Created
August 24, 2013 12:19
-
-
Save hendricius/6327806 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # firewall Start iptables firewall | |
| # chkconfig: 2345 97 87 | |
| # description: Starts, stops and saves iptables firewall | |
| # This script sets up the firewall for the INPUT chain (which is for | |
| # the HN itself) and then processes the config files under | |
| # /etc/firewall.d to set up additional rules in the FORWARD chain | |
| # to allow access to containers' services. | |
| # http://wiki.openvz.org/Setting_up_an_iptables_firewall | |
| . /etc/init.d/functions | |
| # the IP block allocated to this server | |
| SEGMENT="78.47.95.216/29" | |
| # the IP used by the hosting server itself | |
| THISHOST="144.76.102.181" | |
| # services that should be allowed to the HN; | |
| # services for containers are configured in /etc/firewall.d/* | |
| OKPORTS="22" | |
| # hosts allowed full access through the firewall, | |
| # to all containers and to this server | |
| DMZS="78.47.95.217 144.76.102.185 78.47.95.218" | |
| success() { | |
| echo -n "...success" | |
| } | |
| failure() { | |
| echo -n "...failure" | |
| } | |
| purge() { | |
| echo -n "Firewall: Purging and allowing all traffic" | |
| iptables -P OUTPUT ACCEPT | |
| iptables -P FORWARD ACCEPT | |
| iptables -P INPUT ACCEPT | |
| iptables -F | |
| success ; echo | |
| } | |
| setup() { | |
| echo -n "Firewall: Setting default policies to DROP" | |
| iptables -P INPUT DROP | |
| iptables -P FORWARD DROP | |
| iptables -I INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED | |
| iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED | |
| iptables -I INPUT -j ACCEPT -i lo | |
| success ; echo | |
| echo "Firewall: Allowing access to HN" | |
| for port in $OKPORTS ; do | |
| echo -n " port $port" | |
| iptables -I INPUT -j ACCEPT -d $THISHOST --protocol tcp --destination-port $port | |
| iptables -I INPUT -j ACCEPT -d $THISHOST --protocol udp --destination-port $port | |
| success ; echo | |
| done | |
| for ip in $DMZS ; do | |
| echo -n " DMZ $ip" | |
| iptables -I INPUT -i eth0 -j ACCEPT -s $ip | |
| iptables -I FORWARD -i eth0 -j ACCEPT -s $ip | |
| success ; echo | |
| done | |
| CTSETUPS=`echo /etc/firewall.d/*` | |
| if [ "$CTSETUPS" != "/etc/firewall.d/*" ] ; then | |
| echo "Firewall: Setting up container firewalls" | |
| for i in $CTSETUPS ; do | |
| . $i | |
| echo -n " $CTNAME CT$CTID" | |
| if [ -n "$BANNED" ]; then | |
| for source in $BANNED ; do iptables -I FORWARD -j DROP --destination $CTIP --source $source ; done | |
| fi | |
| if [ -n "$OPENPORTS" ]; then | |
| for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --destination-port $port ; done | |
| for port in $OPENPORTS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --destination-port $port ; done | |
| fi | |
| if [ -n "$DMZS" ]; then | |
| for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol tcp --destination $CTIP --source $source ; done | |
| for source in $DMZS ; do iptables -I FORWARD -j ACCEPT --protocol udp --destination $CTIP --source $source ; done | |
| fi | |
| [ $? -eq 0 ] && success || failure | |
| echo | |
| done | |
| fi | |
| } | |
| case "$1" in | |
| start) | |
| echo "Starting firewall..." | |
| purge | |
| setup | |
| ;; | |
| stop) | |
| echo "Stopping firewall..." | |
| purge | |
| ;; | |
| restart) | |
| $0 stop | |
| $0 start | |
| ;; | |
| status) | |
| iptables -n -L | |
| ;; | |
| *) | |
| echo "Usage: $0 <start|stop|restart|status>" | |
| ;; | |
| esac |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment