From 5dd3f713439c4d6c0a916b7cc893b908af18db0f Mon Sep 17 00:00:00 2001
From: jordanrinke
Date: Fri, 13 Jun 2014 12:41:04 -0700
Subject: [PATCH 1/4] Initial commit

---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 README.md

diff --git a/README.md b/README.md
new file mode 100644
index 00000000..09b0e392
--- /dev/null
+++ b/README.md
@@ -0,0 +1,4 @@
+ipsets-persistent
+=================
+
+init.d script for iptables-persistent on Debian/Ubuntu that also saves/loads ipsets

From 3560bfedb7b432b841046ca43a0db921d7993210 Mon Sep 17 00:00:00 2001
From: jordanrinke
Date: Fri, 13 Jun 2014 12:51:41 -0700
Subject: [PATCH 2/4] add ipset save/load/flush

added checking for and saving ipsets. sets are saved in the same place as the other rules in a file named rules.ipset. Rules are only saved if they are defined, same with flushing and loading. Instead of checking to see if ipset is installed on the load, I just check for the rules.ipset file, since if that doesn't exist loading doesn't make sense.
---
 iptables-persistent | 182 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 182 insertions(+)
 create mode 100644 iptables-persistent

diff --git a/iptables-persistent b/iptables-persistent
new file mode 100644
index 00000000..01ca1d2d
--- /dev/null
+++ b/iptables-persistent
@@ -0,0 +1,182 @@
+#!/bin/sh
+# Written by Simon Richter
+# modified by Jonathan Wiltshire
+# with help from Christoph Anton Mitterer
+# and again by Jordan Rinke
+#
+
+### BEGIN INIT INFO
+# Provides: iptables-persistent
+# Required-Start: mountkernfs $local_fs
+# Required-Stop: $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# X-Start-Before: $network
+# X-Stop-After: $network
+# Short-Description: Set up iptables rules
+# Description: Loads/saves current iptables rules from/to /etc/iptables
+# to provide a persistent rule set during boot time
+### END INIT INFO
+
+. /lib/lsb/init-functions
+
+rc=0
+
+load_rules()
+{
+ log_action_begin_msg "Loading iptables rules"
+
+ #load IPsets
+ if [ ! -f /etc/iptables/rules.ipsets ]; then
+ log_action_cont_msg " skipping IPsets (no rules to load)"
+ else
+ log_action_cont_msg " IPset"
+ ipset restore -! < /etc/iptables/rules.ipsets 2> /dev/null
+ if [ $? -ne 0 ]; then
+ rc=1
+ fi
+ fi
+
+ #load IPv4 rules
+ if [ ! -f /etc/iptables/rules.v4 ]; then
+ log_action_cont_msg " skipping IPv4 (no rules to load)"
+ else
+ log_action_cont_msg " IPv4"
+ iptables-restore < /etc/iptables/rules.v4 2> /dev/null
+ if [ $? -ne 0 ]; then
+ rc=1
+ fi
+ fi
+
+ #load IPv6 rules
+ if [ ! -f /etc/iptables/rules.v6 ]; then
+ log_action_cont_msg " skipping IPv6 (no rules to load)"
+ else
+ log_action_cont_msg " IPv6"
+ ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
+ if [ $? -ne 0 ]; then
+ rc=1
+ fi
+ fi
+
+ log_action_end_msg $rc
+}
+
+save_rules()
+{
+ log_action_begin_msg "Saving rules"
+
+ #save IPsets
+ #need at least iptable_filter loaded:
+ if ! ipset list | grep -i "name">/dev/null 2>&1; then
+ log_action_cont_msg " skipping IPset - no sets defined or not loaded"
+ elif [ -x /usr/sbin/ipset ] || [ -x /sbin/ipset ]; then
+ log_action_cont_msg " IPset"
+ ipset save > /etc/iptables/rules.ipsets
+ if [ $? -ne 0 ]; then
+ rc=1
+ fi
+ fi
+
+ #save IPv4 rules
+ #need at least iptable_filter loaded:
+ /sbin/modprobe -q iptable_filter
+ if [ ! -f /proc/net/ip_tables_names ]; then
+ log_action_cont_msg " skipping IPv4 (no modules loaded)"
+ elif [ -x /sbin/iptables-save ]; then
+ log_action_cont_msg " IPv4"
+ iptables-save > /etc/iptables/rules.v4
+ if [ $? -ne 0 ]; then
+ rc=1
+ fi
+ fi
+
+ #save IPv6 rules
+ #need at least ip6table_filter loaded:
+ /sbin/modprobe -q ip6table_filter
+ if [ ! -f /proc/net/ip6_tables_names ]; then
+ log_action_cont_msg " skipping IPv6 (no modules loaded)"
+ elif [ -x /sbin/ip6tables-save ]; then
+ log_action_cont_msg " IPv6"
+ ip6tables-save > /etc/iptables/rules.v6
+ if [ $? -ne 0 ]; then
+ rc=1
+ fi
+ fi
+
+ log_action_end_msg $rc
+}
+
+flush_rules()
+{
+ log_action_begin_msg "Flushing rules"
+
+ if ! ipset list | grep -i "name">/dev/null 2>&1; then
+ log_action_cont_msg " skipping IPset (no sets defined or not installed)"
+ elif [ -x /usr/sbin/ipset ] || [ -x /sbin/ipset ]; then
+ log_action_cont_msg " IPset"
+ ipset flush
+ fi
+
+
+
+ if [ ! -f /proc/net/ip_tables_names ]; then
+ log_action_cont_msg " skipping IPv4 (no module loaded)"
+ elif [ -x /sbin/iptables ]; then
+ log_action_cont_msg " IPv4"
+ for param in F Z X; do /sbin/iptables -$param; done
+ for table in $(cat /proc/net/ip_tables_names)
+ do
+ /sbin/iptables -t $table -F
+ /sbin/iptables -t $table -Z
+ /sbin/iptables -t $table -X
+ done
+ for chain in INPUT FORWARD OUTPUT
+ do
+ /sbin/iptables -P $chain ACCEPT
+ done
+ fi
+
+ if [ ! -f /proc/net/ip6_tables_names ]; then
+ log_action_cont_msg " skipping IPv6 (no module loaded)"
+ elif [ -x /sbin/ip6tables ]; then
+ log_action_cont_msg " IPv6"
+ for param in F Z X; do /sbin/ip6tables -$param; done
+ for table in $(cat /proc/net/ip6_tables_names)
+ do
+ /sbin/ip6tables -t $table -F
+ /sbin/ip6tables -t $table -Z
+ /sbin/ip6tables -t $table -X
+ done
+ for chain in INPUT FORWARD OUTPUT
+ do
+ /sbin/ip6tables -P $chain ACCEPT
+ done
+ fi
+
+ log_action_end_msg 0
+}
+
+case "$1" in
+start|restart|reload|force-reload)
+ load_rules
+ ;;
+save)
+ save_rules
+ ;;
+stop)
+ # Why? because if stop is used, the firewall gets flushed for a variable
+ # amount of time during package upgrades, leaving the machine vulnerable
+ # It's also not always desirable to flush during purge
+ echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
+ ;;
+flush)
+ flush_rules
+ ;;
+*)
+ echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
+ exit 1
+ ;;
+esac
+
+exit $rc

From 1ca7c0c6e18e788ecb335bf947e333c451bc892c Mon Sep 17 00:00:00 2001
From: jordanrinke
Date: Fri, 13 Jun 2014 12:52:21 -0700
Subject: [PATCH 3/4] Update README.md

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 09b0e392..f6b16482 100644
--- a/README.md
+++ b/README.md
@@ -2,3 +2,6 @@ ipsets-persistent
 =================

 init.d script for iptables-persistent on Debian/Ubuntu that also saves/loads ipsets
+
+
+I added checking for and saving ipsets. sets are saved in the same place as the other rules in a file named rules.ipset. Rules are only saved if they are defined, same with flushing and loading. Instead of checking to see if ipset is installed on the load, I just check for the rules.ipset file, since if that doesn't exist loading does't make sense. There might be better ways to do it, feel free to submit a pull etc. this is just the way I made it work for me.

From 600ecb5356970ee7fd5cfcee55c51d12bb0c2777 Mon Sep 17 00:00:00 2001
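Review bot: load_rules throws away the diagnostics of the one step that decides whether the host has a firewall after boot: `ipset restore -! < /etc/iptables/rules.ipsets 2> /dev/null` hides why a set could not be created, and when a set is missing the following `iptables-restore < /etc/iptables/rules.v4 2> /dev/null` presumably rejects the whole ruleset, so the machine comes up with empty chains and ACCEPT policies and nothing but a bare rc=1 to show for it. Drop the `2> /dev/null` on the three restore lines (or route stderr through `logger -t iptables-persistent`) so a firewall-less boot is visible in the log, and consider failing closed when rc is non-zero, since the script declares `X-Start-Before: $network`. In save_rules and flush_rules the `ipset list | grep -i "name"` probe runs before the `-x /usr/sbin/ipset` test, so on a host without ipset the shell prints a command-not-found error on every save or flush; test for the binary first. The commit message and README call the file rules.ipset while the script reads and writes /etc/iptables/rules.ipsets; use one spelling.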
From: jordanrinke
Date: Fri, 8 Aug 2014 16:41:31 -0700
Subject: [PATCH 4/4] Exclude f2b sets

If you save the f2b set, it will stack them on restart. Adding grep -iv "f2b" will exclude any sets from fail2ban from being saved, so they append a single time properly
---
 iptables-persistent | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iptables-persistent b/iptables-persistent
index 01ca1d2d..fe174d8f 100644
--- a/iptables-persistent
+++ b/iptables-persistent
@@ -72,7 +72,7 @@ save_rules()
 log_action_cont_msg " skipping IPset - no sets defined or not loaded"
 elif [ -x /usr/sbin/ipset ] || [ -x /sbin/ipset ]; then
 log_action_cont_msg " IPset"
- ipset save > /etc/iptables/rules.ipsets
+ ipset save | grep -iv "f2b"> /etc/iptables/rules.ipsets
 if [ $? -ne 0 ]; then
 rc=1
 fi
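Review bot: The new `grep -iv "f2b"` matches the substring anywhere in the line, case-insensitively, so it also drops `add` lines of unrelated sets whose member or comment happens to contain "f2b", and the `$?` tested on the next line is now grep's status rather than ipset's: grep exits 1 when every line was filtered out (only fail2ban sets exist), setting rc=1 for a healthy save, and exits 0 when `ipset save` failed after emitting some output. Anchor the filter to the set-name field of `ipset save` output, `ipset save | grep -Ev '^(create|add) f2b-' > /etc/iptables/rules.ipsets`, and if the save status matters capture `ipset save` into a variable first, since /bin/sh (dash) has no pipefail. Leaving the fail2ban sets out of rules.ipsets while rules.v4, written by the same function a few lines below this hunk, still contains fail2ban's `--match-set f2b-…` rules presumably makes the boot-time iptables-restore fail on a missing set and discard the whole ruleset, because this script starts before $network and likely before fail2ban recreates them; that constraint belongs in a comment above this line or in the README. save_rules starts and ends outside the hunk.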