首页 > 代码库 > iptables启动脚本分析
iptables启动脚本分析
#!/bin/sh # # iptables Start iptables firewall # # chkconfig: 2345 08 92 # description: Starts, stops and saves iptables firewall # # config: /etc/sysconfig/iptables # config: /etc/sysconfig/iptables-config # ### BEGIN INIT INFO # Provides: iptables # Required-Start: # Required-Stop: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: start and stop iptables firewall # Description: Start, stop and save iptables firewall ### END INIT INFO # Source function library. . /etc/init.d/functions IPTABLES=iptables #变量IPTABLES IPTABLES_DATA=/etc/sysconfig/$IPTABLES #变量IPTABLES_DATA=/etc/sysconfig/iptables IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config #变量IPTABLES+CONFIG=/etc/sysoncifg/iptables-config IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 #变量IPV,${IPTABLES%tables},将上一个变量IPTABLES的tables字符串删除 [ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" #如IPV=ip就执行_IPV=ipv4否则就执行_IPV=ipv6 PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names #变量PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names 查看 /proc/net/有如下文件 #ls /proc/net/ip* #/proc/net/ip6_flowlabel /proc/net/ip6_mr_vif /proc/net/ip_mr_vif /proc/net/ip_tables_names /proc/net/ipv6_route /proc/net/ip6_mr_cache /proc/net/ip_mr_cache /proc/net/ip_tables_matches /proc/net/ip_tables_targets VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES #变量VAR_SUBSYS_IPTABLES设置状态锁文件 # only usable for root [ $EUID = 0 ] || exit 4 #判断是否是root用户,否则退出状态为4 if [ ! -x /sbin/$IPTABLES ]; then #判断/sbin/iptables不存在,就显示下面的警告信息 echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo exit 5 #退出状态为5 fi # Old or new modutils /sbin/modprobe --version 2>&1 | grep -q module-init-tools && NEW_MODUTILS=1 || NEW_MODUTILS=0 # Default firewall configuration: IPTABLES_MODULES="" IPTABLES_MODULES_UNLOAD="yes" IPTABLES_SAVE_ON_STOP="no" IPTABLES_SAVE_ON_RESTART="no" IPTABLES_SAVE_COUNTER="no" IPTABLES_STATUS_NUMERIC="yes" IPTABLES_STATUS_VERBOSE="no" IPTABLES_STATUS_LINENUMBERS="yes" # Load firewall configuration. [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" #判断是否存在/etc/sysoncifg/iptables-config # Netfilter modules NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print $1}") ${IPV}_tables) # 查看启动iptables加载的模块,当iptables用此脚本停止时,模块是没有加载的 #----#lsmod|awk "/^iptable_/ {print $1}" $ip_tables---- #---iptable_filter------------------------------------- #---iptable_nat---------------------------------------- NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6 # Get active tables NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) #查看系统加载的iptables模块 #--------- #cat /proc/net/ip_tables_names--------- #---------filter---------------------------------- #---------nat------------------------------------- rmmod_r() { # Unload module with all referring modules. # At first all referring modules will be unloaded, then the module itself. local mod=$1 #定义一个局部变量mod=$1 local ret=0 #定义一个局部变量ret=0 local ref= #定义一个局部变量ref # Get referring modules. # New modutils have another output format. [ $NEW_MODUTILS = 1 ] && ref=$(lsmod | awk "/^${mod}/ { print $4; }" | tr ',' ' ') || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1) #如果NEW_MODUTILSd的值1,即判断modprobe --version|grep -q module-init-tools成功, #lsmod打印第4列,显示出模块的内容,并将显示出的,全部删除 #如果NEW_MODUTILSd的值0,就执行后面 # recursive call for all referring modules for i in $ref; do rmmod_r $i let ret+=$?; done #删除已经加载的iptables模块 # Unload module. # The extra test is for 2.6: The module might have autocleaned, # after all referring modules are unloaded. if grep -q "^${mod}" /proc/modules ; then #查看iptables的模块 modprobe -r $mod > /dev/null 2>&1 #modprobe -r删除存在的iptables模块 res=$? #查看状态 [ $res -eq 0 ] || echo -n " $mod" #执行成功,显示内容 let ret+=$res; fi return $ret #===========================================# cat /proc/modules |grep ip iptable_filter 2759 0 - Live 0xffffffffa02e1000 iptable_nat 6124 1 - Live 0xffffffffa029b000 nf_nat 22788 1 iptable_nat, Live 0xffffffffa02d1000 nf_conntrack_ipv4 9440 3 iptable_nat,nf_nat, Live 0xffffffffa0286000 nf_conntrack 79643 3 iptable_nat,nf_nat,nf_conntrack_ipv4, Live 0xffffffffa02b0000 nf_defrag_ipv4 1449 1 nf_conntrack_ipv4, Live 0xffffffffa0257000 ip_tables 17765 2 iptable_filter,iptable_nat, Live 0xffffffffa02a9000 ipv6 322899 74 - Live 0xffffffffa01ab000 #====================================================# } flush_n_delete() { #情况默认策略 # Flush firewall rules and delete chains. [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 #如果不存在/proc/net/ip_tables_names,则返回为0 # Check if firewall is configured (has tables) [ -z "$NF_TABLES" ] && return 1 #如果存在 cat /proc/net/ip_tables_names显示出来的内容,返回为1 echo -n $"${IPTABLES}: Flushing firewall rules: " #显示 ret=0 # For all tables for i in $NF_TABLES; do # Flush firewall rules. $IPTABLES -t $i -F; let ret+=$?; # Delete firewall chains. $IPTABLES -t $i -X; let ret+=$?; # Set counter to zero. $IPTABLES -t $i -Z; let ret+=$?; done #将所有iptables表执行-F -X -Z的操作 [ $ret -eq 0 ] && success || failure echo return $ret } set_policy() { # Set policy for configured tables. policy=$1 # Check if iptable module is loaded [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 #如果不存在/proc/net/ip_tables_names,则返回为0 # Check if firewall is configured (has tables) tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) #如果存在 cat /proc/net/ip_tables_names显示出来的内容,赋值给tables变量 [ -z "$tables" ] && return 1 #tables变量是否有值,无值返回1 echo -n $"${IPTABLES}: Setting chains to policy $policy: " ret=0 for i in $tables; do echo -n "$i " case "$i" in raw) $IPTABLES -t raw -P PREROUTING $policy && $IPTABLES -t raw -P OUTPUT $policy || let ret+=1 ;; filter) $IPTABLES -t filter -P INPUT $policy && $IPTABLES -t filter -P OUTPUT $policy && $IPTABLES -t filter -P FORWARD $policy || let ret+=1 ;; nat) $IPTABLES -t nat -P PREROUTING $policy && $IPTABLES -t nat -P POSTROUTING $policy && $IPTABLES -t nat -P OUTPUT $policy || let ret+=1 ;; mangle) $IPTABLES -t mangle -P PREROUTING $policy && $IPTABLES -t mangle -P POSTROUTING $policy && $IPTABLES -t mangle -P INPUT $policy && $IPTABLES -t mangle -P OUTPUT $policy && $IPTABLES -t mangle -P FORWARD $policy || let ret+=1 ;; *) let ret+=1 ;; esac done [ $ret -eq 0 ] && success || failure echo return $ret #以上命令为执行各表的策略设置 } start() { # Do not start if there is no config file. [ ! -f "$IPTABLES_DATA" ] && return 6 #如果/etc/sysconfig/iptables不存在,返回值为6 # check if ipv6 module load is deactivated if [ "${_IPV}" = "ipv6" ] && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then echo $"${IPTABLES}: ${_IPV} is disabled." return 150 fi #检查ipv6模块是否加载 echo -n $"${IPTABLES}: Applying firewall rules: " OPT= [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" $IPTABLES-restore $OPT $IPTABLES_DATA #执行iptables-restore /etc/sysconfig/iptables恢复iptables设置的策略 if [ $? -eq 0 ]; then success; echo else failure; echo; return 1 fi #判断是否执行成功,并显示状态 # Load additional modules (helpers) if [ -n "$IPTABLES_MODULES" ]; then echo -n $"${IPTABLES}: Loading additional modules: " ret=0 for mod in $IPTABLES_MODULES; do echo -n "$mod " modprobe $mod > /dev/null 2>&1 let ret+=$?; done #加载iptables模块 [ $ret -eq 0 ] && success || failure echo fi touch $VAR_SUBSYS_IPTABLES #建立状态文件锁=/var/lock/subsys/iptables return $ret } stop() { # Do not stop if iptables module is not loaded. [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 #不存在/proc/net/ip_tables_names flush_n_delete set_policy ACCEPT if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then echo -n $"${IPTABLES}: Unloading modules: " ret=0 for mod in ${NF_MODULES[*]}; do rmmod_r $mod let ret+=$?; done #卸载iptables模块 # try to unload remaining netfilter modules used by ipv4 and ipv6 # netfilter for mod in ${NF_MODULES_COMMON[*]}; do rmmod_r $mod >/dev/null done [ $ret -eq 0 ] && success || failure echo fi rm -f $VAR_SUBSYS_IPTABLES return $ret } save() { # Check if iptable module is loaded [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 #不存在在/proc/net/ip_tables_names,返回0 # Check if firewall is configured (has tables) [ -z "$NF_TABLES" ] && return 6 #是否存在 echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " OPT= [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" ret=0 TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) && chmod 600 "$TMP_FILE" && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null #iptables-save -c > 保存到文件 && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] || ret=1#判断文件是否为空 if [ $ret -eq 0 ]; then if [ -e $IPTABLES_DATA ]; then cp -f $IPTABLES_DATA $IPTABLES_DATA.save #将/etc/sysconfig/iptables备份为iptables.save && chmod 600 $IPTABLES_DATA.save #更改/etc/sysconfig/iptables权限为600 && restorecon $IPTABLES_DATA.save #更改/etc/sysconfig/iptables的selinux || ret=1 fi if [ $ret -eq 0 ]; then mv -f $TMP_FILE $IPTABLES_DATA && chmod 600 $IPTABLES_DATA && restorecon $IPTABLES_DATA || ret=1 fi fi rm -f $TMP_FILE [ $ret -eq 0 ] && success || failure echo return $ret } status() { if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then echo $"${IPTABLES}: Firewall is not running." return 3 fi #查看文件状态锁是否存在 # Do not print status if lockfile is missing and iptables modules are not # loaded. # Check if iptable modules are loaded if [ ! -e "$PROC_IPTABLES_NAMES" ]; then echo $"${IPTABLES}: Firewall modules are not loaded." return 3 fi # # Check if firewall is configured (has tables) if [ -z "$NF_TABLES" ]; then echo $"${IPTABLES}: Firewall is not configured. " return 3 fi NUM= [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" VERBOSE= [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" COUNT= [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" for table in $NF_TABLES; do echo $"Table: $table" $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo done return 0 } restart() { [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save stop start } case "$1" in start) [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0 start RETVAL=$? ;; stop) [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save stop RETVAL=$? ;; restart|force-reload) restart RETVAL=$? ;; reload) # unimplemented RETVAL=3 ;; condrestart|try-restart) [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0 restart RETVAL=$? ;; status) status RETVAL=$? ;; panic) flush_n_delete set_policy DROP RETVAL=$? ;; save) save RETVAL=$? ;; *) echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}" RETVAL=2 ;; esac exit $RETVAL 附录 lsmod命令 第1列:表示模块的名称。 第2列:表示模块的大小。 第3列:表示依赖模块的个数。 第4列:表示依赖模块的内容。
声明:以上内容来自用户投稿及互联网公开渠道收集整理发布,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任,若内容有误或涉及侵权可进行投诉: 投诉/举报 工作人员会在5个工作日内联系你,一经查实,本站将立刻删除涉嫌侵权内容。