iptables启动脚本分析
- #!/bin/sh
- #
- # iptables Start iptables firewall
- #
- # chkconfig: 2345 08 92
- # description: Starts, stops and saves iptables firewall
- #
- # config: /etc/sysconfig/iptables
- # config: /etc/sysconfig/iptables-config
- #
- ### BEGIN INIT INFO
- # Provides: iptables
- # Required-Start:
- # Required-Stop:
- # Default-Start: 2 3 4 5
- # Default-Stop: 0 1 6
- # Short-Description: start and stop iptables firewall
- # Description: Start, stop and save iptables firewall
- ### END INIT INFO
- # Source function library.
- . /etc/init.d/functions
- IPTABLES=iptables #变量IPTABLES
- IPTABLES_DATA=/etc/sysconfig/$IPTABLES #变量IPTABLES_DATA=/etc/sysconfig/iptables
- IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config #变量IPTABLES+CONFIG=/etc/sysoncifg/iptables-config
- IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 #变量IPV,${IPTABLES%tables},将上一个变量IPTABLES的tables字符串删除
- [ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" #如IPV=ip就执行_IPV=ipv4否则就执行_IPV=ipv6
- PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names #变量PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names 查看 /proc/net/有如下文件
- #ls /proc/net/ip*
- #/proc/net/ip6_flowlabel /proc/net/ip6_mr_vif /proc/net/ip_mr_vif /proc/net/ip_tables_names /proc/net/ipv6_route /proc/net/ip6_mr_cache /proc/net/ip_mr_cache /proc/net/ip_tables_matches /proc/net/ip_tables_targets
- VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES #变量VAR_SUBSYS_IPTABLES设置状态锁文件
- # only usable for root
- [ $EUID = 0 ] || exit 4 #判断是否是root用户,否则退出状态为4
- if [ ! -x /sbin/$IPTABLES ]; then #判断/sbin/iptables不存在,就显示下面的警告信息
- echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
- exit 5 #退出状态为5
- fi
- # Old or new modutils
- /sbin/modprobe --version 2>&1 | grep -q module-init-tools \
- && NEW_MODUTILS=1 \
- || NEW_MODUTILS=0
- # Default firewall configuration:
- IPTABLES_MODULES=""
- IPTABLES_MODULES_UNLOAD="yes"
- IPTABLES_SAVE_ON_STOP="no"
- IPTABLES_SAVE_ON_RESTART="no"
- IPTABLES_SAVE_COUNTER="no"
- IPTABLES_STATUS_NUMERIC="yes"
- IPTABLES_STATUS_VERBOSE="no"
- IPTABLES_STATUS_LINENUMBERS="yes"
- # Load firewall configuration.
- [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" #判断是否存在/etc/sysoncifg/iptables-config
- # Netfilter modules
- NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
- # 查看启动iptables加载的模块,当iptables用此脚本停止时,模块是没有加载的
- #----#lsmod|awk "/^iptable_/ {print \$1}" $ip_tables----
- #---iptable_filter-------------------------------------
- #---iptable_nat----------------------------------------
- NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
- # Get active tables
- NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
- #查看系统加载的iptables模块
- #--------- #cat /proc/net/ip_tables_names---------
- #---------filter----------------------------------
- #---------nat-------------------------------------
- rmmod_r() {
- # Unload module with all referring modules.
- # At first all referring modules will be unloaded, then the module itself.
- local mod=$1 #定义一个局部变量mod=$1
- local ret=0 #定义一个局部变量ret=0
- local ref= #定义一个局部变量ref
- # Get referring modules.
- # New modutils have another output format.
- [ $NEW_MODUTILS = 1 ] \
- && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \
- || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
- #如果NEW_MODUTILSd的值1,即判断modprobe --version|grep -q module-init-tools成功,
- #lsmod打印第4列,显示出模块的内容,并将显示出的,全部删除
- #如果NEW_MODUTILSd的值0,就执行后面
- # recursive call for all referring modules
- for i in $ref; do
- rmmod_r $i
- let ret+=$?;
- done
- #删除已经加载的iptables模块
- # Unload module.
- # The extra test is for 2.6: The module might have autocleaned,
- # after all referring modules are unloaded.
- if grep -q "^${mod}" /proc/modules ; then #查看iptables的模块
- modprobe -r $mod > /dev/null 2>&1 #modprobe -r删除存在的iptables模块
- res=$? #查看状态
- [ $res -eq 0 ] || echo -n " $mod" #执行成功,显示内容
- let ret+=$res;
- fi
- return $ret
- #===========================================#
- cat /proc/modules |grep ip
- iptable_filter 2759 0 - Live 0xffffffffa02e1000
- iptable_nat 6124 1 - Live 0xffffffffa029b000
- nf_nat 22788 1 iptable_nat, Live 0xffffffffa02d1000
- nf_conntrack_ipv4 9440 3 iptable_nat,nf_nat, Live 0xffffffffa0286000
- nf_conntrack 79643 3 iptable_nat,nf_nat,nf_conntrack_ipv4, Live 0xffffffffa02b0000
- nf_defrag_ipv4 1449 1 nf_conntrack_ipv4, Live 0xffffffffa0257000
- ip_tables 17765 2 iptable_filter,iptable_nat, Live 0xffffffffa02a9000
- ipv6 322899 74 - Live 0xffffffffa01ab000
- #====================================================#
- }
- flush_n_delete() {
- #情况默认策略
- # Flush firewall rules and delete chains.
- [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
- #如果不存在/proc/net/ip_tables_names,则返回为0
- # Check if firewall is configured (has tables)
- [ -z "$NF_TABLES" ] && return 1
- #如果存在 cat /proc/net/ip_tables_names显示出来的内容,返回为1
- echo -n $"${IPTABLES}: Flushing firewall rules: "
- #显示
- ret=0
- # For all tables
- for i in $NF_TABLES; do
- # Flush firewall rules.
- $IPTABLES -t $i -F;
- let ret+=$?;
- # Delete firewall chains.
- $IPTABLES -t $i -X;
- let ret+=$?;
- # Set counter to zero.
- $IPTABLES -t $i -Z;
- let ret+=$?;
- done
- #将所有iptables表执行-F -X -Z的操作
- [ $ret -eq 0 ] && success || failure
- echo
- return $ret
- }
- set_policy() {
- # Set policy for configured tables.
- policy=$1
- # Check if iptable module is loaded
- [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
- #如果不存在/proc/net/ip_tables_names,则返回为0
- # Check if firewall is configured (has tables)
- tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
- #如果存在 cat /proc/net/ip_tables_names显示出来的内容,赋值给tables变量
- [ -z "$tables" ] && return 1
- #tables变量是否有值,无值返回1
- echo -n $"${IPTABLES}: Setting chains to policy $policy: "
- ret=0
- for i in $tables; do
- echo -n "$i "
- case "$i" in
- raw)
- $IPTABLES -t raw -P PREROUTING $policy \
- && $IPTABLES -t raw -P OUTPUT $policy \
- || let ret+=1
- ;;
- filter)
- $IPTABLES -t filter -P INPUT $policy \
- && $IPTABLES -t filter -P OUTPUT $policy \
- && $IPTABLES -t filter -P FORWARD $policy \
- || let ret+=1
- ;;
- nat)
- $IPTABLES -t nat -P PREROUTING $policy \
- && $IPTABLES -t nat -P POSTROUTING $policy \
- && $IPTABLES -t nat -P OUTPUT $policy \
- || let ret+=1
- ;;
- mangle)
- $IPTABLES -t mangle -P PREROUTING $policy \
- && $IPTABLES -t mangle -P POSTROUTING $policy \
- && $IPTABLES -t mangle -P INPUT $policy \
- && $IPTABLES -t mangle -P OUTPUT $policy \
- && $IPTABLES -t mangle -P FORWARD $policy \
- || let ret+=1
- ;;
- *)
- let ret+=1
- ;;
- esac
- done
- [ $ret -eq 0 ] && success || failure
- echo
- return $ret
- #以上命令为执行各表的策略设置
- }
- start() {
- # Do not start if there is no config file.
- [ ! -f "$IPTABLES_DATA" ] && return 6
- #如果/etc/sysconfig/iptables不存在,返回值为6
- # check if ipv6 module load is deactivated
- if [ "${_IPV}" = "ipv6" ] \
- && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
- echo $"${IPTABLES}: ${_IPV} is disabled."
- return 150
- fi
- #检查ipv6模块是否加载
- echo -n $"${IPTABLES}: Applying firewall rules: "
- OPT=
- [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
- $IPTABLES-restore $OPT $IPTABLES_DATA
- #执行iptables-restore /etc/sysconfig/iptables恢复iptables设置的策略
- if [ $? -eq 0 ]; then
- success; echo
- else
- failure; echo; return 1
- fi
- #判断是否执行成功,并显示状态
- # Load additional modules (helpers)
- if [ -n "$IPTABLES_MODULES" ]; then
- echo -n $"${IPTABLES}: Loading additional modules: "
- ret=0
- for mod in $IPTABLES_MODULES; do
- echo -n "$mod "
- modprobe $mod > /dev/null 2>&1
- let ret+=$?;
- done
- #加载iptables模块
- [ $ret -eq 0 ] && success || failure
- echo
- fi
- touch $VAR_SUBSYS_IPTABLES
- #建立状态文件锁=/var/lock/subsys/iptables
- return $ret
- }
- stop() {
- # Do not stop if iptables module is not loaded.
- [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
- #不存在/proc/net/ip_tables_names
- flush_n_delete
- set_policy ACCEPT
- if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
- echo -n $"${IPTABLES}: Unloading modules: "
- ret=0
- for mod in ${NF_MODULES[*]}; do
- rmmod_r $mod
- let ret+=$?;
- done
- #卸载iptables模块
- # try to unload remaining netfilter modules used by ipv4 and ipv6
- # netfilter
- for mod in ${NF_MODULES_COMMON[*]}; do
- rmmod_r $mod >/dev/null
- done
- [ $ret -eq 0 ] && success || failure
- echo
- fi
- rm -f $VAR_SUBSYS_IPTABLES
- return $ret
- }
- save() {
- # Check if iptable module is loaded
- [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
- #不存在在/proc/net/ip_tables_names,返回0
- # Check if firewall is configured (has tables)
- [ -z "$NF_TABLES" ] && return 6
- #是否存在
- echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
- OPT=
- [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
- ret=0
- TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
- && chmod 600 "$TMP_FILE" \
- && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
- #iptables-save -c > 保存到文件
- && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
- || ret=1#判断文件是否为空
- if [ $ret -eq 0 ]; then
- if [ -e $IPTABLES_DATA ]; then
- cp -f $IPTABLES_DATA $IPTABLES_DATA.save \ #将/etc/sysconfig/iptables备份为iptables.save
- && chmod 600 $IPTABLES_DATA.save \ #更改/etc/sysconfig/iptables权限为600
- && restorecon $IPTABLES_DATA.save \ #更改/etc/sysconfig/iptables的selinux
- || ret=1
- fi
- if [ $ret -eq 0 ]; then
- mv -f $TMP_FILE $IPTABLES_DATA \
- && chmod 600 $IPTABLES_DATA \
- && restorecon $IPTABLES_DATA \
- || ret=1
- fi
- fi
- rm -f $TMP_FILE
- [ $ret -eq 0 ] && success || failure
- echo
- return $ret
- }
- status() {
- if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
- echo $"${IPTABLES}: Firewall is not running."
- return 3
- fi
- #查看文件状态锁是否存在
- # Do not print status if lockfile is missing and iptables modules are not
- # loaded.
- # Check if iptable modules are loaded
- if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
- echo $"${IPTABLES}: Firewall modules are not loaded."
- return 3
- fi
- #
- # Check if firewall is configured (has tables)
- if [ -z "$NF_TABLES" ]; then
- echo $"${IPTABLES}: Firewall is not configured. "
- return 3
- fi
- NUM=
- [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
- VERBOSE=
- [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
- COUNT=
- [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
- for table in $NF_TABLES; do
- echo $"Table: $table"
- $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
- done
- return 0
- }
- restart() {
- [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
- stop
- start
- }
- case "$1" in
- start)
- [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
- start
- RETVAL=$?
- ;;
- stop)
- [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
- stop
- RETVAL=$?
- ;;
- restart|force-reload)
- restart
- RETVAL=$?
- ;;
- reload)
- # unimplemented
- RETVAL=3
- ;;
- condrestart|try-restart)
- [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
- restart
- RETVAL=$?
- ;;
- status)
- status
- RETVAL=$?
- ;;
- panic)
- flush_n_delete
- set_policy DROP
- RETVAL=$?
- ;;
- save)
- save
- RETVAL=$?
- ;;
- *)
- echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
- RETVAL=2
- ;;
- esac
- exit $RETVAL
- 附录
- lsmod命令
- 第1列:表示模块的名称。
- 第2列:表示模块的大小。
- 第3列:表示依赖模块的个数。
- 第4列:表示依赖模块的内容。
- 注:本文为itnihao原创。