Initiator  0Ӿ 0Ӿ(li~ҁz.h*bѿ t Կ#!/bin/bash # iptables-apply -- a safer way to update iptables remotely # # Usage: # iptables-apply [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]} # # Versions: # * 1.0 Copyright 2006 Martin F. Krafft # Original version # * 1.1 Copyright 2010 GW # Added parameter -c (run command) # Added parameter -w (save successfully applied rules to file) # Major code cleanup # # Released under the terms of the Artistic Licence 2.0 # set -eu PROGNAME="${0##*/}" VERSION=1.1 ### Default settings DEF_TIMEOUT=10 MODE=0 # apply rulesfile mode # MODE=1 # run command mode case "$PROGNAME" in (*6*) SAVE=ip6tables-save RESTORE=ip6tables-restore DEF_RULESFILE="/etc/network/ip6tables.up.rules" DEF_SAVEFILE="$DEF_RULESFILE" DEF_RUNCMD="/etc/network/ip6tables.up.run" ;; (*) SAVE=iptables-save RESTORE=iptables-restore DEF_RULESFILE="/etc/network/iptables.up.rules" DEF_SAVEFILE="$DEF_RULESFILE" DEF_RUNCMD="/etc/network/iptables.up.run" ;; esac ### Functions function blurb() { cat <<-__EOF__ $PROGNAME $VERSION -- a safer way to update iptables remotely __EOF__ } function copyright() { cat <<-__EOF__ $PROGNAME has been published under the terms of the Artistic Licence 2.0. Original version - Copyright 2006 Martin F. Krafft . Version 1.1 - Copyright 2010 GW . __EOF__ } function about() { blurb echo copyright } function usage() { blurb echo cat <<-__EOF__ Usage: $PROGNAME [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]} The script will try to apply a new rulesfile (as output by iptables-save, read by iptables-restore) or run a command to configure iptables and then prompt the user whether the changes are okay. If the new iptables rules cut the existing connection, the user will not be able to answer affirmatively. In this case, the script rolls back to the previous working iptables rules after the timeout expires. Successfully applied rules can also be written to savefile and later used to roll back to this state. This can be used to implement a store last good configuration mechanism when experimenting with an iptables setup script: $PROGNAME -w $DEF_SAVEFILE -c $DEF_RUNCMD When called as ip6tables-apply, the script will use ip6tables-save/-restore and IPv6 default values instead. Default value for rulesfile is '$DEF_RULESFILE'. Options: -t seconds, --timeout seconds Specify the timeout in seconds (default: $DEF_TIMEOUT). -w savefile, --write savefile Specify the savefile where successfully applied rules will be written to (default if empty string is given: $DEF_SAVEFILE). -c runcmd, --command runcmd Run command runcmd to configure iptables instead of applying a rulesfile (default: $DEF_RUNCMD). -h, --help Display this help text. -V, --version Display version information. __EOF__ } function checkcommands() { for cmd in "${COMMANDS[@]}"; do if ! command -v "$cmd" >/dev/null; then echo "Error: needed command not found: $cmd" >&2 exit 127 fi done } function revertrules() { echo -n "Reverting to old iptables rules... " "$RESTORE" <"$TMPFILE" echo "done." } ### Parsing and checking parameters TIMEOUT="$DEF_TIMEOUT" SAVEFILE="" SHORTOPTS="t:w:chV"; LONGOPTS="timeout:,write:,command,help,version"; OPTS=$(getopt -s bash -o "$SHORTOPTS" -l "$LONGOPTS" -n "$PROGNAME" -- "$@") || exit $? for opt in $OPTS; do case "$opt" in (-*) unset OPT_STATE ;; (*) case "${OPT_STATE:-}" in (SET_TIMEOUT) eval TIMEOUT="$opt";; (SET_SAVEFILE) eval SAVEFILE="$opt" [ -z "$SAVEFILE" ] && SAVEFILE="$DEF_SAVEFILE" ;; esac ;; esac case "$opt" in (-t|--timeout) OPT_STATE="SET_TIMEOUT";; (-w|--write) OPT_STATE="SET_SAVEFILE";; (-c|--command) MODE=1;; (-h|--help) usage >&2; exit 0;; (-V|--version) about >&2