From 033e25a3ad215ee3f5a07f0a3315f74c4abfaced Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Tue, 7 Jun 2011 14:02:37 +0200 Subject: src: move all iptables pieces into a separate directory (Unclutter top-level dir) Signed-off-by: Jan Engelhardt --- iptables-apply | 174 --------------------------------------------------------- 1 file changed, 174 deletions(-) delete mode 100755 iptables-apply (limited to 'iptables-apply') diff --git a/iptables-apply b/iptables-apply deleted file mode 100755 index 5fec76b0..00000000 --- a/iptables-apply +++ /dev/null @@ -1,174 +0,0 @@ -#!/bin/bash -# -# iptables-apply -- a safer way to update iptables remotely -# -# Copyright © Martin F. Krafft -# Released under the terms of the Artistic Licence 2.0 -# -set -eu - -PROGNAME="${0##*/}"; -VERSION=1.0 - -TIMEOUT=10 -DEFAULT_FILE=/etc/network/iptables - -function blurb() -{ - cat <<-_eof - $PROGNAME $VERSION -- a safer way to update iptables remotely - _eof -} - -function copyright() -{ - cat <<-_eof - $PROGNAME is C Martin F. Krafft . - - The program has been published under the terms of the Artistic Licence 2.0 - _eof -} - -function about() -{ - blurb - echo - copyright -} - -function usage() -{ - cat <<-_eof - Usage: $PROGNAME [options] ruleset - - The script will try to apply a new ruleset (as output by iptables-save/read - by iptables-restore) to iptables, then prompt the user whether the changes - are okay. If the new ruleset cut the existing connection, the user will not - be able to answer affirmatively. In this case, the script rolls back to the - previous ruleset. - - The following options may be specified, using standard conventions: - - -t | --timeout Specify the timeout in seconds (default: $TIMEOUT) - -V | --version Display version information - -h | --help Display this help text - _eof -} - -SHORTOPTS="t:Vh"; -LONGOPTS="timeout:,version,help"; - -OPTS=$(getopt -s bash -o "$SHORTOPTS" -l "$LONGOPTS" -n "$PROGNAME" -- "$@") || exit $? -for opt in $OPTS; do - case "$opt" in - (-*) unset OPT_STATE;; - (*) - case "${OPT_STATE:-}" in - (SET_TIMEOUT) - eval TIMEOUT=$opt - case "$TIMEOUT" in - ([0-9]*) :;; - (*) - echo "E: non-numeric timeout value." >&2 - exit 1 - ;; - esac - ;; - esac - ;; - esac - - case "$opt" in - (-h|--help) usage >&2; exit 0;; - (-V|--version) about >&2; exit 0;; - (-t|--timeout) OPT_STATE=SET_TIMEOUT;; - (--) break;; - esac - shift -done - -FILE="${1:-$DEFAULT_FILE}"; - -if [[ -z "$FILE" ]]; then - echo "E: missing file argument." >&2 - exit 1 -fi - -if [[ ! -r "$FILE" ]]; then - echo "E: cannot read $FILE" >&2 - exit 2 -fi - -case "${0##*/}" in - (*6*) - SAVE=ip6tables-save - RESTORE=ip6tables-restore - ;; - (*) - SAVE=iptables-save - RESTORE=iptables-restore - ;; -esac - -COMMANDS=(tempfile "$SAVE" "$RESTORE") - -for cmd in "${COMMANDS[@]}"; do - if ! command -v $cmd >/dev/null; then - echo "E: command not found: $cmd" >&2 - exit 127 - fi -done - -umask 0700 - -TMPFILE=$(tempfile -p iptap) -trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15 - -if ! "$SAVE" >"$TMPFILE"; then - if ! grep -q ipt /proc/modules 2>/dev/null; then - echo "E: iptables support lacking from the kernel." >&2 - exit 3 - else - echo "E: unknown error saving current iptables ruleset." >&2 - exit 4 - fi -fi - -[ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban stop - -echo -n "Applying new ruleset... " -if ! "$RESTORE" <"$FILE"; then - echo "failed." - echo "E: unknown error applying new iptables ruleset." >&2 - exit 5 -else - echo done. -fi - -echo -n "Can you establish NEW connections to the machine? (y/N) " - -read -n1 -t "${TIMEOUT:-15}" ret 2>&1 || : -case "${ret:-}" in - (y*|Y*) - echo - echo ... then my job is done. See you next time. - ;; - (*) - if [[ -z "${ret:-}" ]]; then - echo "apparently not..." - else - echo - fi - echo "Timeout. Something happened (or did not). Better play it safe..." - echo -n "Reverting to old ruleset... " - "$RESTORE" <"$TMPFILE"; - echo done. - exit 255 - ;; -esac - -[ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban start - -exit 0 - -# vim:noet:sw=8 -- cgit v1.2.3