -n $"${IPTABLES}: Applying firewall rules: "
         
    OPT=   
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
         
    $IPTABLES-restore $OPT $IPTABLES_DATA   
    #执行iptables-restore /etc/sysconfig/iptables恢复iptables设置的策略   
    if [ $? -eq 0 ]; then   
        success; echo   
    else
        failure; echo; return 1   
    fi   
    #判断是否执行成功,并显示状态   
         
    # Load additional modules (helpers)   
    if [ -n "$IPTABLES_MODULES" ]; then   
        echo -n $"${IPTABLES}: Loading additional modules: "
        ret=0   
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe $mod > /dev/null 2>&1   
            let ret+=$?;   
        done   
    #加载iptables模块   
        [ $ret -eq 0 ] && success || failure   
        echo   
    fi   
             
    touch $VAR_SUBSYS_IPTABLES   
    #建立状态文件锁=/var/lock/subsys/iptables   
    return $ret   
}   
         
stop() {   
    # Do not stop if iptables module is not loaded.   
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0   
#不存在/proc/net/ip_tables_names   
    flush_n_delete   
    set_policy ACCEPT   
             
    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then   
        echo -n $"${IPTABLES}: Unloading modules: "
        ret=0   
        for mod in ${NF_MODULES[*]}; do
            rmmod_r $mod   
            let ret+=$?;   
        done   
    #卸载iptables模块   
        # try to unload remaining netfilter modules used by ipv4 and ipv6    
        # netfilter   
        for mod in ${NF_MODULES_COMMON[*]}; do
            rmmod_r $mod >/dev/null
        done   
        [ $ret -eq 0 ] && success || failure   
        echo   
    fi   
             
    rm -f $VAR_SUBSYS_IPTABLES   
    return $ret   
}   
         
save() {   
    # Check if iptable module is loaded   
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0   
#不存在在/proc/net/ip_tables_names,返回0   
    # Check if firewall is configured (has tables)   
    [ -z "$NF_TABLES" ] && return 6   
#是否存在   
    echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
         
    OPT=   
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
         
    ret=0   
    TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX)    
        && chmod 600 "$TMP_FILE"   
        && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null   
    #iptables-save -c > 保存到文件   
        && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ]    
        || ret=1#判断文件是否为空   
    if [ $ret -eq 0 ]; then   
        if [ -e $IPTABLES_DATA ]; then   
            cp -f $IPTABLES_DATA $IPTABLES_DATA.save  #将/etc/sysconfig/iptables备份为iptables.save   
                && chmod 600 $IPTABLES_DATA.save    #更改/etc/sysconfig/iptables权限为600   
                && restorecon $IPTABLES_DATA.save   #更改/etc/sysconfig/iptables的selinux   
                || ret=1   
        fi   
        if [ $ret -eq 0 ]; then   
            mv -f $TMP_FILE $IPTABLES_DATA    
                && chmod 600 $IPTABLES_DATA    
                && restorecon $IPTABLES_DATA    
                || ret=1   
        fi   
    fi   
    rm -f $TMP_FILE   
    [ $ret -eq 0 ] && success || failure   
    echo   
    return $ret   
}   
         
status() {   
    if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then   
        echo $"${IPTABLES}: Firewall is not running."
        return 3   
    fi   
    #查看文件状态锁是否存在   
         
    # Do not print status if lockfile is missing and iptables modules are not    
    # loaded.   
    # Check if iptable modules are loaded   
    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then   
        echo $"${IPTABLES}: Firewall modules are not loaded."
        return 3   
    fi   
#   
    # Check if firewall is configured (has tables)   
    if [ -z "$NF_TABLES" ]; then   
        echo $"${IPTABLES}: Firewall is not configured. "
        return 3   
    fi   
         
    NUM=   
    [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
    VERBOSE=    
    [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
    COUNT=   
    [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
         
    for table in $NF_TABLES; do
        echo $"Table: $table"
        $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo   
    done   
         
    return 0   
}   
         
restart() {   
    [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save   
    stop   
    start   
}   
         
         
case "$1" in
    start)   
        [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0   
        start   
        RETVAL=$?   
        ;;   
    stop)   
        [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save   
        stop   
        RETVAL=$?   
        ;;   
    restart|force-reload)   
        restart   
        RETVAL=$?   
        ;;   
    reload)   
        # unimplemented   
        RETVAL=3   
        ;;   
    condrestart|try-restart)   
        [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0   
        restart   
        RETVAL=$?   
        ;;   
    status)   
        status   
        RETVAL=$?   
        ;;   
    panic)   
        flush_n_delete   
        set_policy DROP   
        RETVAL=$?   
        ;;   
    save)   
        save   
        RETVAL=$?   
        ;;   
    *)   
        echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
        RETVAL=2   
        ;;   
esac   
         
exit $RETVAL   
         
附录   
lsmod命令   
第1列:表示模块的名称。   
第2列:表示模块的大小。   
第3列:表示依赖模块的个数。   
第4列:表示依赖模块的内容。